LMS Config Guide

Configuration Management with Cisco
Prime LAN Management Solution 4.2
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-25941-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL
STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT
WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCBs public
domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this
URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership
relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display
output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in
illustrative content is unintentional and coincidental.
Configuration Management with Cisco Prime LAN Management Solution 4.2
1998-2012 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface
xxv
Audience
xxv
Document Conventions
xxvi
Product Documentation
xxvi
Obtaining Documentation and Submitting a Service Request

Notices
xxix
OpenSSL/Open SSL Project

License Issues i-xxix
CHAPTER
i-xxix
Overview of Configuration Management

Organization
Configuration Center
2
Best Practices Deviation
Device Change Audit
2-1
2-3
2-4
Config Protocol Summary

Hardware Summary
CHAPTER
2-5
2-6
2-7
Software Summary
Syslog Alerts
2-1
2-2
Job Information Status
Job Approval
1-3
1-8
About Configuration Dashboard

Discrepancies
1-1
1-2
Configuration Management Tasks
CHAPTER
xxvii
2-8
2-8
Managing and Deploying Templates

Accessing Template Center
3-2
Creating Configuration Templates

Deploying Templates
3-1
3-12
3-15
Managing Templates 3-18

Editing Templates 3-19
Deleting Templates 3-20
OL-25941-01
iii
Contents
Exporting Templates 3-20

Handling Multi-line Commands 3-21
Viewing Template Details 3-21
Importing Templates 3-22
Importing from XML File 3-22
Importing from a Cisco Configuration Professional File
Importing Running Config from Device 3-25
Assigning Templates to Users
3-23
3-26
Understanding the Template Center Jobs Browser
3-27
Guidelines for Creating Configuration Templates Using IF and FOREACH Statements

Syntax/Example for IF 3-32
Syntax/Example for FOREACH 3-33
XML Specification for Template 3-33
CHAPTER
Using Compliance and Audit Manager Feature
3-31
4-1
Managing Policy Groups 4-1

Adding Policy Groups 4-1
Adding New Policy Group by Selecting Policies from Existing System-Defined Policy Group
Adding a New Policy Group by Adding New Policies 4-2
Cloning Policy Groups 4-3
Editing Policy Groups 4-4
Deleting User-Defined Policy Groups 4-5
Deleting a Policy from User-Defined Policy Group 4-5
4-2
Managing Policy Profile 4-6

Adding a New Policy Profile 4-6
Cloning Policy Profiles 4-7
Editing Policy Profile 4-7
Deleting Policy Profiles 4-8
Running Compliance Check 4-8
Viewing Job History 4-9
Fixing Profile Violations
4-12
Understanding Compliance Violation Fix Job Browser
4-14
Understanding Compliance and Audit Manager (CAAM) Policies

Center of Internet Security (CIS) 4-19
Cisco Security Best Practices (SAFE) 4-20
Department Of Homeland Security (DHS) 4-21
Defense Information Security Agency (DISA) 4-21
End of Life (EOL) 4-22
Healthcare Insurance Portability Act (HIPAA) 4-22
4-18
iv
OL-25941-01
Contents
ISO17799 4-22
National Security Agency (NSA) Router 4-23
Payment Card Industry (PCI) 4-24
Cisco Security Advisory (PSIRT) 4-25
SysAdmin, Audit, Network, Security (SANS) 4-30
Sarbanes Oxley Act (SOX) 4-31
Compliance and Audit Manager Policies 4-31
Banners 4-31
Console Access 4-38
Domain Name 4-40
Host Name 4-43
Logging and Syslog 4-44
Terminal Access 4-53
User Passwords 4-59
ACL on Interfaces 4-65
Firewall Traffic Rules 4-66
Null (Black Hole) Routing 4-68
SMURF Attack 4-70
Traffic Rules 4-71
Dynamic Trunking Protocols (DTP) 4-72
IEEE 802.3 Flow Control 4-73
Spanning Tree Protocols (STP) 4-75
Unidirectional Link Detection (UDLD) 4-79
VLAN 1 4-81
VLAN Trunking Protocols (VTP) 4-84
Remote Commands 4-87
AAA 4-88
AAA Accounting - Commands 4-92
AAA Accounting - Connections 4-95
AAA Accounting - Exec 4-99
AAA Accounting - Network 4-103
AAA Accounting - System 4-107
AAA Authentication - Enable 4-111
AAA Authentication - Login 4-115
AAA Authorization - Commands 4-121
AAA Authorization - Configuration 4-123
AAA Authorization - EXEC 4-127
AAA Authrorization - Network 4-131
Control Plane Policing 4-135
HTTP Server 4-137
OL-25941-01
Contents
Miscellanous Service 4-143

Routing and Forwarding 4-152
SNMP 4-159
TCP Parameters 4-166
BGP 4-171
EIGRP 4-176
OSPF 4-180
RIP 4-184
ACLs 4-188
CDP 4-191
Clock 4-194
Miscellaneous Services On Firewalls 4-196
NTP Configuration 4-199
Device Version Checks 4-205
Devices Running outdated OS Versions 4-207
Devices with outdated modules 4-210
Outdated Devices As Per Vendor Specific EOL/EOS Announcement 4-214
IEEE 802.1X Port-Based Authentication 4-217
IOS Software SIP DoS Vulnerability - 112248 4-219
Management VLAN 4-222
IOS Software IPv6 DoS Vulnerability - 112252 4-225
IOS Software Data Link Switching Vulnerability - 112254 4-227
Cisco 10000 Series DoS Vulnerability - 113032 4-230
IOS Software NAT H.323 Vulnerability - 112253 4-231
Multiple SSH Vulnerabilities - 8118 4-232
IOS Software Smart Install Vulnerability - 113030 4-233
SSH Parameters 4-235
IOS Software IPv6 over Multiprotocol Label Switching Vulnerability - 113058 4-238
IOS Software ICMPv6 over Multiprotocol Label Switching Vulnerability - 113058 4-240
FTP 4-242
Cisco ASA Internet Locator Service Inspection DoS vulnerability - 113097 4-243
IP Phone + Host Ports 4-244
Port Security 4-250
ASA SCCP Inspection DoS Vulnerability - 112881 4-252
Password Rules 4-253
ASA Unauthorized File System Access Vulnerability - 112881 4-254
IOS Software IPS and Zone Based Firewall Memory Leak Vulnerability - 113057 4-255
ASA Transparent Firewall Packet Buffer Exhaustion Vulnerability - 112881 4-256
IP Phone Ports 4-257
ASA Routing Information Protocol DoS Vulnerability - 112881 4-263
vi
OL-25941-01
Contents
Outdated Devices As Per Vendor Specific EOL/EOS Announcements 4-264

Cisco ASA TACACS+ Authentication Bypass vulnerability - 113097 4-268
Content Services Gateway Service policy bypass - 112206 4-269
IOS Software NAT LDAP Vulnerability - 112253 4-270
DHCP 4-271
IOS Software IP Service Level Agreement Vulnerability - 113056 4-272
DHCP Status 4-274
Cisco ASA Four SunRPC Inspection Denial of Service vulnerability - 113097 4-275
Content Services Gateway DOS Vulnerability - 112206 4-276
IOS Software IPS and Zone Based Firewall crafted HTTP packets Vulnerability - 113057
Secure Webmode Access 4-280
Unused Ports 4-281
Cisco ASA MSN Instant Messenger Inspection DoS vulnerability - 113097 4-285
DHCP Snooping 4-286
IOS Software NAT SIP Vulnerability - 112253 4-288
Hot Standby Router Protocol (HSRP) 4-289
AAA Command Authorization By-pass - 68840 [IOS] 4-290
ARP Table Overwrite - 13600 [IOS] 4-292
ASA Crafted IKE Message DoS Vulnerability - 111877 [ASA] 4-293
ASA Crafted IKE Message DoS Vulnerability - 111877 4-294
ASA Crafted TCP Segment DoS Vulnerability - 111485 [ASA] 4-295
ASA Crypto Accelerator Memory Leak Vulnerability - 108009 [ASA] 4-296
ASA NTLMv1 Authentication Bypass Vulnerability - 111485 [ASA] 4-297
ASA SCCP Inspection DoS Vulnerability - 111485 [ASA] 4-298
ASA SIP Inspection DoS Vulnerability - 111485 [ASA] 4-299
ASA SIP Inspection DoS Vulnerability - 111877 [ASA] 4-300
ASA TCP Connection Exhaustion DoS Vulnerability - 111485 [ASA] 4-301
ASA Three SunRPC Inspection DoS Vulnerability - 111877 [ASA] 4-302
ASA Three TLS DoS Vulnerability - 111877 [ASA] 4-303
ASA WebVPN DTLS DoS Vulnerability - 111485 [ASA] 4-304
Access Point Memory Exhaustion from ARP Attacks - 68715 [IOS] 4-305
Access Point Web-browser Interface - 70567 [IOS] 4-306
Auth Proxy Buffer Overflow - 66269 [IOS] 4-308
Authentication Proxy Vulnerability - 110478 [IOS] 4-309
BGP Attribute Corruption - 10935 [IOS] 4-312
BGP Logging - 63845 [IOS] 4-313
BGP Long AS path Vulnerability - 110457 [IOS] 4-314
BGP Packet - 53021 [IOS] 4-316
BGP Update Message Vulnerability - 110457 [IOS] 4-317
CEF Data Leak - 20640 [IOS] 4-319
4-277

OL-25941-01
vii
Contents
Call Processing Solutions - 63708 [IOS] 4-320

CatOS Catalyst 5000 Series 802.1x Vulnerability - 13617 [CatOS] 4-321
CatOS Denial-of-Service of TCP-based services - 43864 [CatOS] 4-323
CatOS DoS using Telnet, HTTP and SSH - 52781 [CatOS] 4-324
CatOS Embedded HTTP Server Buffer Overflow - 27962 [CatOS] 4-325
CatOS Enable Password Bypass Vulnerability - 13619 [CatOS] 4-326
CatOS Memory Leak Vulnerability - 13618 [CatOS] 4-327
CatOS Multiple SSH Vulnerabilities - 8118 [CatOS] 4-328
CatOS NAM (Network Analysis Module) Vulnerability - 81863 [CatOS] 4-330
CatOS OpenSSH Server Vulnerabilities - 45322 [CatOS] 4-331
CatOS Password Bypass Vulnerability - 42340 [CatOS] 4-333
CatOS SNMP Malformed Message Handling - 19296 [CatOS] 4-334
CatOS SNMP Multiple Community String Vulnerabilities - 13629 [CatOS] 4-336
CatOS SNMP Version 3 Authentication Vulnerability - 107408 [CatOS] 4-336
CatOS SSH Can Cause a Crash - 24862 [CatOS] 4-338
CatOS SSH Protocol Mismatch Vulnerability - 10932 [CatOS] 4-339
CatOS TCP Conn Reset - 50961 [CatOS] 4-340
CatOS TCP State Manipulation DoS Vulnerability - 109444 [CatOS] 4-341
CatOS Telnet Buffer Vulnerability - 20776 [CatOS] 4-342
Cisco IOS Software IGMP Vulnerability - 112027 [IOS] 4-343
Crafted Encryption Packet DoS Vulnerability - 110393 [IOS] 4-346
Crafted ICMP Messages DoS for IPSec Tunnels - 64520 [IOS] 4-348
Crafted ICMP Messages DoS for L2TPv2 - 64520 [IOS] 4-351
Crafted ICMP Messages DoS for TCP over IPv4 - 64520 [IOS] 4-353
Crafted ICMP Messages DoS for TCP over IPv6 - 64520 [IOS] 4-354
Crafted IP Option - 81734 [IOS] 4-355
Crafted TCP Packet Denial of Service Vulnerability - 111450 [IOS] 4-357
Crafted UDP Packet Vulnerability - 108558 [IOS] 4-361
Crypto - 91890 [IOS] 4-362
DFS ACL Leakage - 13655 [IOS] 4-364
DHCP - 63312 [IOS] 4-365
DLSw Denial of Service Vulnerabilities - 99758 [IOS] 4-366
DLSw Vulnerability - 77859 [IOS] 4-368
FTP Server - 90782 [IOS] 4-369
Firewall Application Inspection Control Vulnerability - 107716 [IOS] 4-370
H.323 Denial of Service Vulnerability - 111265 [IOS] 4-373
H.323 Protocol DoS Vulnerability - 110396 [IOS] 4-376
H323 DoS Vulnerability - 112021 [IOS] 4-378
HTTP - 13627 [IOS] 4-380
HTTP Auth - 13626 [IOS] 4-381
viii
OL-25941-01
Contents
HTTP Command Injection - 68322 [IOS] 4-382

HTTP GET Vulnerability - 44162 [IOS] 4-383
HTTP Server Query - 13628 [IOS] 4-384
Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series Switches
Vulnerability- 111895 [IOS] 4-385
IKE Resource Exhaustion Vulnerability - 110559 [IOS] 4-388
IKE Xauth - 64424 [IOS] 4-390
IPS ATOMIC.TCP Signature Vulnerability - 81545 [IOS] 4-391
IPS DoS Vulnerability - 107583 [IOS] 4-393
IPS Fragmented Packet Vulnerability - 81545 [IOS] 4-395
IPSec IKE Malformed Packet - 50430 [IOS] 4-396
IPsec Vulnerability- 111266 [IOS] 4-397
IPv4 - 44020 [IOS] 4-398
IPv6 Crafted Packet - 65783 [IOS] 4-399
IPv6 Routing Header - 72372 [IOS] 4-400
Information Leakage Using IPv6 Routing Header - 97848 [IOS] 4-402
Inter Process Communication (IPC) Vulnerabilty - 107661 [IOS] 4-403
Layer 2 Tunneling Protocol (l2TP) DoS Vulnerability - 107441 4-408
MPLS - 63846 [IOS] 4-411
MPLS Forwarding Infrastructure DoS Vulnerability - 107646 4-412
MPLS VPN May Leak Information Vulnerability - 107578 4-413
Mobile IP and IPv6 Vulnerabilities - 109487 4-415
Multicast Virtual Private Network (MVPN) Date Leak - 100374 [IOS] 4-418
Multiple Crafted IPv6 Packets - 63844 4-420
Multiple DNS Cache Poisioning Attacks - 107064 [IOS] 4-421
Multiple Features Crafted TCP Sequence Vulnerability - 109337 4-422
Multiple Features IP Sockets Vulnerability - 109333 [IOS] 4-423
Multiple Multicase Vulnerabilities - 107550 4-425
Multiple SIP DoS Vulnerabilities - 107617 4-428
Multiple SSH Vulnerabilities - 8118 4-431
Multiprotocol Label Switching Packet Vulnerability - 111458 4-432
NAM (Network Analysis Module) Vulnerability - 81863 4-438
NAT - 13659 4-439
NAT Skinny Call Control Protocol Vulnerability - 111268 4-440
NAT Skinny Call Control Protocol Vulnerability - 99866 4-441
NTP - 23445 4-442
NTP Packet Vulnerability - 110447 4-443
Network Address Translation Vulnerability - 112028 4-448
Next Hop Resolution Protocol Vulnerability - 91766 4-450
OSPF Malformed Packet- 61365 [IOS] 4-451
OL-25941-01
ix
Contents
OSPF, MPLS VPN Vulnerability - 100526 [IOS] 4-452

Object-Group ACL Bypass Vulnerability - 110398 [IOS] 4-454
OpenSSL Implementation DoS Vulnerability - 45643 [IOS] 4-455
OpenSSL Implementation Vulnerability - 49898 [IOS] 4-456
PIX Crafted MGCP Packet - 98711 [PIX, ASA] 4-457
PIX Crafted TLS Packet - 98711 [PIX, ASA] 4-459
PIX Erroneous SIP Processing Vulnerabilities - 107475 [PIX, ASA] 4-460
PIX Buffer overflow - 28947 [PIX, ASA] 4-461
PIX CBAC - 23885 [PIX, ASA] 4-462
PIX Control Plane Access Control List Vulnerability - 105444 [PIX, ASA] 4-464
PIX Crafted TCP ACK Packet Vulnerability - 105444 [PIX, ASA] 4-465
PIX Crafted TLS Packet Vulnerability - 105444 [PIX, ASA] 4-466
PIX Crypto - 23886 [PIX, ASA] 4-467
PIX Crypto - 91890 [PIX, ASA] 4-468
PIX DoS - 13635 [PIX, ASA] 4-469
PIX Device Reload with SIP Inspection Vulnerability - 107475 [PIX, ASA] 4-471
PIX Enhanced inspection of Malformed HTTP traffic - 77853 [PIX, ASA] 4-472
PIX FTP - 13638 [PIX, ASA] 4-473
PIX Firewall Unintentional Password Modification - 70811 [PIX, ASA] 4-474
PIX IPSec Client Authentication Processing Vulnerability - 107475 [PIX, ASA] 4-477
PIX ISAKMP - 28947 [PIX, ASA] 4-478
PIX Inspection of a stream of malformed TCP packets - 77853 [PIX, ASA] 4-479
PIX Inspection of malformed SIP packets - 77853 [PIX, ASA] 4-480
PIX Instant Message Inspection Vulnerability - 105444 [PIX, ASA] 4-482
PIX LDAP Authentication Bypass - 82451 [PIX, ASA] 4-483
PIX Mailgaurd - 13636 [PIX, ASA] 4-485
PIX Multiple SSH Vulnerabilities - 8118 [PIX, ASA] 4-486
PIX OpenSSL Implementation DoS Vulnerability - 45643 [PIX, ASA] 4-488
PIX OpenSSL Implementation Vulnerability - 49898[PIX, ASA] 4-489
PIX Potential Information Disclosure in Clientless VPNs - 107475 [PIX, ASA] 4-490
PIX Privilege escalation - 77853 [PIX, ASA] 4-491
PIX SMTP - 15235 [PIX, ASA] 4-493
PIX SNMP - 19296 [PIX, ASA] 4-495
PIX SNMPv3 - 47284 [PIX, ASA] 4-496
PIX SSH - 24862 [PIX, ASA] 4-497
PIX SSL VPN DOS - 82451 [PIX, ASA] 4-498
PIX SSL VPN Memory Leak Vulnerability - 107475 [PIX, ASA] 4-499
PIX Scan Denial of Service Vulnerability - 105444 [PIX, ASA] 4-500
PIX TCP Conn Reset - 50961 [PIX, ASA] 4-501
PIX TCP Prevention - 68268 [PIX, ASA] 4-502
OL-25941-01
Contents
PIX TCP Reset - 13639 [PIX, ASA] 4-504

PIX Time-to-Live Vulnerability - 100314 [PIX, ASA] 4-505
PIX Traceback When Processing Malformed SIP Requests - 107475[PIX, ASA] 4-506
PIX URI Processing Error Vulnerability in SSL VPNs - 107475 [PIX, ASA] 4-507
PIX VPN Password Expiry - 82451 [PIX, ASA] 4-508
PIX VPNC - 47284 [PIX, ASA] 4-510
PIX/ASA ACL Bypass Vulnerability - 109974 [PIX, ASA] 4-511
PIX/ASA Crafted H.323 Packet DoS Vulnerability - 109974 [PIX, ASA] 4-513
PIX/ASA Crafted HTTP Packet DoS Vulnerability - 109974 [PIX, ASA] 4-513
PIX/ASA Crafted TCP Packet DoS Vulnerability - 109974 [PIX, ASA] 4-515
PIX/ASA IPv6 Denial of Service Vulnerability - 108009 [PIX, ASA] 4-516
PIX/ASA SQL *Net Packet DoS Vulnerability - 109974 [PIX, ASA] 4-517
PIX/ASA TCP State Manipulation DoS Vulnerability - 109444 [PIX, ASA] 4-518
PIX/ASA VPN Authentication Bypass Vulnerability - 109974 [PIX, ASA] 4-520
PIX/ASA Windows NT Domain Authentication Bypass Vulnerability - 108009 4-521
PPTP - 13640 [IOS] 4-522
Radius - 65328 [IOS] 4-523
Reload After Scanning - 13632[IOS] 4-524
SAA Packets - 42744 [IOS] 4-525
SGBP Packet - 68793 [IOS] 4-526
SIP - 81825 [IOS] 4-527
SIP DoS Vulnerabilities - 109322 [IOS] 4-530
SIP DoS Vulnerability - 110395 [IOS] 4-533
SIP DoS Vulnerability - 112022 [IOS] 4-536
SNMP Malformed Message Handling - 19294 [IOS] 4-540
SNMP Message Processing - 50980 [IOS] 4-541
SNMP Multiple Community String Vulnerabilities - 13629 [IOS] 4-542
SNMP Read-Write ILMI Community String - 13630 [IOS] 4-543
SNMP Trap Reveals WEP Key - 46468 [IOS] 4-544
SNMP Version 3 Authentication Vulnerability -107408 [IOS] 4-545
SSH Can Cause a Crash -24862 [IOS] 4-549
SSH Malformed Packet -29581 [IOS] 4-550
SSH TACACS+ Authentication -64439 [IOS] 4-551
SSL -91888 [IOS] 4-552
SSL Packet Processing Vulnerability - 107631 [IOS] 4-554
SSL VPN Vulnerability - 112029 [IOS] 4-556
Secure Copy Authorization Bypass Vulnerability - 97261 [IOS] 4-560
Secure Copy Privilege Escalation Vulnerability - 109323 [IOS] 4-561
Secure Shell Denial of Services Vulnerabilities -99725 [IOS] 4-563
Session Initiation Protocol Denial of Services Vulnerability -111448 [IOS] 4-566
OL-25941-01
xi
Contents
Syslog Crash -13660 [IOS] 4-570

TCP -72318 [IOS] 4-571
TCP Conn Reset -50960 [IOS] 4-572
TCP Denial of Service Service Vulnerability -112099 [IOS] 4-574
TCP ISN -13631 [IOS] 4-579
TCP State Manipulation DoS Vulnerability -109444 [IOS] 4-581
Telnet DoS -61671 [IOS] 4-583
Telnet Option-10939 [IOS] 4-584
Timers Heap Overflow -68064 [IOS] 4-585
Tunnels DoS Vulnerability -109482 [IOS] 4-586
Unified Communications Manager Express Vulnerability -110451 4-587
User Datagram protocol delivery issue -100638 [IOS] 4-588
Virtual Private Dial-up Network DoS Vulnerability -97278 [IOS] 4-590
Vulnerabilities Found by PROTOS IPSec Test Suite -68158 [IOS] 4-592
Vulnerability in IOS Firewall Feature Set -9360 [IOS] 4-593
WeBVPN and SSLVPN Vulnerabilities -107397 [IOS] 4-594
Zone-Based Policy Firewall Vulnerability -110410 [IOS] 4-596
cTCP Denial of Service Vulnerability -109314 [IOS] 4-597
uBR10012 Series Devices SNMP Vulnerability -107696 [IOS] 4-599
Land Attack 4-600
Risky Traffic 4-601
Loopback Interfaces 4-620
Distributed DoS Attacks 4-627
Web Mode Status 4-630
SNMP Status 4-631
WLAN Security Status 4-634
CDP Status 4-635
Syslog Status 4-636
Telnet Status 4-637
NTP Server should be Configured 4-638
Check IDS Status 4-639
Check Authentication Servers 4-640
Data Synchronization between LMS and CAAM
CHAPTER
4-641
Making and Deploying Configuration Changes Using NetConfig

NetConfig Tasks
5-1
5-2
Preparing to Use NetConfig 5-3

Verifying Device Credentials 5-3
Modifying Device Security 5-3
xii
OL-25941-01
Contents
Verifying Device Prompts 5-4

Configuring Default Job Policies (Optional) 5-4
Assigning Task Access Privileges to Users (Optional)
Enabling Job Approval (Optional) 5-4
Rolling Back Configuration Changes 5-5
Creating Rollback Commands 5-5
Configuring a Job to Roll Back on Failure
Understanding NetConfig User Permissions
Job Approval Permissions 5-6
User-defined Tasks Permissions 5-6
Administrator Task Permissions 5-6
Job Editing Permissions 5-6
Using NetConfig
5-4
5-5
5-5
5-6
Starting a New NetConfig Job 5-7

Create a NetConfig Job based on Device 5-7
Create a NetConfig Job based on Module or Port
5-12
Browsing and Editing Jobs Using the NetConfig Job Browser

Viewing Job Details 5-23
5-18
Creating and Editing User-defined Tasks 5-25

Parameterized Templates 5-29
Creating a Parameters File (XML file) 5-30
Parameters File: More Examples 5-31
Assigning Tasks to Users
5-33
Handling Interactive Commands 5-33

Using NetConfig User-defined Templates and Adhoc Tasks
Handling Multi-line Commands
5-34
5-34
Using System-defined Tasks 5-35

Understanding the System-defined Task User Interface (Dialog Box)
Adhoc Task 5-40
Authentication Proxy Task 5-41
Banner Task 5-43
CDP Task 5-44
Certification Authority Task 5-46
Crypto Map Task 5-47
DNS Task 5-49
Enable Password Task 5-50
HTTP Server Task 5-53
Local Username Task 5-54
IGMP Configuration Task 5-57
5-39

OL-25941-01
xiii
Contents
Interface IP Address Configuration Task 5-58

Internet Key Exchange (IKE) Configuration Task 5-59
NTP Server Configuration Task 5-61
RADIUS Server Configuration Task 5-63
RCP Configuration Task 5-66
Reload Task 5-67
SNMP Community Configuration Task 5-68
SNMP Security Configuration Task 5-70
SNMP Traps Configuration Task 5-72
Smart Call Home Task 5-76
Syslog Task 5-83
SSH Configuration Task 5-87
TACACS Configuration Task 5-88
TACACS+ Configuration Task 5-89
Telnet Password Configuration Task 5-91
Transform System-Defined Task 5-92
Web User Task 5-94
User-defined Protocol Task 5-94
Cable BPI/BPI+ Task 5-95
Cable DHCP-GiAddr and Helper Task 5-97
Cable Downstream Task 5-98
Cable Upstream Task 5-100
Cable Interface Bundling Task 5-104
Cable Spectrum Management Task 5-104
Cable Trap Source Task 5-106
Support for Auto Smartports and Smartports 5-107
Auto Smartports 5-107
Manage Auto Smartports 5-111
Smartports 5-112
PoE Task 5-113
Catalyst Integrated Security Features 5-114
EEM Environmental Variables Task 5-116
Embedded Event Manager Task 5-117
EnergyWise Configuration Task 5-118
EnergyWise Parameters Task 5-121
EnergyWise Events Task 5-121
GOLD Boot Level Task 5-123
GOLD Monitoring Test Task 5-124
GOLD Health Monitoring Test Task 5-125
SRE Operation Task 5-127
xiv
OL-25941-01
Contents
cwcli netconfig 5-128

Use Case: Using NetConfig Templates to change Configurations for many Devices
CHAPTER
Archiving Configurations and Managing them using Configuration Archive

Performing Configuration Archive Tasks
6-6
6-7
Using the Config Fetch Protocol Usage Report

Generating an Out-of-Sync Report
Scheduling Sync on Device Job
6-1
6-2
Checking Configuration Archival Status 6-3

Configuration Archival Reports 6-4
Successful Devices Report 6-5
Failed Devices Report 6-5
Partially Successful Devices Report 6-6
Configuration Never Collected Devices Report
Scheduling Sync Archive Job
5-129
6-9
6-10
6-10
Using the Configuration Version Tree
6-12
Understanding the Config Viewer Window
6-13
Viewing the Configuration Version Summary

Configuration Quick Deploy 6-17
Performing a Configuration Quick Deploy
6-16
6-18
Configuring Labels 6-20

Creating a Label 6-21
Editing a Labeled Configuration 6-22
Viewing the Labeled Configuration 6-23
Deleting the Labeled Configuration 6-24
Using Search Archive 6-24
Creating a Custom Query 6-25
Running a Custom Query 6-26
Editing a Custom Query 6-27
Deleting the Custom Queries 6-27
Searching Archive 6-28
Search Archive Result 6-30
Device Configuration Quick View Report
6-30
Comparing Configurations 6-33

Comparing Startup vs. Running Configurations 6-33
Comparing Running vs. Latest Archived Configurations 6-34
Comparing Two Configuration Versions of the Same Device 6-35
Compare Two Configuration Versions of Different Devices 6-36
OL-25941-01
xv
Contents
Compare Base Config vs. Latest Configuration Version of Multiple Devices

Understanding the Config Diff Viewer Window 6-41
Using Configuration Archive Job Browser 6-44
Retrying a Config Job 6-46
Stopping a Config Job 6-48
Deleting the Config Jobs 6-49
Viewing the Configuration Archive Job Details
CHAPTER
6-50
Using Baseline Templates to Check Configuration Compliance

What is a Baseline Template?
Features of Baseline Templates
6-38
7-1
7-1
7-3
Baseline Template Management Window 7-5

Editing a Baseline Template 7-9
Exporting a Baseline Template 7-10
Deleting a Baseline Template 7-11
Creating a Baseline Template 7-11
Creating a Basic Baseline Template 7-12
Creating a Basic Baseline Template - an Example 7-15
Creating an Advanced Baseline Template 7-16
Creating an Advanced Baseline Template - an Example 7-20
Importing a Baseline Template 7-24
Running Compliance Check 7-25
Understanding the Baseline Compliance Report
7-27
Deploying a Baseline Template 7-28

Deploying a Baseline Template Using User Interface 7-29
Deploying a Baseline Template Using File System 7-32
Using Compliance and Deploy Jobs Window
Deploying the Commands 7-37
Deleting the Compliance Jobs 7-40
CHAPTER
7-36
Editing and Deploying Configurations Using Config Editor

Config Editor Tasks
8-1
8-2
Benefits of Configuration Editor

Setting Up Preferences
8-3
8-8
Overview: Editing a Configuration File

Working With the Configuration Editor
Processed Mode 8-10
Raw Mode 8-11
8-9
8-9
xvi
OL-25941-01
Contents
Editing Configuration Files by Handling Interactive Commands in Config Editor Jobs

Modifying Credentials 8-12
Removing a Configuration File
Saving a Configuration File
Undoing All
Replacing All
8-13
8-14
8-15
8-15
Printing a Configuration File
8-16
Exporting Changes of a Configuration File

Deploying a Configuration File
Closing a Configuration File
8-17
8-18
8-20
Selecting Configuration Tools
8-20
Comparing Versions of Configuration Files

Displaying Your Changes
8-22
8-23
Overview: Syntax Checker 8-23

Interface to External Syntax Checker 8-23
Registering an External Syntax Checker Application With CMIC
Viewing the List of Modified Configs
8-26
Opening a Configuration File - By Device and Version

Opening a Configuration File - By Pattern Search
Opening a Configuration File - By Baseline
Baseline Configuration Editor
8-26
8-27
8-29
8-30
Opening an External Configuration File
8-31
Configuration Deployment in Overwrite and Merge Modes

Overview: Downloading a Configuration File
Starting a New Download Job
Selecting Configs
8-35
Scheduling a Job
8-36
Reviewing the Work Order
8-32
8-33
8-33
8-39
Viewing the Status of all Deployed Jobs

9
8-25
8-25
Overview: Opening a Configuration File
CHAPTER
8-11
8-40
Managing Software Images Using Software Management

Setting Up Your Environment 9-4
Requirements on LMS Server 9-4
Logging Into Cisco.com 9-5
Using Job Approval for Software Management
9-1
9-6

OL-25941-01
xvii
Contents
Software Repository 9-7

Software Repository Synchronization 9-8
Scheduling a Synchronization Report 9-10
Viewing a Synchronization Report 9-11
Removing a Synchronization Report Job 9-11
Adding Images to the Software Repository 9-11
Adding Images to the Software Repository From Cisco.com 9-12
Adding Images to the Software Repository From Devices 9-15
Adding Images to the Software Repository From a File System 9-17
Adding Images to the Software Repository From a URL 9-19
Adding Images to the Software Repository From the Network 9-21
Synchronizing Software Image Status With Cisco.com 9-23
Deleting Images From the Software Repository 9-24
Exporting Images from Software Repository 9-25
Searching for Images from Software Repository 9-26
Software Image Attributes 9-26
Understanding Software Image Attributes 9-27
Understanding Default Attribute Values 9-28
Finding Missing Attribute Information 9-28
Editing and Viewing the Image Attributes 9-28
Software Distribution 9-29
Upgrade Analysis 9-29
Planning an Upgrade From Cisco.com 9-30
Planning an Upgrade From Repository 9-31
Understanding the Upgrade Analysis Report 9-32
Support for In Service Software Upgrade 9-34
Software Distribution Methods 9-35
Planning the Upgrade 9-37
Configuring Devices for Upgrades 9-38
Scheduling the Upgrade 9-50
Authorizing a Distribution Job 9-51
Distributing by Devices [Basic] 9-51
Distributing by Devices [Advanced] 9-55
Distributing by Images 9-60
Support for IOS Software Modularity 9-65
Patch Distribution 9-67
Patch Distribution - by Devices 9-67
Patch Distribution - by Patch 9-71
Remote Staging and Distribution 9-75
Using External FTP Server 9-76
xviii
OL-25941-01
Contents
Using External TFTP Server 9-84

Using Remote Stage Device 9-88
Understanding Upgrade Recommendations 9-93
Upgrade Recommendation for Cisco IOS Devices 9-93
Upgrade Recommendation for Catalyst Devices 9-94
Upgrade Recommendation for VPN 3000 Series 9-95
Upgrade Recommendation for Catalyst 1900/2820 9-95
Upgrade Recommendation for Other Device Types 9-95
Using Software Management Job Browser 9-95
Changing the Schedule of a Job 9-97
Retry a Failed Distribution Job 9-98
Undo a Successful Distribution Job 9-99
Stopping a Job 9-100
Deleting Jobs 9-100
Understanding the Software Management Job Summary
Understanding User-supplied Scripts
9-102
Locating Software Management Files
CHAPTER
10
Virtual Switching System Support

Prerequisites for Conversion
9-101
9-105
10-1
10-2
Virtual Switching System Configuration Process 10-2

Converting Switches from Standalone to VSS Mode
10-5
Support for Virtual Switching Systems 10-9

Inventory Management 10-9
Configuration Management 10-9
Syslog 10-10
Software Management - Software Distribution 10-10
Software Management - Scheduling a Software Distribution Job
Converting Switches from Virtual to Standalone Mode
10-11
10-11
Use Case: Converting Standalone Switches into a Virtual Switching System
CHAPTER
11
Configuring VLAN
10-13
11-1
Understanding Virtual LAN (VLAN) 11-2

Advantages of VLANs 11-2
Simplification of Adds, Moves, and Changes
Controlled Broadcast Activity 11-2
Workgroup and Network Security 11-3
VLAN Components 11-3
11-2

OL-25941-01
xix
Contents
Using VLANs
11-4
Configuring VLANs 11-4

Selecting Devices or Entities 11-5
Creating VLANs 11-6
Assigning Ports to VLANs 11-8
Advanced Filter 11-9
Disallowing VLAN on Trunks 11-11
Understanding VLAN Creation Summary 11-11
Deleting VLANs 11-12
Moving Affected Ports to New VLAN 11-14
Understanding VLAN Deletion Summary 11-15
Creating Ethernet VLANs 11-15
Ethernet VLANs 11-15
Creating Ethernet VLANs
11-16
Configuring Token Ring VLANs 11-16

Understanding trBRF VLANs 11-17
Creating trBRF VLANs 11-17
Understanding trCRF VLANs 11-18
Creating trCRF VLANs 11-18
Deleting trBRF and trCRF VLANs 11-19
Interpreting VLAN Summary Information
Displaying VLAN Reports 11-21
Interpreting VLAN Reports 11-23
11-20
Understanding Private VLAN 11-24

Types of Private VLAN Ports 11-24
Promiscuous Ports 11-24
PVLAN Host Ports 11-24
PVLAN Trunk Ports 11-25
Using Private VLAN 11-25
Creating PVLAN 11-26
Creating Primary VLAN 11-26
Creating Secondary VLAN and Associating to Primary VLAN
Associating Ports to Secondary VLAN 11-28
Configuring Promiscuous Ports 11-28
Deleting PVLAN 11-29
Understanding Inter-VLAN Routing
11-27
11-30
Using Inter-VLAN Routing 11-30

Configuring Inter-VLAN Routing on RSM, MSFC, L2/L3 Devices
Configuring Inter-VLAN Routing on External Routers 11-32
11-31
xx
OL-25941-01
Contents
VLAN Trunking Protocol 11-33

VTP Domains 11-34
Components of VTP Domains 11-34
Understanding VLAN Trunking Protocol Version 3
Support for VTP Version 3 11-35
Using VLAN Trunking Protocol (VTP) 11-37
Displaying VTP Reports 11-37
Interpreting VTP Reports 11-38
Using VTP Views 11-39
11-35
Understanding Trunking 11-40

Trunking Considerations 11-40
Dynamic Trunking Protocol (DTP) 11-40
Trunk Encapsulation 11-41
Trunk Characteristics 11-41
Encapsulation Types 11-42
Creating Trunk 11-42
Modifying Trunk Attributes 11-44
EtherChannel 11-46
Understanding EtherChannel 11-46
Using EtherChannel 11-46
Configuring EtherChannel 11-46
VLAN Port Assignment 11-47
Understanding VLAN Port Assignment 11-48
Starting VLAN Port Assignment 11-48
Using VLAN Port Assignment
11-49
Usage Scenarios for Managing VLANs 11-50

Configuring PVLANs in External Demilitarized Zone
Prerequisites 11-51
Reproducing Scenario 11-51
Verifying Configuration 11-52
CHAPTER
12
Configuring Virtual Routing and Forwarding (VRF)
12-1
Configuring VRF 12-2

Create VRF 12-2
Interface Mapping to VRF 12-5
Routing Protocol Configuration 12-9
Summary of VRFs to be Configured 12-11
Understanding VRF Configurations for Create VRF
Editing VRF
11-50
12-12
12-13
OL-25941-01
xxi
Contents
Interface Mapping to VRF in Edit VRF 12-14

Routing Protocol Configuration in Edit VRF 12-16
Summary of Edit VRF 12-19
Extend VRF 12-20
Interface Mapping to VRF in Extend VRF 12-23
Routing Protocol Configuration in Extend VRF 12-26
Summary of Extend VRF 12-27
Deleting VRF 12-29
Delete VRF - Summary
12-30
Edge VLAN Configuration 12-31

VLAN to VRF Mapping 12-33
Edge VLAN Configuration Summary
Using VRF Lite Job Browser
CHAPTER
APPENDIX
13
Viewing Topology Services

CLI Utilities
12-36
12-38
13-1
A-1
CWCLI A-1
Overview: CLI Framework (cwcli) A-2
cwcli Global Arguments A-3
Remote Access A-4
Overview: cwcli config Command A-7
Using the cwcli config Command for Batch Processing
Getting Started With cwcli config A-8
Uses of cwcli config A-8
Remote Access A-10
Running cwcli config A-10
cwcli config Command Parameters A-11
Parameters For All cwcli config Commands A-13
cwcli config Syntax Examples A-15
cwcli config Core Arguments A-19
Examples of cwcli config A-20
cwcli config Command Man Page A-20
Arguments A-22
cwcli config Subcommand Man Pages A-25
Overview: cwcli netconfig Command A-33
cwcli netconfig Remote Access A-41
Overview: cwcli export Command A-42
Using the cwcli export Command A-44
A-7
xxii
OL-25941-01
Contents
Running cwcli export changeaudit A-48

Running cwcli export config A-58
Running cwcli export inventory Command A-62
XML Schema for cwcli export inventory Data A-63
Overview: cwcli inventory Command A-79
Using the cwcli inventory Command A-80
Running the cwcli inventory cda Command A-83
Running the cwcli inventory crmexport Command A-91
Running the cwcli inventory deletedevice Command A-93
Running the cwcli inventory getdevicestate Command A-95
Overview: cwcli invreport Command A-97
Overview: cwcli netshow Command A-104
Running cwcli netshow Command A-105
Executing Netshow CLI Remotely A-109
Performance Tuning Tool A-110
PTT Features A-110
Profiles and PTT A-111
PTT Commands A-113
syslogConf.pl Utility
A-114
Software Management CLI Utility A-116

Running cwcli swim Command A-116
Running SWIM CLI Remotely A-119
APPENDIX
Config Template XML Schema
B-1
Understanding the XML Schema B-1

Detailed Description of Template XML Schema
B-5
Sample Template for Identity - Change of Authorization

Sample Template for IF Statement
APPENDIX
Troubleshooting Tips and FAQs
B-12
B-22
C-1
Configuration Archive C-1

Configuration Archive FAQs C-2
Login Authentication in Telnet Mode C-3
Login Authentication in SSH Mode C-3
Enable Login Authentication in Telnet Mode C-4
Enable Login Authentication in SSH Mode C-4
Troubleshooting Configuration Archive C-6
NetConfig C-9
NetConfig FAQs
C-9
OL-25941-01
xxiii
Contents
Troubleshooting NetConfig
Config Editor
C-10
C-11
Software Management C-13

Software Management FAQs C-13
Troubleshooting Software Management
Job Approval
C-73
cwcli config
C-75
cwcli export
C-77
VRF Lite
C-48
C-79
INDEX
xxiv
OL-25941-01
Preface
Cisco Prime LAN Management Solution (LMS) provides you with powerful features that enable you to
configure, monitor, troubleshoot, and administer Cisco networks.
Cisco Prime LMS 4.2 has a new menu layout that facilitates access to information and to tools required
for managing your network.
Cisco Prime LMS 4.2 groups the options to the following underlying core functions in this release:
Monitoring
Inventory Management
Configuration
Reporting
Administration
Work Center Management
This guide provides you with information on the Configuration Management function in Cisco Prime
LMS.
This preface lists related documents that support the Configuration Management function, and
demonstrates the styles and conventions used in this guide. The preface contains the following sections:
Audience
Audience
This guide is for users who are skilled at network administration and management, and for network
operators who can use this guide to make configuration changes to devices, using LMS. The network
administrators or the operators should be familiar with the following:
Basic Network Administration and Management
Basic Solaris and Soft Appliance System Administration
Basic Windows System Administration
Basic LMS Administration

OL-25941-01
xxv
Preface
Table 1 describes the conventions followed in the user guide.
Table 1
Note
Conventions Used
Item
Convention
Commands and keywords
boldface font
Variables for which you supply values
italic font
Displayed session and system information
screen
Information you enter
boldface screen
Variables you enter
italic screen
Menu items and button names
boldface font
Selecting a menu item in paragraphs
Option > Network Preferences
Selecting a menu item in tables
Option > Network Preferences
font
font
font
Means reader take note. Notes contain helpful suggestions or references to material not covered in the
publication.
Note
We sometimes update the printed and electronic documentation after original publication. Therefore,
you should also review the documentation on Cisco.com for any updates.
Table 2 describes on the product documentation that is available.
Table 2
Document Title
Available Formats
Getting Started with Cisco Prime LAN

Management Solution 4.2
PDF version part of Cisco Prime LMS 4.2 Product

DVD.
Context-sensitive online help
Select an option from the navigation tree, then

click Help.
Configuration Management with Cisco Prime

LAN Management Solution 4.2 (This document)

DVD.
Monitoring and Troubleshooting with Cisco

Prime LAN Management Solution 4.2

DVD.
Inventory Management with Cisco Prime LAN


DVD.
Administration of Cisco Prime LAN Management PDF version part of Cisco Prime LMS 4.2 Product
Solution 4.2
DVD.
xxvi
OL-25941-01
Preface
Table 2
Product Documentation (continued)
Document Title
Available Formats
Technology Work Centers in Cisco Prime LAN


DVD.
Reports Management with Cisco Prime LAN


DVD.
Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly Whats New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the Whats New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.

OL-25941-01
xxvii
Notices
The following acknowledgements pertain to this software license:

LMS includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/), and cryptographic software written by Eric Young (eay@cryptsoft.com), and
software written by Tim Hudson (tjh@cryptsoft.com).
License Issues
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the
original SSLeay license apply to the toolkit. The license texts are listed below. Actually both licenses
are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact
openssl-core@openssl.org.
OpenSSL License:
Copyright 1998-2007 The OpenSSL Project. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions,
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgment: This product includes software developed by the OpenSSL Project for use in the
OpenSSL Toolkit (http://www.openssl.org/).
4.
The names OpenSSL Toolkit and OpenSSL Project must not be used to endorse or promote
products derived from this software without prior written permission. For written permission, please
contact openssl-core@openssl.org.
5.
Products derived from this software may not be called OpenSSL nor may OpenSSL appear in
their names without prior written permission of the OpenSSL Project.
6.
Redistributions of any form whatsoever must retain the following acknowledgment:

OL-25941-01
xxix
Notices
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit
(http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT AS IS' AND ANY EXPRESSED
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product
includes software written by Tim Hudson (tjh@cryptsoft.com).
Original SSLeay License:
Copyright 1995-1998 Eric Young (eay@cryptsoft.com). All rights reserved.

This package is an SSL implementation written by Eric Young (eay@cryptsoft.com).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
adhered to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is
covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Youngs, and as such any Copyright notices in the code are not to be removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts of
the library used. This can be in the form of a textual message at program startup or in documentation
(online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided
that the following conditions are met:
1.
Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution.
3.
All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
The word cryptographic can be left out if the routines from the library being used are not
cryptography-related.
4.
If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgement: This product includes software written
by Tim Hudson (tjh@cryptsoft.com).
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG AS IS AND ANY EXPRESS OR IMPLIED

WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
xxx
OL-25941-01
Notices
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,

DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The license and distribution terms for any publicly available version or derivative of this code cannot be
changed. i.e. this code cannot simply be copied and put under another distribution license [including the
GNU Public License].

OL-25941-01
xxxi
CH A P T E R

Configuration Management in Cisco Prime LAN Management Solutions (LMS) allows you to manage,
deploy, and modify the configuration files used by devices in your network. You can run tools that can
compare configuration files and perform software image management tasks.
Configuration Dashboard in LMS provides information such as date of last configuration change, status
of the configuration jobs, summary of inventory configuration protocol and Hardware and Software
summary.
You can create configuration jobs and also manage configuration archive settings. You can define
baseline configuration templates and determine the devices that are non-compliant in your network.
You can perform VLANs configurations and Virtual Switching System (VSS) conversions.
This chapter provides information on the organization of the Configuration Management user guide and
an overview of Configuration Management tasks.
It explains:
Organization

OL-25941-01
1-1
Chapter 1
Organization
Organization
The Configuration Management user guide is organized as follows:
Table 1-1
Configuration Management User Guide
Chapter
Description
Chapter 1, Overview of
Configuration Management
(This chapter)
Provides information on the organization of Configuration

Management with Cisco Prime LMS user guide and an overview of the
tasks in Configuration Management functionality.
Chapter 2, About
Configuration Dashboard
Describes the Configuration Dashboard portlets in LMS.
Chapter 3, Managing and

Deploying Templates
Describes how to manage configuration templates and deploy them on

devices.
Chapter 4, Using
Compliance and Audit
Manager Feature
Describes how to manage policy groups, policy profiles, run

compliance check and fix the violations shown in the report.
Chapter 5, Making and

Deploying Configuration
Changes Using NetConfig
Describes how to use the NetConfig feature in Configuration

Management.
Chapter 6, Archiving
Configurations and Managing
them using Configuration
Archive
Describes how to use the Configuration Management feature.
Chapter 7, Using Baseline

Templates to Check
Configuration Compliance
Describes how to use Compliance management task to create, deploy

and manage baseline templates.
Chapter 8, Editing and

Deploying Configurations
Using Config Editor
Describes how to use the Config Editor task. Config Editor allows you
to edit a configuration file that exists in the configuration archive.
Chapter 9, Managing
Software Images Using
Software Management
Describes how to use the Software Image Management tool in LMS.
Chapter 10, Virtual

Switching System Support
Describes how to convert two standalone switches into a Virtual

Switching System.
NetConfig allows you to make configuration changes to your managed

network devices whose configurations are archived in the
Configuration Archive.
Configuration Management gives you easy access to the configuration
files for all devices or Cisco IOS-based Catalyst switches, Content
Service Switches, Content Engines, and Cisco routers in the LMS
inventory.
It also describes how to check for configuration compliance.
To ensure rapid, reliable software upgrades, Software Management

automates many steps associated with upgrade planning, scheduling,
downloading, and monitoring.
It also describes how to convert a Virtual Switching System back to

standalone switches.
Chapter 11, Configuring
VLAN
Describes how to configure and manage a Virtual Local Area Network

(VLAN) in your network.
It also describes how to configure and manage a Private VLAN
(PVLAN), Trunk, and also assign ports to VLANs.
1-2
OL-25941-01
Chapter 1

Table 1-1
Configuration Management User Guide (continued)
Chapter
Description
Chapter 12, Configuring

Virtual Routing and
Forwarding (VRF)
Describes how to perform end-to-end VRF configurations in an

enterprise network using LMS.
Chapter 13, Viewing

Topology Services
Describes how to view and monitor your network including the links
and the ports of each link using Topology Services in LMS.
Appendix A, CLI Utilities
Describes how to use the CiscoWorks Command Line (CWCLI)

utilities in LMS.
Appendix B, Config
Template XML Schema
Describes how to create new configuration templates that can be

deployed using the Template Center feature.
Appendix C,
Troubleshooting Tips and
FAQs
Describes the Troubleshooting tips and FAQs.

This section provides an overview of the Configuration Management tasks supported in LMS. The
information is organized as follows:
Configuration Tasks
Menu Navigation Path
Description
Configuration > Dashboard:

Configuration
You can view and configure the following

configuration dashboard portlets:
Dashboard
Configuration
Discrepancies
Device Change Audit
Inventory Config Protocol Summary
Hardware Summary
Job Approval
Software Summary
Syslog Alerts
Compliance
Compliance
Templates
Configuration > Compliance:

Compliance Templates
You can perform the following compliance

tasks:
Manage Baseline templates
Run compliance check
Deploy Baseline templates
Run compliance check and deploy jobs

OL-25941-01
1-3
Chapter 1
Configuration Tasks
Description
Out-of-Sync
Summary
Configuration > Compliance:

Out-of-Sync Summary
You can generate an Out-of-Sync report for

the group of devices for which running
configurations are not synchronized with the
startup configuration.
Compliance
Configuration > Job Browsers:

Compliance
You can view the compliance check and

deploy job status.
Configuration
Archive

Configuration Archive
You can manage archive management jobs.
Template Center

Template Center
You can browse the template deployment

jobs registered on the system. Using the
Template Center, you can manage template
jobs. That is, you can stop, delete, refresh, or
filter jobs using this job browser. You can
also view the template job details such as
work order, device details, and job summary.
NetConfig

NetConfig
Using the Job Browser, you can manage

NetConfig jobs. That is, you can edit, stop,
delete, or filter jobs using this job browser.
Software Image
Management

Software Image Management
You can view all your scheduled Software

Management jobs. You can edit, stop, delete
the jobs using the Software Image
Management Job Browser.
Config Editor

Config Editor
You can manage configuration editor jobs.
Job Approval

Job Approval
You can approve configuration jobs.
Job Browsers
Tools
Template Center
Configuration > Tools: Template Template Center in LMS provides you with a
Center
list of system-defined templates. These
templates contain configuration commands
that can be deployed on the devices in your
network.
You can perform the following tasks from
Template Center:
Deploying Templates
Managing Templates
Importing Templates
Assigning Template to users
Viewing and Managing Template Center

Jobs
1-4
OL-25941-01
Chapter 1

Configuration Tasks
Description
NetConfig
Configuration > Tools:

NetConfig
You can perform the following NetConfig

tasks:
Config Editor
Software Image
Management
Configuration > Tools: Config

Editor
Deploying NetConfig jobs
Assigning Tasks to users
User Defined Tasks
You can open a configuration file, edit it,

save it in a private location or in public
location using the following tasks:
Open and edit config files
Save config files as private
Save config files as public
Configuration > Tools: Software You can perform the following Software
Image Management
Image Management tasks:
Patch Distribution
Software Distribution
Software Repository
Repository Synchronization
Upgrade Analysis
Software Management Jobs
Workflows
VLAN
VRF-lite
Configuration > Workflows:

VLAN

VRF-lite
You perform the following VLAN tasks:
Configure VLAN
Delete VLAN
Create Private VLAN
Delete Private VLAN
Configure Port Assignment
Configure Promiscuous Ports
Create Trunk
Modify Trunk Attributes
You can perform the following Virtual

Routing and Forwarding (VRF) tasks:
Create VRF
Edit VRF
Extend VRF
Delete VRF
Edge VLAN Configuration

OL-25941-01
1-5
Chapter 1
Configuration Tasks
Description
Virtual Switching
System

Virtual Switching System
You can convert two standalone switches

into a Virtual Switching System or convert
Virtual Switching System back to standalone
switches.
Configuration > Configuration

Center
You can view all the launch points for all

types of device or feature configurations
supported in LMS.
1-6
OL-25941-01
Chapter 1

Configuration Tasks
Description
Summary

Archive: Summary
You can view the configuration archival

status and summary.
Views

Archive: Views
You can search archives using version tree

and version summary. Views list the
following links:
Custom Queries
Search Archive
Version Summary
Version Tree
Synchronization

Archive: Synchronization
You can schedule a job to update the

configuration archive for selected group of
devices.
Compare Configs

Archive: Compare Configs
You can compare the following

configurations:
Startup vs Running
Running vs Latest Archived
Two Versions of the Same Device
Two Versions of Different Devices
Base Config vs Latest Version of

Multiple Devices
Label Configs

Archive: Label Configs
A label is a name given to a group of

customized selection of configuration files.
You can select configuration files from
different devices, group and label them.
Protocol Usage
Summary

Archive: Protocol Usage
Summary
You can view the configuration protocol

usage details for successful configuration
fetches.
Configuration > Topology
You can launch Topology Services to view

and monitor your network.
Topology
Topology Services

OL-25941-01
1-7
Chapter 1
Configuration Center is a launch point for all types of device or feature configurations supported in
LMS.
The various device or feature configurations supported in LMS are
Configuration
Description
Technologies and Services
Auto Smartport
Auto Smartports macros dynamically configure switch ports based on the

device type detected on the port.
You can:
Credential
EEM
EnergyWise
Assess Auto Smartports readiness of the network.
Upgrade IOS, wherever required, to make the device ASP capable.
Deploy Auto Smartports templates on selected devices.
Add or edit macros, system-defined, user-defined, or remote macro,

associated to an event.
Enable or disable Auto Smartports on selected interfaces of the selected

devices.
Modify or disable Auto Smartports configuration on ASP enabled devices.
You can:
Configure or change enable or secret password to enter in enable mode on

devices.
Configure local username and password authentication on devices.
Configure SSH.
Add, remove, and edit Telnet passwords.
You can:
Configure EEM scripts or applets on selected devices.
Configure the EEM policy.
Register or unregister a script or applet.
Configure EEM environmental variables that are used by the TCL script.
You can measure, monitor, and manage the way your devices consume energy.
You can:
Assess EnergyWise readiness of the network.
Upgrade IOS, wherever required, to make the device EnergyWise capable.
Define EnergyWise domains.
Associate devices to the EnergyWise domain.
Define Endpoint group and configuring EnergyWise policies.
1-8
OL-25941-01
Chapter 1

Configuration
Description
Gold
You can configure Boot Level Diagnositc tests and configure GOLD
Monitoring tests on devices.
You can:
Identity
Configure Boot Level diagnositc tests.
Configure GOLD monitoring tests.
Configure Health Monitoring diagnostics.
Enable or disable Health Monitoring diagnostics test.
Configure Health Monitoring interval.
Identity offers authentication, access control, and user policies to secure

network resources and connectivity.
You can:
MACsec
Assess Identity readiness of the network.
Upgrade IOS, wherever required, to make the device Identity capable.
Configure RADIUS settings.
Configure security modes, authentication profile, and host mode.
Configure MACsec on capable devices.
You can configure MACsec to provide secure, encrypted communication on

wired LANs.
You can use this template to configure:
Performance
Monitoring
Security policy to be applied to the session after the supplicant passes

802.1x authentication.
Authentication Failure Policy.
MKA policy.
You can configure the following for endpoints like Cisco Unified Video
Advantage (CUVA), Cisco TelePresence Movi, Tandberg, and Webex Servers:
Configure a flow record to specify the fields you want to monitor.
Configure a policy to include one or more classes.
Reaction ID, jitter and threshold of lost packets.
You can configure a flow record and specify how the collected data is
aggregated and presented.
PfR
Performance Routing provides best path optimization and load balancing of

traffic over the WAN and to the Internet for enterprise networks with multiple
paths.
You can:
Configure traffic classes for performance routing.
Configure performance metrics of these individual traffic classes.
Control the traffic by applying suitable traffic class and link policies.

OL-25941-01
1-9
Chapter 1
Configuration
Description
Port Macros
You can configure Auto Smartport macros on devices.

You can:
QoS
Enable or disable Auto Smartport at device level.
Apply or remove Auto Smartport policy definitions.
This template provides QoS macros to switch ports upon detection of a

Medianet endpoint.
You can:
RSVP
Select specific network traffic.
Prioritize it according to its relative importance.
Use QoS macros to provide preferential treatment of traffic in your

network.
Resource Reservation Protocol (RSVP) signals the QoS needs of an

application's traffic, along the devices, in the end-to-end path through the
network.
You can configure:
User or application that requires an RSVP request.
Bandwidth that has to be reserved.
Admission policy that the devices use to admit the RSVP message.
SCH
You can use this template to enable Smart Call Home on MDS, Nexus, IOS and
ASA platforms.
SGA
You can propagate the Security Group Tags (SGT) across network devices that
do not have hardware support for Cisco TrustSec.
Smart Install
Default SGT Exchange Protocol (SXP) password.
SXP address connection.
Default SXP source IP address.
Smart Install is a configuration and image management feature that provides

zero-touch deployment for new devices.
You can:
SNMP
Assess the readiness of your network for Smart Install capable directors.
Upgrade IOS, wherever required, to make the device Smart Install

capable.
Discover and enable Smart Install on Smart Install capable directors.
Manage configuration files and images of clients in the Smart Install

director.
Configure DHCP settings for Smart Install.
You can configure SNMP community strings, SNMP security feature, and
SNMP traps on devices.
1-10
OL-25941-01
Chapter 1

Configuration
Description
TACACS
You can configure:
Video Conferencing
TACACS authentication
TACACS+ authentication
RADIUS on devices
You can use this template to configure different video endpoints for video
conferences.
You can configure three types of video profiles:
Homogeneous Video Conference
Heterogeneous Video Conference
Guaranteed Audio Conference
Video Transcoding
You can use this template to configure video transcoding when the bit rate,
frame rate, resolution, or codec is different between two endpoints.
VLAN
You can configure and manage VLAN, Private VLAN (PVLAN), Trunk, and
also assign ports to VLANs.
VRF-Lite
You can select Layer 2 or Layer 3 devices and configure VRF on the selected
devices.
You can:
VSS
Select the Layer 2 or Layer 3 devices from the Distribution Layer or the
Core Layer.
Configure VRF on the selected devices.
Configure details of the VRF like: VRF Name, Route Distinguisher, and
description of VRF.
Map an interface to a VRF.
Configure the routing protocol to the selected devices on which VRF is

configured.
You can convert VSS-capable standalone switches to a Virtual Switching

System.
You can:
Select devices for VSS configuration
Perform hardware compatibility checks on the devices
Perform software compatibility checks on the devices and generate

compliance report
Define configuration parameters
Deploy commands on the devices to enable VSS mode
Validated Designs
Access Switch
Configuration
You can use this template to configure QoS, rate limiting, ACLs, OSPF for
routed access, and IPv6 on Access switches.
Cisco Smart Business This template provides resilience, QoS, security, and, scalability for Cisco
Architecture
Smart Business Architecture (SBA) networks.

OL-25941-01
1-11
Chapter 1
Configuration
Description
Small Branch
Configuration
You can use this template to configure security features like GETVPN,
DMVPN, Firewall, IPS and unified communications.
Configuration Tools
NetConfig Templates
You can configure:
General Settings
NetConfig provides system-defined configuration tasks. You can create
configuration commands by using these tasks. All System-defined tasks
are categorized into various task groups in the Tasks Selector.
User-defined tasks
You can create user-defined tasks and add one or more templates to each
task. The templates contain configuration commands and rollback
commands. You can enter the configuration commands either by typing
them or by importing them from a file. The template is associated with the
MDF categories of devices, for which these templates will be applicable.
Template Center
You can deploy system-defined templates and user-defined templates on

devices in your network.
You can configure the following types of templates:
Custom TemplatesLists all the user-defined templates assigned to the

current user.
Cisco Best Practices TemplatesLists all the system-defined templates.
Note
Some of the NetConfig Tasks will be listed as Cisco Best Practice

templates from LMS 4.2.1 Release.
1-12
OL-25941-01
CH A P T E R

This chapter provides information on the Configuration dashboard in LMS.
Configuration dashboard in LMS provides information such as the date of last configuration change,
status of the configuration jobs, summary of configuration protocol, Hardware and Software summary.
The Configuration dashboard shows the following list of portlets:
Discrepancies
Device Change Audit
Hardware Summary
Job Approval
Software Summary
Syslog Alerts

You can view the deviation type and the number of deviations using the Best Practices Deviation portlet.
The Best Practices Deviation portlet helps you to view deviations from normal or recommended
practices in a network and provides information on each of the Best Practice deviations reported in LMS.
These deviations do not have a serious impact on the functioning of the network.
This portlet gives a description of the Best Practice Deviation. It includes the impact, if any, that the
deviation has on the network and ways to resolve the deviation.

OL-25941-01
2-1
Chapter 2
Discrepancies
Table 2-1 lists Best Practices Deviation portlet details.

Table 2-1
Best Practices Deviation Porlet Details
Field
Description
Type
Brief description of the deviation from the Best Practice.
Count
Number of deviations.
Click the number corresponding to the deviation to navigate to the Unacknowledged Best Practices
Deviation Reports.
This page displays details such as the type, summary, first found and remarks.
You can click the portlet name in the title bar to navigate directly to the Report Generator page. Select
Best Practices Deviations from the Select a Report drop-down list to navigate to the Best Practices
Deviations page.
Discrepancies
In the Discrepancies portlet, you can view the type and count of discrepancies, such as network
inconsistencies and anomalies or misconfigurations in the discovered network.
The Discrepancy portlet gives a description of the discrepancy, the impact it has on the network, and
ways to resolve it.
LMS provides reports on discrepancies in the discovered network, enabling identification of
configuration errors such as link-speed mismatches on either end of a connection. Discrepancies are
computed at the end of each data collection schedule.
Table 2-2 lists the Discrepancies portlet details.
2-2
OL-25941-01
Chapter 2

Table 2-2
Discrepancy Porlet Details
Field
Description
Type
Type of the discrepancies such as network inconsistencies, anomalies or

misconfigurations in the network.
The available types are:
Count
Port is in Error Disabled StateCount of switch ports in the

discovered network have a status of errDisable.
VTP Disconnected DomainCount of devices that are part of the

same VTP domain have different VTP configuration revision
numbers.
Link Duplex MismatchCount of discrepancies when there is a

duplex mismatch between links.
Devices with duplicate SysNameCount of discrepancies when LMS

discovers two devices with the same SysName.
Trunk VLANs MismatchCount of discrepancies when the list of

active or allowed VLANs between the two ends of a trunk do not
match.
Number of deviations.
Click the number corresponding to the deviation to navigate to the
Unacknowledged Discrepancy Report in the application.
You can click the portlet name in the title bar to navigate directly to the Report Generator page. Select
Discrepancies from the Select a Report drop-down list to navigate to the Network Discrepancy page.

In the Job Information Status portlet, you can view the status of up to 20 jobs of the installed
applications. You can click the portlet name in the title bar of the portlet to navigate to the Job Browser
page.
Table 2-3 lists Job Information Status portlet details.
Table 2-3
Job Information Status Porlet Details
Field
Description
Job ID
Unique ID assigned to the job by the system, when the job is created. The Job IDs are
displayed in ID.No.of.Instances format in periodic jobs.
For example, the Job ID 1002.11 indicates that this is the eleventh instance of the job
whose ID is 1002.
When you click the Job ID, the job details, if available, are displayed.
Job Type
Type of the job.

For example, Inventory Collection, SyslogDefaultPurge, and NetConfig Job.

OL-25941-01
2-3
Chapter 2
Device Change Audit
Table 2-3
Job Information Status Porlet Details
Field
Description
Status
Status of the scheduled jobs that are completed.

The Job status include Succeeded, Failed, Crashed, Cancelled, and Rejected.
The status of the succeeded jobs are displayed in green and the Failed, Crashed,
Cancelled, and Rejected jobs are displayed in red.
Job Description
Description of the job provided by the job creator.

It can contain alphanumeric characters.
Owner
Name of the user who created the job.
Scheduled At
Date and time when the job is scheduled to run.
Device Change Audit

In the Device Change Audit portlet, you can view the changes in the inventory and configuration
information for all the devices after every Inventory or Configuration Collection.
However, the VLAN config change details will not be displayed.
The changes in the exception period are displayed in red.
Table 2-4 lists the Device Change Audit portlet details.
Table 2-4
Device Change Audit Portlet Details
Field
Description
Device Name
Device name as entered in the Device and Credential Repository. Click or

hover the mouse over the device name to view device details.
User Name
Name of the user who performed the change. This is the name entered when
the user logged in.
It can be the name under which the LMS application is running, or the name
using which the change was performed on the device.
The User Name field may not always reflect the user name.
The User Name is reflected only when:
Config change was performed using LMS
Config change was performed outside LMS, and the network has
username based on AAA security model
wherein authentication is performed by a AAA server (such as
TACACS/RADIUS or local server).
Creation Time
Date and the time at which the application communicated the network change
or when Change Audit saw the change record.
Message
Brief summary of the changes in the network change.

You can click the Message link to navigate to the 24-hour Inventory Change
Report details page.
2-4
OL-25941-01
Chapter 2

You can click the portlet name in the title bar to navigate directly to the Report Generator page.
To configure the Device Change Audit portlet:
Step 1
Move the mouse over the title bar of the Device Change Audit portlet to view the icons.
Step 2
Click the Configuration icon. You can:
Step 3
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time. The
items in the portlet get refreshed at the changed Refresh time.
Select the Only Exception Period Report checkbox to view any of the special or extraordinary period
report.
Click Save to view the configured portlet with the changed settings.

In Config Protocol Summary portlet, you can view the configuration protocol usage details for
successful configuration fetches.
Table 2-5 lists the Config Protocol Summary details.
Table 2-5
Config Protocol Summary Details
Field
Description
Protocol
Protocols used by LMS for fetching the configuration.
Config Type
The Configuration types for the various protocols. The available types are:
Running Count of the successful running configuration fetched for each protocol.
Startup Count of the successful startup configuration fetched for each protocol.
VLAN Count of the successful VLAN configuration fetched for each protocol. This
configuration fetch is supported by only Telnet and SSH protocols.
Click the Count link to view a detailed report for a protocol and corresponding Config Type. The
detailed report shows the list of devices which are accessed using a particular protocol and for
which successful Config Fetch has happened.
Example:
If you click on a Count link, 20, for Telnet protocol and Running Config Type, a detailed report is
generated with the following fields:
Device Name Device Name of each device.
Accessed At Date and time at which each device was accessed for Config Fetch purpose.
Config Type Configuration type for each device.
File Type - Configuration file type for each device.
This detailed report shows only the devices for which Telnet has successfully fetched
configurations.
You can use the export icon to export the list of devices from this detailed report to the device selector.

OL-25941-01
2-5
Chapter 2
Hardware Summary
Table 2-5
Config Protocol Summary Details (continued)
Field
Description
Config
NeverCollected
The count of devices for which configuration fetch has never happened.
Edit Protocol Order
Click this button, if you want to change the transport protocol order.
Click the Count link to launch the Configuration Never Collected Device page.
Hardware Summary
In the Hardware Summary portlet, you can view a pie graph that displays the distribution of all managed
Cisco devices in the inventory. The graph plots the percentage count of devices, based on Cisco
MetaData Framework (MDF) categorization of devices.
Each section represents the device category, the device count and percentage of total devices.
The portlet has the following view options:
View as GridShows the information in a table format.
View as ChartShows the information in a pie-chart format.
Table 2-6 lists Hardware Summary portlet details.

Table 2-6
Hardware Summary
Fields
Description
Network Management
Percentage of network management used.
DSL and Long Reach Ethernet
Percentage of Ethernet used.
Security and VPN
Percentage of security and VPN used.
Switches and Hubs
Percentage of switches and hubs used.
Routers
Percentage of routers used.
Count
Count of the devices.

For instance, you can click the number corresponding to Switches
and Hubs to navigate to the Hardware Report details page.
For more information on how to generate the report, see section Generating a Hardware Report in
Reports Management with Cisco Prime LAN Management Solution 4.2.
2-6
OL-25941-01
Chapter 2

Job Approval
Job Approval
In Job Approval portlet, you can view the list of all jobs.
Table 2-7 lists Job Approval portlet details.
Table 2-7
Job Approval Portlet Details
Field
Description
Job ID
ID of the job that has been given for approval.

ID is the unique number assigned to the job. For periodic jobs such as Daily, Weekly, and so on, the
job IDs are in the number.x format. The x represents the number of instances of the job.
For example, 1001.3, indicates that this is the third instance of the job ID 1001.
Click the Job ID hyperlink to view the job details.
Job Description
Description of the job.
Job Schedule
Date and time for which the job has been scheduled.
The Job Approval portlet allows you to approve or reject a job for which you are an approver. A job will
run only if it is approved. If the job is not approved by its scheduled runtime, or if an approver rejects
it, the job is moved to its rejected state and will not run.
For periodic jobs, only one instance of the job needs to be approved. If one instance is approved, all other
instances are also considered as approved.
You are notified by e-mail, when a job that has to be approved by you is created.
This portlet enforces the approval process by sending job requests through e-mail to people on the
approver list.
You can click the portlet name in the title bar to navigate directly to the Jobs Pending Approval details
page in LMS.
In the Job Approval portlet, you can view the list of Job details.
You can configure the Job Approval portlet to set the number of records to be displayed in the portlet
and refresh time both manually and automatically.
To configure the Job Approval portlet:
Step 1
Move the mouse over the title bar of the Job Approval portlet to view the icons.
Step 2
Click the Configuration icon.
Step 3
You can:
Step 4
Select the minute and hour from the Refresh Every drop-down list to change the refresh time. The
items in the portlet get refreshed at the changed Refresh time.
Select the number of records to be displayed in the portlet from the Show Last Records drop-down
list.
Click Save to view the portlet with the configured settings.

OL-25941-01
2-7
Chapter 2
Software Summary
Software Summary
In the Software Summary portlet, you can view the software version information and count for selected
devices such as Cisco Interfaces and Modules, Switches and Hubs, Universal Gateways and Access
Servers, and Routers.
Table 2-8 lists the Software Summary portlet details.
Table 2-8
Software Summary Portlet Details
Fields
Description
Device Categories
Categories of devices used in the application.
Software Version
Software version of the device categories.
Count
Number of devices.
For instance, you can click on the number corresponding to Switches and Hubs to navigate to the
Software Report details page.
For more information on how to generate the report, see section Generating a Software Report in
Reports Management with Cisco Prime LAN Management Solution 4.2.
Configuring Software Summary Portlet
To configure the Software Summary portlet:

Step 1
Move the mouse over the title bar of the Software Summary portlet to view the icons.
Step 2
Click the Configuration icon.

You can:
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time.
The items in the portlet get refreshed at the changed Refresh time.
Step 3
Select the number of rows to be displayed in the portlet from the No. of Rows to be Displayed
drop-down list.
Syslog Alerts
The Syslog Alerts portlet displays the 24-hour Syslog event distribution as a pie chart. It also displays
the total number of Syslog counts.
The portlet displays the top ten syslog summary reports.
The portlet has the following view options:
View as GridShows the information in a table format.
View as ChartShows the information in a pie-chart format.
2-8
OL-25941-01
Chapter 2

Syslog Alerts
To configure the Syslog Summary portlet:

Step 1
Move the mouse over the title bar of the Syslog Summary portlet.
Step 2
Click the configuration icon.

You can:
Select the minute and hour from the Refresh Every drop-down list to change the Refresh time.
The items in the portlet get refreshed at the changed refresh time.
Step 3
Select the number of rows to be displayed in the portlet from the No.of Rows to be Displayed
drop-down list.
Select the Show graph checkbox.

OL-25941-01
2-9
CH A P T E R

This chapter guides you to manage and deploy configuration templates in LMS.
It explains:
Deploying Templates
Managing Templates
Importing Templates

OL-25941-01
3-1
Chapter 3
Figure 3-1
Managing and Deploying Template Flow Diagram

Template
System Defined and User Defined Templates
Export the Relevant

Template to Client
Customize Configuration
Command using XML
Import the Customized

template to LMS
Managing Templates
Importing Templates
Export
Handle Delete
Multi-line
Commands
View
Import from Running

Configuration from Device
Deploying the Templates
Understanding Template Center Jobs Browser
Delete Job
Select the Template to

be assigned
Assign to the Selected User
Export to
XML format
Save the
Specify the commands
template as
in multiline using
User Defined
<MLTCMD></MLTCMD>
templates
Export to XML format
Refresh
Job
Select the Valid LMS User
Cisco Configuration
Professional File Import
XML Import
Customize Select
Template
the
Configuration
commands
Stop
Job
View Work
Order
Filter Job
View
Device
Details
Select Device-based
template
Select Port-based
template
Select Module-based
template
Select the Device
Select a device
Select a device
Schedule the
Deployment Job
Select a port group
Select a module group
Unselect the ports for which you do

not want to deploy the templates
Schedule the
Deployment Job
View Job
Summary
284541
Edit
Deploy the customized template

to devices available in the network
Schedule the Deployment Job

The Template Center in LMS provides you with a list of both system-defined templates and user-defined
templates. These templates contain configuration commands that can be deployed on the devices in your
network. These templates are deployed using Deploy Template jobs in LMS.
You can make customized versions of these system-defined templates, by exporting them, changing
CLI's/parameters in template XML according to needs, and importing it back after changing the template
name. You can also import templates from a client machine and these templates are stored as
user-defined templates in LMS.
It is highly recommended to the user to understand the commands in the template and use it according
to their network requirements and other configurations already done/to be done.
To access Template Center, go to Configuration > Tools > Template Center.
Table 3-1 describes a list of system-defined templates shipped into LMS 4.2.
3-2
OL-25941-01
Chapter 3

Table 3-1
System-defined Templates
Template
Description
DMP Location Configuration
This template configures location information on access ports connected to Digital

Media Player. This is a port-based template.
Guaranteed Audio
This Template offers voice services with point-to-point guarantees in an MPLS

network. It also offers predictable packet delivery characteristics at various
network conditions and loads.
When you configure this profile, the system attempts to display video for all
participants; however, it does not guarantee that the video of all participants is
displayed. For those participants whose video is not displayed, participants are
downgraded to audio-only and the profile guarantees preservation of the audio
portion of the call.
Heterogeneous Video Conference
This template allows the participants to use different video formats.

You can configure different frame rates, bit rates, codecs, or resolutions, and you
have the flexibility to choose what profiles to configure, depending on the nature
of the participants.
Homogeneous Video Conference
This template allows all the participants in the conference to use the same video
format. You must configure the same bit rate, frame rate, codec, resolution, and so
on . Only one codec, resolution, and bit rate is configured. All other participants
are forced to negotiate to match this profile to join the video conference. If
negotiation fails, they fall back to audio-only participants.
Identity - Change of Authorization
This template provides a mechanism for changing the attributes of a session after
authentication. When a change in authentication, authorization, and accounting
(AAA) policy occurs for a user or user group, administrators can send the RADIUS
CoA packets from the AAA server, such as the Cisco Secure Access Control
Server (ACS), to re-initialize authentication and apply the new policies.
In LMS, you can use this CoA template to generate the configuration commands
that can be deployed on devices in your network device to enable Change of
Authorization on the device.
IPVSC Location Configuration
This template configures location information on access ports connected to IP

Video Surveillance Camera. This is a port-based template.
L2 Access Edge Interface Configuration This template focuses on Ethernet access interface. It provides Cisco best practice
for interface configuration that includes Port security, dhcp snooping, IP Source
guard (IPSG), Dynamic ARP Inspection (DAI) and Quality of Service (QoS).
This template requires global configuration for IPSG, DAI, and DHCP snooping.
Location Configuration
This template configures location information on access ports connected to any

endpoint. This is a port-based template.

OL-25941-01
3-3
Chapter 3
Table 3-1
System-defined Templates (continued)
Template
Description
MACsec
This template allows you to enable MACsec to provide secure, encrypted

communication on wired LANs.
MACsec allows unauthorized LAN connections to be identified and excluded from
communication within the network. MACsec defines a security infrastructure to
provide data confidentiality and data integrity. MACsec can mitigate attacks on
Layer 2 protocols and work with any type of traffic carried over Ethernet links.
Security policy to be applied to the session after the supplicant passes 802.1x
authentication.
Authentication Failure Policy.
MKA policy.
Guidelines for this template:
Select any value from the Authentication Failure Policy drop-down list, only
if Static Link Policy is Always Secure Sessions.
For other values of Static Link Policy, select No Change as the Authentication
Failure Policy.
Enter a value for VLAN To Be Used only if Authentication Failure Policy is

Authorize into a VLAN.
Enter a name of the other MKA Policy only if MKA Policy is Other Policy.
Note
If you do not adhere to these guidelines, wrong commands can get

deployed.
3-4
OL-25941-01
Chapter 3

Table 3-1
Template
Description
Performance Monitoring
You can configure the following for endpoints like Cisco Unified Video Advantage
(CUVA), Cisco TelePresence Movi, Tandberg, Webex Servers, and voice data on
all endpoints:
A flow record to specify the key and non-key fields you want to monitor.
A flow monitor that includes the flow record and flow exporter.
A class to specify the filtering criteria.
A policy to include one or more classes.
One or more performance-monitor type flow monitors.
Reaction ID, jitter and threshold of lost packets.
Before you deploy any Performance Monitoring template on a router, you must
apply the license command on the router devices.
To apply the license in a router:
1.
Go to config mode.
2.
Enter the following commands:

license boot module <device series> technology-package datak9
wr mem
3.
Reboot the router.
Performance Monitoring-CUVA
This template allows you to configure Performance Monitor on Cisco Unified

Video Advantage (CUVA). CUVA adds video to your communications experience
by providing video telephony functionality to Cisco Unified IP phones.
Performance Monitoring-Movi
This template allows you to configure Performance Monitor on Cisco

TelePresence Movi. Cisco TelePresence Movi extends the benefits of face-to-face
video collaboration to remote workers.
Performance Monitoring-Tandberg
This template allows you to configure Performance Monitor on all Cisco all
Tandberg Endpoints. Tandberg video endpoints work together to provide video
users with the full functionality of IP telephony.
Performance Monitoring-Voice
This template allows you to configure Performance Monitor for voice data on all
endpoints.
Performance Monitoring-Webex Servers This template allows you to configure Performance Monitor on Webex Servers.
PFR
This template caters for Performance Routing (PFR) that provides best path
optimization and advanced load balancing of traffic over the WAN and to the
Internet for enterprise networks with multiple paths.
You can
Configure traffic classes for performance routing.
Configure performance metrics of these individual traffic classes.
Control the traffic by applying suitable traffic class and link policies.

OL-25941-01
3-5
Chapter 3
Table 3-1
Template
Description
QoS
This template provides Quality of Service (QoS) macros to switch ports upon
detection of a Medianet endpoint.
You can
RSVP
Select specific network traffic.
Prioritize it according to its relative importance.
Use QoS macros to provide preferential treatment of traffic in your network.
Resource Reservation Protocol (RSVP) signals the QoS needs of an application's

traffic along the devices, in the end-to-end path through the network.
You can configure:
SBA
User or application that requires an RSVP request.
Bandwidth that has to be reserved.
Admission policy that the devices uses to admit the RSVP message.
LMS provides various Smart Business Architecture (SBA) templates to configure

resilience, QoS, security and, scalability for SBA networks, for different types of
devices. For more information, see Creating Configuration Templates.
SCH
SCH on IOS and ASA platforms
This template allows you to configure Smart Call Home (SCH) parameters on IOS
and ASA devices.
SCH on MDS platform
This template allows you to configure Smart Call Home parameters on MDS
devices.
Note
You can use this template only on MDS devices with NX-OS 4.1(3) or
higher software version. SanOS is not supported for the HTTPS transport.
In this template, when you enter the Contact Phone Number, it should be in
international format and begin with a + sign. You can use hyphens but no spaces
in between, for example:
+1-100-100-1000
+11001001000
+919840011111
The phone number can have a maximum of 17 characters, including the + sign.
LMS validates only the format of the phone number and not the maximum length.
If the phone number has more than 17 characters, the command will fail when you
deploy the template on the device.
3-6
OL-25941-01
Chapter 3

Table 3-1
Template
Description
SCH on Nexus platform
This template allows you to configure Smart Call Home parameters on Nexus
devices.
Note
You can use this template only on Nexus devices with NX-OS 4.1(3) or
higher software version. SanOS is not supported for the HTTPS transport.
In this template, when you enter the Contact Phone Number, it should be in
international format and begin with a + sign. You can use hyphens but no spaces
in between, for example:
+1-100-100-1000
+11001001000
+919840011111
The phone number can have a maximum of 17 characters, including the + sign.
LMS validates only the format of the phone number and not the maximum length.
If the phone number has more than 17 characters, the command will fail, when you
deploy the template on the device.
SGA Access
The Security Group Access (SGA) Access template allows you to enable SXP on
the Access devices and allows you to propagate the Security Group Tags (SGT)
across network devices that do not have hardware support for Cisco TrustSec.
SGACL-IOS
In security group access lists (SGACLs), you can control the operations based on
assigned security groups. The grouping of permissions into a role simplifies the
management of the security policy. As you add users to the Cisco NX-OS device,
you simply assign one or more security groups and they immediately receive the
appropriate permissions. You can modify security groups to introduce new
privileges or restrict current permissions.
SGACL-NEXUS
In security group access lists (SGACLs), you can control the operations based on
assigned security groups. The grouping of permissions into a role simplifies the
management of the security policy. As you add users to the Cisco NX-OS device,
you simply assign one or more security groups and they immediately receive the
appropriate permissions. You can modify security groups to introduce new
privileges or restrict current permissions.
SGA Core
The Security Group Access (SGA) Core template allows you to enable SXP on the
Nexus devices and allows you to propagate the Security Group Tags (SGT) across
Nexus devices that do not have hardware support for Cisco TrustSec.

OL-25941-01
3-7
Chapter 3
Table 3-1
Template
Description
Small Branch EIGRP DMVPN FaxRelay This Template caters for services ready small branch. The configuration includes
security features like DMVPN (primary and backup), Firewall (Zone based), IPS
and unified communications (SRST).
The WAN link is T1, encapsulation is Frame Relay. Backup is SHSDL with ATM
IMA.
Hardware and Software Pre-requisites
HWIC-1T1/E1, PVDM2-32, AIM-CUE, 128 MB DRAM, 64 MB flash
1800 series with IOS 12.4.(20)T2 K9 and above with advanced enterprise package.
Small Branch EIGRP DMVPN Only
This Template caters for services ready small branch. The configuration includes
security features like DMVPN (primary and backup), Firewall (Zone based), IPS.
IMA.
HWIC-1T, HWIC-2SHDSL, 128 MB DRAM, 64 MB flash
T100 Crads should be available in the device.
Small Branch EIGRP GETVPN

FaxPassThrough
security features like GETVPN (primary) and DMVPN (backup), Firewall ( Zone
based), IPS and unified communications (CME SIP).
The WAN link is T1 encapsulation is PPP. Backup is SHSDL with ATM IMA.
Small Branch OSPF GETVPN

FaxPassThrough
security features like GETVPN (primary) and DMVPN (backup), Firewall ( Zone
based), IPS and unified communications (SIP SRST).
IMA.
SXP-IOS
Some network devices do not support secured group tag (SGT). For such devices,
you can use the SGT Exchange Protocol (SXP) to propagate SGTs. This template
is used for SXP configuration. An SXP peer that sends IP-to-SGT binding
information to another peer is called SXP Speaker. Any device that receives the
binding table and applies it to the ingress port for tagging is called SXP listener.
You must configure the SXP peer connection on both the speaker and the listener.
When using password protection, make sure that you use the same password on
both the speaker and the listener devices.
3-8
OL-25941-01
Chapter 3

Table 3-1
Template
Description
SXP-NEXUS
Some network devices do not support secured group tag (SGT). For such devices,
you can use the SGT Exchange Protocol (SXP) to propagate SGTs. This template
is used for SXP configuration. An SXP peer that sends IP-to-SGT binding
information to another peer is called SXP Speaker. Any device that receives the
binding table and applies it to the ingress port for tagging is called SXP listener.
You must configure the SXP peer connection on both the speaker and the listener.
When using password protection, make sure that you use the same password on
both the speaker and the listener devices.
Video Transcode
The template provides video transcoding services, where video can be converted
from one format to another.
You can configure video transcoding when the bit rate, frame rate, resolution, or
codec is different between two endpoints.
Note
The Basic Small Branch Network provides security and network manageability for the small branch, and
integrates the various network services to the branch office router. To deploy these templates ensure that
device management IP address is configured in Fa 0/0. This template will remove the IP address in all
the other interfaces mentioned in the template.
The above note is applicable for templates such as Small Branch EIGRP DMVPN Only, Small Branch
OSPF GETVPN FaxPassThrough, Small Branch EIGRP DMVPN FaxRelay and Small Branch EIGRP
GETVPN FaxPassThrough.
Supported SBA Templates
LMS provides various SBA templates to configure resilience, QoS, security, and scalability for Smart
Business Architecture networks, for different types of devices. The various SBA templates supported in
this release are:
Name of Template
Description
Access Switch Global Configuration
Use this template to configure Virtual LANs, in-band management, DHCP snooping and ARP inspection on the switch.
Distribution Layer Switch Global

Configuration
Use this template to configure an in-band management interface, IP unicast routing, and IP multicast routing.
Core Switch Global Configuration
Use this template to configure an in-band management interface, IP unicast routing, IP multicast routing. Use this
template to configure an in-band management interface, IP
unicast routing, and IP multicast routing.
LAN Switch Universal Configuration
Use this template to configure the features and services that

are common across all LAN switches, regardless of the type
of platform or role in the network.These are system settings
that simplify and secure the management of the solution.

OL-25941-01
3-9
Chapter 3
Name of Template
Description
Client Connectivity Configuration
Use this template to configure switch interfaces to support

clients and IP phones, port security on the interface, DHCP
snooping, and ARP inspection and BPDU Guard on the interface.
Multicast Source Discovery Protocol

(MSDP) for Core Switches
Use this template to enable Multicast Source Discovery

Protocol (MSDP) for core switches.
Catalyst 4500 Access Switch Global

Configuration
Use this template to configure Virtual LANs, in-band management, DHCP snooping and ARP inspection on the switch.
Catalyst 4500 Distribution Layer Con- Use this template to configure connectivity to access layer
nectivity to Access Layer
switches.
Catalyst 4500 Client Connectivity
Configuration
Use this template to configure switch interfaces to support

clients and IP phones, port security on the interface, DHCP
snooping, ARP inspection and BPDU guard on the interface.
Catalyst 4500 Platform Configuration This is a platform template that defines macros used in
Catalyst 4500 Series templates to apply the platform specific
configuration.
Catalyst 4500 and 6500 LAN Switch
Universal Configuration
Use this template to configure the features and services that

are common across all LAN switches, regardless of the type
of platform or role in the network.These are system settings
that simplify and secure the management of the solution.
Catalyst 6500 Series switches

Platform Configuration
This is a platform template that defines macros used in

Catalyst 6500 Series templates to apply the platform specific
configuration.
Catalyst 6500 Distribution Layer

Switch Global Configuration
Use this template to configure an in-band management interface, IP unicast routing, IP multicast routing.
Catalyst 3750 and 3750X Platform

Configuration

Catalyst 3750 and 3750X series templates to apply the
platform specific configuration.
Catalyst 3750G Distribution Layer

Switch Global Configuration
Use this template to configure an in-band management interface, IP unicast routing, IP multicast routing.
Catalyst 2960-S and 3750-X Platform This is a platform template that defines macros that is used in
Configuration
Catalyst 2960-S and 3750-X series templates to apply the
platform specific configuration.
Distribution Layer Aggregation Configuration
Use this template to configure links in the core layer that are
configured as point-to-point Layer 3 routed EtherChannels.
Connectivity to WAN Routers and

LAN Core
Use this template to configure connectivity to WAN Routers

and LAN Core.
Infrastructure Connectivity to Routers Use this template when connecting to a network infrastrucfor 2960 Switches
ture device that does not support LACP like a router.
Catalyst 4500 Infrastructure Connectivity to Switches
Use this template to connect to another switch when LACP is

set to active on both sides to ensure a proper EtherChannel is
formed.
Catalyst 4500 Infrastructure Connectivity to Routers
Use this template to connect to a network infrastructure

device that does not support LACP like a router.
3-10
OL-25941-01
Chapter 3

Name of Template
Description
Cat6500 Connectivity to WAN

Routers and LAN Core
Use this template to connect to WAN Routers and LAN Core.
Cat6500 Distribution Layer Connectivity to Access Layer
Use this template to configure connectivity to access layer

switches.
3750X 3560X Infrastructure Connectivity to Distribution Switch
Use this template to connect to another switch when Link Aggregation Control Protocol (LACP) is set to active on both
sides to ensure that a proper EtherChannel is formed.
3750X 3560X Infrastructure Connectivity to WAN Router
Use this template to connect to a network infrastructure

device that does not support LACP like a router.
Catalyst 3750 Distribution Layer Con- Use this template to configure connectivity to access layer
nectivity to Access
switches.
Cat 2960S Infrastructure Configuration to Distribution Switches
Use this template to connect to another switch when LACP is

set to active on both sides to ensure that a proper EtherChannel is formed.
Catalyst 3560-X Platform Configuration

Catalyst 3560-X series templates to apply the platform
specific configuration.

OL-25941-01
3-11
Chapter 3

CLI templates are user-defined templates that are created based on your own parameters. CLI templates
allow you to choose the elements in the configurations. LMS provides variables that you replace with
actual values and logic statements.
Prerequisites for Creating CLI Templates
Creating CLI templates is an advanced function that should be done by expert users. Before you create
a CLI template, you should:
Understand to what devices the CLI you create can be applied.
Understand the data types supported by Prime NCS (WAN).
To create a new configuration template:

Step 1
Select Configuration > Tools > Template Center >CLI Template Creation.
Step 2
Enter the name of the template.
Step 3
Enter the help description for the template.
Step 4
Enter the template description.
Step 5
Click the icon to select the device type for applying the configuration template.
Step 6
Select the device type from the device selector and click OK.
Note
You cannot create configuration template, if you select a non supported device type.
Configuration template will be created only for supported device type, if you select both
supported and non-supported device types.
Step 7
Select the OS Name from the dropdown list.
Step 8
Enter the CLI content in the text area provided in the Template Detail pane.
For example, enter hostname
Step 9
Click Manage Variables button to include variables in the CLI content. The Manage Variable window
appears.
To add a new variable to the CLI content:
a.
Click Add Row.
b.
Enter the name of the variable. For example, enter devicehostname.
c.
Select the variable type as String, Interger or IPv4Address. For example, select string.
d.
Enter the display label of the variable. For example, Enter HostName
e.
Enter the help description for the variable.
f.
Select Required checkbox, if you want the variable to appear as mandatory field.
3-12
OL-25941-01
Chapter 3

g.
Click the arrow icon next to Name to enter the range, default value and validation expression for
the variable.
Validation expression indicates an expression which is used to validate the variable. For example,
if the variable is hostname, the following validation expression can be used:
^[\S]+$
The above expression indicates that you can enter only a single word without any spaces as
hostname.
Range field will be disabled, if you select variable type as String or IPv4Address.
h.
Click Save to save the variable details.
i.
Click Add to add the variable to the CLI content. For example, hostname ${devicehostname} will
be displayed.
To close the Manage Variable window, click Close.
You can see the content in form view on clicking the Form View tab.
You can edit or delete the required variable from the Manage Variable window.
You can also filter the variables using the Filter or Advanced Filter option.

OL-25941-01
3-13
Chapter 3
Table 3-2
Filter Details
Field
Description
Quick Filter
You can filter the variable based on the following:
Advanced Filter
Name
Type
Description
Display Name
Required
Select Match type as All or Any.
All - To filter the variables that match all the selected parameters.
Any - To filter the variables that match any of the selected parameter.
Select a parameter for which you want to filter the variables. The values
displayed are:
Default Value
Description
Display Name
Max Value
Min Value
Name
Required
Type
Validation Expression
Select the right criterion with respect to the parameter. The values are:
Contains
Does not contain
Starts with
Ends with
Is empty
Is not empty
Is exactly (or equals)
Does not equal
Is greater than
Is less than
Is greater than or equal to
Is less than or equal to
Enter a value corresponding to the parameter that you have selected.

Manage Preset Filter You can edit or remove a preset filter.
3-14
OL-25941-01
Chapter 3

Deploying Templates
Step 10
Click Save to File to save the newly created template details. To return to the previous page, click
Cancel.
Click Import to Template Center to import the newly created configuration template to Template
Center.
For details on how to use IF and FOREACH statements while generating configuration templates, see
Guidelines for Creating Configuration Templates Using IF and FOREACH Statements.
Deploying Templates
Templates are deployed to devices using Deploy Template job in LMS. You can deploy these templates
for devices, ports and modules.
By default, LMS groups the templates as:
Custom TemplatesLists all the user-defined templates assigned to the current user.
Cisco Best Practises TemplatesLists all the system-defined templates.
You can use the filter option to group the templates.

In LMS 4.2, click the expandable icon before each template (triangle-shaped) to see the details of each
template. For more details, see Template Details.
To deploy a template:
Step 1
Select Configuration > Tools > Template Center > Deploy.

The Template Deployment page appears, displaying Template Selector pane.
You can select templates to deploy configurations.
Table 3-3 describes the Template Selector pane.
Table 3-3
Template Selector
Column/Button
Description
Template Name
Shows the name of the system and user-defined templates.
Features
Shows the feature related to the template.
Type
Shows the type of the template (Partial or Complete).
PartialSupports some of the configurations for the device.
CompleteSupports complete configuration for the device.
Role In Network
Role of the device in the network layer (Edge, Core, Access, Distribution)
Category
Shows the category of the template.
Created By
User who created or imported this template. By default, for all system-defined
template it will be System and for SBA templates it will be Cisco.

OL-25941-01
3-15
Chapter 3
Deploying Templates
Table 3-3
Template Selector
Column/Button
Description
Scope
Shows the scope of the template for device, port, or module.
Filter
Click Filter. Select a Filter By criteria from the drop-down list and enter the details
in the Equals field. Click Go to filter details.
(button)
The following Filter By options are available:
Template NameSelect Template Name and enter the complete name.
TypeSelect Type and enter the type (partial, complete)
Role In NetworkSelect RIN and enter the RIN (access, distribution, core)
CategorySelect Category and enter the device category
Created BySelect Created By and enter the user name
ScopeSelect Scope and enter the scope (device, port, module)
You can also use wild card character (*) along with the search text to filter.
Step 2
Select templates and click Next.

You can select:
One Complete with multiple partial templates
Multiple partial templates
You cannot select multiple Complete templates.

When you select multiple templates, if conflicting features exists between templates, then the deploy
template flow will not proceed and a warning message is shown. See Importing Templates for more
information on conflicting features.
The Choose Device Groups pane appears, displaying the Device Selector. Choose the devices, or device
groups on which you wish to deploy the templates.
The Device Selector displays devices that are common and applicable to the selected templates.
Step 3
Note
Starting from LMS 4.2.2 Release, the single Performance Routing template will be replaced with
three templates namely PfR Basic MC (Master Controller) Template, PfR Basic Border Router,
and PfR Advanced MC Template.
Note
If the devices selected is more than 2000, the progress bar is not shown.
Select devices from the Device Selector and click Next.

If you are unable to view any devices in the Device Selector, you do not have any supported devices for
the template.
If you have selected port-related templates, Choose Port Groups pane appears, displaying the Port
Selector.
Select port groups from the Port Group Selector and click Next.
The Review Port Groups page appears with a list of selected devices and selected ports, from
the previous page, associated with each device.
3-16
OL-25941-01
Chapter 3

Deploying Templates
Unselect the ports that you want to exclude from the deployment.
Step 4
Note
Step 5
If you have selected module-related templates, Choose Module Groups pane appears, displaying the
Device Selector.
Click Next, the corresponding template pane appears, allowing you to enter the applicable values for the
template.
For SGACL-IOS template, the configuration command will fail if the device having SYSOID
1.3.6.1.4.1.9.1.282" and image version "12.2(50)SY" is not present in "adventerprisek9" package.
Enter the values and click Next.
The Adhoc Configuration for Selected Port/Device Groups pane appears, allowing you to enter the
configuration commands that will be deployed on the selected devices or ports in addition to the
commands in the template. The commands that you enter here will not be validated by LMS.
This is optional.
Step 6
Click Next.
The Schedule Deployment pane appears, displaying Scheduler and Job Options details.
Table 3-4 describes the fields and options in the Schedule Deployment pane.
Table 3-4
Schedule Deployment Pane Description
Options/Field
Description
Schedule Options
Specifies the type of schedule for the job:
ImmediateRuns the report immediately.
OnceRuns the report once at the specified date and time.
DailyRuns daily at the specified date and time.
WeeklyRuns weekly on a day of the week and at the specified time.
MonthlyRuns monthly on a day of the month and at the specified

time.
Job Description
Enter a description for the job that you are scheduling. This is a mandatory
field. Accepts alphanumeric values and special characters.
E-mail
Enter the e-mail address to which the job sends messages when the job has
run.
You can enter multiple e-mail addresses separated by comma.
Job Options
The following job options are available:
Copy Startup to Running Config upon failureIf template

deployment job fails, the startup configuration of the device is copied
to running configuration.
Enable Job PasswordSelect Enable Job Password and enter the

Login user name, Login Password and Enable Password details.
Preview CLI
Click Preview CLI to open the Configuration Preview pop-up dialog box.
(button)
You can select the device name from the drop-down list to view the CLI
commands that will be deployed on to the device.

OL-25941-01
3-17
Chapter 3
Managing Templates
Step 7
Enter a Job Description, select the Schedule and Job options and click Finish.
A notification message appears along with the Job ID. The newly created job appears in the Template
Center Jobs.
Template Details
You can see the following details when you click the expandable icon before each template
(triangle-shaped) to see the details of each template:
NameName of the template. For example, Access PortChannel Interface.
DescriptionDescription of the template. For example, Template for configuring Portchannel

Interface on Access Switches.
TaskConfiguration task of the template. For example, Port Configuration.
VersionVersion of the template. For example, 1.0.
FeatureFeatures supported for this template.
HardwareThe hardware platform supported for deploying this template.
ReferenceDisplays any reference text for the template. It can be a link for additional information
about the template, or a file in the server.
TagDisplays the tags that have been specified for the template. You can have multiple tags for a
single template. You can use this for filtering the templates using the Advanced Filter.
Managing Templates
LMS allows you to edit, delete, export and view templates.
By default, LMS groups the templates as:
Custom TemplatesLists all the user-defined templates assigned to the current user.
Cisco Best Practices TemplatesLists all the system-defined templates.
You can use the filter option to group the templates.

This section details:
Editing Templates
Deleting Templates
Exporting Templates
Viewing Template Details
3-18
OL-25941-01
Chapter 3

Managing Templates
Editing Templates
You can edit the default values of a template (system or user-defined) and save it as user-defined
template.
In LMS 4.2, each template has a reference section. In the reference section, you can add a link to provide
additional information about the template. The information that you enter in the Text To Display text
box appears as a link in the expandable pane of the template. When you click the link, it launches the
URL or opens the file specified and provides the additional information. You can provide the additional
information from a URL or from a file in the server.
The link must start with http://. The reference files can have the following extensions: html, txt, csv, pdf,
doc, docx, xls, xlsx, and have to be stored in the location:
NMSROOT\htdocs\config-templates-help (On Windows)
NMSROOT/htdocs/config-templates-help (On Solaris and Soft Appliance)
NMSROOT is the LMS install directory. For Solaris and Soft Appliance, it will be /opt/CSCOpx.
You can also specify tags for your template that can be used as filters for the templates. You can specify
multiple tags for a single template, each tag should be comma separated.
To edit a template:
Step 1
Select Configuration > Tools > Template Center > Manage.

The Manage Templates page appears, displaying the Template Selector pane.
Step 2
Select the template that you need to edit and click Edit.
The Edit Template page appears.
Step 3
You can edit the Reference link.
Step 4
You can edit the Tag.
Step 5
Edit the default values of the template and click Save.

You can create a new template from an existing template (system or user-defined) and click Save As to
save it as user-defined template.
You can edit a Cisco Best Practices Template and click Save As to save the template as a new template.
The Template Management page appears, displaying the Template with edited values.

OL-25941-01
3-19
Chapter 3
Managing Templates
Deleting Templates
You can use the Delete option to remove an existing template from the Template Selector pane.
Note
You cannot delete a system-defined template from the Template Selector pane.
To delete an existing template:
Step 1

Step 2
Select an existing user-defined template from the Template Selector pane.
Step 3
Click Delete.
The selected user-defined template is deleted from the Template Selector pane.
Exporting Templates
You can use the Export option to export an existing template to a remote or a client machine. The
template exported will be in XML format.
To export an existing template:
Step 1

Step 2
Select an existing template from the Template Selector pane.
Step 3
Click Export.
A dialog box appears, prompting you to open or save the template XML file.
3-20
OL-25941-01
Chapter 3

Managing Templates

In LMS 4.2, you can enter multi-line commands like, banner and crypto certificate commands, as a part
of the templates in Template Center. The multi-line commands must be within the tag <MLTCMD> and
</MLTCMD>. The commands within the MLTCMD tags are considered as a single command and will
be downloaded as a single command onto the device.
These tags are case-sensitive and you must enter them only in uppercase. You cannot start this tag with
a space. You can have a blank line within a multi-line command.
Example 1
<MLTCMD> banner login "Welcome to
Cisco Prime LMS - you are using
Multi-line commands" </MLTCMD>
Example 2
cmd1<MLTCMD>cmd2
cmd3
cmd4
cmd5</MLTCMD>cmd6
Example 2
cmd1<MLTCMD>
cmd2
cmd3
cmd4
cmd5</MLTCMD>cmd6
In Example 1 and 2, cmd1,cmd2,cmd3,cmd4,cmd5 and cmd6 are all commands and will be deployed to
the device as a single command.
Viewing Template Details

You can use the View Template option to view the details of an existing template from the Template
Selector pane.
To view the details of an existing template:
Step 1

Step 2
Select an existing template from the Template Selector pane.
Step 3
Click View.
A pop-up window appears, you can view the selected template as XML.

OL-25941-01
3-21
Chapter 3
Importing Templates
Importing Templates
LMS allows you create a user-defined configuration template by importing:
Configuration commands from an existing template (.xml file) stored on a client machine (See
Importing from XML File)
A text file generated using Cisco Configuration Professional tool stored on a client machine (See
Importing from a Cisco Configuration Professional File)
A running configuration from a device (See Importing Running Config from Device)
You can also create a new template file (.xml) using the guideline specified in the XML schema. See
Config Template XML Schema for information.
You can also download config templates from Cisco.com from the URL:
http://www.cisco.com/cisco/software/release.html?mdfid=283434800&flowid=19062&softwareid=283
418816&release=Enterprise%20-%20BN%20SBA&relind=AVAILABLE&rellifecycle=&reltype=lates
t.
Note
When you import a template with a name that is already used by another template in LMS, a message
appears prompting you to overwrite the template (user-defined) in LMS. System-defined templates
cannot be overwritten.
Importing from XML File

To import a template from XML file:
Step 1
Select Configuration > Tools > Template Center > Import.

The Import Templates page appears, displaying Choose Import Mode pane.
Step 2
Select Config Template from Choose Source Type option.
Step 3
Click Browse to select the configuration file (.xml file) stored on a client machine.
Before you import a template, you must ensure that the values of each field do not exceed the respective
character limitation. The details are given in the table below.
If the values of each field exceed the character limitation, you will not be able to import the template.
Field
Maximum Number of Characters
Template Name
64
Author
64
Description
1024
Template Version
64
Task
64
Scope
64
Template Type
64
Features
255
3-22
OL-25941-01
Chapter 3

Importing Templates
Step 4
Field
Maximum Number of Characters
Hardware Platform
600
PIN
64
Reference Text
100
Reference URL
100
Reference Type
10
Tags
1024
Click Finish.
A message appears stating that the template has been imported successfully.
Importing from a Cisco Configuration Professional File

To import a template from a Cisco Configuration Professional file:
Step 1

Step 2
Select CCP Config from Choose Source Type option.
Step 3
Click Browse to select the Cisco Configuration Professional file (.txt format) stored on a client machine.
Step 4
Click Next.
The View and Edit Configuration pane appears, displaying the configuration commands in the text box.
You can edit these configuration commands. You must ensure that the configuration commands are valid
because LMS does not validate these commands.
Step 5
Click Next.
The Choose Device Types pane appears.
You need to:
Step 6
Choose the image platform for applying the imported configuration from the drop-down list.
Enter the minimum supported image version for the image platform.
Choose the device groups for applying the configuration.
Click Next.
The Choose Conflicting Tags pane appears, displaying the List of Conflicting Features dialog box.
Here, you need to add the list of conflicting features in a file and add it in the Import Template flow. This
is optional.
A feature in the template might conflict with a feature of another template. In this case, if you have
selected templates that have feature conflicts with each other, then deploy flow will not proceed, and a
warning message is shown.

OL-25941-01
3-23
Chapter 3
Importing Templates
For example,
In the Template Center, you have the following two templates:
Template ADeploys Auto Smartport feature and the conflicting feature is CDP
Template BDeploys CDP feature
If you have selected both Template A and Template B in the Deploy Template flow, the conflicting
feature CDP of Template A with the CDP feature of Template B creates a conflict and this will prevent
the Deploy Template job flow to proceed, and a warning message is displayed.
In this case, you have to select templates that do not have feature conflicts with each other and then
proceed with the deploy flow.
Table 3-5 describes the fields in the List of Conflicting Features dialog box.
Table 3-5
List of Conflicting Features
Column/Button
Description
Feature
Name of the conflicting feature.
Warning Message
Warning message displayed if the conflicting feature exists
Configuration
Shows the configuration commands of the conflicting feature
Delete
Delete the conflicting feature file.
(Button)
Add
Create a conflicting feature file.
(Button)
Edit
Modify an existing conflicting feature file.
(Button)
Step 7
Click Next.
The Enter Template Details pane appears, allowing you to enter the template details described in table.
Table 3-6 describes the fields in Enter Template Details pane.
Table 3-6
Enter Template Details
Field
Description
Template Name
Enter a valid name for the template. Ensure the template name you enter is
unique.
Note
When you import a template with a name that is already used by another
template in LMS, a message appears prompting you to overwrite the
template (user-defined) in LMS. System-defined templates cannot be
overwritten.
You can enter a maximum of 64 characters.

Description
Provide a description of the template.

Task
Enter the task description of the template.

3-24
OL-25941-01
Chapter 3

Importing Templates
Table 3-6
Enter Template Details
Field
Description
Version
Enter the version of the template.

Scope
Choose the scope of the template. For example, device, port, or module.
Feature
Enter the template feature.

Hardware Platform
Enter the applicable hardware platform for the template.

Step 8
PIN
Choose the PIN (place of the device in the network) for the template. For
example, edge.
Image Feature
Enter the image feature for the template.
Type
Choose the type of the template (Complete, Partial)
Click Finish.
A message appears stating that the template has been created successfully.
Importing Running Config from Device

To import a running config as a template from a device:
Step 1

Step 2
Select Running Config from Device from Choose Source Type option.
Step 3
Select a device from the Device Selector.
Step 4
Click Next.
The View and Edit Configuration pane appears, displaying the configuration commands in the text box.
You can edit these configuration commands. You must ensure that the configuration commands are valid
because LMS does not do any validation on these commands.
Step 5
Click Next.
The Choose Device Types pane appears.
You need to:
Step 6
Choose the applicable image platform from the drop-down list.
Enter the minimum supported image version for the image platform.
Select the applicable device categories from the Device Type Selector.
Click Next.
The Choose Conflicting Tags pane appears, displaying the List of Conflicting Features dialog box.
Table 3-5 describes the fields in the List of Conflicting Features dialog box.

OL-25941-01
3-25
Chapter 3
Step 7
Click Next.
The Enter Template Details pane appears, allowing you to enter the template details described in table.
Table 3-6 describes the fields in Enter Template Details pane.
Step 8
Click Finish.
A message appears stating that the template has been created successfully.

You can assign templates to users with Network Operator and Network Administrator privileges.
A network administrator must assign template access privileges to other users.
Note
View the Permission Report (Reports > System > Users > Permission) to check whether you have the
required privileges to perform this task.
To assign templates to users:
Step 1
Select Configuration > Tools > Template Center > Assign Template to User.
The Assign Templates to Users page appears, displaying the Assign Templates dialog box.
Step 2
Enter the username of the user to whom you want to assign the templates.
This should be a valid LMS user.
Step 3
Select the template that you want to allocate to the user from the Available templates list box and click
Add.
You can select more than one template, by holding down the Shift key while selecting the template.
The selected templates appear in the Selected Templates list box.
To remove assigned templates, select the templates from the Selected Templates list box and click
Remove.
Step 4
Add all the required Templates to the Selected Templates list box.
3-26
OL-25941-01
Chapter 3

Step 5
Click Assign to assign the template access privileges to the specified user.
For a specified user, to see the assigned templates, enter the username in the Username field and click
Show Assigned.
The templates assigned to the user appear in the Selected Templates list box.
Step 6
Click Report to generate the User Template Report.

The User Template Report shows the list of users and the templates assigned for each user.
Note
By default, all the templates are assigned to admin users. Therefore, the User Template Report will not
list the users with Admin privileges.

You can browse the template deployment jobs registered on the system. Using the Template Center Jobs,
you can manage template jobs. That is, you can stop, delete, refresh, or filter jobs using this job browser.
You can also view the template job details such as work order, device details, job summary.
Note
View Permission Report (Reports > System > Users > Permission) to check whether you have the
Select either:
Configuration > Tools > Template Center > Jobs.
Or
Configuration > Job Browsers > Template Center
The Template Center Jobs page appears, displaying the List of Template Deployment Jobs pane and Job
Details pane for a job.
Table 3-7 describes the List of Template Jobs pane in the Template Center Jobs.

OL-25941-01
3-27
Chapter 3
Table 3-7
List of Template Center Jobs
Column/Button
Description
Job ID
Unique number assigned to a template job when it is created.

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format.
The x represents the number of instances of the job. For example, 1001.3 indicates
that this is the third instance of the Job ID 1001.
Status
Status of the job:
SuccessfulWhen the job is successful.
FailedWhen the job has failed.

The number, within brackets, next to Failed status indicates the count of the
devices that had failed for that job. This count is displayed only if the status is
Failed.
For example, if the status displays Failed(5), then the count of devices that had
failed amounts to 5.
StoppedWhen the job has been stopped.
RunningWhen the job is in progress.
WaitingWhen the job is awaiting approval (if job approval has been
enabled).
RejectedWhen the job has been rejected (if job approval has been enabled).
Description
Description of the job, entered at the time of job creation.
Owner
User who created the job.
Scheduled at
Date and time at which the job was scheduled.
Completed at
Date and time at which the job was completed.
Schedule Type
Type of job scheduleImmediate, Once, Daily, Weekly, Monthly.

For periodic jobs, the subsequent instances will run only after the earlier instance
of the job is complete.
Stop
Stop or cancel a running job.
(button)
Delete
(button)
Deletes the selected job from the Template Center Jobs. You can select more than
one job to delete.
Refresh Job
Select a Job and click Refresh Job.
(button)
The Job Details pane gets refreshed showing the latest status of the job.
3-28
OL-25941-01
Chapter 3

Table 3-7
List of Template Center Jobs
Column/Button
Description
Filter
Click Filter and select a Filter By criteria from the drop-down list and enter the
details in the Equals field.
(button)
Refresh
Job IDSelect Job ID and enter the Job ID number.
StatusSelect Status and enter the status (Successful, Failed, Cancelled,

Running, Waiting, Rejected).
DescriptionSelect Description and enter the complete name.
OwnerSelect Owner and enter the user name.
Scheduled atSelect Scheduled at and enter the schedule time details.
Completed atSelect Completed at and enter the completed time details.
Schedule TypeSelect Schedule Type and enter the type (Immediate, Once,
Daily, Weekly, Monthly)
Click to refresh the List of Template Jobs table.
(icon)
Table 3-8 describes the Job Details pane in the Template Center Jobs.
Table 3-8
Template Deployment Job Details
Tab
Description
Work Order
Shows the work order details for the selected job.
General Info
The General Info in the work order displays the following details:
Job Policies
DescriptionJob description entered at the time of job creation.
OwnerUser who created the job.
Schedule TypeType of job schedule (Immediate, Once, Daily, Weekly,

Monthly).
Schedule TimeTime at which the job was scheduled to run. The Schedule
Time is applicable for periodic jobs and not for Immediate jobs.
The Job Policies in the work order displays the following details:
E-mail NotificationE-mail notification status (Enabled/Disabled)
E-mail IdsE-mail IDs registered for e-mail notification
Execution PolicyJob Execution policy as Parallel
Copy Startup to Running Config upon failureDisplays the status

(Enabled/Disabled)
Job PasswordLogin Password for the job.
Job UserNameLogin Username for the job.

OL-25941-01
3-29
Chapter 3
Table 3-8
Tab
Description
Device and
Template Details
Shows the following Device and Template details of the job:
Device Template Details
Devices List
Port Template Details
Port Group Details
Module Template Details
Module Details
Device Details
Shows the list of devices added in the Template Deployment job.
Device
Shows the device name.
Status
Status of the device (Success, Failure).
Message
Summary
Shows the device status summary.
Show Details
Select the device name and click Show Details. A pop-up window appears,
displaying the following details for the device:
Filter
Device NameName of the device.
Device StatusStatus of the device (Success, Failure).
ProtocolProtocol details running on the device.
SummaryShows the device status summary.
CLI OutputShows the CLI output.
Click Filter. Select a Filter By criteria from the drop-down list and enter the
details in the Equals field. Click Go to filter details.
DeviceSelect Device and enter the first few letters or the complete name of
the device.
StatusSelect Status and enter the status (Success, Failure)
Message SummarySelect Message Summary and enter the first few letters
of the message summary.
3-30
OL-25941-01
Chapter 3

Table 3-8
Tab
Description
Job Summary
Shows the job summary details for the selected job.
General Info
The General Info in the job summary shows the following details:
Job Messages
Device Updates
StatusStatus of the device at the time of job creation.
Start TimeStart time of the job.
End TimeEnd time of the job.
Shows the following job messages:
Pre-job Execution
Post-job Execution
Shows the following update on the devices in the job:
Successful
Failed
Not Attempted
Pending
Guidelines for Creating Configuration Templates Using IF and

FOREACH Statements
The following are the guidelines that have to be followed while creating configuration templates:
Parameter can be specified in two ways:

${vlan-id} - This is how parameters are specified in the old templates. The same can be used in
LMS 4.2.
$vlan-id - Recommended from LMS 4.2.
Parameter name should not start with number. For example, it should not be ${123vlan-id}. The
correct way of representing it is ${vlan-id}.
Parameter name and other special characters ( , or and etc ) / commands should be separated by
space. For example, interface range ${interfaceType} ${port1} , ${interfaceType} ${port2}

OL-25941-01
3-31
Chapter 3
Syntax/Example for IF
The following show the syntax/example of If / if else / nested if statement:
#if( $option == heterogeneous )
dspfarm profile $PROFILE_ID conference video heterogeneous
#elseif ($option == homogeneous)
dspfarm profile $PROFILE_ID conference video homogeneous
#else
dspfarm profile $PROFILE_ID conference video guaranteed-audio
#end
See Sample Template for IF Statement for more details.

Table 3-9 lists the relational and logical operators used in If / if - else / nested - if statement. You can use
short version or text version while creating templates.
Table 3-9
Relational and Logical Operators
Type of operator
short version
text version
Equal
==
eq
not equal
!=
ne
greater than
>
gt
greater or equal than
>=
ge
less than
<
lt
less or equal than
<=
le
logical and
&&
and
logical or
||
or
logical not
not
Example
## logical AND
#if( $foo && $bar )
dspfarm profile $PROFILE_ID
#end
## logical OR
#if( $foo || $bar )
#end
##logical NOT
#if( !$foo )
#end
3-32
OL-25941-01
Chapter 3

Syntax/Example for FOREACH

The following show the syntax/example of foreach:
#foreach( $product in $allProducts )
this is the for loop for $product
#end
This #foreach loop causes the $allProducts list to be looped over for all of the products in the list. Each
time through the loop, the value from $allProducts is placed into the $product variable.
XML Specification for Template

The following are the xml specification for template:
Textarea / Textbox component can be used
Data type should be specified as list
Example
<parameter name="allProducts">
<description>Enter the product ids separated by comma [A,B,C]</description>
<html-component>textarea</html-component>
<default-value/>
<data-type>list</data-type>
<mandatory>true</mandatory>
<isGlobal>true</isGlobal>
<help-description>Enter the product IDs</help-description>
<syntax>
<min/>
<max/>
<pattern/>
</syntax>
</parameter>
You cannot enter special characters such as < and &&, as the parser interprets it as the start of a new
element and character entity.
There are two ways where you can use special character such as < and &&:
Parser ignores the special characters if you enter it within CDATA section. A CDATA section starts
with "<![CDATA[" and ends with "]]>" See Example 1.
Use "and" instead of "&&" and "lt" instead of "<". See Example 2.
Example 1
<![CDATA[
sccp ccm group ${UCM_GROUP_ID}
#foreach ( ${PROFILE_ID} in $ALL-PROFILE_ID )
this is the for loop for $PROFILE_ID
#if (${PROFILE_ID} == "vas" && ${UCM_GROUP_ID =="vvv")
PROFILE_ID is vas
#else
wrong PROFILE_ID : ${PROFILE_ID}
#end
#end

OL-25941-01
3-33
Chapter 3
]]>
Note
Nested CDATA sections are not allowed. The CDATA closing tag "]]>" should not have spaces or line
breaks.
Example 2
#if (${interfaceType} and "FastEthernet")
interface range ${interfaceType} ${port1}, ${interfaceType} ${port2}
#end
#if (${interfaceType} lt "FastEthernet")
interface range ${interfaceType} ${port1}, ${interfaceType} ${port2}
#end
3-34
OL-25941-01
CH A P T E R

This chapter provides information about how to manage Policy Groups, Policy Profiles and check
network devices for compliance against selected compliance rules and user defined policy.
This chapter contains the following:
Managing Policy Groups
Managing Policy Profile
Compliance Management License
Compliance and Audit Reports

Policy Group is a collection of Policies. Policies are defined by a set of rules. LMS supports 293 policies.
In addition to the system defined Policy Groups, you can create your own Policy Groups by selecting a
set of system defined policies.
Adding Policy Groups
Cloning Policy Groups
Editing Policy Groups
Deleting User-Defined Policy Groups
Deleting a Policy from User-Defined Policy Group


OL-25941-01
4-1
Chapter 4
Adding a New Policy Group by Adding New Policies
4-2
OL-25941-01
Chapter 4

To add a new Policy Group from existing System-Defined Policy Group:
Step 1
Select Configuration > Compliance > Compliance and Audit Manager > Compliance Policies and
Groups.
The Compliance Policies and Groups page appears.
Step 2
Select the required System Policy Group from the tree view.
The list of policies associated with the selected Policy Group appears in the Policies and Rules pane.
Step 3
Select a policy for which you want to modify the rules.

The rules corresponding to the selected policy appears.
Step 4
Edit the rules.
Step 5
Repeat Step 3 and Step 4 if you want to modify the rules associated with other policies listed in Policies
and Rules pane.
Step 6
Click Add to add new policies to the group.

The Policy Selector appears.
Step 7
Select the required policies and click Select.

The selected policies will be added to the Policies and Rules pane. To return to Compliance Policies and
Groups page, click Cancel.
Step 8
Select the newly added policy for which you want to modify the rules. The rules corresponding to the
selected policy appears.
Step 9
Edit the rules.
Step 10
Click Save As to save as a new Policy Group.

A Create Group pop-up appears.
Step 11
Enter the name of the new Policy Group.
Step 12
Enter the description of the Policy Group.
Step 13
Click Save to save the newly created Policy Group. To return to Compliance Policies and Groups page,
click Cancel.
The newly created Policy Group will be listed under My Policy Groups.
Related Topics

To add a new Policy Group:

OL-25941-01
4-3
Chapter 4
Step 1
Groups.
Step 2
Click the icon
in the Policy Group Selector section.
Step 3
Click Add Policy Group.
Step 4
Step 5
Step 6
Click Add in the policies and rules pane, to add new policies to the group.
The Policy Selector appears. See Table 4-1 for the list of policies grouped under each policy group.
Step 7

The selected policies will be added to the Policies and Rules pane. To return to the Compliance Policies
and Groups page, click Cancel.
Step 8
Select the newly added policy for which you want to modify the rules.
Step 9
Set values for each rule.
Step 10
Click Save to save the new Policy Group.

Table 4-1
Policy Group Details
Policy Group Name
Policies
Security
ACL on Interfaces
Distributed DoS Attacks
Land Attack
Martian Traffic
Null (Black Hole) Routing
Risky Traffic
SMURF Attack
Traffic Rules
4-4
OL-25941-01
Chapter 4

Table 4-1
Policy Group Name
Policies
Network Protocols
Control Plane Policing

HTTP Server
Hot Standby Router Protocol (HSRP)
ICMP
Miscellaneous Services
Routing and Forwarding
SNMP
SSH Parameters
TCP Parameters
Switching
DHCP Snooping
Dynamic Trunking Protocol (DTP)
IEEE 802.1X Port-Based Authentication
IEEE 802.3 Flow Control
IP Phone Ports
Management VLAN
Port Security
Spanning Tree Protocol (STP)
Unidirectional Link Detection (UDLD)
Unused Ports
VLAN1
VLAN Trunking Protocol (VTP)
Global Configuration
ACLs
CDP
Clock
FTP
Miscellaneous Services On Firewalls
NTP Configuration
Traceroute
Others
Device Version Checks

Device Running outdated OS Versions
Devices with outdated modules
Outdated Devices As Per Vendor Specific
EOL/EOS Announcements

OL-25941-01
4-5
Chapter 4
Table 4-1
Policy Group Name
Policies
Routing Protocols
BGP
EIGRP
OSPF
RIP
Cisco Security Advisories (PSIRT)
For PSIRT policies see Cisco Security Advisory

(PSIRT).
Network Access Services
Loopback Interfaces
Remote Commands
Audit and Management
Banners
Console Access
DHCP
Domain Name
Host Name
Logging and Syslog
Terinal Access
User Passwords
AAA Services
AAA
AAA Accounting - Commands
AAA Accounting - Connections
AAA Accounting - Exec
AAA Accounting - Network
AAA Accounting - System
AAA Authentication - Enable
AAA Authentication - Login
AAA Authorization - Configuration
AAA Authorization - Exec
AAA Authorization - Network
Related Topics
4-6
OL-25941-01
Chapter 4


To clone a Policy Group:
Step 1
Groups.
Step 2
Mouse-hover on the System or My Policy Groups and then mouse-hover on the quick view picker icon
next to System or My Policy Groups.
The policy details such as Group Name, Description and Policy Count appear in the mouse-hover pop-up
window. You can also clone or delete groups.
Note
You cannot delete stem defined Policy groups.
Step 3
Click Clone Group in the mouse-hover pop-up window to create a copy of the selected Policy Group.
Step 4
Enter the name of the Policy Group.
Step 5
Step 6
Click Save to save the Policy Group.

The copy of the selected Policy Group will be listed under My Policy Groups.
Related Topics

To edit a Policy Group:
Step 1
Groups.
Step 2
Select the required System or My Policy Groups from the tree view.
The list of policies associated with the selected Policy Group appears in the Policies and Rules pane.
Step 3
Select a policy for which you want to modify the rules.

Step 4
Edit the rules.

OL-25941-01
4-7
Chapter 4
Step 5
Repeat Step 3 and Step 4 if you want to modify the rules associated with other policies listed in Policies
and Rules pane.
Step 6
Click Add to add new policies to the group.

The Policy Selector appears.
To delete a policy, select a policy and click Delete.
Step 7

The selected policies will be listed in the Policies and Rules pane. To return to Compliance Policies and
Groups page, click Cancel.
Step 8
Select the newly added policy for which you want to modify the rules. The rules corresponding to the
selected policy appears.
Step 9
Edit the rules.
Step 10
Do one of the following:
Click Save to save the changes made in the selected My Policy Group.
You cannot edit and save the System Policy Group. Hence, Save option will be disabled for
System Policy Group.
Note
Or
Click Save As to save it as a new My Policy Groups and follow Step 11.
Step 11
Step 12
Step 13
Click Save to save the new Policy Group. To return to Compliance Policies and Groups page, click
Cancel.
Related Topics

To delete a user-defined Policy Group:
Step 1
Groups.
4-8
OL-25941-01
Chapter 4

Step 2
Mouse-hover the user-defined Policy Group which you want to delete and then mouse-hover on the
quick view picker icon
next to the user-defined Policy Group.
The policy details appear in the mouse-hover pop-up window.
Step 3
Click Delete Group to delete the selected Policy Group.

A warning message appears.
Step 4
Click OK to delete the selected Policy Group. To return to the Compliance Policies and Groups page,
click Cancel.
Related Topics

To delete a policy from the user-defined Policy Group:
Step 1
Groups.
Step 2
Select a a user-defined Policy Group.

A list of policies associated with the selected Policy Group will be displayed in the Policies and Rules
pane.
Step 3
Select a policy and click Delete.

A confirmation message appears.
Step 4
Click OK to delete the selected policy. To return to the Compliance Policies and Groups page, click
Cancel.
Related Topics

OL-25941-01
4-9
Chapter 4

Policy Profile is a set of Policy Groups where each Policy Groups are mapped with set of devices/device
groups.
Adding a New Policy Profile
Cloning Policy Profiles
Editing Policy Profile
Deleting Policy Profiles
Running Compliance Check
Viewing Job History

To add a new Policy Profile:
Step 1
Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profiles and
Execution.
The Compliance Policy Profile page appears.
Step 2
Click the icon
in the Policy Profile Selector section.
Step 3
Click Add Policy Profile.
Step 4
Enter the name of the new Policy Profile.
Step 5
Enter the description of the Policy Profile.
Step 6
Click Add to add new Policy Groups.

The Policy Group Selector appears.
Step 7
Select the required Policy Group and click Select.

The selected Policy Group and a list of devices will be displayed. To return to Compliance Policy Profile
page, click Cancel.
Step 8
Select a device(s) from the device selector.
Step 9
Click Save to save the newly created Policy Profile.
Related Topics
Viewing Job History
4-10
OL-25941-01
Chapter 4


To clone a Policy Profile:
Step 1
Execution.
Step 2
Mouse-hover on the Policy Profile and then mouse-hover on the quick view picker icon
Policy Profile.
next to the

Step 3
Click Clone Policy Profile to create a copy of the selected Policy Profile.
Step 4
Enter a new Policy Profile name.
Step 5
Step 6
Click Save to save the Policy Profile.
Related Topics
Viewing Job History

To edit a Policy Profile:
Step 1
Execution.
Step 2
Select the Policy Profile which you want to edit.

The list of policy groups and devices associated with the selected Policy Profile appears in the Policy
Group Selection and Device Mapping pane.
Step 3
Click Add to add new policy groups.

The Policy Group Selector appears.
To delete a Policy Group, select a Policy Group and click Delete.
Step 4
Select the required Policy Groups and click Select.

The selected Policy Groups will be listed in the Policy Group Selection and Device Mapping pane. To
return to Compliance Policy Profile page, click Cancel.
Step 5
Select the device(s) from the device selector.

OL-25941-01
4-11
Chapter 4
Step 6
Do one of the following:
Click Save to save the changes made in the selected Policy Profile.
Or
Click Save As to save it as a new Policy Profile and follow Step 7.
4-12
OL-25941-01
Chapter 4

Step 7
Enter the name of the new Policy Profile.
Step 8
Step 9
Click Save in the Create Policy Profile pop-up to save the new Policy Profile. To return to Compliance
Policy Profile page, click Cancel.
The newly created Policy Profile will be listed under tree view.
Related Topics
Viewing Job History

To delete a Policy Profile:
Step 1
Execution.
Step 2
Policy Profile.
next to the

Step 3
Click Delete Policy Profile to delete the selected Policy Profile.

A warning message appears.
Step 4
Click OK to delete the selected Policy Profile. To return to the Compliance Policy Profile page, click
Cancel.
Related Topics
Viewing Job History

To run a compliance check:

OL-25941-01
4-13
Chapter 4
Step 1
Execution.
Step 2
Policy Profile.
next to the

Step 3
Click Compliance Check.

The Schedule Compliance window appears.
4-14
OL-25941-01
Chapter 4

Step 4
Select one of these scheduling options:
ImmediateRuns this task immediately.
OnceRuns this task once at the specified date and time.
DailyRuns daily at the specified time.
WeeklyRuns weekly on the specified day of the week and at the specified time.
MonthlyRuns monthly on the specified day of the month and at the specified time.
Step 5
Enter a description for the job.
Step 6
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job. You
can enter multiple e-mail addresses separated by commas.
Step 7
Click Submit.
A message appears, Job JobID is created successfully.
Step 8
Where JobID is a unique Job number.
Step 9
Click OK.
Compliance Profile Execution Jobs page appears. You can check the status of your scheduled job in this
page.
Related Topics
Viewing Job History
Viewing Job History

To view the job history:
Step 1
Execution.
Step 2
Policy Profile.
next to the

Step 3
Click History to view all the jobs related to the selected profile.
The Compliance Profile Execution Jobs window appears.

OL-25941-01
4-15
Chapter 4
Table 4-2
Compliance Profile Execution Job Details
Column
Description
Job ID
Unique number assigned to this task at creation time. This number

is never reused. There are two formats:
Job ID:
Identifies the task. This does not maintain a history. For
Example:1001
JobID.Instance ID:
Here, in addition to the task, the instance of the task can also be
identified. For example: 1001.1, 1001.2
Status
Provides the status of the current jobs. The status of the current jobs
is displayed as succeeded or failed. It also displays the failure
reasons.
Profile Name
Name of the Profile for which the job is scheduled.
Description
Owner
Username of the job creator.
Job Type
Type of Compliance and Audit Report job. The type include

Compliance, Life Cycle Management, and Service reports.
Scheduled At
Completed At
Schedule Type
Frequency of the job. This can be:
Delete
Once
Immediate
Periodic (calendar/time based).
(button)
Deletes the selected job from the Compliance Profile Execution

Jobs window. You can select more than one job to delete.
Refresh
(button)
The Job Details pane gets refreshed showing the latest status of the
job.
4-16
OL-25941-01
Chapter 4

Table 4-2
Compliance Profile Execution Job Details
Column
Description
View Report
Select a job and click View Report icon.
(icon)
The report is launched in a new browser. You can also click the link
Click here to see Report available in the Job Info pane to launch
the report.
Filter
Click Filter and select a Filter By criteria from the drop-down list
and enter the details in the Equals field.
(button)
StatusSelect Status and enter the status (Successful, Failed,

Cancelled, Running, Waiting, Rejected).
Scheduled atSelect Scheduled at and enter the schedule time

details.
Completed atSelect Completed at and enter the completed

time details.
Schedule TypeSelect Schedule Type and enter the type

(Immediate, Once, Daily, Weekly, Monthly)

OL-25941-01
4-17
Chapter 4
Table 4-3
Job Results Pane Fields
Field
Description
Job Info
Job Description
Job Type
Type of the report (Service or Life Cycle, or Compliance

report)
Profile Name
Name of the Profile.
Job Status
Indicates whether the job is run successfully.
Job Message
Indicates success/failure message.
No of Violations
Indicates the violation count.
No of devices within violations
Indicates the violated device count.
Report Name
Name of the report.
Job Policies
E-mail Notifications
E-mail notification status (Enabled/Disabled)
E-mail IDs
Device Details
E-mail IDs registered for e-mail notification
Total No of Devices
Number of devices that have the report data
No of Devices without Report

Data
Number of devices that do not have the device data
Device List
List of devices in the report
Related Topics

The Profile Violations Fix Report lists all the devices that do not comply with a defined user profile. A
profile is defined as a policy or a set of policies applied on either a device or a set of devices.
To fix a profile violation:
Step 1
Select Configuration > Compliance > Compliance and Audit Manager > Compliance Profile
Execution Jobs.
4-18
OL-25941-01
Chapter 4

The Job Browser Page appears.

Step 2
Select a job and click View Report.

The Compliance Report Page appears.
The View Report button will be disabled if the rules are not violated.
Step 3
Select a device from the Devices table to view the Policies associated with the device. For more details,
see Table 4-4.
Step 4
Select a Policy from the Policies table to view the violation details. For more details, see Table 4-4.
Step 5
Select the violation that have to be fixed, from the Violations table. For more details, see Table 4-4.
Table 4-4
Compliance Violation Details
Column
Description
Devices Table
Device Name
Name of the profile violated device.
Selected Violations
to fix
Number of violations selected to fix.
Total Violations
Total number of violations for the device.
Highest Severity
Highest violation severity for the device.
Policies Table
Policy Name
Name of the violated policy.
Selected Violations
to fix
Number of violations selected for fix.
Total Violations
Total number of violations for the policy
Policy Info
Information about the violated Policy.
Violations Table
Violations with Fix
Lists the violations that can be fixed.
Violations without
Fix
Lists the violations that cannot be fixed.
Violation Description Description about the violation.
Step 6
Severity
Severity of the Violation.
Info
Additional violation information.
Click Fix Violations.

The Fix Compliance Violation Window appears.
Table 4-5
Column
Compliance Violation Fix Details
Description
Review Fix Commands

Devices
Name of the profile violated device.
Commands
Configuration commands for fixing the violation.

OL-25941-01
4-19
Chapter 4
Table 4-5
Column
Description
Schedule
Scheduler
ImmediateRuns the job immediately.
OnceRuns the job once at the specified date and time.
Start Date
Select the start date for the job.
Start Time
Select the start time for the job from the hour and minute drop-down lists.
Job Description
Enter a description for the job that you are scheduling. This is a mandatory field.
Accepts alphanumeric values and special characters.
E-mail
Enter the e-mail address to which the job sends messages when the job has run.
You can enter multiple e-mail addresses separated by semicolon.
Step 7
Select a Scheduler, enter a Job Description, and click Finish.

A notification message appears along with the Job ID. Click OK. The newly created job appears in the
Compliance Profile Violation Fix Job Browser.
Related Topics
Viewing Job History

You can browse the compliance fix violation jobs registered on the system. Using the Compliance Fix
Violation Jobs browser, you can stop, delete, refresh, or filter jobs. You can also view the job details such
as work order, device details and job summary.
Note
Select either:
Configuration > Compliance > Compliance and Audit Manager > Compliance Profile Violation Fix
Jobs.
Or
Configuration > Job Browsers > Compliance Profile Violation Fix Jobs
The Compliance Fix Violation Jobs page appears.
4-20
OL-25941-01
Chapter 4

Compliance Violation Fix Job Details
Table 4-6 describes the List of Compliance Fix Violation Jobs pane.
Table 4-6
List of Compliance Fix Violation Jobs
Column/Button
Description
Job ID
Unique number assigned to a Compliance Fix Violation job when it is created.

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format.
The x represents the number of instances of the job. For example, 1001.3 indicates
that this is the third instance of the Job ID 1001.
Status
Status of the job:

The number within brackets, next to Failed status indicates the count of the
devices that had failed for that job. This count is displayed only if the status is
Failed.
For example, if the status displays Failed(5), then the count of devices that had
failed accounts to 5.
StoppedWhen the job has been stopped.
Description
Owner
Scheduled at
Completed at
Schedule Type
Type of job scheduleImmediate, Once.
Stop
Stop or cancel a running job.
(button)
Delete
(button)
Deletes the selected job from the Compliance Fix Violation Jobs. You can select
more than one job to delete.
Refresh Job
(button)
The Job Details pane gets refreshed showing the latest status of the job.

OL-25941-01
4-21
Chapter 4
Table 4-6
List of Compliance Fix Violation Jobs
Column/Button
Description
Filter
Click Filter and select a Filter By criteria from the drop-down list and enter the
details in the Equals field.
(icon)
Refresh
StatusSelect Status and enter the status (Successful, Failed, Cancelled,

Running, Waiting, Rejected).
Scheduled atSelect Scheduled at and enter the schedule time details.
Completed atSelect Completed at and enter the completed time details.
Schedule TypeSelect Schedule Type and enter the type (Immediate, Once)
Click to refresh the List of Compliance Fix Violation Jobs table.
(icon)
Table 4-7 describes the Job Details pane in the Compliance Fix Violation Jobs.
Table 4-7
Compliance Fix Violation Job Details
Tab
Description
Work Order
Shows the work order details for the selected job.
General Info
The General Info in the work order displays the following details:
Job Policies
Job ID
Job Type
DescriptionJob description entered at the time of job creation.
Schedule TypeType of job schedule (Immediate, Once, Daily)
Policy Profile Execution Job Id
Profile Name
The Job Policies in the work order displays the following details:
E-mail NotificationE-mail notification status (Enabled/Disabled)
E-mail IdsE-mail IDs registered for e-mail notification
Device Details
Shows the Device List of the job.
Device Details
Shows the list of devices added in the Compliance Fix Violation job.
Device
Shows the device name.
Status
Status of the device (Success, Failure).
Message
Summary
Shows the device status summary.
4-22
OL-25941-01
Chapter 4

Table 4-7
Tab
Description
Filter
Click Filter. Select a Filter By criteria from the drop-down list and enter the
details in the Equals field. Click Go to filter details.
DeviceSelect Device and enter the first few letters or the complete name of
the device.
StatusSelect Status and enter the status (Success, Failure)
Message SummarySelect Message Summary and enter the first few letters
of the message summary.

OL-25941-01
4-23
Chapter 4
Table 4-7
Tab
Description
Job Summary
Shows the job summary details for the selected job.
General Info
The General Info in the job summary shows the following details:
Job Messages
Device Updates
StatusStatus of the device at the time of job creation.
Start TimeStart time of the job.
End TimeEnd time of the job.
Shows the following job messages:
Pre-job Execution
Post-job Execution
Shows the following update on the devices in the job:
Successful
Failed
Not Attempted
Pending
Understanding Compliance and Audit Manager (CAAM)

Policies
This section provides information about the System-defined Policy Groups, Policies supported in each
System-defined Policy Group and the rules in each Policy.
LMS supports the following System-defined Policy Groups:
Center of Internet Security (CIS)
Cisco Security Best Practices (SAFE)
Department Of Homeland Security (DHS)
Defense Information Security Agency (DISA)
End of Life (EOL)
Healthcare Insurance Portability Act (HIPAA)
ISO17799
National Security Agency (NSA) Router
Payment Card Industry (PCI)
Cisco Security Advisory (PSIRT)
SysAdmin, Audit, Network, Security (SANS)
Sarbanes Oxley Act (SOX)
4-24
OL-25941-01
Chapter 4

Center of Internet Security (CIS)

CIS Policy Group supports the following policies:
Note
Banners
Logging and Syslog
Terminal Access
User Passwords
ACL on Interfaces
SMURF Attack
Loopback Interfaces
AAA
HTTP Server
Miscellanous Service
SNMP
SSH Parameters
TCP Parameters
BGP
EIGRP
OSPF
RIP
CDP
Clock
NTP Configuration
The policies listed in CIS Policy Group may vary.

OL-25941-01
4-25
Chapter 4
Cisco Security Best Practices (SAFE)

CiscoSafe Policy Group supports the following policies:
Note
Banners
Console Access
Domain Name
Logging and Syslog
Terminal Access
User Passwords
SMURF Attack
Loopback Interfaces
Remote Commands
AAA
AAA Authorization - EXEC
AAA Authrorization - Network
HTTP Server
SNMP
SSH Parameters
TCP Parameters
OSPF
CDP
Clock
NTP Configuration
The policies listed in CiscoSafe Policy Group may vary.
4-26
OL-25941-01
Chapter 4

Department Of Homeland Security (DHS)

DHS Policy Group supports the following policies:
Note
Banners
Console Access
Domain Name
Logging and Syslog
Terminal Access
User Passwords
AAA
HTTP Server
SNMP
TCP Parameters
BGP
EIGRP
OSPF
CDP
NTP Configuration
The policies listed in DHS Policy Group may vary.
Defense Information Security Agency (DISA)

DISA Policy Group supports the following policies:
Console Access
Logging and Syslog
Terminal Access
Remote Commands
HTTP Server
SNMP
BGP
EIGRP
OSPF
RIP

OL-25941-01
4-27
Chapter 4
Note
The policies listed in DISA Policy Group may vary.
End of Life (EOL)

EOL Policy Group supports the following policies:
Note
Devices Running outdated OS Versions
Outdated Devices As Per Vendor Specific EOL/EOS Announcement
The policies listed in EOL Policy Group may vary.
Healthcare Insurance Portability Act (HIPAA)

HIPAA Policy Group supports the following policies:
Note
Console Access
Terminal Access
User Passwords
AAA
AAA Authorization - Commands
HTTP Server
SNMP
The policies listed in HIPAA Policy Group may vary.
ISO17799
ISO17799 Policy Group supports the following policies:
Banners
Logging and Syslog
Terminal Access
User Passwords
ACL on Interfaces
SMURF Attack
AAA
4-28
OL-25941-01
Chapter 4

Note
HTTP Server
SNMP
BGP
EIGRP
OSPF
RIP
NTP Configuration
The policies listed in ISO17799 Policy Group may vary.
National Security Agency (NSA) Router

NSA Router Policy Group supports the following policies:
Banners
Console Access
Domain Name
Host Name
Logging and Syslog
Terminal Access
User Passwords
SMURF Attack
Dynamic Trunking Protocols (DTP)
Spanning Tree Protocols (STP)
VLAN 1
VLAN Trunking Protocols (VTP)

OL-25941-01
4-29
Chapter 4
Note
Loopback Interfaces
AAA
HTTP Server
SNMP
TCP Parameters
BGP
EIGRP
OSPF
RIP
ACLs
CDP
NTP Configuration
The policies listed in NSA Router Policy Group may vary.
Payment Card Industry (PCI)

PCI Policy Group supports the following policies:
Note
Console Access
Logging and Syslog
Terminal Access
User Passwords
Traffic Rules
AAA
HTTP Server
SNMP
NTP Configuration
The policies listed in PCI Policy Group may vary.
4-30
OL-25941-01
Chapter 4

Cisco Security Advisory (PSIRT)

PSIRT Policy Group supports the following policies:
AAA Command Authorization By-pass - 68840 [IOS]
ARP Table Overwrite - 13600 [IOS]
ASA Crafted IKE Message DoS Vulnerability - 111877 [ASA]
ASA Crafted TCP Segment DoS Vulnerability - 111485 [ASA]
ASA Crypto Accelerator Memory Leak Vulnerability - 108009 [ASA]
ASA NTLMv1 Authentication Bypass Vulnerability - 111485 [ASA]
ASA SCCP Inspection DoS Vulnerability - 111485 [ASA]
ASA SIP Inspection DoS Vulnerability - 111485 [ASA]
ASA TCP Connection Exhaustion DoS Vulnerability - 111485 [ASA]
ASA Three SunRPC Inspection DoS Vulnerability - 111877 [ASA]
ASA Three TLS DoS Vulnerability - 111877 [ASA]
ASA WebVPN DTLS DoS Vulnerability - 111485 [ASA]
Access Point Memory Exhaustion from ARP Attacks - 68715 [IOS]
Access Point Web-browser Interface - 70567 [IOS]
Auth Proxy Buffer Overflow - 66269 [IOS]
Authentication Proxy Vulnerability - 110478 [IOS]
BGP Attribute Corruption - 10935 [IOS]
BGP Logging - 63845 [IOS]
BGP Long AS path Vulnerability - 110457 [IOS]
BGP Packet - 53021 [IOS]
BGP Update Message Vulnerability - 110457 [IOS]
CEF Data Leak - 20640 [IOS]
Call Processing Solutions - 63708 [IOS]
CatOS Catalyst 5000 Series 802.1x Vulnerability - 13617 [CatOS]
CatOS Denial-of-Service of TCP-based services - 43864 [CatOS]
CatOS DoS using Telnet, HTTP and SSH - 52781 [CatOS]
CatOS Embedded HTTP Server Buffer Overflow - 27962 [CatOS]
CatOS Enable Password Bypass Vulnerability - 13619 [CatOS]
CatOS Memory Leak Vulnerability - 13618 [CatOS]
CatOS Multiple SSH Vulnerabilities - 8118 [CatOS]
CatOS NAM (Network Analysis Module) Vulnerability - 81863 [CatOS]
CatOS OpenSSH Server Vulnerabilities - 45322 [CatOS]
CatOS Password Bypass Vulnerability - 42340 [CatOS]
CatOS SNMP Malformed Message Handling - 19296 [CatOS]

OL-25941-01
4-31
Chapter 4
CatOS SNMP Multiple Community String Vulnerabilities - 13629 [CatOS]
CatOS SNMP Version 3 Authentication Vulnerability - 107408 [CatOS]
CatOS SSH Can Cause a Crash - 24862 [CatOS]
CatOS SSH Protocol Mismatch Vulnerability - 10932 [CatOS]
CatOS TCP Conn Reset - 50961 [CatOS]
CatOS TCP State Manipulation DoS Vulnerability - 109444 [CatOS]
CatOS Telnet Buffer Vulnerability - 20776 [CatOS]
Cisco IOS Software IGMP Vulnerability - 112027 [IOS]
Crafted Encryption Packet DoS Vulnerability - 110393 [IOS]
Crafted ICMP Messages DoS for IPSec Tunnels - 64520 [IOS]
Crafted ICMP Messages DoS for L2TPv2 - 64520 [IOS]
Crafted ICMP Messages DoS for TCP over IPv4 - 64520 [IOS]
Crafted IP Option - 81734 [IOS]
Crafted TCP Packet Denial of Service Vulnerability - 111450 [IOS]
Crafted UDP Packet Vulnerability - 108558 [IOS]
Crypto - 91890 [IOS]
DFS ACL Leakage - 13655 [IOS]
DHCP - 63312 [IOS]
DLSw Denial of Service Vulnerabilities - 99758 [IOS]
DLSw Vulnerability - 77859 [IOS]
FTP Server - 90782 [IOS]
Firewall Application Inspection Control Vulnerability - 107716 [IOS]
H.323 Denial of Service Vulnerability - 111265 [IOS]
H.323 Protocol DoS Vulnerability - 110396 [IOS]
H323 DoS Vulnerability - 112021 [IOS]
HTTP - 13627 [IOS]
HTTP Auth - 13626 [IOS]
HTTP Command Injection - 68322 [IOS]
HTTP GET Vulnerability - 44162 [IOS]
HTTP Server Query - 13628 [IOS]
Vulnerability- 111895 [IOS]
IKE Resource Exhaustion Vulnerability - 110559 [IOS]
IKE Xauth - 64424 [IOS]
IPS ATOMIC.TCP Signature Vulnerability - 81545 [IOS]
IPS DoS Vulnerability - 107583 [IOS]
IPS Fragmented Packet Vulnerability - 81545 [IOS]
4-32
OL-25941-01
Chapter 4

IPSec IKE Malformed Packet - 50430 [IOS]
IPsec Vulnerability- 111266 [IOS]
IPv4 - 44020 [IOS]
IPv6 Crafted Packet - 65783 [IOS]
IPv6 Routing Header - 72372 [IOS]
Information Leakage Using IPv6 Routing Header - 97848 [IOS]
Inter Process Communication (IPC) Vulnerabilty - 107661 [IOS]
Layer 2 Tunneling Protocol (l2TP) DoS Vulnerability - 107441
MPLS - 63846 [IOS]
MPLS Forwarding Infrastructure DoS Vulnerability - 107646
MPLS VPN May Leak Information Vulnerability - 107578
Mobile IP and IPv6 Vulnerabilities - 109487
Multicast Virtual Private Network (MVPN) Date Leak - 100374 [IOS]
Multiple Crafted IPv6 Packets - 63844
Multiple DNS Cache Poisioning Attacks - 107064 [IOS]
Multiple Features Crafted TCP Sequence Vulnerability - 109337
Multiple Features IP Sockets Vulnerability - 109333 [IOS]
Multiple Multicase Vulnerabilities - 107550
Multiple SIP DoS Vulnerabilities - 107617
Multiple SSH Vulnerabilities - 8118
Multiprotocol Label Switching Packet Vulnerability - 111458
NAM (Network Analysis Module) Vulnerability - 81863
NAT - 13659
NAT Skinny Call Control Protocol Vulnerability - 111268
NTP - 23445
NTP Packet Vulnerability - 110447
Network Address Translation Vulnerability - 112028
Next Hop Resolution Protocol Vulnerability - 91766
OSPF Malformed Packet- 61365 [IOS]
OSPF, MPLS VPN Vulnerability - 100526 [IOS]
Object-Group ACL Bypass Vulnerability - 110398 [IOS]
OpenSSL Implementation DoS Vulnerability - 45643 [IOS]
OpenSSL Implementation Vulnerability - 49898 [IOS]
PIX Crafted MGCP Packet - 98711 [PIX, ASA]
PIX Crafted TLS Packet - 98711 [PIX, ASA]
PIX Erroneous SIP Processing Vulnerabilities - 107475 [PIX, ASA]

OL-25941-01
4-33
Chapter 4
PIX Buffer overflow - 28947 [PIX, ASA]
PIX CBAC - 23885 [PIX, ASA]
PIX Control Plane Access Control List Vulnerability - 105444 [PIX, ASA]
PIX Crafted TCP ACK Packet Vulnerability - 105444 [PIX, ASA]
PIX Crafted TLS Packet Vulnerability - 105444 [PIX, ASA]
PIX Crypto - 23886 [PIX, ASA]
PIX DoS - 13635 [PIX, ASA]
PIX Device Reload with SIP Inspection Vulnerability - 107475 [PIX, ASA]
PIX Enhanced inspection of Malformed HTTP traffic - 77853 [PIX, ASA]
PIX FTP - 13638 [PIX, ASA]
PIX Firewall Unintentional Password Modification - 70811 [PIX, ASA]
PIX IPSec Client Authentication Processing Vulnerability - 107475 [PIX, ASA]
PIX ISAKMP - 28947 [PIX, ASA]
PIX Inspection of a stream of malformed TCP packets - 77853 [PIX, ASA]
PIX Inspection of malformed SIP packets - 77853 [PIX, ASA]
PIX Instant Message Inspection Vulnerability - 105444 [PIX, ASA]
PIX LDAP Authentication Bypass - 82451 [PIX, ASA]
PIX Mailgaurd - 13636 [PIX, ASA]
PIX Multiple SSH Vulnerabilities - 8118 [PIX, ASA]
PIX OpenSSL Implementation DoS Vulnerability - 45643 [PIX, ASA]
PIX OpenSSL Implementation Vulnerability - 49898[PIX, ASA]
PIX Potential Information Disclosure in Clientless VPNs - 107475 [PIX, ASA]
PIX Privilege escalation - 77853 [PIX, ASA]
PIX SMTP - 15235 [PIX, ASA]
PIX SNMP - 19296 [PIX, ASA]
PIX SNMPv3 - 47284 [PIX, ASA]
PIX SSH - 24862 [PIX, ASA]
PIX SSL VPN DOS - 82451 [PIX, ASA]
PIX SSL VPN Memory Leak Vulnerability - 107475 [PIX, ASA]
PIX Scan Denial of Service Vulnerability - 105444 [PIX, ASA]
PIX TCP Conn Reset - 50961 [PIX, ASA]
PIX TCP Prevention - 68268 [PIX, ASA]
PIX TCP Reset - 13639 [PIX, ASA]
PIX Time-to-Live Vulnerability - 100314 [PIX, ASA]
PIX Traceback When Processing Malformed SIP Requests - 107475[PIX, ASA]
PIX URI Processing Error Vulnerability in SSL VPNs - 107475 [PIX, ASA]
PIX VPN Password Expiry - 82451 [PIX, ASA]
4-34
OL-25941-01
Chapter 4

PIX VPNC - 47284 [PIX, ASA]
PIX/ASA ACL Bypass Vulnerability - 109974 [PIX, ASA]
PIX/ASA Crafted H.323 Packet DoS Vulnerability - 109974 [PIX, ASA]
PIX/ASA Crafted HTTP Packet DoS Vulnerability - 109974 [PIX, ASA]
PIX/ASA Crafted TCP Packet DoS Vulnerability - 109974 [PIX, ASA]
PIX/ASA IPv6 Denial of Service Vulnerability - 108009 [PIX, ASA]
PIX/ASA SQL *Net Packet DoS Vulnerability - 109974 [PIX, ASA]
PIX/ASA TCP State Manipulation DoS Vulnerability - 109444 [PIX, ASA]
PIX/ASA VPN Authentication Bypass Vulnerability - 109974 [PIX, ASA]
PIX/ASA Windows NT Domain Authentication Bypass Vulnerability - 108009
PPTP - 13640 [IOS]
Radius - 65328 [IOS]
Reload After Scanning - 13632[IOS]
SAA Packets - 42744 [IOS]
SGBP Packet - 68793 [IOS]
SIP - 81825 [IOS]
SIP DoS Vulnerabilities - 109322 [IOS]
SIP DoS Vulnerability - 110395 [IOS]
SNMP Malformed Message Handling - 19294 [IOS]
SNMP Message Processing - 50980 [IOS]
SNMP Multiple Community String Vulnerabilities - 13629 [IOS]
SNMP Read-Write ILMI Community String - 13630 [IOS]
SNMP Trap Reveals WEP Key - 46468 [IOS]
SNMP Version 3 Authentication Vulnerability -107408 [IOS]
SSH Can Cause a Crash -24862 [IOS]
SSH Malformed Packet -29581 [IOS]
SSH TACACS+ Authentication -64439 [IOS]
SSL -91888 [IOS]
SSL Packet Processing Vulnerability - 107631 [IOS]
SSL VPN Vulnerability - 112029 [IOS]
Secure Copy Authorization Bypass Vulnerability - 97261 [IOS]
Secure Copy Privilege Escalation Vulnerability - 109323 [IOS]
Secure Shell Denial of Services Vulnerabilities -99725 [IOS]
Session Initiation Protocol Denial of Services Vulnerability -111448 [IOS]
Syslog Crash -13660 [IOS]
TCP -72318 [IOS]
TCP Conn Reset -50960 [IOS]

OL-25941-01
4-35
Chapter 4
Note
TCP Denial of Service Service Vulnerability -112099 [IOS]
TCP ISN -13631 [IOS]
TCP State Manipulation DoS Vulnerability -109444 [IOS]
Telnet DoS -61671 [IOS]
Telnet Option-10939 [IOS]
Timers Heap Overflow -68064 [IOS]
Tunnels DoS Vulnerability -109482 [IOS]
Unified Communications Manager Express Vulnerability -110451
User Datagram protocol delivery issue -100638 [IOS]
Virtual Private Dial-up Network DoS Vulnerability -97278 [IOS]
Vulnerabilities Found by PROTOS IPSec Test Suite -68158 [IOS]
Vulnerability in IOS Firewall Feature Set -9360 [IOS]
WeBVPN and SSLVPN Vulnerabilities -107397 [IOS]
Zone-Based Policy Firewall Vulnerability -110410 [IOS]
cTCP Denial of Service Vulnerability -109314 [IOS]
uBR10012 Series Devices SNMP Vulnerability -107696 [IOS]
The policies listed in PSIRT Policy Group may vary.
SysAdmin, Audit, Network, Security (SANS)

SANS Policy Group supports the following policies:
Note
Banners
Terminal Access
User Passwords
SMURF Attack
AAA
HTTP Server
SNMP
The policies listed in SANS Policy Group may vary.
4-36
OL-25941-01
Chapter 4

Sarbanes Oxley Act (SOX)

SOX Policy Group supports the following policies:
Note
Console Access
Logging and Syslog
Terminal Access
User Passwords
AAA
The policies listed in SOX Policy Group may vary.
Compliance and Audit Manager Policies

Policies are defined by a set of rules. This section explains the various policies that are supported in
LMS.
Banners
Description
General banner and Message Of The Day (MOTD) related vulnerability checks.
Applicable Platforms
Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA devices
References
BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.5.1 of Second Edition, 2005-06-15)

Information Technology - Code of practice for information security management.
National Security Agency (NSA) Cisco Router Configuration Guide((Section 4.1.5 Page 58 of Version
1.1c)
The "Router Security Configuration Guide" provides technical guidance intended to help network
administrators and security officers improve the security of their networks. It contains principles and
guidance for secure configuration of IP routers, with detailed instructions for Cisco System routers. The
information presented can be used to control access, help resist attacks, shield other network
components, and help protect the integrity and confidentiality of network traffic.
SANS Router Security Policy(Sections 3.0(6), 3.0(7))
The SANS (SysAdmin, Audit, Network, Security) Institute publishes security policy to help system
administrators with rapid development and implementation of information security policies.
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 5.2, Page 15 of Version
1.0)

OL-25941-01
4-37
Chapter 4
The "Cisco IOS Switch Security Configuration Guide" from National Security Agency (NSA) provides
technical recommendations intended to help network administrators improve the security of their
networks. Using the information presented in this document, the administrators can configure switches
to control access, resist attacks, shield other network systems and protect the integrity and
confidentiality of network traffic. Also, this guide can assist information security officers by describing
the security issues related to critical systems (e.g., switches) which are part of their computer networks.
Cisco SAFE Compliance(1.1b)
SAFE: A Security Blueprint for Enterprise Networks
Department of Homeland Security (DHS) Compliance(Section 2.1, Page 12 of Version 2.0)
This document is being distributed to provide Department of Homeland Security (DHS) Cisco Router
systems administrators with a clear, concise set of procedures that will ensure a minimum baseline of
security when an existing Cisco Router is being installed or configured. All settings and parameters
presented in this document are the baseline security which all Cisco Router systems must meet.
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.3, Page:12 of Version 2.2, Nov
2007)
CIS benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system
security. CIS benchmark IOS, contains some security configuration recommendations that affect
functionality, and are therefore of greatest value to system administrators who have sufficient security
knowledge to apply them with consideration to the functions and applications running in their particular
environments. All IOS devices should implement these settings.
Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.1.3, Page: 11 of Version 2.0, Nov
2007)
CIS PIX/ASA benchmark recommends the prudent level of minimum due care for operating system
security. CIS PIX/ASA benchmark contains some security configuration recommendations that affect
environments. All PIX devices should implement these settings.
Rule 1
Rule
Message Of The Day (MOTD) should be configured [IOS, PIX, ASA]

Description
A Message of the day banner, which includes a legal notice, should be setup on each operational router.
A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be
authorized by the owning organization, and perhaps a statement about the router being subject to
monitoring.
Cisco IOS Devices

Impact
A proper legal notice protects the ability of the owning organization to pursue legal remedies against an
attacker. Consult your organization's legal staff or general counsel for suitable language to use in your
legal notice.
4-38
OL-25941-01
Chapter 4

Suggested Fix
Configure a Message of the day banner using the command:

[no] banner motd
line vty <begining number > - <end number>
[no] motd-banner
[no] exec-banner
Rule 2
Rule
Message Of The Day should contain given pattern [IOS, PIX, ASA]
Description
A Message of the day banner, which includes a legal notice, should be setup on each operational router.
A legal notice usually includes a 'no trespassing' warning, a statement that all use of the router must be
authorized by the owning organization, and perhaps a statement about the router being subject to
monitoring.
Cisco IOS Devices

Impact
legal notice.
Suggested Fix
Modify a Message of the day banner to contain required information using the command:
banner motd
Rule
Description
Constraints
Match Type
Select if the given input is to be matched as a plain

string or a regular expression.
Required: true
String or Regular
Expression
Default: false
A String(Regular Expression) that should be present Required: true

in Message Of The Day
Rule 3
Rule
Message of The Day should NOT contain given pattern [IOS, PIX, ASA]
Description
A Message of the day banner should not contain network architecture information and router
configuration details. Router model and location information should be included only if necessary. Be
especially careful not to provide information in the banner message that should not be shared with the
general public, or information that is not visible from unprivileged EXEC mode.

OL-25941-01
4-39
Chapter 4
Cisco IOS Devices

Impact
legal notice
Suggested Fix
Modify the Message of the day banner not to contain prohibited information using the command:
banner motd
Rule
Description
Constraints
Match Type

Required: true
A String(Regular Expression) that should be NOT

present in Message Of The Day
Required: true
String or Regular
Expression
Default: false
Rule 4
Rule
Login message should be configured [IOS, PIX, ASA]

Description
A login banner, which includes a legal notice, should be setup on each operational router. A legal notice
usually includes a 'no trespassing' warning, a statement that all use of the router must be authorized by
the owning organization, and perhaps a statement about the router being subject to monitoring.
Cisco IOS Devices

Impact
legal notice.
Suggested Fix
Configure a login banner using the command:

[no] banner login
4-40
OL-25941-01
Chapter 4

Rule 5
Rule
Login message should contain given pattern [IOS, PIX, ASA]

Description
A login banner, which includes a legal notice, should be setup on each operational router. A legal notice
Cisco IOS Devices

Impact
legal notice
Suggested Fix
Modify a login banner to contain required information using the command:

banner login
Rule
Description
Constraints
Match Type

Required: true
String or Regular
Expression
Default: false

in the Login Message
Rule 6
Rule
Login message should NOT contain given pattern [IOS, PIX, ASA]
Description
A login banner should not contain network architecture information and router configuration details.
Router model and location information should be included only if necessary. Be especially careful not
to provide information in the banner message that should not be shared with the general public, or
information that is not visible from unprivileged EXEC mode.
Cisco IOS Devices


OL-25941-01
4-41
Chapter 4
Impact
legal notice.
Suggested Fix
Modify the log banner not to contain prohibited information using the command:
banner login
Rule
Description
Constraints
Match Type

Required: true
A String(Regular Expression) that should NOT be

present in the Login Message
Required: true
String or Regular
Expression
Default: false
Rule 7
Rule
Exec banner should be configured [IOS, PIX, ASA]

Description
A Exec banner, which includes a legal notice, should be setup on each operational router. A legal notice
Cisco IOS Devices

Impact
legal notice.
Suggested Fix
Configure a exec banner using the command:

[no] banner exec
line vty <begining number > - <end number>
[no] exec-banner
4-42
OL-25941-01
Chapter 4

Rule 8
Rule
Exec banner should contain given pattern [IOS, PIX, ASA]

Description
A Exec banner, which includes a legal notice, should be setup on each operational router. A legal notice
Cisco IOS Devices

Impact
legal notice.
Suggested Fix
Modify a exec banner to contain required information using the command:

banner exec
Rule
Description
Constraints
Match Type

Required: true
String or Regular
Expression
Default: false

in Exec Banner
Rule 9
Rule
Exec banner should NOT contain given pattern [IOS, PIX, ASA]
Description
A Exec banner should not contain network architecture information and router configuration details.
Router model and location information should be included only if necessary. Be especially careful not
to provide information in the banner message that should not be shared with the general public, or
information that is not visible from unprivileged EXEC mode.
Cisco IOS Devices


OL-25941-01
4-43
Chapter 4
Impact
legal notice.
Suggested Fix
Modify the exec banner not to contain prohibited information using the command:
banner exec
Rule
Description
Constraints
Match Type

Required: true
A String(Regular Expression) that should be NOT

present in Exec Banner
Required: true
String or Regular
Expression
Default: false
Console Access
Description
Policies related to console and auxiliary terminal access.

Cisco IOS Devices

References
Control Objectives for Information and Related Technology(AI2.4 of 4.0)

COBIT (Control Objectives for Information and Related Technology) is an IT governance framework
and supporting toolset that allows managers to bridge the gap between control requirements, technical
issues and business risks. COBIT is a de-facto standard used by most of the auditors when auditing for
IT section of Sarbanes-Oxley (SOX) Compliance.
National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(3) Page 275, Section
3.4.4 Page 49, Section 4.1.6 Page 66 of Version 1.1c)
Payment Card Industry Data Security Standard(PCI).(2.3 of Version 1.1, September, 2006)
The Payment Card Industry (PCI) Data Security Standard resulted from a collaboration between Visa
and MasterCard to create common industry security requirements. Other card companies operating in
the U.S. have also endorsed the Standard within their respective programs. PCI Data Security
requirements apply to all members, merchants and service providers that store, process or transmit
cardholder data.
Health Insurance Portability and Accountability Act.(164.312(a)(1), 164.312(e)(1))
4-44
OL-25941-01
Chapter 4

HIPAA (Health Insurance Portability and Accountability Act.) is designed to protect confidential
healthcare information through improved security standards and federal privacy legislation. It defines
requirements for storing patient information before, during and after electronic transmission. Centers for
Medicare & Medicaid Services (CMS) has provided a Security Rule (45 CFR Part 160 and 164) which
is adopted to implement provisions of the HIPAA.
Defence Information System Agency(Section NET0655 of Dec 2, 2005)
DISA Checklist, sometimes referred to as a lockdown guide, hardening guide, or benchmark
configuration is essentially a document that contains instructions or procedures to verify compliance to
a baseline level of security.
Rule 1
Rule
Check console connection [IOS]]

Description
Permit or block the router access using console ports as desired.

Cisco IOS Devices

Impact
None
Suggested Fix
Enable or disable the console ports using the command:

line con0
[no] exec
Rule
Description
Constraints
Access
Whether to allow connections using console

terminal.
Required: true
Default: true
Rule 2
Rule
Check auxiliary connection [IOS]

Description
Permit or block the router access using auxiliary ports as desired.

OL-25941-01
4-45
Chapter 4
Cisco IOS Devices

Impact
None.
Suggested Fix
Enable or disable the auxiliary ports using the command:

line aux 0
[no] exec
Rule
Description
Constraints
Auxiliary
Whether to allow connections using auxiliary

terminal.
Required: true
Default: true
Domain Name
Description
Using Domain Name Lookup Service, you can use device names in the commands instead of IP
addresses. By default, the DNS lookups are broadcasted to 255.255.255.255. If there are trusted domain
name servers, which can translate the hostnames into IP Addresses, you may configure the devices to
send DNS queries to these servers.
Cisco IOS Devices

References
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.2.2 Page79 of Version
1.1c)
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 6.2.2, Page 18 of Version
1.0)
Cisco SAFE Compliance(Appendix A, Page 39 of A Security Blueprint for Enterprise Networks)
4-46
OL-25941-01
Chapter 4


Rule 1
Rule
Check state of domain name configuration [IOS, PIX, ASA]

Description
Each device within a given domain should have a domain name to be configured with whatever is the
local/global policy for that domain. Domain names will be used as part of fully qualified host name of
the router and any unqualified name lookups. Setting a domain name is also necessary for using SSH.
Cisco IOS Devices

Impact
SSH can not be enabled with this violation. Also, all the host names would have to be fully qualified.
Suggested Fix
Configure domain name using the command:

[no] ip domain-name (for IOS)
[no] domain-name (for PIX)
Rule
Description
Constraints
State
Select whether the device should be configured with Required: true

a domain name or not.
Default: true
Rule 2
Rule
Check value of domain name [IOS, PIX, ASA]

Description
Each device within a given domain should have a domain name to be configured with whatever is the
local/global policy for that domain. Domain names will be used as part of fully qualified host name of
the router and any unqualified name lookups. Setting a domain name is also necessary for using SSH.
Cisco IOS Devices


OL-25941-01
4-47
Chapter 4
Impact
SSH can not be enabled with this violation. Also, all the host names would have to be fully qualified.
Suggested Fix
Configure domain name using the command:

ip domain-name <domain name>(for IOS)
domain-name <domain name>(for PIX)
Rule
Description
Constraints
Domain Name
Enter the name of the network domain to which this

device belongs to.
Required: true
Rule 3
Rule
Check state of domain lookup configuration [IOS, PIX, ASA]

Description
By default, IOS sends DNS name queries to the broadcast address 255.255.255.255. If you do not want
your router to send queries, turn off DNS name resolution. In general, DNS name resolution should be
enabled on a router only if one or more trustworthy DNS servers are available.
Cisco IOS Devices

Impact
If DNS lookup is disabled, If there are any host names given in the commands, those names will not be
resolved to IP addresses, causing them to be unreachable. The commands with hostnames given in them
instead of plain IP Addresses may not work completely. Also, whenever an IP address is changed, all the
network devices' configurations would have to be updated if they have the old IP address in their
configuration. If the DNS lookup is enabled, then it is advisable to have at least one DNS server is
configured. Otherwise, all the hostname to IP Address resolution will be done by broadcasting the
packets to 255.255.255.255
Suggested Fix
Configure the DNS name resolution (Domain name lookup) using the command:
[no] ip domain lookup (for IOS)
[no] dns domain-lookup (for PIX)
Rule
Description
Constraints
State
Select whether the device should do lookups to

convert host names to IP Addresses.
Required: true
Default: true
4-48
OL-25941-01
Chapter 4

Rule 4
Rule
Domain name servers should contain given hosts [IOS]

Description
All the devices within a network should be configured with a DNS server to be able to do address
resolution.
Cisco IOS Devices

Impact
If the domain look up is enabled but no DNS servers are configured, then all the lookup packets are
broadcasted to 255.255.255.255. Also, it is advisable to configure all the devices within a domain with
the same DNS server so that the host name data base is maintained centrally.
Suggested Fix
Configure one or more of DNS servers using the command:

ip name-server
Rule
Description
Constraints
DNS Servers
Enter the IP address(es) of the DNS Servers that

should be configured on the device.
Required: true
Using DNS Server Editor option, you can add,

remove or update DNS Server details. You can also
change the order of the server details.
Host Name
Description
Host name related policies.

Cisco IOS Devices

References
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.2.2 Page 78 of Version
1.1c)

OL-25941-01
4-49
Chapter 4
Rule 1
Rule
Host name must be configured [IOS, PIX, ASA]

Description
It is advisable that all the devices are configured with distinct hostnames to identify them uniquely.
Cisco IOS Devices

Impact
No unique way of identifying the device.

Suggested Fix
Configure host name using the command

hostname
Logging and Syslog

Description
Logging a router's activities and status offers several benefits. Using the information in a log, the
administrator can tell whether the router is working properly or whether it has been compromised.
Configuring logging on the router should be done carefully. Send the router logs to a designated log host,
which is a separate computer whose only job is to accept and store logs. Set the level of logging on the
router to meet the needs of your security policy, and expect to modify the log settings as the network
evolves. The logging level may need to be modified based on how much of the log information is useful.
Cisco IOS Devices

References
Payment Card Industry Data Security Standard(PCI).(10 of Version 1.1, September, 2006)
cardholder data.
Control Objectives for Information and Related Technology(DS5.5 of 4.0)
4-50
OL-25941-01
Chapter 4

8.1(17) Page 278, Section 4.5.2 Page 139,142-145 of Version 1.1c)
1.0)
2007)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.3, Page: 28 of Version 2.2, Nov.
2007)

OL-25941-01
4-51
Chapter 4
Rule 1
Rule
Check if logging is enabled to all supported destinations [IOS, PIX, ASA]

Description
Check if state of event logging on the router is not same as that of desired state. Logging a router's
activities and status offers several benefits. Using the information in a log, the administrator can tell
whether the router is working properly or whether it has been compromised. In some cases, it can show
what types of probes or attacks are being attempted against the router or the protected network.
Cisco IOS Devices

Impact
If the logging is disabled, The events that happen on the router are not logged anywhere. This might
make it harder to trouble shoot any network issues. Also, this may cause some of the problems, including
attempts to attacks go un-noticed, as well as not to have any evidence about any un-authorized activity.
If the logging is enabled, make sure the logging messages are sent to only trusted host on a protected
network so that the logs can not be compromised and can not viewed by anyone not authorized to view
them.
Suggested Fix
Configure logging service using the command:

[no] logging on (for IOS)
[no] logging enable (for PIX)
Rule
Description
Constraints
Global Logging State
Whether the global logging should be enabled or

disabled.
Required: true
Default: true
Rule 2
Rule
Check syslog logging related parameters [IOS, PIX, ASA]

Description
Logging level and state should be carefully chosen so that important information is logged but at the
same time, the logging server is not flooded with too many log messages from the devices. Also, the
device should be configured to send log messages to a designated host on the protected network.
Cisco IOS Devices

Cisco PIX Devices Running >= 7.x and ASA device
4-52
OL-25941-01
Chapter 4

Impact
If the logging level and host(s) are not configured according to the policy, it may make it harder to
troubleshoot problems.
Suggested Fix
Configure the logging host(s), level(s) using the command:

[no] logging <desired logging level>
Rule
Description
Constraints
Syslog Logging State
Whether the syslog logging should be enabled or

disabled.
Required: true
Default: true
Syslog Logging Level
Syslog Logging level
Required: false
Default:
informational
Rule 3
Rule
Check syslog host related parameters [IOS]

Description
The device should be configured to send log messages to a designated host on the protected network.
Cisco IOS Devices

Impact
troubleshoot problems.
Suggested Fix
Configure the logging hosts using the command:

logging <hostname or ip address>(for IOS)
logging host <hostname or ip address>(for PIX)

OL-25941-01
4-53
Chapter 4
Rule
Description
Constraints
Minimum number of
syslog servers
Minimum number of syslog server
Required: false
Default: 2
Min Value: 1
Max Value:
2147483647
Syslog Servers
List of syslog servers that a device should be

configured with
Required: false
Using Syslog Server Editor option, you can add,

remove or update DNS Server details. You can also
Rule 4
Rule
Check logging facility [IOS, PIX, ASA]

Description
Check that the specified syslog facility is used when sending logging messages to the remote syslog
server. You can direct log messages to the specified logging facility on your remote syslog server using
the logging facility command. To do this, enable logging and define the UNIX system facility to which
you want to send the log messages.
Cisco IOS Devices

Impact
NConfigure the required logging facility parameters using the command:

logging facility
Suggested Fix
Rule
Description
Constraints
Logging Facility [IOS]
Logging facility to use with syslog logging on

devices running IOS.
Required: false
Default: local7
Logging Facility [PIX]
Logging facility to use with syslog logging on

devices running PIX.
Required: false
Default: 20
Min Value: 16
Max Value: 23
Rule 5
Rule
Check buffer loggin state, level and logging buffer size [IOS, PIX, ASA]
4-54
OL-25941-01
Chapter 4

Description
Setup the buffered logging state, level and size according to your security policy. This lets the device to
log messages to its internal buffers in the memory.
Cisco IOS Devices

Impact
If the buffer logging level and size are set to buffer too many messages, it may cause the device to run
out of memory for other tasks. If it is configured too low, it may cause the messages to be lost in the
buffer too quickly.
Suggested Fix
Configure the required buffered logging parameters using the command logging buffered
Rule
Description
Constraints
Buffer Logging State
Whether the buffer logging should be enabled or

disabled
Required: true
Default: true
Buffer Logging Level
Buffer Logging level
Required: false
Default:
informational
Minimum Buffer Size
Minimum logging buffer size. It would be a violation Required: false

if the device is configured to have any buffer size that Default: 32768
is less than the value given.
Min Value: 4096
Max Value:
2147483647
Rule 6
Rule
Check console logging state and level [IOS, PIX, ASA]

Description
Setup the console logging state, level and size according to your security policy. This lets the device to
log messages to the console terminal. In general, the logging level at the console should be set to display
lots of messages only when the console is in use or its output is being displayed or captured.
Cisco IOS Devices

Impact
No known impact.

OL-25941-01
4-55
Chapter 4
Suggested Fix
Configure the console logging parameters using the command:

[no] logging console
Rule
Description
Constraints
Console Logging State
Whether the console logging should be enabled or

disabled
Required: true
Default: true
Console Logging Level
Console Logging level
Required: false
Default: critical
Rule 7
Rule
Check monitor logging state and level [[IOS, PIX, ASA]

Description
Setup the monitor logging state, level and size according to your security policy. This controls the
messages that are displayed on any terminal that connected to the router.
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Configure the monitor logging parameters using the command:

logging monitor
Rule
Description
Constraints
Monitor Logging State
Whether monitor logging should be enabled or

disabled
Required: true
Default: false
Monitor Logging Level
Monitor Logging level
Required: false
Default:
informational
Rule 8
Rule
Check history logging level [IOS, PIX, ASA]
4-56
OL-25941-01
Chapter 4

Description
Setup the history logging level according to your security policy. The level is used for limiting log
messages stored in the history table and sent to the SNMP network management station. The default for
IOS devices is warning. There is no default for PIX, FWSM, or ASA devices.
Cisco IOS Devices

Impact
Because SNMP traps are potentially unreliable, at least one syslog message, the most recent message, is
stored in a history table on the device. You can view the history table using the show logging history
command. Limit the types of messages stored in the history table based on the severity level your
organization requires.
Suggested Fix
Configure the history logging level using the command:

logging history
Rule
Description
Constraints
History Logging Level
History Logging level
Required: false
Default: warnings
Rule 9
Rule
Check Timestamps in Log Messages [IOS, PIX, ASA]

Description
Check to see if timestamps are displayed in log messages

Cisco IOS Devices

Impact
If the timestamps are not shown in the log messages, it may not be possible to sense the order of events
occurring in the network.
Suggested Fix
Configure the device to show timestamps for log messages using the command:
[no] service timestamps log
Rule
Description
Show Timestamps in Log Whether to show timestamps in each logging

Messages
messages
Constraints
Required: true
Default: true

OL-25941-01
4-57
Chapter 4
Rule 10
Rule
Check Timestamps in Debug Messages

Description
Check to see if timestamps are displayed in debug messages

Cisco IOS Devices

Impact
If the timestamps are not shown in the debug messages, it may not be possible to sense the order of
events occurring in the network.
Suggested Fix
Configure the device to show timestamps for debug messages using the command:
[no] service timestamps debug
Rule
Description
Constraints
Show Timestamps in
Debug Messages
Whether to show timestamps in debugging messages Required: true

Default: true
Rule 11
Rule
Check sequence numbers in log messages [IOS]

Description
Check to see if visible sequence numbering of system logging messages is enabled or not.
Cisco IOS Devices

Impact
If the sequence numbers are not shown in the log messages, it may not be possible to sense the order of
events occurring in the network.
Suggested Fix
Configure the device to show timestamps for log messages using the command:
[no] service sequence-numbers
Rule
Description
Show Sequence Numbers Whether to show sequence numbers in each logging

in Log Messages
message
Constraints
Required: true
Default: true
4-58
OL-25941-01
Chapter 4

Terminal Access
Description
This policy checks for various access controls that need to be put in place to restrict access to the network
device's command line. One primary mechanism for remote administration of Cisco routers is logging
in via Telnet or SSH. These connections are called virtual terminal lines. Login on the virtual terminal
lines should be disabled if remote administration is not absolutely necessary. Remote administration
without encryption is inherently dangerous because anyone with a network sniffer on the right LAN
segment can acquire router passwords and would then be able to take control of the router.
Cisco IOS Devices

References
Control Objectives for Information and Related Technology(AI2.4 of 4.0)

4.1.5 Page 58, 59, 60, Section 4.1.6 Page 61 of Version 1.1c)
BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6.1, 11.2, 11.5.1 of Second Edition, 2005-06-15)
1.0)

OL-25941-01
4-59
Chapter 4
cardholder data.
SANS Router Security Policy(3.0(8))
Defence Information System Agency(Section NET0645,NET0740 of Dec 2, 2005)
Department of Homeland Security (DHS) Compliance(Section 1.3,2.3, Page 10 of Version 2.0)
Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.1.2.4, Page: 9 of Version 2.0,
Nov 2007)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.4, Page: 8; Section 1.1.2.3-1.1.2.6,
Page:10-11; of Version 2.2, Nov 2007)
Rule 1
Rule
No more than required VTY lines should be enabled on the device [IOS]
Description
Check that a given device does not have more VTY lines enabled than required.
Cisco IOS Devices

Impact
No known impact
4-60
OL-25941-01
Chapter 4

Suggested Fix
If the router has more VTYs than needed, then either disable or delete the extra ones using the command:
line vty <beg line number> <end line number> no exec
Rule
Description
Constraints
Maximum VTY Lines
Maximum number of VTY lines to be enabled
Required: true
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Check Authentication parameters on terminal lines [IOS]

Description
Each terminal line should be configured with some type of authentication for logging on the device,
failing to do so can enable an unauthorized user to gain device access. This rule checks other
miscellaneous authentication parameters on the terminal lines including session time out, maximum
default privilege level configured and any access restrictions on the terminal lines.
Cisco IOS Devices

Impact
An unauthorized user may gain access to the device.

Suggested Fix
Configure with some type of authentication for login on the terminal lines using the commands:
line vty <beg line number> <end line number>
login authentication
privilege level
exec-timeout
access-class
You can add, update and delete terminal line configuration details.
Rule
Description
Constraints
Terminal Line Group
Group of terminal lines to apply the policy.
Required: true
Login Authentication
Selected terminal lines should be configured to

authenticate using login.
Required: true
Default: login
Maximum default level

allowed
Maximum default privlege level that should be given Required: false

on lines.
Default: 0
Min Value: 0
Max Value: 15

OL-25941-01
4-61
Chapter 4
Rule
Description
Constraints
Maximum Idle Timeout

(Minutes)
Idle timeout (in minutes) to be enforced on lines. If a Required: false

user leaves the EXEC session idle for this much time, Default: 10
it will be disconnected automatically by the device.
Min Value: 1
Max Value: 3579
Maximum Login
Response Timeout
(Seconds)
Maximum timeout (in seconds), the system will wait Required: false
for login input (such as username and password)
Min Value: 1
before timing out
Max Value: 300
Whether Access to this

teminal lines should be
controlled
Choose whether access to this terminal line should be Required: false

controlled using an access list control or not
Default: false
Rule 3
Rule
Check for allowed incoming connections [IOS]

Description
Make sure that all the terminal lines are configured to block incoming connections using un-authorized
protocols.
Cisco IOS Devices

Impact
An unauthorized user may connect to the device using any undesired protocols violating the set policy.
Suggested Fix
Disable terminal line access for un-authorized incoming connections using the command:
transport input
Rule
Description
Constraints
Terminal Line Group
Required: true
Block all incoming

connections
Block all incoming connections on this group of

terminal lines
Required: true
Default: dontcare
Telnet
Telnet protocol
Required: false
Default: false
SSH
SSH protocol
Required: false
Default: true
4-62
OL-25941-01
Chapter 4

Rule 4
Rule
Check for allowed outgoing connections [IOS]

Description
Make sure that all the terminal lines are configured to block outgoing connections using un-authorized
protocols.
Cisco IOS Devices

Impact
An unauthorized user may connect to other devices from this device using any undesired protocols
violating the set policy.
Suggested Fix
Disable terminal line access for all un-authorized outgoing connections using the command:
transport output
Rule
Description
Constraints
Terminal Line Group
Required: true
Block all outgoing

connections
Block all outgoing connections on this group of

terminal lines
Required: true
Telnet
Telnet protocol
Required: false
SSH
SSH protocol
Required: false
Default: true
Rule 5
Rule
Check that Telnet access is prohibited. [PIX, ASA]

Description
Prohibit telnet access to the PIX device.


Impact
Only use SSH and-or Cisco PDM or ASDM to manage the PIX. Do not use Telnet for remote
administration of the PIX, it offers no confidentiality or integrity protections.

OL-25941-01
4-63
Chapter 4
Suggested Fix
Prohibit Telnet access using the command:

no telnet
Rule 6
Rule
Check the maximum timeout for Console sessions. [PIX, ASA]

Description
Verify timeout is configured to automatically disconnect the console sessions after a fixed idle time.

Impact
This prevents unauthorized users from misusing abandoned sessions.

Suggested Fix
Configure device timeout to disconnect sessions after a fixed idle time, using the command:
console timeout
Rule
Description
Constraints
Maximum Console
Session idle Timeout
(Minutes)
Idle timeout (in minutes) to be enforced on console

lines. If a user leaves the EXEC session idle for this
much time, it will be disconnected automatically by
the device.
Required: true
Default: 10
Min Value: 1
Max Value: 60
Rule 7
Rule
Check the maximum timeout for Telnet sessions. [PIX, ASA]

Description
Verify timeout is configured to automatically disconnect the telnet sessions after a fixed idle time.

Impact

Suggested Fix
telnet timeout
4-64
OL-25941-01
Chapter 4

Rule
Description
Constraints
Maximum Telnet Session Idle timeout (in minutes) to be enforced on lines. If a Required: true
idle Timeout (Minutes)
Min Value: 1
Max Value: 1440
Rule 8
Rule
Check the maximum timeout for SSH sessions. [PIX, ASA]

Description
Verify timeout is configured to automatically disconnect the SSH sessions after a fixed idle time.

Impact

Suggested Fix
ssh timeout
Rule
Description
Constraints
Maximum SSH Session

idle Timeout (Minutes)
Idle timeout (in minutes) to be enforced on lines. If a Required: true

Min Value: 1
Max Value: 60
User Passwords
Description
There are three ways of protection schemes in Cisco IOS.
Plain password where there is no protection and encryption.
Cisco defined encryption algorithm which is known to the commercial security community to be
weak.
Iterated MD5 hash which is much stronger.
Cisco recommends using the MD5 hash encryption for passwords where possible. (See "Configuring
Passwords and Privileges" in the Cisco IOS Security Configuration Guide)

OL-25941-01
4-65
Chapter 4
Cisco IOS Devices

Cisco IOS Devices With AUTO_SECURE Capability
References
Payment Card Industry Data Security Standard(PCI).(8.1, 8.4, 8.5 of Version 1.1, September, 2006)
cardholder data.
Control Objectives for Information and Related Technology(DS5 of 4.0)
National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(9) Page 276, 8.1(19)
Page 279, Section 4.1.5 Page 63, Section 4.1.8 Page 66 of Version 1.1c)
Health Insurance Portability and Accountability Act.(164.308(a)(5)(ii), 164.312(d))
is adopted to implement provisions of the HIPAA. BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section
10, Section 11.2, 11.5 of First Edition, 2000-12-01)
Cisco SAFE Compliance(1.1b) SAFE: A Security Blueprint for Enterprise Networks SANS Router
Security Policy(3.0.2) The SANS (SysAdmin, Audit, Network, Security) Institute publishes security
policy to help system administrators with rapid development and implementation of information security
policies. Department of Homeland Security (DHS) Compliance(Section 1.1, Page 6 of Version 2.0) This
document is being distributed to provide Department of Homeland Security (DHS) Cisco Router systems
administrators with a clear, concise set of procedures that will ensure a minimum baseline of security
when an existing Cisco Router is being installed or configured. All settings and parameters presented in
this document are the baseline security which all Cisco Router systems must meet. Center for Internet
Security, Benchmark for Cisco PIX/ASA.(Section 1.1.4, Page: 13 of Version 2.0, Nov 2007) CIS
PIX/ASA benchmark recommends the prudent level of minimum due care for operating system security.
CIS PIX/ASA benchmark contains some security configuration recommendations that affect
4-66
OL-25941-01
Chapter 4

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.2.1, Page: 9; Section 1.1.4, Page:15
of Version 2.2, Nov 2007) CIS benchmark Cisco IOS, recommends the prudent level of minimum due
care for operating system security. CIS benchmark IOS, contains some security configuration
recommendations that affect functionality, and are therefore of greatest value to system administrators
who have sufficient security knowledge to apply them with consideration to the functions and
applications running in their particular environments. All IOS devices should implement these settings.
Rule 1
Rule
Passwords should not be shown in clear text in configuration [IOS]

Description
Make sure the passwords are not shown in clear text in the configuration.
Cisco IOS Devices

Impact
When passwords are shown in clear text, anyone who gets hold of a device configuration can access the
router by using the username and password.
Suggested Fix
Encrypt all passwords using the command:

service password-encryption
Rule 2
Rule
Check enable password is configured and uses strong encryption [IOS, PIX, ASA]
Description
Make sure that the enable password is defined and it uses strong encryption.
Cisco IOS Devices

Impact
Access to the privileged EXEC mode (enable mode) should be protected by requiring a password.
Additionally, for Cisco IOS software devices, you can create a strongly encrypted password using the
enable secret command. There are two password protection schemes in Cisco IOS software. Type-7 uses
the Cisco-defined encryption algorithm which is known to the commercial security community to be
weak. Type-5 uses an iterated MD5 hash which is much stronger. Cisco recommends that Type-5
encryption to be used instead of Type-7 where possible. The enable password command uses Type-7
encryption, whereas the enable secret command uses Type-5 encryption.

OL-25941-01
4-67
Chapter 4
Suggested Fix
Use strong encryption to configure enable password using the command:

enable secret [IOS]
enable password [PIX]
Rule 3
Rule
All users must have passwords configured [IOS, PIX, ASA]

Description
Make sure all users have passwords configured.

Cisco IOS Devices

Impact
When users do not have passwords, the device does not ask for password when some one tries to access.
This may lead to an intruder to gain access to the device if they can guess/know the username.
Suggested Fix
Configure passwords for all users using the command:
username <user name> password|secret
Rule 4
Rule
Passwords much be MD5 encrypted [IOS]

Description
Make sure all user Passwords are MD5 encrypted. MD5 is the highest level security provided by Cisco
to store the user passwords. Other methods of password storing (clear text or Cisco proprietary
encoding) are known to be vulnerable for decoding.
Cisco IOS Devices

Impact
User passwords may be decoded and guessed by possible intruder.

Suggested Fix
Encrypt all user passwords with MD5 using the command:

username <user name> secret
4-68
OL-25941-01
Chapter 4

Rule 5
Rule
Check minimum length for user/enable/line passwords [IOS]

Description
The minimum length, in characters, for passwords defined on the device. Specifying a minimum
password length provides enhanced security access to the router by eliminating common passwords that
are prevalent on most networks.

Impact
One method attackers use to crack passwords is to try all possible combinations of characters until the
password is discovered. Longer passwords have exponentially more possible combinations of
characters, making this method of attack much more difficult.
Suggested Fix
Use security passwords min-length command to set the minimum length, in characters, for user/enable
passwords defined on the device. Beware that if you use the security passwords min-length command,
any configured passwords that are less than the specified minimum length will no longer work. Ensure
that the user, enable, secret, and line passwords on the device satisfy the minimum length before using
the command:
security passwords min-length
Rule
Description
Constraints
Minimum length for

passwords should be
atleast
The minimum length, in characters, for passwords

defined on the device.
Required: true
Default: 6
Min Value: 1
Max Value: 16
Rule 6
Rule
Check maximum authentication failure rate [IOS]

Description
The number of times a user can attempt to log into the device before the failure is logged to the syslog
and user access is prohibited for 15 seconds. A device should be configured to lock access after some
predefined number of unsuccessful login attempts whenever possible. One method of cracking
passwords, called the dictionary attack, is to use software that attempts to log in using every word in a
dictionary. This configuration causes access to the router to be locked for a period of 15 seconds after
the predefined unsuccessful login attempts, disabling the dictionary method of attack. In addition to
locking access to the device, this configuration causes a log message to be generated after the predefined
unsuccessful login attempts, warning the administrator of the unsuccessful login attempts.

OL-25941-01
4-69
Chapter 4

Impact
Intruders may make continuous attempts to login into the device.

Suggested Fix
Configure authentication failure rate on the device using the command:

security authentication failure rate
Rule
Description
Constraints
Failure rate threshold

should be at most
The number of times a user can attempt to log into the Required: true
device before the failure is logged to the syslog and Default: 3
user access is prohibited for 15 seconds.
Min Value: 2
Max Value: 1024
Rule 7
Rule
Check unwanted usernames are not configured [IOS, PIX, ASA]

Description
Make sure unwanted usernames are not configured.

Cisco IOS Devices

Impact
This may lead to an intruder to gain access to the device if they can guess/know the username.
Suggested Fix
Delete unwanted username using the command:

no username <user name>
Rule
Description
Constraints
Banned Usernames
Banned usernames to check for.
Required: true
Using Banned Usernames - Editor option, you can

add, update or remove banned username details. You
can also change the order of the banned username
details.
4-70
OL-25941-01
Chapter 4

Rule 8
Rule
Check only one username is configured [IOS, PIX, ASA]

Description
Make sure only one username is configured.

Cisco IOS Devices

Impact
Configuring more than one username may lead to an intruder to gain access to the device if they can
guess/know the username.
Suggested Fix
Delete unwanted username using the command:

no username <user name>
ACL on Interfaces
Description
Policies to make sure the interfaces have required Access Control Lists configured.
Cisco IOS Devices

Rule 1
Rule
Check interfaces have access lists configured [IOS, PIX, ASA]

Description
This rule checks if given interfaces have required ACLs configured and those access lists have valid
configuration.
Cisco IOS Devices

Impact
Interfaces may permit unwanted traffic.

Suggested Fix
Enable Access Control Lists on the interface using the command:

OL-25941-01
4-71
Chapter 4
interface <interface name>

ip access-group <acl number or name> <in|out>
You can add, update or remove the inerface details. You can alsochange the order of the interface details.
Note
Rule
Description
Constraints
Interface Group
Group of interfaces to apply the policy. Example

valid Values: 'Any', 'AnyEthernet', 'FastEthernet',
'GigabitEthernet', 'FastEthernet0/1',
'FastEthernet0/.*' etc.
Required: true
Incoming ACL match

type
ACL Match criterion to enforce for incoming traffic Required: true

on this interface group.
Incoming ACL ID
Incoming ACL ID to be applied on the interface to

filter incoming traffic.
Required: false
Outgoing ACL match

type
ACL Match criterion to enforce for outgoing traffic

Required: true
Outgoing ACL ID
Outgoing ACL ID to be applied on the interface to

filter outgoing traffic.
Required: false
If you select a rule which checks for interface related configuration, compliance check will be done only
for the interfaces which are administratively up and configured with an IP address.

Description
Many administrators configure their routers to filter connections and drop packets using basic and
extended access lists. Access lists provide the administrator with a high degree of precision in selectively
permitting and denying traffic. For example, access lists would allow an administrator to block only
Telnet (TCP port 23) traffic from exiting their network. The fine granuality access lists provide can
impose significant administrative and performance burdens, depending on the network architecture,
router configuration, and traffic load. Backbone routers, in particular, are often too heavily utilized to
permit heavy use of access lists. An alternative to access lists for traffic control is a technique known as
black hole routing, or null routing. Null routing (or black-hole routing) sacrifices the fine selectivity of
access lists, it can be used only to impose a ban on all traffic sharing a specific destination address or
network. There is no simple way to specify which protocols or types of traffic may or may not pass. If
an address or network is null routed, ALL traffic sent to it will immediately be discarded. Because this
type of filtering is done as part of normal routing, it imposes little or no performance burden on normal
packet flow. It is important to note that null routing can only discard traffic based on its addresses
(usually only the destination). This makes it well-suited to mitigating attack situations where 'bad' traffic
into your network is all directed to one or a small number of address ranges. It is also well-suited for
discarding data directed to unassigned or reserved addresses.
Cisco IOS Devices With Static Routing Capability
4-72
OL-25941-01
Chapter 4

References
1.1c)
Rule 1
Rule
Check undesirable packets are directed to NULL interface [IOS]

Description
This rule checks that given ipaddress/mask combinations are black-holed and are routed to null
interfaces. The simple way to configure null routing is to set up a null interface and create a static route
that directs the undesirable packets to it.
Cisco IOS Devices With Static Routing Capability

Impact
Undesired packets will be routed using normal routing table lookup.

Suggested Fix
Configure static routing for these subnets using the commands:

interface <Null interface>
!
ip route <ip address> <network mask> <Null Interface>
You can add, update or remove IP Address and Network Mask details.
Note
Rule
Description
Constraints
IP Address
IP Address of the network to be routed to NULL

interface
Required: true
Network Mask
Network mask of the subnet tht needs to be routed to Required: true

NULL interface.

OL-25941-01
4-73
Chapter 4
SMURF Attack
Description
The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address
with a spoofed source IP address from that subnet.
Cisco IOS Devices

References
4.3.3 Page 91 of Version 1.1c)
1.0)
SAFE: A Security Blueprint for Enterprise Networks SANS Router Security Policy(3.0(3a))
Rule 1
Rule
Check for SMURF attack vulnerablity [IOS].

Description
The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address
with a spoofed source IP address from that subnet.
Cisco IOS Devices

Impact
This attack can lead to Denial of Service(DoS).
4-74
OL-25941-01
Chapter 4

Suggested Fix
Disable directed broadcast on the interfaces. Alternatively, an inbound access-list can be used to deny
any packets destined for broadcast addresses using the command:
no ip directed-broadcast
Traffic Rules
Description
Policies to make sure the interfaces have traffic rules

Cisco IOS Devices

References
Payment Card Industry Data Security Standard(PCI).(1.3, 1.4 of Version 1.0, December 15, 2004)
cardholder data.
Rule 1
Rule
Check interfaces have access lists configured [IOS, PIX, ASA]

Description
This rule checks if given interfaces have required access controls configured.
Cisco IOS Devices

Impact
Interfaces may permit unwanted traffic.

Suggested Fix
Enable Access Control Lists on the interface using the command:

ip access-group <acl number or name> <in|out>

OL-25941-01
4-75
Chapter 4
Rule
Description
Constraints
Interface Group

Required: true
Incoming Traffic Rules
Traffic Match criterion to enforce for incoming

traffic on this interface group.
Required: false
You can add, update or remove Action and IP type of

incoming traffic rules. You can also change the order
of theIncoming Traffic Rule details.
Outgoing Traffic Rules
Traffic Match criterion to enforce for outgoing traffic Required: false

You can add, update or remove Action and IP type of
outgoing traffic rules. You can also change the order
of the Outgoing Traffic Rule details.
Note
Dynamic Trunking Protocols (DTP)

Description
Policy to specify required parameters for Dynamic Trunking Protocol (DTP). DTP is a protocol
exchanged between switches to negotiate the trunking mode on the connected ports. Depending on the
configuration on a neighboring port, the ports on this switch will be placed in either trunking mode or
non-trunking mode dynamically. Cisco switches come up in this dynamic trunking mode by default and
if they become trunk ports, it may cause to trunk all the VLANs, which further makes the management
of VLANs harder.
Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 9.5.2 Page 36 of Version
1.0)
4-76
OL-25941-01
Chapter 4

Rule 1
Rule
Check DTP is disabled. [IOS]

Description
This check will make sure that DTP is disabled on the interfaces so that they are placed permanently in
trunking mode or in non-trunking mode.
Cisco IOS Switches

Impact
A port may use the Dynamic Trunking Protocol (DTP) to automatically negotiate which trunking
protocol it will use, and how the trunking protocol will operate. By default, a Cisco Ethernet port's
default DTP mode is "dynamic desirable", which allows the port to actively attempt to convert the link
into a trunk. Even worse, the member VLANs of the new trunk are all the available VLANs on the
switch. If a neighboring port's DTP mode becomes "trunk", "dynamic auto", or "dynamic desirable", and
if the two switches support a common trunking protocol, then the line will become a trunk automatically,
giving each switch full access to all VLANs on the neighboring switch. An attacker who can exploit DTP
may be able to obtain useful information from these VLANs.
Suggested Fix
Set the port in either permanent trunk mode or permanent non-trunk mode using the command:
switchport mode <access|trunk>

Description
In order to handle congestion, Ethernet ports are capable to respond to a flow control frame from a
remote port and stop transmitting for some time. If a Gigabit Ethernet or 10-Gigabit Ethernet port
receive buffer becomes full, the port transmits an IEEE 802.3Z pause frame that requests remote ports
to delay sending frames for a specified time. All Ethernet ports (10 Gbps, 1 Gbps, 100 Mbps, and 10
Mbps) can receive and respond to IEEE 802.3Z pause frames from other devices.
Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 8 Page 29 of Version 1.0)

OL-25941-01
4-77
Chapter 4
Rule 1
Rule
Check Receive Flow Control [IOS]

Description
This check will ensure that the port is configured with a desired state of flow control in receive direction.
Cisco IOS Switches

Impact
802.3X Flow Control allows receiving ports to pause transmission of packets from the sender during
times of congestion. If this feature is enabled, a pause frame can be received, stopping the transmission
of data packets. Flow Control pause frames could be used in a denial of service attack.
Suggested Fix
Configure receiving of flow control frames on the interface using the command:
[no] flowcontrol receive
You can add, update or remove flow control details. You can also change the order of the flow control
details.
Note
Rule
Description
Constraints
Interface Group

Required: true
Desired state of receive

flow control
10-Gigabit Ethernet port receive buffer becomes full, Required: true

the port transmits an IEEE 802.3Z pause frame that
requests remote ports to delay sending frames for a
specified time. All Ethernet ports (10 Gbps, 1 Gbps,
100 Mbps, and 10 Mbps) can receive and respond to
IEEE 802.3Z pause frames from other devices.
Spanning Tree Protocols (STP)

Description
Spanning Tree Protocol (STP), also known as 802.1d, is a Layer 2 protocol designed to prevent loops
within switched networks. Loops can occur when redundant network paths have been configured to
ensure resiliency. Typically, STP goes through a number of states (e.g., block, listen, learn, and forward)
before a port is able to pass user traffic. This process can take between 30 and 50 seconds. In cases where
4-78
OL-25941-01
Chapter 4

a single host is connected to a port, and there is no chance of a loop being created, the STP Portfast
feature can be utilized to immediately transition the port into a forwarding state. However, it will still
participate in STP calculations and move into a blocked state in the event of a network loop. A
vulnerability associated with STP is that a system within the network can actively modify the STP
topology. There is no authentication that would prevent such an action. The bridge ID, a combination of
a two-byte priority and a six-byte MAC address, determines the root bridge within a network. The lower
the bridge ID, the more likely the switch will be elected as the root bridge. A switch with the lowest
bridge ID can become the root bridge, thereby influencing traffic flows and reducing the efficiency of
the network.
Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 10 Page 38 of Version 1.0)
Rule 1
Rule
Check that BPDU Guard is enabled on all the ACCESS ports [IOS]
Description
This check will make sure the BPDU guard is enabled/disabled on given interfaces as per the policy. The
STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled
with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled will not be allowed to
modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all
network traffic. This feature can be enabled both globally and individually for ports configured with
Portfast. By default, STP BPDU guard is disabled.
Cisco IOS Switches

Impact
A vulnerability associated with STP is that a system within the network can actively modify the STP
the network.
Suggested Fix
Configure BPDU Guard on the ports based on the policy using the command:

OL-25941-01
4-79
Chapter 4
[no] spanning-tree bpduguard
Rule 2
Rule
Check the BPDU State [IOS]

Description
This check will make sure the BPDU guard is enabled/disabled on given interfaces as per the policy. The
STP Portfast BPDU Guard allows network administrators to enforce the STP topology on ports enabled
with Portfast. Systems attached to ports with the Portfast BPDU Guard enabled will not be allowed to
modify the STP topology. Upon reception of a BPDU message, the port is disabled and stops passing all
network traffic. This feature can be enabled both globally and individually for ports configured with
Portfast. By default, STP BPDU guard is disabled.
Cisco IOS Switches

Impact
the network.
Suggested Fix
Configure BPDU Guard on the ports based on the policy using the command:
[no] spanning-tree bpduguard
You can add, update or remove BPDU State details. You can also change the order of the BPDU State
details.
Rule
Description
Constraints
Interface Group

Required: true
Desired state of BPDU

Guard
the administrator must manually put the Layer 2 LAN Required: true
interface back in service. BPDU Guard can be
configured at the interface level. When configured at
the interface level, BPDU Guard shuts the port down
as soon as the port receives a BPDU, regardless of the
PortFast configuration.
4-80
OL-25941-01
Chapter 4

Rule 3
Rule
Check that Root Guard State is enabled on all the ACCESS ports [IOS]
Description
This check will make sure the interface is configured with a proper root guard state. The STP Root Guard
feature is a mechanism used to protect the STP topology. Unlike the BPDU Guard, STP Root Guard
allows participation in STP as long as the attached system does not attempt to become the root. If the
Root Guard is activated, then the port recovers automatically after it quits receiving the superior BPDUs
that would make it the root. Root Guard can be applied to one or more ports on edge switches and on
internal switches on a network. In general, apply this feature to those ports on each switch that should
not become the root.
Cisco IOS Switches

Impact
the network.
Suggested Fix
Configure root Guard on the ports based on the policy using the command:
[no] spanning-tree guard root
Rule 4
Rule
Check the Root Guard State [IOS]

Description
This check will make sure the interface is configured with a proper root guard state. The STP Root Guard
feature is a mechanism used to protect the STP topology. Unlike the BPDU Guard, STP Root Guard
allows participation in STP as long as the attached system does not attempt to become the root. If the
Root Guard is activated, then the port recovers automatically after it quits receiving the superior BPDUs
that would make it the root. Root Guard can be applied to one or more ports on edge switches and on
internal switches on a network. In general, apply this feature to those ports on each switch that should
not become the root.
Cisco IOS Switches

OL-25941-01
4-81
Chapter 4
Impact
the network.
Suggested Fix
Configure root Guard on the ports based on the policy using the command:
[no] spanning-tree guard root
You can add, update or remove Root Guard State details. You can also change the order of the Root
Guard State details.
Rule
Description
Constraints
Interface Group

Required: true
Desired state of STP Root NOTE: Enabling root Guard functionality on a port Required: true
Guard
may disable that port as soon as it receives a superior
BPDU message. The STP root guard feature prevents
a port from becoming root port or blocked port. If a
port configured for root guard receives a superior
BPDU, the port immediately goes to the
root-inconsistent (blocked) state.
Note

Description
The Cisco-proprietary UDLD protocol allows devices connected through fiber-optic or copper (for
example, Category 5 cabling) Ethernet cables connected to LAN ports to monitor the physical
configuration of the cables and detect when a unidirectional link exists. When a unidirectional link is
detected, UDLD shuts down the affected LAN port and alerts the user. Unidirectional links can cause a
variety of problems, including spanning tree topology loops. A unidirectional link occurs whenever
traffic transmitted by the local device over a link is received by the neighbor but traffic transmitted from
the neighbor is not received by the local device. If one of the fiber strands in a pair is disconnected, as
long as autonegotiation is active, the link does not stay up. In this case, the logical link is undetermined,
and UDLD does not take any action. If both fibers are working normally at Layer 1, then UDLD at Layer
2 determines whether those fibers are connected correctly and whether traffic is flowing bidirectionally
between the correct neighbors.
4-82
OL-25941-01
Chapter 4

Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 8 Page 29, 30 of Version
1.0)
Rule 1
Rule
Check UDLD state on all fiber-optic interfaces [IOS]

Description
This check will make sure UDLD state on the fiber-optic interfaces is configured as per the policy.
Cisco IOS Switches

Impact
Directly connected switches running the Unidirectional Link Detection (UDLD) protocol can determine
if a unidirectional link exists between them. If one is detected, then the link is shutdown until manually
restored. UDLD messages could be used in a denial of service attack.
Suggested Fix
configure UDLD on the interface or globally using the command:

[no] udld enable interface <interface name>
[no] udld port
Rule
Description
Constraints
Desired state of UDLD
Desired state of UDLD configuration.
Required: true
Default: false
Rule 2
Rule
Check UDLD state on all copper interfaces [IOS]

Description
This check will make sure UDLD state on the copper interfaces is configured as per the policy.

OL-25941-01
4-83
Chapter 4
Cisco IOS Switches

Impact
Suggested Fix
configure UDLD on the interface or globally using the command:

[no] udld port
Rule
Description
Constraints
Desired state of UDLD
Desired state of UDLD configuration.
Required: true
Default: false
Rule 3
Rule
Check UDLD state on specific interfaces [IOS]

Description
This check will make sure UDLD state on given interfaces is configured as per the policy.
Cisco IOS Switches

Impact
Suggested Fix
Configure UDLD on the interface or globally using the command:

[no] udld port
You can add, update or remove UDLD state details. You can also change the order of the UDLD state
details.
4-84
OL-25941-01
Chapter 4

Rule
Description
Constraints
Interface Group

Required: true
Desired state of STP Root Desired state of UDLD configuration.

Guard
Note
Required: true
VLAN 1
Description
Policy to specify whether to use VLAN 1 on switches. Cisco switches use VLAN 1 as the default VLAN
to assign to their ports, including their management ports. Additionally, Layer 2 protocols, such as CDP
and VTP, need to be sent on a specific VLAN on trunk links, so VLAN 1 was selected. In some cases,
VLAN 1 may span the entire network if not appropriately pruned. It also provides attackers easier access
and extended reach for their attacks.
Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 9.2 Page 32 of Version 1.0)

OL-25941-01
4-85
Chapter 4
Rule 1
Rule
Check to make sure VLAN 1 is not used on any access interface [IOS]
Description
This check makes sure none of the interfaces on the switch use VLAN 1 in either ACCESS mode or trunk
mode. It also makes sure the VLAN 1 is not used as a native VLAN for the trunk ports.
Cisco IOS Switches

Impact
Suggested Fix
Do not use VLAN 1 for either out-of-band management or in-band management. To provide
network-based, out-of-band management, dedicate a physical switch port and VLAN on each switch for
management use. Create a Switch Virtual Interface (SVI) Layer Three interface for that VLAN, and
connect the VLAN to a dedicated switch and communications path back to the management hosts. Do
not allow the operational VLANs access to the management VLAN. Also, do not trunk the management
VLAN off the switch. Remove the access to VLAN1 using the command:
switchport access vlan <any vlan other than 1>
Rule 2
Rule
Check to make sure VLAN 1 is not allowed on any trunk interface [IOS]
Description
Cisco IOS Switches

Impact
Suggested Fix
4-86
OL-25941-01
Chapter 4

VLAN off the switch. Remove the VLAN1 from the trunks using the command:
switchport trunk allowed vlan remove 1
Rule 3
Rule
Check to make sure VLAN 1 is not allowed on any trunk interface as a native VLAN [IOS]
Description
Cisco IOS Switches

Impact
Suggested Fix
VLAN off the switch. Remove the VLAN1 from the trunks as a native VLAN using the command:
switchport trunk allowed vlan remove 1
Rule 4
Rule
Check to make sure VLAN 1 is not configured as a voice vlan on any interface [IOS]
Description
Cisco IOS Switches

Impact

OL-25941-01
4-87
Chapter 4
Suggested Fix
VLAN off the switch. Change the voice VLAN to something other than 1 using the command:
switchport voice vlan <any vlan other than 1>
VLAN Trunking Protocols (VTP)

Description
Policy to specify required parameters for VTP

Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide(Section 9.4.2 Page 35 of Version
1.0)
Rule 1
Rule
Check VTP Mode [IOS]

Description
A switch may be in one of three VTP modes: server, transparent and client. Set the VTP mode to desired
state.
Cisco IOS Switches

Impact
Even though VTP simplifies VLAN configuration where large number of VLANs are configured, it may
cause some un-authorized switch to become a server and publish a wrong VLAN database.
Suggested Fix
Set the VTP mode to desired value using the command:

vtp mode
4-88
OL-25941-01
Chapter 4

Rule
Description
Constraints
Desired Mode of VTP
VTP can operate in different modes. Server-In VTP Required: true

server mode, you can create, modify, and delete
VLANs and specify other configuration parameters
(such as VTP version and VTP pruning) for the entire
VTP domain. VTP servers advertise their VLAN
configuration to other network devices in the same
VTP domain and synchronize their VLAN
configuration with other network devices based on
advertisements received over trunk links. VTP server
is the default mode. Client?VTP clients behave the
same way as VTP servers, but you cannot create,
change, or delete VLANs on a VTP client.
Transparent?VTP transparent network devices do not
participate in VTP. A VTP transparent network
device does not advertise its VLAN configuration
and does not synchronize its VLAN configuration
based on received advertisements. However, in VTP
version 2, transparent network devices do forward
VTP advertisements that they receive out their
trunking LAN ports.
Rule 2
Rule
Check VTP Pruning State [IOS]

Description
Enable or Disable VTP pruning for VTP servers based on the desired policy.
Cisco IOS Switches

Impact
None
Suggested Fix
Configure VTP pruning for VTP servers using the command:

[no] vtp pruning
Rule
Description
Constraints
Desired State of VTP

Pruning
Desired state of VTP Pruning
Required: true
Default: false

OL-25941-01
4-89
Chapter 4
Rule 3
Rule
Make sure VTP Domain name is configured [IOS]

Description
This check will make sure VTP domain is configured. By default, all the switches respond to all the VTP
messages in the network. By configuring VTP domains, it can be avoided to have mis-configured switch
to overwrite the network's VLAN database.
Cisco IOS Switches
Impact
A mis-configured switch that is added to the network can result in overwriting the VLAN database.
Suggested Fix
Configure a pre-defined domain name on all the VTP enabled switches using the command:
[no] vtp domain
Rule 4
Rule
Make sure Desired VTP Domain name is configured [IOS]

Description
This check will make sure VTP domain is configured. By default, all the switches respond to all the VTP
messages in the network. By configuring VTP domains, it can be avoided to have mis-configured switch
to overwrite the network's VLAN database.
Cisco IOS Switches

Impact
A mis-configured switch that is added to the network can result in overwriting the VLAN database.
Suggested Fix
Configure a pre-defined domain name on all the VTP enabled switches using the command:
vtp domain
Rule
Description
Constraints
Domain Name
Desired VLAN domain name. All the switches within Required: true
a VLAN domain that want to share VLAN database
should be configured with the same domain name.
4-90
OL-25941-01
Chapter 4

Remote Commands
Description
remote Commands
Cisco IOS Devices

References
Cisco SAFE Compliance

Rule 1
Rule
Remote copy (RCP) service should be [IOS]

Description
Enforce whether RCP service should be enabled or not

Cisco IOS Devices

Impact
None
Suggested Fix
Configure RCP service using the command:

no ip rcmd rcp-enable
Rule
Description
Constraints
Status
Remote Copy Service Status
Required: true
Default: false
Rule 2
Rule
Remote Shell (RSH) service should be [IOS]

Description
Remote Shell (RSH) service.

OL-25941-01
4-91
Chapter 4
Cisco IOS Devices

Impact
None
Suggested Fix
Configure RSH service using the command:

no ip rcmd rsh-enable
Rule
Description
Constraints
Status
Remote Shell Service Status
Required: true
Default: false
AAA
Description
By using AAA along with security server, you can control access to routers and other network services
from a centralized location. This allows for easier management of user accounts and privileges and
provides additional capabilities for auditing of network service usage.
Cisco IOS Devices

References

Payment Card Industry Data Security Standard(PCI).(8.3, 8.5 of Version 1.1, September, 2006)
cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.1.5 Page 59, Section 4.6
Page 175,176, Section 4.6.2 Page 182, 185 of Version 1.1c)
SANS Router Security Policy(Section 3.0(1))
1.0)
4-92
OL-25941-01
Chapter 4

Control Objectives for Information and Related Technology(PO4, DS5 of 4.0)
Health Insurance Portability and Accountability Act.(164.308(a)(4)(ii), 164.312(a)(1), 164.312(d))
presented in this document are the baseline security which all Cisco Router systems must meet. Center
for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.1, Page: 6 of Version 2.2, Nov 2007) CIS
benchmark Cisco IOS, recommends the prudent level of minimum due care for operating system
Rule 1
Rule
AAA service should be enabled [IOS]

Description
provides additional capabilities for auditing of network service usage
Cisco IOS Devices

Impact
No known impact

OL-25941-01
4-93
Chapter 4
Suggested Fix
Enable AAA configuration using the command:

aaa new-model
Rule 2
Rule
Minimum Number of Radius Servers Configured Globally [IOS]

Description
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Configure required RADIUS servers using the command:

radius-server host <host name>
Rule
Description
Minimum Radius Servers Number of minimum Desired Radius Servers to be

Configured Gloabally
configured globally.
Constraints
Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Minimum Number of TACACS+ Servers Configured Globally [IOS]

Description
Cisco IOS Devices
4-94
OL-25941-01
Chapter 4

Impact
No known impact.
Suggested Fix
Configure required TACACS servers using the command:

tacacs-server host <host name>
Rule
Description
Constraints
Minimum TACACS+
Servers Configured
Globally
Number of minimum Desired TACACS+ Servers to

be configured globally.
Required: true
Min Value: 1
Max Value:
2147483647
Rule 4
Rule
Radius Servers should be authenticated [IOS]

Description
This rule checks to make sure all the radius-servers configured on the router are configured with a shared
key. This rule does not check to see if each radius-server is actually used in AAA or not. A RADIUS
server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the
RADIUS server daemon and a secret text (key) string that it shares with the router.
Cisco IOS Devices

Impact
Communication between RADIUS server and the device are sent in plain text.
Suggested Fix
Configure RADIUS key using the commands:

radius-server key <password>
radius-server <host name> key <Key Name>
Rule 5
Rule
TACACS Servers should be authenticated [IOS]

OL-25941-01
4-95
Chapter 4
Description
This rule checks to make sure all the tacacs-servers configured on the router are configured with a shared
key. This rule does not check to see if each tacacs-server is actually used in AAA or not. A TACACS+
server and a Cisco router use a shared secret text string to encrypt passwords and exchange responses.
To configure TACACS+ to use the AAA security commands, you must specify the host running the
TACACS+ server daemon and a secret text (key) string that it shares with the router.
Cisco IOS Devices

Impact
Communication between TACACS+ server and the device are sent in plain text.
Suggested Fix
Configure TACACS+ key using the commands:

tacacs-server key <password>
tacacs-server <host name> key <Key Name>

Description
Accounting enables you to track the services users are accessing as well as the amount of network
resources they are consuming. When AAA accounting is activated, the network access server reports
user activity to the RADIUS or TACACS+ security server (depending on which security method you
have implemented) in the form of accounting records. Each accounting record is comprised of
accounting AV pairs and is stored on the access control server. This data can then be analyzed for
network management, client billing, and/or auditing. All accounting methods must be defined through
AAA. As with authentication and authorization, you configure AAA accounting by defining a named list
of accounting methods, and then applying that list to various interfaces.
Commands accounting runs accounting for all commands at the specified privilege level. Valid privilege
level entries are integers from 0 through 15.
Cisco IOS Devices

References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.6, Page 178 of Version
1.1c)
1.0)
4-96
OL-25941-01
Chapter 4

Center for Internet Security, Benchmark for Cisco IOS.(Section 2.1.1.3,Page:36 of Version 2.2, Nov
2007)
Rule 1
Rule
Minimum Number of TACACS + Server to be used for Comands Accounting [IOS]

Description
Cisco IOS Devices

Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Commands accounting methods which are used in the line
configuration using the commands:
aaa new-model
aaa group server tacacs+
server <Hostname or A.B.C.D IP address of server >
!
tacacs-server host <Hostname or A.B.C.D IP address of TACACS server >
aaa accounting commands
line vty 0 15
accounting commands

OL-25941-01
4-97
Chapter 4
Rule
Description
Constraints
No. of Minimum Desired Number of minimum Desired TACACS+ Servers to Required: true
TACACS + Server
be configured to use for accounting.
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Commands Accounting should include required TACACS + Server [[IOS]

Description
This rule checks that required TACACS+ servers are used for Commands Accounting using AAA.
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Commands accounting methods which are used in the line
aaa new-model
!
aaa accounting commands
line vty 0 15
accounting commands
Rule
Description
Constraints
Included TACACS +
server
List of TACACS+ servers that a device should be

configured to use.
Required: true
Using TACACS+ Server Editor option, you can add,

remove or update TACACS+ Server details. You can
also change the order of the server details.
4-98
OL-25941-01
Chapter 4


Description
Connection accounting provides information about all outbound connections made from the network
access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler
(PAD), and rlogin.
Cisco IOS Devices

References

1.1c)
1.0)
2007)

OL-25941-01
4-99
Chapter 4
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for Connection Accounting [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for Connection Accounting
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA Connection accounting methods which are used in the line
aaa new-model
aaa group server radius
server <Hostname or A.B.C.D IP address of server>
!
radius-server host <Hostname or A.B.C.D IP address of RADIUS server >
aaa accounting connection
line vty 0 15
accounting connection
Rule
Description
Constraints
Number of Minimum
Number of minimum Desired RADIUS Servers to be Required: true
Desired RADIUS Servers configured to use for accounting.
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for Connection Accounting [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for Connection Accounting
Cisco IOS Devices
No known impact.
4-100
OL-25941-01
Chapter 4

Suggested Fix
Include TACACS+ servers in AAA Connection accounting methods which are used in the line
aaa new-model
!
line vty 0 15
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Connection Accounting should include required RADIUS Servers [IOS]

Description
This rule checks that connection Accounting should include required RADIUS Servers
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA Connection accounting methods which are used in the line
aaa new-model
!
line vty 0 15

OL-25941-01
4-101
Chapter 4
Rule
Description
Constraints
Included RADIUS
Servers
List of RADIUS servers that a device should be

configured to use.
Required: true
Using RADIUS Server Editor option, you can add,

remove or update RADIUS Server details. You can
Rule 4
Rule
Connection Accounting should include required TACACS+ Servers [IOS]

Description
This rule checks that connection Accounting should include required TACACS+ Servers
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Connection accounting methods which are used in the line
aaa new-model
!
line vty 0 15
Rule
Description
Constraints
Include TACACS+
Servers

configured to use.
Required: true

4-102
OL-25941-01
Chapter 4


Description
EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network
access server, including username, date, start and stop times, the access server IP address, and (for
dial-in users) the telephone number the call originated from.
Cisco IOS Devices

References

1.1c)
1.0)
2007)

OL-25941-01
4-103
Chapter 4
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for EXEC Accounting [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for EXEC Accounting
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA EXEC accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting exec
line vty 0 15
accounting exec
Rule
Description
Constraints
Number of Minimum
Desired RADIUS
Servers

configured to use for accounting.
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for EXEC Accounting [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for EXEC Accounting
Cisco IOS Devices
Impact
No known impact.
4-104
OL-25941-01
Chapter 4

Suggested Fix
Include TACACS+ servers in AAA EXEC accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting exec
line vty 0 15
accounting exec
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

Required: true
Min Value: 1
Rule 3
Rule
EXEC Accounting should include required RADIUS Servers [IOS]

Description
This rule checks that EXEC Accounting should include required RADIUS Servers
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA EXEC accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting exec
line vty 0 15
accounting exec

OL-25941-01
4-105
Chapter 4
Rule
Description
Constraints
Include RADIUS Servers

configured to use.
Required: true

Rule 4
Rule
EXEC Accounting should include required TACACS+ Servers [IOS]

Description
This rule checks that EXEC Accounting should include required TACACS+ Servers
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA EXEC accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting exec
line vty 0 15
accounting exec
Rule
Description
Constraints
Include TACACS+
Servers

configured to use.
Required: true

4-106
OL-25941-01
Chapter 4


Description
Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and
byte counts.
Cisco IOS Devices

References

1.1c)
1.0)
2007)

OL-25941-01
4-107
Chapter 4
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for Network Accounting [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for Network Accounting
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA network accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting network
line vty 0 15
accounting network
Rule
Description
Constraints
Number of Minimum
Desired RADIUS Servers configured to use for accounting
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for Network Accounting [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for Network Accounting
Cisco IOS Devices
Impact
No known impact
4-108
OL-25941-01
Chapter 4

Suggested Fix
Include TACACS+ servers in AAA network accounting methods which are used in the line configuration
aaa new-model
!
tacacs-server host <Hostname or A.B.C.D IP address of RADIUS server >
line vty 0 15
accounting network
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

be configured to use for accounting
Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Network Accounting should include required RADIUS Servers [IOS]

Description
This rule checks that network Accounting should include required RADIUS Servers
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA network accounting methods which are used in the line configuration
aaa new-model
!
line vty 0 15
accounting network

OL-25941-01
4-109
Chapter 4
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

Rule 4
Rule
Network Accounting should include required TACACS+ Servers [IOS]

Description
This rule checks that network Accounting should include required TACACS+ Servers
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA network accounting methods which are used in the line configuration
aaa new-model
!
line vty 0 15
accounting network
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true

4-110
OL-25941-01
Chapter 4


Description
System accounting provides information about all system-level events (for example, when the system
reboots or when accounting is turned on or off).
Cisco IOS Devices

References

1.1c)
1.0)
2007)

OL-25941-01
4-111
Chapter 4
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for System Accounting [IOS]

Description
This rule checks minimum Number of RADIUS Servers to be used for System Accounting
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA system accounting methods which are used in the line configuration
aaa new-model
!
aaa accounting system
line vty 0 15
accounting system
Rule
Description
Constraints
Number of Minimum
Desired RADIUS Servers configured to use for accounting
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for System Accounting IOS]

Description
This rule checks minimum Number of TACACS+ Servers to be used for System Accounting
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA system accounting methods which are used in the line configuration
4-112
OL-25941-01
Chapter 4

aaa new-model
!
line vty 0 15
accounting system
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
System Accounting should include required RADIUS Servers [IOS]

Description
This rule checks that system Accounting should include required RADIUS Servers
Cisco IOS Devices
Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA system accounting methods which are used in the line configuration
aaa new-model
!
line vty 0 15
accounting system

OL-25941-01
4-113
Chapter 4
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

Rule 4
Rule
System Accounting should include required TACACS+ Servers [[IOS]

Description
This rule checks that system Accounting should include required TACACS+ Servers
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA system accounting methods which are used in the line configuration
aaa new-model
!
line vty 0 15
accounting system
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true

4-114
OL-25941-01
Chapter 4


Description
provides additional capabilities for auditing of network service usage. Enable authentication specifies a
series of authentication methods that are used to determine whether a user can access the privileged
EXEC command level.
Cisco IOS Devices

References

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.3, Page: 7; Section 2.1.1.1,Page:35
of Version 2.2, Nov 2007)
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for Enable Authentication [IOS]

Description
This rule checks minimum Number of RADIUS Servers to be used for Enable Authentication
Cisco IOS Devices
Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA Enable Authentication methods using the commands
aaa new-model
!
aaa authentication enable

OL-25941-01
4-115
Chapter 4
Rule
Description
Constraints
Number of Minimum
Desired RADIUS Servers configured to use for Authentication
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for Enable Authentication [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for Enable Authentication
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Enable Authentication methods using the commands
aaa new-model
!
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers
Number of minimum Desired TACACS+ Servers to Required: true

be configured to use for Authentication
Min Value: 1
Max Value:
2147483647
4-116
OL-25941-01
Chapter 4

Rule 3
Rule
Enable Authentication should include required RADIUS Servers [IOS]

Description
This rule checks that enable Authentication should include required RADIUS Servers
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA Enable Authentication methods using the commands
aaa new-model
!
Rule
Description
Included RADIUS
Servers

configured to use.
Constraints
Required: true

Rule 4
Rule
Enable Authentication should include required TACACS+ Servers [IOS]

Description
This rule checks that enable Authentication should include required RADIUS Servers
Cisco IOS Devices

Impact
No known impact

OL-25941-01
4-117
Chapter 4
Suggested Fix
Include TATACS+ servers in AAA Enable Authentication methods using the commands
aaa new-model
!
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true

Rule 5
Rule
Check for Usage of none in Enable Authentication

Description
This rule checks for usage of "none" in Enable Authentication

Cisco IOS Devices

Impact
If none keyword is used at the end of an AAA Method, authentication is granted if none of the other
authentication methods are available. In this case, users are able to pass authentication even without any
credentials under circumstances where there are no AAA servers are available. If this none keyword is
not used, then it is possible to be locked out of the device when none of the AAA servers are avaialble.
Suggested Fix
Add/remove the none keyword as per the requirement using the command:
aaa new-model
aaa authentication enable [none]
Rule
Description
Constraints
Usage of none for

method
Desired usage of "none" key word in the methods. If Required: true

this keyword is used, authentication is successfull if Default: false
none of the previous methods are available.
4-118
OL-25941-01
Chapter 4


Description
provides additional capabilities for auditing of network service usage. Login authentication specifies a
series of authentication methods that are used to determine whether a user can access network device.
Cisco IOS Devices

References

Payment Card Industry Data Security Standard(PCI).(8.3, 8.5 of Version 1.1, September, 2006)
cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.1.5 Page 59, Section 4.6
Page 175,176, Section 4.6.2 Page 182, 185 of Version 1.1c)
SANS Router Security Policy(Section 3.0(1))
1.0)

OL-25941-01
4-119
Chapter 4
Health Insurance Portability and Accountability Act.(164.308(a)(4)(ii), 164.312(a)(1), 164.312(d))

Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.1.2, Page: 7;Section 2.1.1.2,Page:36
of Version 2.2, Nov 2007)
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for User Authentication [IOS]

Description
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA login authentication methods which are used in the line configuration
using the commands:
aaa new-model
!
4-120
OL-25941-01
Chapter 4


aaa authentication login
line vty 0 15
Rule
Description
Number of Minimum
Number of minimum Desired Radius Servers to be
Desired RADIUS Servers configured to use for authentication.
Constraints
Required: true
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for User Authentication [IOS]

Description
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA login authentication methods which are used in the line
aaa new-model
!
line vty 0 15

OL-25941-01
4-121
Chapter 4
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers
Number of minimum Desired TACACS+ Servers to Required: true

be configured to use for authentication.
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Authentication method should not contain noneat the end [IOS]

Description
AAA authentication login method should not contain none at the end.
Cisco IOS Devices

Impact
User may be able to login into the device without proper user name and password under situation when
other authentication methods are not available for whatever reason
Suggested Fix
Remove none keyword at the end of authentication method in the command:

aaa new-model
aaa authentication login [none]
Rule 4
Rule
Login authentication should use external AAA server IOS]

Description
Cisco IOS Devices

Impact
No known impact
4-122
OL-25941-01
Chapter 4

Suggested Fix
Include RADIUS or TACACS+ servers in AAA login authentication methods which are used in the line
aaa new-model
aaa group server <tacacs+|radius>
line vty 0 15
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: false

Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: false

Rule 5
Rule
All authentication methods should ask Username and Password [IOS]

Description
It is always important to choose the right order for the methods on a method list for 'AAA authentication'.
For AAA login authentication, the first method on the list determines whether the user will be prompted
for a username. Methods requiring only a password (e.g. the line method) should never be placed ahead
of methods requiring a both username and password, because the user will never be prompted for a
username and the mechanism will always fail.
Cisco IOS Devices

Impact
If the authentication method does not ask for username and password, all subsequent authentication
methods in the list will fail.

OL-25941-01
4-123
Chapter 4
Suggested Fix
Re-arrange the order of aaa authentication methods so that enable and line are always at the end in the
command:
aaa new-model
Rule 6
Rule
At least one local username should be defined if local or local-case is used in AAA Authentication
login methods [IOS]
Description
AAA authentication login method local uses local username database to authenticate users. If there is no
username configured in the database, using local is not useful.
Cisco IOS Devices

Impact
none
Suggested Fix
Add some users to the local username database using the command:
username <user name>
Rule 7
Rule
AAA Authentication login methods should include local or local-case [IOS]

Description
AAA authentication login methods should include local or local-case. Including local or local-case on
your method list will guarantee that if the security server(s) is not available, administrators will still be
able to gain remote access by using a username and password defined locally on the router.
Cisco IOS Devices

Impact
If all the security servers are down and can not authenticate users, there will be no way to gain access to
the router
4-124
OL-25941-01
Chapter 4

Suggested Fix
Add local username database as an authentication mechanism using the command:

aaa new-model
aaa authentication login <list of groups> local

Description
AAA authorization enables you to limit the services available to a user. When AAA authorization is
enabled, the network access server uses information retrieved from the user's profile, which is located
either in the local user database or on the security server, to configure the user's session. Once this is
done, the user will be granted access to a requested service only if the information in the user profile
allows it. Commands authorization applies to the EXEC mode commands a user issues. Command
authorization attempts authorization for all EXEC mode commands, including global configuration
commands, associated with a specific privilege level.
Cisco IOS Devices

References

1.1c)
1.0)
Health Insurance Portability and Accountability Act.(164.308(a)(3)(ii))

OL-25941-01
4-125
Chapter 4
Rule 1
Rule
Minimum Number of TACACS+ Servers to be used for Commands Authorization [IOS]

Description
This rule checks that minimum number of TACACS+ Servers are used for Commands Authorization
using AAA
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA Commands Authorization methods which are used in the line
aaa new-model
!
aaa authorization commands
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

be configured to use for authorization.
Required: true
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Commands Authorization should include Required TACACS+ Servers [IOS]

Description
This rule checks that required TACACS+ Servers are used for Commands Authorization using AAA
Cisco IOS Devices

Impact
No known impact.
4-126
OL-25941-01
Chapter 4

Suggested Fix
Include TACACS+ servers in AAA Commands Authorization methods which are used in the line
aaa new-model
!
aaa authorization commands
line vty 0 15
authorization commands
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true


Description
allows it. Configuration authorization applies to downloading configurations from the AAA server.
Cisco IOS Devices

References

1.1c)

OL-25941-01
4-127
Chapter 4
1.0)
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for Configuration Authorization [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for Configuration Authorization
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include RADIUS servers in AAA Configuration Authorization methods which are used in the line
aaa new-model aaa group server radius
!
aaa authorization configuration
line vty 0 15
authorization configuration
Rule
Description
Constraints
Number of Minimum
Desired RADIUS Servers configured to use for authorization.
Min Value: 1
Max Value:
2147483647
4-128
OL-25941-01
Chapter 4

Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for Configuration Authorization [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for Configuration
Authorization
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Configuration Authorization methods which are used in the line
aaa new-model
!
line vty 0 15
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Configuration Authorization should include required RADIUS Servers [IOS]

Description
This rule checks that configuration Authorization should include required RADIUS Servers
Cisco IOS Devices

OL-25941-01
4-129
Chapter 4
Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA Configuration Authorization methods which are used in the line
aaa new-model
!
line vty 0 15
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

Rule 4
Rule
Configuration Authorization should include required TACACS+ Servers [IOS]

Description
This rule checks that configuration Authorization should include required TACACS+ Servers
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA Configuration Authorization methods which are used in the line
aaa new-model
4-130
OL-25941-01
Chapter 4

!
line vty 0 15
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true


Description
allows it. EXEC authorization applies to the attributes associated with a user EXEC terminal session.
Cisco IOS Devices

References

1.1c)
1.0)

OL-25941-01
4-131
Chapter 4
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for EXEC Authorization [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for EXEC Authorization
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA EXEC Authorization methods which are used in the line configuration
using the commands:
aaa new-model
!
aaa authorization exec
line vty 0 15
authorization exec
Rule
Description
Constraints
Number of Minimum
Desired RADIUS Servers configured to use for authorization.
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for EXEC Authorization [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for EXEC Authorization
Cisco IOS Devices
4-132
OL-25941-01
Chapter 4

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA EXEC Authorization methods which are used in the line
aaa new-model
!
line vty 0 15
authorization exec
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
EXEC Authorization should include required RADIUS Servers [IOS]

Description
This rule checks that EXEC Authorization should include required RADIUS Servers
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA EXEC Authorization methods which are used in the line configuration
using the commands:
aaa new-model aaa group server radius
!

OL-25941-01
4-133
Chapter 4
line vty 0 15
authorization exec
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

Rule 4
Rule
EXEC Authorization should include required TACACS+ Servers [IOS]

Description
This rule checks that EXEC Authorization should include required TACACS+ Servers
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA EXEC Authorization methods which are used in the line
aaa new-model
!
line vty 0 15
authorization exec
Rule
Description
Constraints
Included TACACS+
Servers

configured to use.
Required: true

4-134
OL-25941-01
Chapter 4


Description
allows it. Network authorization applies to network connections. This can include a PPP, SLIP, or ARAP
connection.
Cisco IOS Devices

References

1.1c)
1.0)
Rule 1
Rule
Minimum Number of RADIUS Servers to be used for Network Authorization [IOS]

Description
This rule checks that minimum Number of RADIUS Servers to be used for Network Authorization
Cisco IOS Devices

Impact
No known impact.

OL-25941-01
4-135
Chapter 4
Suggested Fix
Include RADIUS servers in AAA Network Authorization methods which are used in the line
aaa new-model
!
aaa authorization network
line vty 0 15
authorization network
Rule
Description
Number of Minimum
Desired RADIUS Servers be configured to use for authorization.
Constraints
Required: true
Min Value: 1
Max Value:
2147483647
Rule 2
Rule
Minimum Number of TACACS+ Servers to be used for Network Authorization [IOS]

Description
This rule checks that minimum Number of TACACS+ Servers to be used for Network Authorization
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include TACACS+ servers in AAA Network Authorization methods which are used in the line
aaa new-model
!
4-136
OL-25941-01
Chapter 4


line vty 0 15
Rule
Description
Constraints
Number of Minimum
Desired TACACS+
Servers

be configured to use for authorization
Required: true
Min Value: 1
Max Value:
2147483647
Rule 3
Rule
Network Authorization should include required RADIUS Servers [IOS]

Description
This rule checks that network Authorization should include required RADIUS Servers
Cisco IOS Devices

Impact
No known impact.
Suggested Fix
Include RADIUS servers in AAA Network Authorization methods which are used in the line
aaa new-model
!
aaa authorization
network line vty 0 15

OL-25941-01
4-137
Chapter 4
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

Rule 4
Rule
Network Authorization should include required TACACS+ Servers [IOS]

Description
This rule checks that network Authorization should include required TACACS+ Servers
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Include TACACS+ servers in AAA Network Authorization methods which are used in the line
aaa new-model
!
line vty 0 15
Rule
Description
Constraints
Included RADIUS
Servers

configured to use.
Required: true

4-138
OL-25941-01
Chapter 4


Description
Policies related to Control Plane Policing. Control Plane Policing (CoPP) is a Cisco IOS feature that you
can employ to counter resource starvation-based DoS attacks that target the central processor of a router
(control plane and management plane). CPP protects the central processor via policies that filter or rate
limit traffic directed to the processor. The Control Plane Policing feature allows users to configure a
quality of service (QoS) filter that manages the traffic flow of control plane packets to protect the control
plane of Cisco IOS routers and switches against reconnaissance and denial-of-service (DoS) attacks. In
this way, the control plane (CP) can help maintain packet forwarding and protocol states despite an
attack or heavy traffic load on the router or switch.
Cisco IOS Devices With CoPP Capability

References
1.1c)
Rule 1
Rule
Check input Control Plane Policy is configured [IOS]

Description
This rule checks to make sure that a Control Plane Policy is configured in input direction. The Control
Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic
flow of control plane packets to protect the control plane of Cisco IOS routers and switches against
reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help
maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or
switch.

Impact
There is no classification of the data that needs to be handled by the device's central processor, and hence
is not protected from various DDoS attacks

OL-25941-01
4-139
Chapter 4
Suggested Fix
Configure Control Plane Policing using the commands

control-plane
service-policy input <policy name>
exit
Rule
Description
Constraints
Name of desired input

policy
Desired input policy Name (Leave this blank if you

dont want to check any specific policy name)
Required: false
Rule 2
Rule
Check output Control Plane Policy is configured [IOS]

Description
This rule checks to make sure that a Control Plane Policy is configured in output direction. The Control
Plane Policing feature allows users to configure a quality of service (QoS) filter that manages the traffic
flow of control plane packets to protect the control plane of Cisco IOS routers and switches against
reconnaissance and denial-of-service (DoS) attacks. In this way, the control plane (CP) can help
maintain packet forwarding and protocol states despite an attack or heavy traffic load on the router or
switch.

Impact
There is no classification of the data that needs to be handled by the device's central processor, and hence
is is not protected from various DDoS attacks
Suggested Fix
Configure Control Plane Policing using the commands

control-plane
service-policy output <policy name>
exit
Rule
Description
Constraints
Name of desired output

policy
Desired output policy Name (Leave this blank if you Required: false
dont want to check any specific policy name)
4-140
OL-25941-01
Chapter 4

HTTP Server
Description
HTTP Server allows web based remote administration of the router.

Cisco IOS Devices

Cisco IOS Devices With HTTPS Capability
References
cardholder data.
4.2.1 Page 71, Section 4.2.2 Page 73,74 of Version 1.1c)
1.0)
SANS Router Security Policy(3.0(3f))

OL-25941-01
4-141
Chapter 4

Nov 2007)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.2.5, Page: 24 of Version 2.2, Nov
2007)
Rule 1
Rule
Check state of HTTP server [IOS]

Description
HTTP Server allows web based remote administration of the router. It is useful primarily when
intervening routers or firewalls prevent use of Telnet for that purpose. However, it is important to note
that both Telnet and web-based remote administration reveal critical passwords in clear text. Further,
web-based administration imposes the requirement that users log in at full (level 15) privilege.
Therefore, web-based remote administration should be avoided
Cisco IOS Devices

Impact
Can be exploited to access the router.

Suggested Fix
Configure HTTP server using the command

[no] ip http server
4-142
OL-25941-01
Chapter 4

Rule
Description
Constraints
Server Status
HTTP server status
Required: true
Default: false
Rule 2
Rule
Check HTTP server port value [IOS]

Description
TCP port number that the HTTP server listens on.

Cisco IOS Devices

Impact
HTTP Server may not be accessible if the port is not configured properly
Suggested Fix
Configure port for HTTP server using the command

ip http port <port number>
Rule
Description
Constraints
Port
Port for HTTP server
Required: true
Default: 80 Min
Value: 1025 Max
Value: 65535
Rule 3
Rule
Check state of HTTP Secure (HTTPS) server [PIX, ASA, IOS]

Description
Therefore, web-based remote administration should be avoided, , then it is preferable
Cisco PIX Devices Running >= 7.x and ASA devices Cisco IOS Devices With HTTPS Capability

OL-25941-01
4-143
Chapter 4
Impact
Can be exploited to access the router.

Suggested Fix
Configure HTTPS server using the command

[no] ip http secure-server (for IOS)
[no] http server enable (for PIX)
Rule
Description
Constraints
Secure Server Status
HTTP Secured server status
Required: true
Default: false
Rule 4
Rule
Check HTTP Secure (HTTPS) server port value [PIX, ASA, IOS]
Description
TCP port number that the HTTP Secure server listens on.

Cisco IOS Devices With HTTPS Capability
Impact
HTTPS Server may not be accessible if the port is not configured properly
Suggested Fix
Configure port for HTTPS server using the command

ip http secure-port <port number>(for IOS)
http server enable <port number>(for PIX)
Rule
Description
Secure Server Port (IOS) Port for HTTP Secured server
Constraints
Required: false
Default: 443 Min
Value: 1025 Max
Value: 65535
4-144
OL-25941-01
Chapter 4

Rule
Description
Secure Server Port (PIX) Port for HTTP Secured server
Constraints
Required: false
Default: 443 Min
Value: 1 Max
Value: 65535
Rule 5
Rule
ACL must be configured for restricting access to HTTP server [IOS]

Description
If web-based remote administration is required, HTTP server should be enabled and access must be
restricted to the trusted users.
Cisco IOS Devices

Impact
Unauthorized users may gain access if not restricted using an access-list.

Suggested Fix
Configure an access list to restrict the access to the HTTP server on the device using the command
ip http access-class <1-99
Rule
Description
Constraints
ACL
Access List for HTTP server
Required: true
Min Value: 1
Max Value: 99
Rule 6
Rule
Restrict access to HTTP server [IOS]

Description
If web-based remote administration is required, HTTP server should be enabled and access must be
restricted to the trusted users.
Cisco IOS Devices

Impact
Unauthorized users may gain access if not restricted using an access-list.

OL-25941-01
4-145
Chapter 4
Suggested Fix
Configure an access list to restrict the access to the HTTP server on the device, using the command
ip http access-class <1-99>
Rule
Description
Constraints
Allowed Subnets
Access List for HTTP server.
Required: true
Using Allowed Subnets Editor option, you can add,

remove or update Allowed Subnets details. You can
Rule 7
Rule
Check HTTP server authentication methods [IOS]

Description
Specify the desired type of authentication for HTTP connections.

Cisco IOS Devices

Impact
Unauthorized users can gain access if authentication is not used.

Suggested Fix
Set up usernames and passwords for all administrators. If possible, use AAA user access control which
will give more control and better audit. Configure required authentication using
ip http authentication
Rule
Description
Constraints
Auth Method
HTTP server authentication method. Violations

cannot be fixed if you specify multiple methods for
the input.
Required: true
Using Auth method Editor option, you can add,

remove or update Auth method details. You can also
change the order of the server details
Rule 8
Rule
Check management access via ASDM is restricted [PIX, ASA]
4-146
OL-25941-01
Chapter 4

Description
Adaptive Security Device Manager (ASDM) ip address should be defined.


Impact
Management access via the ASDM should be restricted to management workstations.

Suggested Fix
Define the Adaptive Security Device Manager (ASDM) ip address using the command
no http 0.0.0.0 0.0.0.0 <interface-name>
http <ip-address> <mask> <interface-name>
Description
Policies governing miscellaneous TCP(echo, discard, chargen, day time) and UDP(echo, discard,
chargen) services on the device.
Cisco IOS Devices

Cisco IOS Devices With BOOTP Capability
Cisco IOS Devices With SCP Capability
References
cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(1) Page 274,275, 8.1(7)
Page 276, Section 8.1(18) Page 278, Section 4.2.1 Page 70,71,72 of Version 1.1c)
SANS Router Security Policy(Sections 3.0(1), 3.0(2), 3.0(3))
1.0)

OL-25941-01
4-147
Chapter 4
This document is being distributed to provideDepartment of Homeland Security (DHS) Cisco Router
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.2.2-1.2.2.4,1.2.2.6, Page: 23 Section
1.2.2.9-1.2.2.11,page:26; section 1.3.1.2,Page:34; Section 2.3.3.3,Page:47 of Version 2.2, Nov 2007)
Rule 1
Rule
Disable TCP small servers [IOS]

Description
TCP small servers are servers (daemons, in Unix parlance) that run in the router which are useful for
diagnostics.
The TCP small servers are:
Echo: Echoes back whatever you type through the telnet x.x.x.x echo command.
Chargen: Generates a stream of ASCII data. Use the telnet x.x.x.x chargen command.
Discard: Throws away whatever you type. Use the telnet x.x.x.x discard command.
Daytime: Returns system date and time, if it is correct. It is correct if you run Network Time
Protocol (NTP), or have set the date and time manually from the exec level. Use the telnet x.x.x.x
daytime command.
Replace x.x.x.x with the IP address of your router. Most routers inside Cisco run the small servers.
The TCP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are
disabled by default on Cisco IOS Software Versions 11.3 and later.
Cisco IOS Devices
4-148
OL-25941-01
Chapter 4

Impact
It is recommended that you do not enable these services unless it is absolutely necessary. These services
could be exploited indirectly or directly to gain information about the target system.
Suggested Fix
Disable TCP small servers using the command

no service tcp-small-servers
Rule 2
Rule
Disable UDP small servers [IOS]

Description
UDP small servers are servers (daemons, in Unix parlance) that run in the router which are useful for
diagnostics.
The UDP small servers are:
Echo: Echoes the payload of the datagram you send.
Discard: Silently pitches the datagram you send.
Chargen: Pitches the datagram you send, and responds with a 72-character string of ASCII
characters terminated with a CR+LF.
The UDP small servers are enabled by default on Cisco IOS Software Version 11.2 and earlier. They are
disabled by default on Cisco IOS Software Versions 11.3 and later.
Cisco IOS Devices

Impact
It is recommended that you do not enable these services unless it is absolutely necessary. These services
could be exploited indirectly or directly to gain information about the target system.
Suggested Fix
Disable UDP small servers using the command

no service udp-small-servers
Rule 3
Rule
Disable Finger server [IOS]

OL-25941-01
4-149
Chapter 4
Description
Finger is a utility that displays information about system users(login name, home directory, name, how
long they've been logged in,etc.).
Cisco IOS Devices

Impact
The information obtained from the finger server can be used in gaining unauthorized access to the
device.
Suggested Fix
Disable finger server on the device using the command

no service finger
Rule 4
Rule
Disable BOOTP server [IOS]

Description
BOOTP (BOOTstrap Protocol) was originally created for loading diskless computers. It was later used
to allow a host to obtain all the required TCP/IP information to use the Internet. BOOTP allows a host
to broadcast a request onto the network, and obtains information required from a BOOTP server. The
BOOTP server is a computer that listens for incoming BOOTP requests and generates responses from a
configuration database for the BOOTP clients on that network. BOOTP differs from DHCP in that it has
no concept of lease or lease expiration. All IP addresses allocated by a BOOTP server are permanent.
Cisco IOS Devices With BOOTP Capability

Impact
This is rarely needed and may open a security hole.

Suggested Fix
Disable BOOTP server using the command

no ip bootp server
Rule 5
Rule
Disable configuration auto-laoding from TFTP server [IOS]
4-150
OL-25941-01
Chapter 4

Description
Configuration autoloading enables autoloading of configuration files from a network server.

Cisco IOS Devices

Impact
Can be exploited to load wrong configuration files.

Suggested Fix
Disable configuration autoloading using the command

no service config
Rule 6
Rule
Disable IP Source Routing [IOS]

Description
Source Routing is a technique whereby the sender of a packet can specify the route that a packet should
take through the network. Source routing is useful when the default route that a connection will take fails
or is suboptimal for some reason, or for network diagnostic purposes.
Cisco IOS Devices

Impact
When used in conjunction with traceroute, an attacker can find all the routes between points on the
network.
Also, sometimes machines will be on the Internet, but will not be reachable. (It may be using a private
address like 10.0.0.1). However, there may be some other machine that is reachable to both sides that
forwards packets. Someone can then reach that private machine from the Internet by source routing
through that intermediate machine.
Suggested Fix
Disable IP Source Routing using the command

no ip source-route
Rule 7
Rule
Disable X.25 PAD service [IOS]

OL-25941-01
4-151
Chapter 4
Description
Packet assembler/disassembler(PAD) is configured to enable X.25 connections between network

devices. A PAD is a device that receives a character stream from one or more terminals, assembles the
character stream into packets, and sends the data packets out to a host. A PAD can also do the reverse.
It can take data packets from a network host and translate them into a character stream that can be
understood by the terminals. A PAD is defined by Recommendations X.3, X.28, and X.29 of the
International Telecommunication Union Telecommunication Standardization Sector (ITU-T).
PADs can also be configured to work with a protocol translation application.
Cisco IOS Devices

Impact
No known impact
Suggested Fix
Disable PAD service using the command

no service pad
Rule 8
Rule
Disable Gratuitous ARPs [IOS]

Description
A gratuitous ARP is an ARP broadcast in which the source and destination MAC addresses are the same.
It is used primarily by a host to inform the network about its IP address.
Cisco IOS Devices

Impact
A spoofed gratuitous ARP message can cause network mapping information to be stored incorrectly,
causing network malfunction.
Suggested Fix
IP gratuitous Address Resolution Protocol (ARP) requests should be disabled whenever possible using
the command no ip gratuitous-arps
Rule 9
Rule
Disable Identification service [IOS]

Description
The identification protocol provides a means to determine the identity of a user of a particular TCP
connection.
4-152
OL-25941-01
Chapter 4

Cisco IOS Devices

Impact
The information revealed about users, entities, objects, or processes might normally be considered
private and can be exploited to attack the device.
Suggested Fix
Disable Identification service using the command no ip identd
Rule 10
Rule
Disable MOP (Maintenance Operation Protocol) [IOS]

Description
System utility services on DECnet networks uses MOP protocol. It is enabled by default on Ethernet
interfaces.
Cisco IOS Devices

Impact
Unless you are using DECnet, you should disable MOP. MOP enabled when you do not need it only
provides another facility that can be attacked.
Suggested Fix
Disable MOP service on the device using the command interface <interface name> no mop enabled
Rule 11
Rule
Disable TFTP server [IOS]

Description
Disable TFTP Server on the device.

Cisco IOS Devices

Impact
The Trivial File Transfer Protocol (TFTP) provides an easy way to transfer files between network
devices. However, TFTP is not a secure service and normally should not be running on any device in a
secure network.

OL-25941-01
4-153
Chapter 4
Suggested Fix
Disable TFTP service on the device using

no tftp-server
Rule 12
Rule
Tunnel interfaces should not be configured [IOS]

Description
Check that no tunnel interfaces are defined on the device.

Cisco IOS Devices

Impact
Tunnel interfaces are virtual interfaces on the router. These interfaces can be used by an attacker. Unless
absolutely necessary, do not create any tunnel interfaces.
Suggested Fix
Delete a tunnel interface using

no interface Tunnel
Rule 13
Rule
Disable DHCP service[IOS]

Description
Check that DHCP service is disabled on the device.

Cisco IOS Devices

Impact
No known impact
Suggested Fix
Disable DHCP service using the command

no service dhcp
4-154
OL-25941-01
Chapter 4

Rule 14
Rule
Disable Booting from Network Configuration File [IOS]

Description
Check that booting from network configuration file is disabled.

Cisco IOS Devices

Impact
No known impact
Suggested Fix
Disable booting from network configuration file using the command

no boot network
Rule 15
Rule
IP Classless Fowarding must be [IOS]

Description
Check that IP Classless forwarding is configured as required.

Cisco IOS Devices

Impact
No known impact
Suggested Fix
Enable or disable IP classless forwarding using the command

[no] ip classless
Rule
Description
Constraints
Ip Classeless State
Whether IP classless forwarding should be enabled or Required: true

disable
Default: true

OL-25941-01
4-155
Chapter 4
Rule 16
Rule
Enable SCP server [IOS]

Description
This rule checks that SCP Server is enabled on the device.

Cisco IOS Devices With SCP Capability

Impact
The router administrators can not use the SCP protocol to transfer configuration or image files to and
from the router.
Suggested Fix
Enable SCP service on the device using he commands

ip scp server enable
Rule 17
Rule
Disable FTP server [IOS]

Description
Disable FTP Server on the device.

Cisco IOS Devices

Impact
The File Transfer Protocol (FTP) provides an easy way to transfer files between network devices.
However, FTP is not a secure service and normally should not be running on any device in a secure
network.
Suggested Fix
Disable FTP service on the device using

no ftp-server

Description
Policies governing Routing and Forwarding related services on the device.
4-156
OL-25941-01
Chapter 4

Cisco IOS Devices

Cisco IOS Devices With SPD Capability
References

National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.6, Page 95, Section
1.0)
2007)
Rule 1
Rule
Description
Check that Selective Packet Discard (SPD) is configured to be desired state.


OL-25941-01
4-157
Chapter 4
Impact
Selective Packet Discard (SPD) is a mechanism that manages the process-level input queues on the route
processor. The goal of SPD is to provide priority to routing protocol packets and other important traffic
control Layer 2 keepalives during periods of process-level queue congestion. Disabling the feature might
create routing inconsistencies during periods of high volume traffic.
Suggested Fix
Configure Selective Packet Discard (SPD) using the command [no] spd enable
Rule
Description
Constraints
Desired SPD State
Desired state of SPD
Required: true
Default: false
Rule 2
Rule
Check Minimum SPD Headroom [IOS]

Description
Check that SPD headroom is configured to be at least given number of packets. Even with SPD, the
behavior of normal IP packets is not changed; however, routing protocol packets are given higher
priority because SPD recognizes routing protocol packets by the IP precedence field. Hence, if the IP
precedence is set to 6, then the packet is given priority. SPD prioritizes these packets by allowing the
software to enqueue them into the process level input queue above the normal input queue limit. The
number of packets allowed in excess of the normal limit is called the spd headroom, the default being
100, which means that a high precedence packet is not dropped if the size of the input hold queue is lower
than 175 (input queue default size + spd headroom size).

Impact
Suggested Fix
Configure SPD headroom to be the desired value using command

spd headroom
4-158
OL-25941-01
Chapter 4

Rule
Description
Constraints
Desired Minimum SPD

Headroom
Required: true
packets by allowing the software to enqueue them
into the process level input queue above the normal Min Value: 0
input queue limit. The number of packets allowed in Max Value: 65535
excess of the normal limit is called the spd headroom,
the default being 100, which means that a high
precedence packet is not dropped if the size of the
input hold queue is lower than 175 (input queue
default size + spd headroom size).
Rule 3
Rule
Check Minimum SPD Extended Headroom [IOS]

Description
Check that SPD extended headroom is configured to be at least given number of packets. Non-IP
packets, such as Connectionless Network Service Intermediate System-to-Intermediate System (CLNS
ISIS) packets, Point-to-Point Protocol (PPP) packets, and High-Level Data Link Control (HDLC)
keepalives were, until recently, treated as normal priority as a result of being Layer 2 instead of Layer
3. In addition, Interior Gateway Protocols (IGPs) operating at Layer 3 or higher were given priority over
normal IP packets, but given the same priority as BGP packets. So, during BGP convergence or during
times of very high BGP activity, IGP hellos and keepalives were often dropped, causing IGP adjacencies
to go down. Since IGP and link stability are more tenuous and more crucial than BGP stability, such
packets are now given the highest priority and are given extended SPD headroom with a default of 10
packets. This means that these packets are not dropped if the size of the input hold queue is lower than
185 (input queue default size + spd headroom size + spd extended headroom).

Impact
Suggested Fix
Configure SPD extended headroom to be the desired value using command
spd extended-headroom

OL-25941-01
4-159
Chapter 4
Rule
Description
Constraints
Check Minimum SPD

Extended Headroom
stability are more tenuous and more crucial than BGP Required: true
Min Value: 0
stability, such packets are now given the highest
priority and are given extended SPD headroom with Max Value: 65535
a default of 10 packets. This means that these packets
are not dropped if the size of the input hold queue is
lower than 185 (input queue default size + spd
headroom size + spd extended headroom).
Rule 4
Rule
Check that Cisco Express Fowarding (CEF) is enabled [IOS]

Description
Check that Cisco Express Forwarding (CEF) or Distributed CEF are enabled whenever they are
available.
Cisco IOS Devices

Impact
The CEF switching mode replaces the traditional Cisco routing cache with a data structure that mirrors
the entire system routing table. Because there is no need to build cache entries when traffic starts arriving
for new destinations, CEF behaves more predictably than other modes when presented with large
volumes of traffic addressed to many destinations.
Although most flooding denial of service attacks send all of their traffic to one or a few targets and
therefore do not tax the traditional cache maintenance algorithm, many popular SYN flooding attacks
use randomized source addresses. The host under attack replies to some fraction of the SYN flood
packets, creating traffic for a large number of destinations. Routers configured for CEF therefore
perform better under SYN floods (directed at hosts, not at the routers themselves) than do routers using
the traditional cache. CEF is recommended when available.
Suggested Fix
Enable CEF or Distributed CEF whenever they are available using the command
ip cef
Rule 5
Rule
Check that Unicast Reverse Path Fowarding (RPF) is enabled on interfaces [IOS]
4-160
OL-25941-01
Chapter 4

Description
Check that unicast reverse path forwarding (RPF) is enabled on interfaces.

In almost all Cisco IOS software versions that support Cisco Express Forwarding (CEF), you can have
the device check the source address of any packet against the interface through which the packet entered
the device. If the input interface is not a feasible path to the source address according to the routing table,
the packet is dropped. This look-back feature is called unicast reverse path forwarding (RPF).
You can use unicast RPF in any single-homed environment where there is essentially only one access
point out of the network, that is, one upstream connection. Networks having one access point offer the
best example of symmetric routing, which means that the interface where a packet enters the network is
also the best return path to the source of the IP packet. Unicast RPF is best used at the network perimeter
for Internet, intranet, or extranet environments, or in ISP environments for customer network
terminations
Cisco IOS Devices

Impact
Many network attacks rely on an attacker falsifying (spoofing) the source addresses of IP datagrams.
Some attacks depend on spoofing, while other attacks are much harder to trace if the attacker can use
somebody else's address. Therefore, you should prevent spoofing wherever feasible.
Suggested Fix
Configure RPF check on the interfaces using the command

ip verify unicast reverse-path
Rule 6
Rule
Check that Netflow switching for routing is enabled on all interfaces [IOS]
Description
Check that NetFlow switching for routing is enabled on all interfaces.

Cisco IOS Devices

Impact
NetFlow efficiently provides the metering base for a key set of applications, including accounting and
billing, network planning, network monitoring, and outbound marketing for both service provider and
enterprise users.
NetFlow has two key components: first, the NetFlow cache or data source that stores IP Flow
information and second, the NetFlow export or transport mechanism that sends NetFlow data to a
network management collector for data reporting.

OL-25941-01
4-161
Chapter 4
Suggested Fix
Enable NetFlow switching using the command on all the interfaces.

ip route-cache flow
Rule 7
Rule
Check that the Committed Access Rate (CAR) is configured on all interfaces [IOS]
Description
Check that the committed access rate is configured on all interfaces.

Cisco IOS Devices

Impact
You can use the rate-limit command to allocate different traffic rates to selected types of traffic. This can
help you reserve part of the interface bandwidth for critical traffic, preventing an attack from
overwhelming the interface. You can also use the command during an attack to throttle the attack.
Suggested Fix
Configure committed access rate (CAR) using the command interface

<interface name>
rate-limit
Rule
Description
Constraints
Check for traffic
Whether it should be checked for incoming traffic or Required: true

outgoing traffic or both
Default: 3
Rule 8
Rule
Check filtering of packets with IP options [IOS]

Description
The ip options command allows you to filter IP options packets, either to drop or to ignore packets with
IP options. Drop and ignore modes are mutually exclusive; that is, if the drop mode is configured and
then the ignore mode is configured, the ignore mode will override the drop mode.
Cisco IOS Devices

Impact
This can be used to mitigate the effects of IP options on the router, and on downstream routers and hosts.
4-162
OL-25941-01
Chapter 4

Suggested Fix
Configure filtering of IP options packet filtering using the command

[no] ip options
Rule
Description
Constraints
Action
Desired behaviour for packets with IP options
Required: true
Default: 1
Rule 9
Rule
Check that scheduler allocate or scheduler interval command is configured [IOS]

Description
When a Cisco router is fast-switching a large number of packets, it is possible for the router to spend so
much time responding to interrupts from the network interfaces that no other work gets done. You can
reduce this effect by using the scheduler interval or scheduler allocate commands to set aside time for
the device to handle process rather than respond to interrupts.
The scheduler allocate command is a newer command and is not supported on all Cisco routers. With
this command, you can specify a period for running with interrupts enabled, and another period for
running with interrupts masked, so that process tasks can be handled. For example, a typical
configuration might include the scheduler allocate 30000 2000 command
Cisco IOS Devices

Impact
This can be exploited to cause DoS attacks on the device.

Suggested Fix
Configure scheduler parameters using the command

scheduler interval
scheduler allocate
SNMP
Description
The Simple Network Management Protocol (SNMP) is the standard Internet protocol for automated
remote monitoring and administration. There are several different versions of SNMP, with different
security properties. If a network has a deployed SNMP infrastructure in place for administration, then
all routers on that network should be configured to securely participate in it. In the absence of a deployed
SNMP scheme, all SNMP facilities on all routers should be disabled. While SNMP is helpful because it
allows an administrator to remotely configure the router, it also offers a potentially dangerous conduit
into a network.

OL-25941-01
4-163
Chapter 4
Cisco IOS Devices

References
cardholder data.
4.2.1 Page 70, Section 4.5.3 Page 152 of Version 1.1c)
SANS Router Security Policy(Sections 3.0(4))
1.0)
SAFE: A Security Blueprint for Enterprise Networks BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section
10.6.2 of Second Edition, 2005-06-15)
4-164
OL-25941-01
Chapter 4

2007)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.1.5, Page:17 of Version 2.2, Nov
2007)
Rule 1
Rule
Check the state of SNMP server [IOS, PIX, ASA]

Description
Check the state of SNMP server on the device.

Cisco IOS Devices

Impact
into a network.
Suggested Fix
The safest way to ensure that SNMP is really unavailable to an attacker, and will remain so, is to list the
established SNMP community strings and explicitly unset all of them. It is also recommended to disable
[SNMP trap] and [system shutdown] features and finally disabling SNMP Server on the device using the
command
[no] snmp-server (for IOS)
[no] snmp-server enable (for PIX)

OL-25941-01
4-165
Chapter 4
Rule
Description
Constraints
SNMP Server Should be
Choose the desired SNMP state
Required: true
Default: false
Rule 2
Rule
Check that SNMP Reload is disabled [IOS]

Description
Using SNMP packets, a network management tool can send messages to users on virtual terminals and
the console. This facility operates in a similar fashion to the [EXEC send] command; however, the
SNMP request that causes the message to be issued to the users also specifies the action to be taken after
the message is delivered. One possible action is a shutdown request. After a system is shut down,
typically it is reloaded.
Cisco IOS Devices

Impact
This can be exploited by attackers to reload the system.

Suggested Fix
Disable SNMP Reload feature using the command

no snmp-server system-shutdown
Rule 3
Rule
Check that SNMP Traps are disabled [IOS, PIX, ASA]

Description
SNMP trap messages are generated by the device for configuration event notifications or security alerts.
Cisco IOS Devices

Impact
SNMP traps carry information in clear text. This information can be easily captured to retrieve sensitive
information.
Suggested Fix
Disable SNMP Traps using the command no snmp-server host
4-166
OL-25941-01
Chapter 4

Rule 4
Rule
Check that desired servers are configured for receiving SNMP Traps [IOS, PIX, ASA]
Description
SNMP trap messages are generated by the device for configuration event notifications or security alerts.
If you use SNMP and enable the network devices to send SNMP traps, you should ensure that the correct
trap servers are configured on the devices.
Logging SNMP traps can be useful because Cisco devices can record information about a variety of
events, many of which have security significance. Logs can be invaluable in characterizing and
responding to security incidents. Logging the messages from devices and analyzing them in real time or
offline provides an insight into the network to troubleshoot security issues. A syslog server is an
inexpensive and widely available application that stores log entries from network devices. This facility
allows you permanent storage for logging information, which is especially valuable when physical
access to the network device is impractical. A syslog server also affords greater detail within the logs
themselves (less reliance on the device's logging buffer). The level of detail of the syslog server-stored
logs is set using the logging trap command. There is minimal performance impact to the device,
regardless of the level of logging detail.
Cisco IOS Devices

Impact
SNMP traps will not be sent to required hosts.

Suggested Fix
Configure SNMP to send traps to required hosts using the command snmp-server host
Rule
Description
Constraints
Included Trap Servers
List of desired servers to receive SNMP Traps.
Required: true
Using Trap Server Editor option, you can add,

remove or update Trap Server details. You can also
Rule 5
Rule
SNMP should be configured with these community strings [IOS, PIX, ASA]
Description
Make sure SNMP is configured with the given community strings.

Cisco IOS Devices

OL-25941-01
4-167
Chapter 4
Impact
Use of the same community string ensures that security of the devices can be easily managed. Users
might use a different community string than the standard one for troubleshooting and then forget to turn
it off. An attacker gaining access to a device might change the community string and then access the
device later. In certain cases, turning off SNMP is not an option since there are applications that use
SNMP to manage the device. In order to manage the network using SNMP and yet not compromise on
security, it is essential that ACLs be enabled for device access. This will limit the SNMP access to the
authorized subnets or hosts.
Suggested Fix
Configure the given community strings using the command

snmp-server community
Rule
Description
Constraints
Included Community
Strings
Community string that must be included.
Required: true
Using Community String Editor option, you can add,

remove or update Community String details. You can
Rule 6
Rule
SNMP should be configured with the community string [PIX, ASA]

Description
Make sure SNMP is configured with the given community string.


Impact
Use of the same community string ensures that security of the devices can be easily managed. Users
might use a different community string than the standard one for troubleshooting and then forget to turn
it off. An attacker gaining access to a device might change the community string and then access the
device later. In certain cases, turning off SNMP is not an option since there are applications that use
SNMP to manage the device. In order to manage the network using SNMP and yet not compromise on
security, it is essential that ACLs be enabled for device access. This will limit the SNMP access to the
authorized subnets or hosts.
Suggested Fix
Configure the given community strings using the command

snmp-server community
4-168
OL-25941-01
Chapter 4

Rule
Description
Constraints
Community String
Community string that must be configured
Required: true
Using Community String Editor option, you can add,

remove or update Community String details. You can
also change the order of the server details
Rule 7
Rule
SNMP should not be configured with these well known community strings [IOS, PIX, ASA]
Description
Make sure SNMP is not configured with the well known community strings like public,private, etc.
Cisco IOS Devices

Impact
Use of well known community strings will make the network vulnerable since attackers can easily gain
access to the network information.
Suggested Fix
Do not use well known community strings with SNMP like 'public', 'private',etc. Remove the prohibited
community strings using the command no snmp-server community
Rule
Description
Constraints
Banned Community
Strings
Well known strings to check for.
Required: true
Using Banned Community Strings Editor option, you

can add, remove or update Banned Community
Strings details. You can also change the order of the
server details
Rule 8
Rule
Check that writeable community strings are not configured [IOS]

Description
Configuring SNMP community strings with write access allows users to change the system state. Care
should be taken while doing so.

OL-25941-01
4-169
Chapter 4
Cisco IOS Devices

Impact
While SNMP is helpful because it allows an administrator to remotely configure the router, it also offers
a potentially dangerous conduit into a network. Care should be taken while configuring SNMP
community strings with write access since an attacker can change the system state.
Suggested Fix
Do not configure write access for SNMP community strings, give 'Read-Only' access. Change them to
ReadOnly community strings using the command
snmp-server community <community string> ro
Rule 9
Rule
Check that SNMP access is restricted with ACLs [IOS]

Description
ACLs can be configured with SNMP community strings to restrict access to SNMP server.
Cisco IOS Devices

Impact
Configuring an SNMP community string with no ACL allows users from any host to access the SNMP
server if they know the community string. This can be exploited by an attacker who can change the
system state.
Suggested Fix
Configure ACLs for SNMP community strings to allow access from trusted networks/hosts using the
command
snmp-server community <community string> <ro|rw> <access-list name or number>
TCP Parameters
Description
Policies to enforce TCP related parameter values.

Cisco IOS Devices

Cisco IOS Devices With TCP_INTERCEPT Capability
4-170
OL-25941-01
Chapter 4

References
National Security Agency (NSA) Cisco Router Configuration Guide(1.1b)

4.1.6 Page 66, Section 4.2.1 Page 70, Section 4.3.3 Page 90 of Version 1.1c)
1.0)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.2.7-1.2.2.8, Page:25-26 of Version
2.2, Nov 2007)
Rule 1
Rule
TCP keep-alives on incoming network connections [IOS]

Description
Enable/disable generation of TCP keep-alive messages on idle incoming network connections (those
initiated by the remote host)

OL-25941-01
4-171
Chapter 4
Cisco IOS Devices Cisco IOS Devices With TCP_INTERCEPT Capability

Impact
The TCP keepalive service allows a router to detect when the host with which it is communicating
experiences a system failure, even if data stops being sent (in either direction). This capability is most
useful on incoming connections. For example, if a host failure occurs while the router is communicating
with a printer, the router might never notice because the printer does not generate any traffic in the
opposite direction. If keepalives are enabled, they are sent once every minute on otherwise idle
connections. If 5 minutes pass and no keepalives are detected, the connection is closed. The connection
is also closed if the host replies to a keepalive packet with a reset packet. This will happen if the host
crashes and comes back up again. An unclosed, stale connection might be used by an attacker to gain
unauthorized entry into the device.
Suggested Fix
Enable/Disable generation of TCP keep-alive messages on idle incoming network connections using the
command
[no] service tcp-keepalives-in
Rule
Description
Constraints
State
State of TCP keep alives on incoming network

connections.
Required: true
Default: true
Rule 2
Rule
TCP keep-alives on outgoing network connections [IOS]

Description
Enable/disable generation of TCP keep-alive messages on idle outgoing network connections (those
initiated by the user on the device).
Cisco IOS Devices Cisco IOS Devices With TCP_INTERCEPT Capability

Impact
The TCP keepalive service allows a router to detect when the host with which it is communicating
experiences a system failure, even if data stops being sent (in either direction).
Suggested Fix
Enable/Disable generation of TCP keep-alive messages on idle outgoing network connections using the
command [no] service tcp-keepalives-out.
4-172
OL-25941-01
Chapter 4

Rule
Description
Constraints
State
State of TCP keep alives on outgoing network

connections
Required: true
Default: true
Rule 3
Rule
Check maximum TCP SYN wait time [IOS]

Description
Establishing a successful TCP connection involves the originator sending a connection request, the
receiver sending an acknowledgement and then the originator sending an acceptance of that
acknowledgement. This is called a 3-way handshake. Once this three-phase handshake is complete, the
connection is complete and data transfer can begin. SYN wait time determines how long a device waits
before bringing down the incomplete connections.
Cisco IOS Devices

Impact
This can be exploited by a hacker to do a SYN flooding attack on the device. A SYN flooding attack
involves sending repeated connection requests to a device but never sending the acceptance of
acknowledgements to complete those connections. This creates increasingly more incomplete
connections at the device. Since the buffer for incomplete connections is usually smaller than the buffer
for completed connections, this can overwhelm and disable the host to receive further incoming
connections denying the service for legitimate users.
Suggested Fix
Configure syn wait time, so that the device shutdowns the incomplete connections, using the command
ip tcp synwait-time
Rule
Description
Constraints
SYN Wait Time in

Seconds
Time (in seconds) the software waits while

attempting to establish a TCP connection.
Required: true
Default: 10 Min
Value: 5 Max
Value: 300
Rule 4
Rule
Check state of TCP interception [IOS]

OL-25941-01
4-173
Chapter 4
Description
The TCP intercept feature implements software to protect TCP servers from TCP SYN-flooding attacks,
which are a type of denial-of-service attack.
A SYN-flooding attack occurs when a hacker floods a server with a barrage of requests for connection.
Because these messages have unreachable return addresses, the connections cannot be established. The
resulting volume of unresolved open connections eventually overwhelms the server and can cause it to
deny service to valid requests, thereby preventing legitimate users from connecting to a web site,
accessing e-mail, using FTP service, and so on.

Impact
Enabling TCP intercept feature helps in avoiding DoS attacks on TCP server services.
Suggested Fix
Enforce that TCP interception be enabled or disabled using the command [no] ip tcp intercept
Rule
Description
Constraints
State
State of TCP interception.
Required: true
Default: true
Rule 5
Rule
Check maximum TCP intercept watch-timeout[IOS]

Description
Cisco IOS Devices With TCP_INTERCEPT Capability.

Impact
Suggested Fix
Configure TCP intercept Watch Timeout using the command

ip tcp intercept watch-timeout
4-174
OL-25941-01
Chapter 4

Rule
Description
Constraints
TCP intercept
watch-timeout in
seconds.
Timeout (in seconds) seconds for a watched

connection to reach established state before sending
a Reset to the server.
Required: true
Default: 30 Min
Value: 1 Max
Value: 2147483
Rule 6
Rule
Check maximum TCP intercept connection-timeout[IOS]

Description

Impact
Suggested Fix
Configure TCP intercept Connection Timeout using the command

ip tcp intercept connection-timeout
Rule
Description
TCP intercept connection Time (in seconds) the device will manage a
timeout in seconds
connection after no activity.
Constraints
Required: true
Default: 86400
Min Value: 1
Max Value:
2147483
BGP
Description
BGP Related policies

Cisco IOS Devices With BGP Routing Capability

OL-25941-01
4-175
Chapter 4
References
1.1c)
BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 11.4.7 Page 69 of Second Edition, 2005-06-15)
Department of Homeland Security (DHS) Compliance(Section 4.1,4.2, Page 18,20 of Version 2.0)
2007)
Rule 1
Rule
Check MD5 Authentication [IOS]

Description
This rule checks to make sure that BGP autonomous systems use MD5 authentication. Router neighbor
authentication is a mechanism that, when applied correctly, can prevent many routing attacks. Each
router accomplishes authentication by the possession of an authentication key. That is, routers connected
to the same network segment all use a shared secret key. Each sending router then uses this key to 'sign'
each route table update message. The receiving router checks the shared secret to determine whether the
message should be accepted.

Impact
This router is vulnerable to various routing attacks by spoofing the route table update messages.
4-176
OL-25941-01
Chapter 4

Suggested Fix
Configure BGP MD5 Authentication using the command

router bgp <AS Number>
neighbor <Peer Group Name or Neighbor Address> password <Authentication Password>
Rule 2
Rule
Check that incoming BGP route filtering is configured [IOS]

Description
This rule checks that some kind of route filtering is configured for each BGP neighbor or globally for
all interfaces for accepting route updates. BGP Route Filtering can be configured either using access list
based filtering (using distribute-list) or using the prefix lists based filtering (prefix-list).
Communications between routers for routing table updates involve routing protocols. These updates
provide directions to a router on which way traffic should be routed. You can use access lists to restrict
what routes the router will accept (in) or advertise (out) via some routing protocols.

Impact
Router may accept route update messages from unintended entities.

Suggested Fix
Configure route filtering for all BGP neighbors using the commands
router bgp <autonomous system number>
distribute-list <acl number> in
neighbor <neighbor address or peer group> distribute-list <acl number> in
distribute-list prefix <prefix-list name> in
neighbor <neighbor address or peer group> prefix-list <prefix-list name> in !
Rule
Description
Constraints
Route Filter Type
Desired route filter type to be enforce
Required: true
Default: dontcare
Rule
Description
Constraints
ACL to be enforced
Desired ACL to be enforced. Leave blank to enforce Required: false

no particular ACL ID.

OL-25941-01
4-177
Chapter 4
Rule
Description
Prefix List to be enforced Desired prefix-list to be enforced. Leave blank to

enforce no particular prefix-list.
Constraints
Required: true
Default: dontcare
Rule 3
Rule
Check that outgoing BGP route filtering is configured [IOS]

Description
This rule checks that some kind of route filtering is configured for each BGP neighbor or globally for
all interfaces for advertising route updates. BGP Route Filtering can be configured either using access
list based filtering (using distribute-list) or using the prefix lists based filtering (prefix-list).
what routes the router will accept (in) or advertise (out) via some routing protocols.

Impact
Router may advertise route update messages to unintended entities.

Suggested Fix
Configure route filtering for all BGP neighbors using the commands router bgp <autonomous system
number> distribute-list <acl number> out neighbor <neighbor address or peer group> distribute-list
<acl number> out distribute-list prefix <prefix-list name> out neighbor <neighbor address or peer
group> prefix-list <prefix-list name> out !
Rule
Description
Constraints
Route Filter Type
Desired route filter type to be enforced
Required: true
Default: dontcare
4-178
OL-25941-01
Chapter 4

Rule
Description
ACL to be enforced

Rule
Description
Prefix List to be enforced Desired prefix-list to be enforced. Leave blank to

enforce no particular prefix-list
Constraints
Constraints
Required: false
Rule 4
Rule
Check TTL security [IOS]

Description
This rule checks to make sure that BGP autonomous systems use either TTL Security mechansim using
ttl-security feature or ebgp-multihop feature. The Generalized TTL Security Mechanism (GTSM),
documented in RFC 3682 [32] and introduced in Cisco IOS 12.0(27)S and 12.3(7)T, utilizes the
Time-to-Live (TTL) field of the IP header to protect exterior BGP (eBGP) peering sessions from remote
attacks. This mechanism uses the TTL value in a received packet and compares it to an administrator
defined hop count. If the received IP packet contains a TTL value greater than or equal to the expected
TTL value (i.e. 255 minus an administrator defined hop count), then the packet is processed. Otherwise,
the packet is silently discarded. Since remote attacks originate multiple router hops away from an
intended target, limiting the hop count to the actual number of hops between eBGP peers will help
prevent attacks initiated on any network that does not lie between the peers.
This feature protects the eBGP peering session by comparing the value in the TTL field of received IP
packets against a hop count that is configured locally for each eBGP peering session. If the value in the
TTL field of the incoming IP packet is greater than or equal to the locally configured value, the IP packet
is accepted and processed normally. If the TTL value in the IP packet is less than the locally configured
value, the packet is silently discarded and no ICMP message is generated. This is designed behavior; a
response to a forged packet is unnecessary.

Impact
Router may be vulnerable to CPU utilization-based attacks. These types of attacks are typically brute
force Denial of Service (DoS) attacks that attempt to disable the network by flooding the network with
IP packets that contain forged source and destination IP addresses.

OL-25941-01
4-179
Chapter 4
Suggested Fix
Configure BGP TTL Security mechanism or use ebgp-multihop feature using the command
neighbor <Peer Group Name or Neighbor Address> ttl-security hops <hop-count>
neighbor <Peer Group Name or Neighbor Address> ebgp-multihop <hop-count> !
Rule 5
Rule
Check BGP Dampening is configured [IOS]

Description
This rule checks to make sure BGP dampening is configured. Route flap dampening is a method that
may be used to provide router CPU and network stability while BGP routes are converging. Damping
controls the effect of route flapping which occurs when a route constantly transitions from an
up-to-down or down-to-up state. These transitions cause excessive BGP route update messages (i.e.
add/withdraw routes) to propagate through the network. ISPs and other backbone providers may
configure BGP dampening to mitigate route flapping.

Impact
Too many BGP route flaps may effect CPU and network stability.
Suggested Fix
Configure BGP dampening using the command

bgp dampening !
EIGRP
Description
EIGRP Related policies

Cisco IOS Devices With EIGRP Routing Capability

References
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.3.2 Page 88, Section
4-180
OL-25941-01
Chapter 4

2007)
Rule 1
Rule
Check all participating interfaces use MD5 authentication [IOS]

Description
This rule checks to make sure that all the interfaces in all the EIGRP autonomous systems use MD5
authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent
many routing attacks. Each router accomplishes authentication by the possession of an authentication
key. That is, routers connected to the same network segment all use a shared secret key. Each sending
router then uses this key to 'sign' each route table update message. The receiving router checks the shared
secret to determine whether the message should be accepted.

Impact
Suggested Fix
Configure EIGRP MD5 Authentication using the command

ip authentication mode eigrp <autonomous system number> md5 !

OL-25941-01
4-181
Chapter 4
Rule 2
Rule
Check interface state of EIGRP routing updates [IOS]

Description
This rule checks that all the given interfaces are blocked/allowed from participating in EIGRP routing
updates. It goes through for every network in every EIGRP autonomous system, and then gets a list of
interfaces that belong to that network. It checks to see that if the given interfaces belong to the list above.
If so, The interface is checked to see if it is passive or active interface and compared against the given
policy. The passive-interface command is used to prevent other routers on the network from learning
about routes dynamically. It can also be used to keep any unnecessary parties from learning about the
existence of certain routes or routing protocols used. It is typically used when the wildcard specification
on the network router configuration command configures more interfaces than desirable.

Impact
This interface may receive and transmit in EIGRP routing updates, which means, unnecessary parties
may learn about the existence of certain routes or routing protocols used. This also leads to higher chance
of spoofed routing update attacks.
Suggested Fix
Configure the interface as a passive/active interface using the commands

router eigrp <autonomous system number>
[no] passive-interface <interface name> !
Rule
Description
Constraints
Interface Group
List of interface groups to apply this policy.
Required: true
Using Interface Group Editor option, you can add,

remove or update Interface Group details. You can
EIGRP State
Desired EIGRP State of this interface

Using EIGRP State Editor option, you can add,
remove or update EIGRP State details. You can also
Required: true
Default: dontcare
Rule 3
Rule
Check that EIGRP incoming distribute-list is configured [IOS}
4-182
OL-25941-01
Chapter 4

Description
This rule checks that ip distribute-list is configured for each EIGRP autonomous system for accepting
route updates. Communications between routers for routing table updates involve routing protocols.
These updates provide directions to a router on which way traffic should be routed. You can use access
lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The
distribute-list acl-num out command is used to restrict routes that get distributed in routing updates,
while the distribute-list acl-num in command may be used to filter routes that will be accepted from
incoming routing updates.

Impact

Suggested Fix
Configure distribute-list for all EIGRP autonomous systems using the commands
distribute-list <acl number> in !
Rule
Description
Constraints
ACL to be enforced

no particular ACL ID
Rule 4
Rule
Check that EIGRP outgoing distribute-list is configured [IOS]

Description
This rule checks that ip distribute-list is configured for each EIGRP autonomous system for advertising
route updates. Communications between routers for routing table updates involve routing protocols.
These updates provide directions to a router on which way traffic should be routed. You can use access
lists to restrict what routes the router will accept (in) or advertise (out) via some routing protocols. The
distribute-list acl-num out command is used to restrict routes that get distributed in routing updates,
while the distribute-list acl-num in command may be used to filter routes that will be accepted from
incoming routing updates.

Impact

Suggested Fix
Configure distribute-list for all EIGRP autonomous systems using the commands

OL-25941-01
4-183
Chapter 4

distribute-list <acl number> out !
Note
Rule
Description
Constraints
ACL to be enforced

OSPF
Description
OSPF Related policies

Cisco IOS Devices With OSPF Capability

References
1.1c)
Cisco SAFE Compliance(Appendix A, Page 39 of A Security Blueprint for Enterprise Networks)
2007)
4-184
OL-25941-01
Chapter 4

Rule 1
Rule
Check MD5 Authentication [IOS]

Description
This rule checks to make sure that all the areas defined in all the OSPF processes use MD5
authentication. Router neighbor authentication is a mechanism that, when applied correctly, can prevent
many routing attacks. Each router accomplishes authentication by the possession of an authentication
key. That is, routers connected to the same network segment all use a shared secret key. Each sending
router then uses this key to 'sign' each route table update message. The receiving router checks the shared
secret to determine whether the message should be accepted.

Impact
Suggested Fix
Configure OSPF MD5 Authentication using the command

router ospf <process ID>
area <Area ID> authentication message-digest !
Rule 2
Rule
Check interface state of OSPF routing updates [IOS]

Description
This rule checks that all the given interfaces are blocked/allowed from participating in OSPF routing
updates. It goes through for every network in every OSPF process, and then gets a list of interfaces that
belong to that network. It checks to see that if the given interfaces belong to the list above. If so, The
interface is checked to see if it is passive or active interface and compared against the given policy. The
passive-interface command is used to prevent other routers on the network from learning about routes
dynamically. It can also be used to keep any unnecessary parties from learning about the existence of
certain routes or routing protocols used. It is typically used when the wildcard specification on the
network router configuration command configures more interfaces than desirable.

OL-25941-01
4-185
Chapter 4
Impact
This interface may receive and transmit in OSPF routing updates, which means, unnecessary parties may
learn about the existence of certain routes or routing protocols used. This also leads to higher chance of
spoofed routing update attacks.
Suggested Fix

[no] passive-interface <interface name> !
Rule
Description
Constraints
Interface Group
List of interface groups to apply this policy
Required: true

Rule
Description
Constraints
OSPF State
Desired OSPF State of this interface
Required: true
Default: do not care
Using OSPF State Editor option, you can add,

remove or update OSPF State details. You can also
Rule 3
Rule
Check that OSPF incoming distribute-list is configured [IOS]

Description
This rule checks that ip distribute-list is configured for each OSPF process for accepting route updates.
what routes the router will accept (in) or advertise (out) via some routing protocols. The distribute-list
acl-num out command is used to restrict routes that get distributed in routing updates, while the
distribute-list acl-num in command may be used to filter routes that will be accepted from incoming
routing updates.

Impact
4-186
OL-25941-01
Chapter 4

Suggested Fix
Configure distribute-list for all OSPF processes using the commands

distribute-list <acl number> in
!
Rule
Description
Constraints
ACL to be enforced

Rule 4
Rule
Check that OSPF outgoing distribute-list is configured [IOS]

Description
This rule checks that ip distribute-list is configured for each OSPF process for advertising route updates.
routing updates.

Impact

Suggested Fix
Configure distribute-list for all OSPF processes using the commands

distribute-list <acl number> out
Note
Rule
Description
Constraints
ACL to be enforced


OL-25941-01
4-187
Chapter 4
RIP
Description
Routing Information Protocol (RIP) Related policies

Cisco IOS Devices With RIP Routing Capability

References
2007)
Rule 1
Rule
Check State of RIP [IOS]

Description
This rule checks if RIP is enabled/disabled on the router based on the given policy.

Impact
None
4-188
OL-25941-01
Chapter 4

Suggested Fix
Enable/Disable RIP using the commands

router rip
network <ip address>
Rule
Description
Constraints
RIP State
Desired state of RIP.
Required: true
Default: true
Rule 2
Rule
Check global version of RIP [IOS]

Description
This Rule checks that the RIP is enabled with correct version. Note that this rule does not check the per
interface override of the RIP version. By default, the software receives RIP Version 1 and Version 2
packets, but sends only Version 1 packets. You can configure the software to receive and send only
Version 1 packets. Alternatively, you can configure the software to receive and send only Version 2
packets.

Impact
None
Suggested Fix
Configure required version of RIP using the commands

router rip
version <RIP version>
Rule
Description
Constraints
RIP State
Desired version of RIP.
Required: true
Default: 2
Rule 3
Rule
Check all participating interfaces use MD5 Authentication [IOS]

OL-25941-01
4-189
Chapter 4
Description
This Rule checks all interfaces that receive/transmit RIP information are configured with version 2 AND
are configured with MD5 authentication. Router neighbor authentication is a mechanism that, when
applied correctly, can prevent many routing attacks. Each router accomplishes authentication by the
possession of an authentication key. That is, routers connected to the same network segment all use a
shared secret key. Each sending router then uses this key to 'sign' each route table update message. The
receiving router checks the shared secret to determine whether the message should be accepted.

Impact
Suggested Fix
Configure interface to use MD5 authentication for RIP communications the commands
router rip
version 2
interface <interface name >
ip rip receive version 2
ip rip send version 2
ip rip authentication mode md5
Rule 4
Rule
Check that RIP incoming distribute-list is configured

Description
This rule checks that ip distribute-list is configured in RIP for accepting route updates. Communications
between routers for routing table updates involve routing protocols. These updates provide directions to
a router on which way traffic should be routed. You can use access lists to restrict what routes the router
will accept (in) or advertise (out) via some routing protocols. The distribute-list acl-num out command
is used to restrict routes that get distributed in routing updates, while the distribute-list acl-num in
command may be used to filter routes that will be accepted from incoming routing updates.

Impact

Suggested Fix
Configure distribute-list for RIP using the commands

router rip distribute-list <acl number> in
4-190
OL-25941-01
Chapter 4

Rule
Description
Constraints
ACL to be enforced

Rule 5
Rule
Check that RIP outgoing distribute-list is configured

Description
This rule checks that ip distribute-list is configured in RIP for advertising route updates.
routing updates.

Impact

Suggested Fix
Configure distribute-list for RIP using the commands

router rip
distribute-list <acl number> out
Rule
Description
Constraints
ACL to be enforced
Desired ACL to be enforced. Leave blank to enforce

Required: false
Rule 6
Rule
Check interface state of RIP routing updates [IOS]

Description
This rule checks that all the given interfaces are blocked/allowed from participating in RIP routing
updates. It goes through for every network in RIP process, and then gets a list of interfaces that belong
to that network. It checks to see that if the given interfaces belong to the list above. If so, The interface
is checked to see if it is passive or active interface and compared against the given policy. The
passive-interface command is used to prevent other routers on the network from learning about routes

OL-25941-01
4-191
Chapter 4
dynamically. It can also be used to keep any unnecessary parties from learning about the existence of
certain routes or routing protocols used. It is typically used when the wildcard specification on the
network router configuration command configures more interfaces than desirable.

Impact
This interface may receive and transmit in RIP routing updates, which means, unnecessary parties may
learn about the existence of certain routes or routing protocols used. This also leads to higher chance of
spoofed routing update attacks.
Suggested Fix

router RIP
[no] passive-interface <interface name>
Rule
Description
Constraints
Interface Group
Required: true

Rule
Description
Constraints
RIP State
Required: true
Using RIP State Editor option, you can add, remove

or update RIP State details. You can also change the
order of the server details
Note
ACLs
Description
Policies related to Access Control List Configurations.

Cisco IOS Devices

Cisco IOS Devices With RECEIVE_ACL Capability
Cisco IOS Devices With TURBO_ACL Capability
4-192
OL-25941-01
Chapter 4

References
4.3.5, Page 95 of Version 1.1c)
Rule 1
Rule
Check if all ACLs have established keywords [IOS]

Description
This rule will check to make sure that all extended ACLs, that are used on any interface, has atleast one
Access Entry that permits traffic with TCP 'established' (ack or rst) flag. This will help in blocking
packets from an external network that have only the SYN flag set. Thus, it allows traffic from TCP
connections that were established from the internal network, and it denies anyone coming from any
external network from starting any TCP connection. This is one of the ways to prevent TCP SYN attack,
which involves transmitting a volume of connections that cannot be completed at the destination. This
attack causes the connection queues to fill up, thereby denying service to legitimate TCP users.
Cisco IOS Devices

Impact
This device may be vulnerable to TCP SYN attack originated from external network devices.
Suggested Fix
Modify the ACL by adding 'established' TCP flag for the permitted traffic in the access-list commands
access-list <number/name> <deny/permit> tcp <source> <destination> established
Rule 2
Rule
Check if Turbo ACLs are used [IOS]

Description
This rule checks if Turbo ACL feature is enabled on the device. The Turbo ACL feature compiles the
ACLs into a set of lookup tables, while maintaining the first match requirements. Packet headers are
used to access these tables in a small, fixed number of lookups, independently of the existing number of
ACL entries.
Cisco IOS Devices With TURBO_ACL Capability

OL-25941-01
4-193
Chapter 4
Impact
Device performance can be improved by making use of this Turbo ACL feature
Suggested Fix
Enable Turbo ACL feature by using the command access-list compiled
Rule 3
Rule
ACL logging should not be turned on [IOS]

Description
ACL logging should not be turned on.

Cisco IOS Devices

Impact
Turning on ACL logging can severely impact the system performance.

Suggested Fix
Do not turn on ACL logging in the access-list commands

ip access-list ... [log
Rule 4
Rule
Check for Recieve ACL [IOS]

Description
IP Receive ACL can be used to restrict traffic that is destined to the router

Impact
No known impact.
Suggested Fix
Configure a receive ACL using the command:

ip receive access-list
4-194
OL-25941-01
Chapter 4

Rule
Description
Constraints
Recieve ACL ID
Receive ACL ID . Valid values are 1-199 [IP access

list (standard or extended)] or 1300-2699 [IP
expanded access list (standard or extended)].
Required: true
Min Value:
-2147483648
Max Value:
2147483647
Rule 5
Rule
Recieve ACL should not have entries with any source address [IOS]
Description
IP Receive ACL can be used to restrict traffic that is destined to the router.

Impact
If any of the ACL entry has source address as any, the device accepts traffic from all the sources
defeating the purpose of having Receive ACL.
Suggested Fix
Configure a receive ACL using ip receive access-list and make sure that none of the ACL entries has any
as the source address.
ip receive access-list <ACL>
CDP
Description
Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices
and discover the platform of those devices. CDP can also be used to show information about the
interfaces your router uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured
equipment including routers, bridges, access servers, and switches.
Cisco IOS Devices

References
National Security Agency (NSA) Cisco Router Configuration Guide(Section 8.1(1) Page 274, 4.2.1 Page
70,72 of Version 1.1c)

OL-25941-01
4-195
Chapter 4

1.0)
Department of Homeland Security (DHS) Compliance(section 4.2, Page 22 of Version 2.0)
2007)
Rule 1
Rule
Check for CDP protocol state [IOS]

Description
The Cisco Discovery Protocol is a proprietary protocol that Cisco devices use to identify each other on
a LAN segment. It is primarily used to obtain protocol addresses of neighboring devices and discover
the platform of those devices. CDP can also be used to show information about the interfaces your router
uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured equipment including
routers, bridges, access servers, and switches.
Cisco IOS Devices

Impact
CDP is useful only in specialized situations, and is considered deleterious to security.

Suggested Fix
To turn off CDP entirely, use the global configuration command no cdp run. In the unlikely event that
CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP
use the cdp run command in global configuration mode, and then disable it on each interface where it is
not needed using the no cdp enable command in interface configuration mode. To enable/disable CDP
globally, use the command: [no] cdp run
4-196
OL-25941-01
Chapter 4

Rule
Description
Constraints
State
CDP protocol state on the device
Required: true
Default: false
Rule 2
Rule
le
Check for CDP protocol state on the interface [IOS]

Description
routers, bridges, access servers, and switches.
Cisco IOS Devices

Impact

Suggested Fix
To turn off CDP entirely, use the global configuration command no cdp run. In the unlikely event that
CDP is needed for part of a network, it can be enabled and disabled for each interface. To enable CDP
use the cdp run command in global configuration mode, and then disable it on each interface where it is
not needed using the command:
[no] cdp enable
Rule
Description
Constraints
Interface State
CDP protocol state on the selected interfaces
Required: true
Default: false
Rule
Description
Constraints
Interfaces
List of interfaces or interface groups that should

carry management traffic. Example valid Values:
'Any', 'AnyEthernet', 'FastEthernet',
Required: true
Default: [Any]

OL-25941-01
4-197
Chapter 4
Note
Clock
Description
Clock and time zone related policies.

Cisco IOS Devices

References
Cisco SAFE Compliance(Clock of none)

1.0)
Rule 1
Rule
Summer time should not be configured [IOS,PIX, ASA]

Description
Check that summer time clock is not configured

Cisco IOS Devices Cisco PIX Devices Running >= 7.x and ASA devices
Impact
Log files time-stamped with different time zones are difficult to correlate. This difficulty increases if the
time stamps of individual logs need to be adjusted for summer time clock settings. These time-stamp
adjustments can lead to errors when you correlate logs for several devices during root cause analysis in
case of an attack on the network. If you are not using the local time zone on a device (that is, you are
using UTC time zone across your network), do not use the summer time clock.
4-198
OL-25941-01
Chapter 4

Suggested Fix
Disable summer time using the command

no clock summer-time
Rule 2
Rule
Check the configured Summer time [IOS,PIX, ASA]

Description
Check that the user defined summer time clock is configured.

Cisco IOS Devices

Impact
If you use local time zones, you should also configure the clock for summer time settings so that you
can more easily compare log file entries with your current time.
Suggested Fix
Configure time zone and summer time mode setting using the command clock summer-time
Rule
Description
Constraints
Time Zone Name
Required: false
The name of the time zone (for example, PDT for
Pacific Daylight Time) to be displayed when summer
time is in effect.
Rule
Description
Constraints
Mode
Whether the change to summer time is defined by a

recurring rule that applies each year (Recurring), or
by specific dates just for a single year (By Date).
Required: false
Rule 3
Rule
Check the configured time zone [IOS,PIX, ASA]

Description
Check that the device is configured to use the required time zone for the clock.

OL-25941-01
4-199
Chapter 4
Cisco IOS Devices

Impact
Log files time-stamped with different time zones are difficult to correlate. This difficulty increases if the
time stamps of individual logs need to be adjusted for different time zone settings. These time-stamp
adjustments can lead to errors when you correlate logs for several devices during root cause analysis in
case of an attack on the network. If you manage devices in more than one time zone, consider using a
single time zone for the clock.
Suggested Fix
Configure timezone using the command

clock timezone
Rule
Description
Constraints
Time Zone Name
The name of the time zone. The default is UTC
Required: false
Rule
Description
Constraints
Offset, in hours, from

UTC
The offset, in hours, from UTC. The default is 0
Required: false
Min Value: -23
Max Value: 23
Rule
Description
Constraints
Offset, in minutes
Offset, in minutes. The default is 0.
Required: false
Min Value: 0
Max Value: 59

Description
Miscellaneous policies specific to Firewall devices.

Cisco PIX Devices Running >= 7.x and ASA device

References

Center for Internet Security, Benchmark for Cisco PIX/ASA.(Section 1.2.2.1, Page: 19; Section 1.3.1.3,
Section 1.3.1.4, Page: 27 ; Section 1.3.1.7, Page: 29; Section 1.3.3.1, Page: 33 of Version 2.0, Nov 2007)
4-200
OL-25941-01
Chapter 4

Rule 1
Rule
Check that DHCP server is not configured [PIX. ASA]

Description
The Dynamic Host Configuration Protocol (DHCP) server supplies automatic configuration parameters
to Internet hosts.

Impact
DHCP provides a service that can be used for denial-of-service (DoS) attacks.
Suggested Fix
Use a dedicated server to provide DHCP services instead of the firewall. Disable dhcp server using the
command: no dhcpd enable <interface>
Rule 2
Rule
Check maximum NAT translation timeout [PIX. ASA]

Description
Check that the specified address translation slot timeout value is configured on the device.

Impact

Suggested Fix
Configure the NAT Translation Slot Timeout with the desired value using the command:
timeout xlate

OL-25941-01
4-201
Chapter 4
Rule
Description
Constraints
Translation Slot Timeout The length of time used to identify the translation slot Required: true
(minutes)
as idle.
Default: 180 Min
Value: 1 Max
Value: 71580
Rule 3
Rule
Check maximum allowed packet fragements [PIX. ASA]

Description
By default, the PIX Firewall accepts up to 24 fragments to reconstruct a full IP packet. Based on your
network security policy, consider configuring the PIX Firewall to prevent fragmented packets from
traversing the firewall
Impact
Fragmented packets are often used as Denial-of-Service attacks
Suggested Fix
Configure fragment chain command on each interface to allow desired number of packet fragments.
Select a value of 1 to prevent receiving packet fragments.
fragment chain 1 <interface name>
Rule
Description
Constraints
Max Packet Fragements

Allowed
Required: true
Maximum number of packets fragments allowed on
an interface. A value of 1 indicates that fragments are Default: 1 Min
Value: 1 Max
not allowed.
Value: 2147483647
Rule 4
Rule
Check that Unicast Reverse Path Forwarding (RPF) is enabled on interfaces [PIX, ASA]
Description
Check that unicast reverse path forwarding (RPF) is enabled on interfaces.

4-202
OL-25941-01
Chapter 4

Impact
Many network attacks rely on an attacker falsifying (spoofing) the source addresses of IP datagrams.
Some attacks depend on spoofing, while other attacks are much harder to trace if the attacker can use
somebody else's address. Therefore, you should prevent spoofing wherever feasible.
Suggested Fix
Configure RPF check on the interfaces using command:

ip verify reverse-path interface <interface name >
Rule 5
Rule
Check maximum timeout for idle session [PIX, ASA]

Description
Check that the specified timeout for idle sessions is configured on the device.

Impact
This timeout command sets the idle time for connection slots. If the slot has not been used for the idle
time specified, the resource is returned to the free pool. This reduces the risk of someone from accessing
an already established but idle connection.
Suggested Fix
Configure the Idle Session Timeout with the desired value using the command:
timeout conn
Rule
Description
Constraints
Idle Session
Timeout(Minutes)
The length of time used to identify the session as idle. Required: true
Default: 60 Min
Value: 1 Max
Value: 71580
NTP Configuration
Description
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines.
NTP is designed to make time synchronization automatic and efficient across all devices in the network.
Having accurate time is important for security, especially for intrusion and forensic analysis.

OL-25941-01
4-203
Chapter 4
Cisco IOS Devices With SNTP Capability

Cisco IOS Devices With NTP_CLIENT Capability
Cisco IOS Devices With NTP_SERVER Capability
Cisco IOS Devices
References
cardholder data.
BS 7799, ISO/IEC 17799, ISO/IEC 27001(Section 10.6, 11 of Second Edition, 2005-06-15)
1.0)
Center for Internet Security, Benchmark for Cisco IOS.(Section 1.2.4, Page: 31 of Version 2.2, Nov
2007)
4-204
OL-25941-01
Chapter 4

Rule 1
Rule
Check device state as NTP server [IOS]

Description
All devices in the network should be configured to synchronize their times with an authoritative NTP
Server. It is recommended that the border router be configured to synchronize time from at least two
reliable NTP servers and all the devices in the protected network can be configured as clients to this
border router.

Impact
Unless all the devices are properly configured to synchronize the time, the event logs coming from
different devices would have different time stamps. This makes it very hard to analyze the logs in terms
of intrusion detection and forensics.
Suggested Fix
Configure ntp server using the command

[no] ntp master
Rule
Description
Constraints
NTP server
Desired state of the NTP server configuration
Required: true
Default: false
Rule 2
Rule
Check device state as NTP/SNTP Client [IOS]

Description
border router.

OL-25941-01
4-205
Chapter 4

Impact
of intrusion detection and forensics.
Suggested Fix
Configure ntp client using the commands

[no] ntp server
Rule
Description
Constraints
NTP Client
Desired state of the NTP client configuration
Required: true
Default: true
Rule 3
Rule
Check to allow NTP only from these interfaces [IOS]

Description
This rule checks whether all the interfaces that should not participate in NTP communications, are
blocked from receiving any NTP packets. Please note that it does not check whether given interfaces are
enabled/disabled to receive NTP packets, but checks to make sure all other interfaces are blocked.

Impact
Non-necessary interfaces will be participating in NTP communications and will act as NTP servers.
Suggested Fix
Disable NTP on the interface using the commands interface

<interface name> ntp disable
4-206
OL-25941-01
Chapter 4

Rule
Description
Constraints
Interface Groups
Desired list of interfaces to make sure all other

interfaces are blocked from using NTP. (Empty list
means all interfaces should be blocked from using
NTP).
Required: false
Using Interface Groups Editor option, you can add,

or remove Interface Groups details. You can also
Rule 4
Rule
Checkif NTP servers are configured [IOS, PIX, ASA]

Description
border router.

Impact
Unless all the devices are properly configured to synchronize the time, event logs coming from different
devices would have different time stamps. This makes it very hard to analyze the logs in terms of
intrusion detection and forensics.
Suggested Fix
Configure the device to synchronize clock from the desired NTP servers using the command
Rule
Description
Constraints
Servers
IP Address(es) of desired NTP Server(s).
Required: true
Using Servers Editor option, you can add, remove or

update Servers details. You can also change the order
of the server details
Rule 5
Rule
Checkif configured number of NTP servers is at least[IOS, PIX, ASA]

OL-25941-01
4-207
Chapter 4
Description
border router.

Impact
Unless all the devices are properly configured to synchronize the time, event logs coming from different
devices would have different time stamps. This makes it very hard to analyze the logs in terms of
intrusion detection and forensics.
Suggested Fix
Configure the device to synchronize clock from the desired NTP servers using the command
ntp server
Rule
Description
Constraints
Minimum number of
NTP servers
Minumim number of NTP servers
Required: true
Min Value: 1
Max Value:
2147483647
Rule 6
Rule
Make sure NTP packets are authenticated[IOS, PIX, ASA]

Description
Whenever possible, all the packets should be configured to be authenticated.

Cisco IOS Devices With NTP_CLIENT Capability Cisco PIX Devices Running >= 7.x and ASA devices
Impact
NTP packets are not authenticated

Suggested Fix
Configure the device to use authentication of NTP packets using the command ntp authenticate
4-208
OL-25941-01
Chapter 4

Rule 7
Rule
Check NTP Server Access is restricted [IOS, PIX, ASA]

Description
Make sure that NTP server access is controlled.


Impact
NTP packets are not controlled.

Suggested Fix
Configure the device to control the NTP packets using the command
ntp access-group (peer | serve | server-only | query-only) <acl-number>
Note

Description
This policy verifies the operating system versions on the devices and make sure they are as per the
defined requirements.
NA
References
National Security Agency (NSA) Cisco Router Configuration Guide(Section 4.1.2, Page 57 of Version
1.1c)
Nov 2007)

OL-25941-01
4-209
Chapter 4
Rule 1
Rule
Check for Required OS Versions

Description
This rule checks that all selected devices are running accepted OS versions
Impact
No known impact.
Suggested Fix
Change the OS version of the device by loading one of the accepted versions.
Rule
Description
Constraints
Operating System Type
Type of Operating System.
Required: true
Using Operating System Type Editor option, you can

add, remove or update Operating System Type
details. You can also change the order of the server
details
Rule
Description
Constraints
Match Condition Type
Required: true
Select whether all the version expressions should
match or at least one of the version expression should Default: false
match in order for the validation to be successful.
Using Match Condition Type Editor option, you can
add, remove or update Match Condition Type details.
You can also change the order of the server details
Rule
Description
Constraints
Accepted Version
Expressions
List of OS Version Expressions that are acceptable. A Required: true

"Version Expression" is an operator followed by
version string. Valid operators are "=" (equals), "!="
(Not Equals), ">" (Greater Than), ">=" (Greater
Than Or Equals), "<" (Less Than), "<=" (Less Than
Or Equals), "~" (Matches a regular expression), "!~"
(Does not match a regular expression).
Using Accepted Version Expressions Editor option,
you can add, remove or update Accepted Version
Expressions details. You can also change the order of
the server details
4-210
OL-25941-01
Chapter 4

Devices Running outdated OS Versions

Description
This policy verifies if any of the devices selected are running outdated operating systems as per the End
Of Life/End Of Sales Announcements by vendors.
Cisco IOS Devices Cisco PIX and ASA Firewalls Cisco CATOS Devices
References
Cisco End Of Life/End Of Sales Announcements

Products reach the end of their Product Life Cycle for a number of reasons. These reasons may be due
to market demands, technology innovation and development driving changes in the product, or the
products simply mature over time and are replaced by functionally richer technology.
Rule 1
Rule
Verify that software is not announced to be End Of Life [IOS, PIX, ASA, CatOS]
Description
products simply mature over time and are replaced by functionally richer technology. It is important to
make sure all the devices are still supported by the vendor to make sure they be serviced and upgraded
whenever needed. Refer to Cisco End-Of-Life Policy for more details.
Cisco IOS Devices

Cisco PIX and ASA Firewalls
Cisco CATOS Devices
Impact
If the device is not upgraded to the next version of operating system, the support of this device may end
soon.
Suggested Fix
Upgrade to next available version of software as soon as possible
Rule 2
Rule
Verify that software has not reached End Of Sale [IOS, PIX, ASA, CatOS]

OL-25941-01
4-211
Chapter 4
Description
Software running on this device has reached End of Sale milestone. The software release may no longer
be ordered. Releases which reach this milestone are still available for customers under maintenance
contract or for Customer Service Engineering (CSE) support until they reach the "End-of-Life"
milestone. Products reach the end of their Product Life Cycle for a number of reasons. These reasons
may be due to market demands, technology innovation and development driving changes in the product,
or the products simply mature over time and are replaced by functionally richer technology. It is
important to make sure all the devices are still supported by the vendor to make sure they be serviced
and upgraded whenever needed. Refer to Cisco End-Of-Life Policy for more details.
Cisco IOS Devices

Cisco CATOS Devices
Impact
soon.
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 3
Rule
Verify that software has not reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]
Description
Software running on this device has reached End of Engineering milestone. After this milestone, no
scheduled maintenance releases will be produced for the major release. Releases which reach this
milestone are still available for customers under maintenance contract or for CSE support until they
reach the "End-of-Life" milestone. Products reach the end of their Product Life Cycle for a number of
reasons. These reasons may be due to market demands, technology innovation and development driving
changes in the product, or the products simply mature over time and are replaced by functionally richer
technology. It is important to make sure all the devices are still supported by the vendor to make sure
they be serviced and upgraded whenever needed. Refer to Cisco End-Of-Life Policy for more details.
4-212
OL-25941-01
Chapter 4

Impact
soon.
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 4
Rule
Verify that software has not reached End Of Contract Renewal Maintenance [IOS, PIX, ASA, CatOS]
Description
This software has reached End of Contract Renewal milestone. After this milestone, service contracts
are no longer renewed
Cisco IOS Devices

Cisco CATOS Devices
Impact
If the device is not upgraded to the next family of devices, the support of this device may end soon.
Suggested Fix
Upgrade to next available family of devices as soon as possible

Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 5
Rule
Verify that software has not reached End Of Life (Support) [IOS, PIX, ASA, CatOS]
Description
Software running on this device has reached End of Life milestone. After this milestone date, the
software release is no longer officially supported by the vendor. Products reach the end of their Product
Life Cycle for a number of reasons. These reasons may be due to market demands, technology
innovation and development driving changes in the product, or the products simply mature over time and

OL-25941-01
4-213
Chapter 4
are replaced by functionally richer technology. It is important to make sure all the devices are still
supported by the vendor to make sure they be serviced and upgraded whenever needed. Refer to Cisco
End-Of-Life Policy for more details.
Cisco IOS Devices

Cisco CATOS Devices
Impact
soon.
Suggested Fix
Rule
Description
Constraints
Tim e
Time in years.
Required: true
Default: Right Now

Description
This policy verifies if any of the devices selected are installed with outdated modules as per the End Of
Life/End Of Sales Announcements by vendors.
References

Rule 1
Rule
Verify that none of the modules are announced to be End Of Life [IOS, PIX, ASA, CatOS]
Description
4-214
OL-25941-01
Chapter 4

Cisco IOS Devices

Cisco CATOS Devices
Impact
If the device is not migrated to the prescribed modules, the support of these modules may end soon.
Suggested Fix
Migrate to the prescribed modules.
Rule 2
Rule
Verify that none of the modules have reached End Of Sale [IOS, PIX, ASA, CatOS]
Description
This device has modules that reached End of Sale milestone. The hardware may no longer be ordered.
Modules which reach this milestone are still available for customers under maintenance contract or for
Customer Service Engineering (CSE) support until they reach the "End-of-Life" milestone. Products
reach the end of their Product Life Cycle for a number of reasons. These reasons may be due to market
demands, technology innovation and development driving changes in the product, or the products simply
mature over time and are replaced by functionally richer technology. It is important to make sure all the
devices are still supported by the vendor to make sure they be serviced and upgraded whenever needed.
Refer to Cisco End-Of-Life Policy for more details.
Cisco IOS Devices

Cisco CATOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now

OL-25941-01
4-215
Chapter 4
Rule 3
Rule
Verify that none of the modules have reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]
Description
This device has modules that reached End of Engineering milestone. The hardware may no longer be
ordered. After this milestone, no scheduled maintenance releases will be produced for the major release.
Modules which reach this milestone are still available for customers under maintenance contract or for
CSE support until they reach the "End-of-Life" milestone. Products reach the end of their Product Life
Cycle for a number of reasons. These reasons may be due to market demands, technology innovation and
development driving changes in the product, or the products simply mature over time and are replaced
by functionally richer technology. It is important to make sure all the devices are still supported by the
vendor to make sure they be serviced and upgraded whenever needed. Refer to Cisco End-Of-Life Policy
for more details.
Cisco IOS Devices

Cisco CATOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 4
Rule
Verify that none of the modules have reached End Of Contract Renewal Maintenance [IOS, PIX, ASA,
CatOS]
Description
This device has modules that have reached End of Contract Renewal milestone. After this milestone,
service contracts are no longer renewed
Cisco IOS Devices

Cisco CATOS Devices
4-216
OL-25941-01
Chapter 4

Impact
If the device is not upgraded to the prescribed modules, the support of these modules may end soon.
Suggested Fix
Upgrade to prescribed modules as soon as possible
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 5
Rule
Verify that none of the modules reached End Of Life (Support) [IOS, PIX, ASA, CatO]
Description
This device has modules that reached End of Life milestone. After this milestone date, the modules are
no longer officially supported by the vendor. Products reach the end of their Product Life Cycle for a
number of reasons. These reasons may be due to market demands, technology innovation and
development driving changes in the product, or the products simply mature over time and are replaced
by functionally richer technology. It is important to make sure all the devices are still supported by the
vendor to make sure they be serviced and upgraded whenever needed. Refer to Cisco End-Of-Life Policy
for more details.
Cisco IOS Devices

Cisco CATOS Devices
Impact
If the device is not upgraded to the prescribed modules, the support of these modules may end soon.
Suggested Fix
Upgrade to prescribed modules as soon as possible
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now

OL-25941-01
4-217
Chapter 4
Outdated Devices As Per Vendor Specific EOL/EOS Announcement

Description
This policy verifies if any of the devices selected are outdated as per the Cisco Hardware End Of
Life/End Of Sales Announcements.
Cisco IOS Devices

Cisco CatOS Devices
References

Rule 1
Rule
Verify that device is announced to be End Of Life [IOS, PIX, ASA, CatOS]
Description
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix
Rule 2
Rule
Verify that device has not reached to be End Of Sale [IOS, PIX, ASA, CatOS]
4-218
OL-25941-01
Chapter 4

Description
This device has reached End of Sale milestone. The hardware may no longer be ordered. Devices which
reach this milestone are still available for customers under maintenance contract or for Customer Service
Engineering (CSE) support until they reach the "End-of-Life" milestone. Products reach the end of their
Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 3
Rule
Verify that device has not reached End Of Engineering Maintenance [IOS, PIX, ASA, CatOS]
Description
This device has reached End of Engineering milestone. After this milestone, no scheduled maintenance
releases will be produced for the major release. Upgrades and releases for devices which reach this
Cisco IOS Devices

Cisco CatOS Devices

OL-25941-01
4-219
Chapter 4
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 4
Rule
Verify that device has not reached End Of Contract Renewal Maintenance [IOS, PIX, ASA, CatOS]
Description
This device has reached End of Contract Renewal milestone. After this milestone, service contracts are
no longer renewed
Cisco IOS Devices Cisco PIX and ASA Firewalls Cisco CatOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 5
Rule
Verify that device has not reached End Of Life (Support)[IOS, PIX, ASA, CatOS]
Description
This device has reached End of Life milestone. After this milestone date, the device is no longer
officially supported by the vendor. Products reach the end of their Product Life Cycle for a number of
4-220
OL-25941-01
Chapter 4

Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
IEEE 802.1X Port-Based Authentication

Description
The IEEE 802.1X standard defines a client-server-based access control and authentication protocol that
restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The
authentication server authenticates each client connected to a switch port and assigns the port to a VLAN
before making available any services offered by the switch or the LAN. Until the client is authenticated,
802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic
through the port to which the client is connected. After authentication is successful, normal traffic can
pass through the port.
Cisco IOS Switches With DOT1X Capability

References
National Security Agency (NSA) Cisco Switch Configuration Guide (Section 13.2 Page 52 of Version
1.0)
The Cisco IOS Switch Security Configuration Guide from National Security Agency (NSA) provides
the security issues related to critical systems (for example, switches) which are part of their computer
networks.
Rule 1
Rule
Check global state of IEEE 802.1X Port-Based Authentication state [IOS]

OL-25941-01
4-221
Chapter 4
Description
This check will make sure IEEE 802.1X Port-Based Authentication state on the device to required state
as per the policy.

Impact
Any device connected to an unused port on the switch can start receiving/transmitting packets from/to
the switch.
Suggested Fix
Configure dot1x authentication on the device globally using the command:

[no] dot1x system-auth-control
Rule
Description
Constraints
Desired state of 802.1X

Authentication
Desired state of 802.1X Authentication
Required: true
Default: false
Rule 2
Rule
Check state of IEEE 802.1X Port-Based Authentication state on given interfaces [IOS].
Description
This check will make sure IEEE 802.1X Port-Based Authentication state on the given interfaces to
required state as per the policy.

Impact
Any device connected to an unused port on the switch can start receiving/transmitting packets from/to
the switch.
Suggested Fix
Configure dot1x authentication on the device globally and/or on specific interfaces using the commands:
[no] dot1x system-auth-control
dot1x port-control
Note
You can add or remove the interface group and authentication state. You can also change the order of the
details.
4-222
OL-25941-01
Chapter 4

Note
Rule
Description
Interface Group
Shows the interface group.
802.1X Authentication
State
Shows the 802.1X authentication state.
IOS Software SIP DoS Vulnerability - 112248

Description
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS
Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to cause a
reload of an affected device or trigger memory leaks that may result in system instabilities. Affected
devices would need to be configured to process SIP messages for these vulnerabilities to be exploitable.
Cisco IOS Devices

References
CISCO PSIRT Advisories and Notices (112248 of 1.1)

Security Advisories for security issues that directly impact Cisco products and action is necessary to
repair the Cisco product. Security Notices for issues that require a response to information posted to a
public forum, or recommendations to mitigate general problems affecting network stability.
Rule 1
Rule
PSIRT - 112248: Verify IOS Software SIP DoS Vulnerability [IOS].

Description
Cisco devices are affected when they are running affected Cisco IOS Software and Cisco IOS XE
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by default. Creating a dial peer by
issuing the dial-peer voice configuration command will start the SIP processes, causing the Cisco IOS
device to process SIP messages. In addition, several features within Cisco Unified Communications
Manager Express, such as ePhones, will also automatically start the SIP process when they are
configured, causing the device to start processing SIP messages.

OL-25941-01
4-223
Chapter 4
An example of an affected configuration follows:

dial-peer voice <Voice dial-peer tag> voip
...
!
In addition to inspecting the Cisco IOS device configuration for a dial-peer command that causes the
device to process SIP messages, administrators can also use the show processes | include SIP command
to determine whether Cisco IOS Software is running the processes that handle SIP messages. In the
following example, the presence of the processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET
indicates that the Cisco IOS device will process SIP messages:
Router# show processes | include SIP
149 Mwe 40F48254
4
150 Mwe 40F48034
4
Note
1
1
400023108/24000
400023388/24000
0 CCSIP_UDP_SOCKET
0 CCSIP_TCP_SOCKET
Because there are several ways a device running Cisco IOS Software can start processing SIP messages,
it is recommended that the show processes | include SIP command be used to determine whether the
device is processing SIP messages instead of relying on the presence of specific configuration
commands.
Cisco Unified Border Element images are also affected by two of these vulnerabilities.
Note
The Cisco Unified Border Element feature (CUBE previously known as the Cisco Multiservice
IP-to-IP Gateway) is a special Cisco IOS Software image that runs on Cisco multiservice gateway
platforms. It provides a network-to-network interface point for billing, security, call admission control,
quality of service, and signaling interworking.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log
in to the device and issue the show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying text similar to Cisco Internetwork
Operating System Software or Cisco IOS Software. The image name displays in parentheses, followed
by Version and the Cisco IOS Software release name. Other Cisco devices do not have the show version
command or may provide different output.
The following example identifies a Cisco product that is running Cisco IOS Software Release 15.0(1)M1
with an installed image name of C3900-UNIVERSALK9-M:
Router> show version
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1,
RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Wed 02-Dec-09 17:17 by prod_rel_team
!--- output truncated
Additional information about Cisco IOS Software release naming conventions is available in the white
paper Cisco IOS and NX-OS Software Reference Guide available at:
http://www.cisco.com/web/about/security/intelligence/ios-ref.html.
Cisco IOS XE Software is affected by these vulnerabilities.
Note
Cisco Unified Communications Manager is affected by one of the vulnerabilities described in this
advisor. A separate Cisco Security Advisory has been published to disclose the vulnerability that affects
the Cisco Unified Communications Manager at the following location:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20110928-cucm
4-224
OL-25941-01
Chapter 4

Cisco IOS Devices

Impact
Successful exploitation of the vulnerabilities in this advisory may result in system instabilities or a
reload of an affected device. Repeated exploitation could result in a sustained denial of service
condition.
Suggested Fix
If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and no
workarounds are available. Users are advised to apply mitigation techniques to help limit exposure to
the vulnerabilities. Mitigation consists of allowing only legitimate devices to connect to affected
devices. To increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the
network edge. This action is required because SIP can use UDP as the transport protocol.
Additional mitigations that can be deployed on Cisco devices within the network are available in the
companion document Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Voice Products.
Disabling SIP Listening Ports
For devices that do not require SIP to be enabled, the simplest and most effective workaround is to
disable SIP processing on the device. Some versions of Cisco IOS Software allow administrators to
disable SIP with the following commands:
sip-ua
no transport udp
no transport tcp
no transport tcp tls
Warning
When applying this workaround to devices that are processing Media Gateway Control Protocol
(MGCP) or H.323 calls, the device will not stop SIP processing while active calls are being processed.
Under these circumstances, this workaround should be implemented during a maintenance window when
active calls can be briefly stopped.
The show udp connections, show tcp brief all, and show processes | include SIP commands can be
used to confirm that the SIP UDP and TCP ports are closed after applying this workaround.
Depending on the Cisco IOS Software version in use, when SIP is disabled the output from the show ip
sockets command may still show the SIP ports open, but sending traffic to them will cause the SIP
process to emit the following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED

For devices that need to offer SIP services, it is possible to use Control Plane Policing (CoPP) to block
SIP traffic to the device from untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4,
and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the management
and control planes to minimize the risk and effectiveness of direct infrastructure attacks by explicitly
permitting only authorized traffic sent to infrastructure devices in accordance with existing security
policies and configurations.

OL-25941-01
4-225
Chapter 4
The following example can be adapted to specific network configurations:

!-- The 192.168.1.0/24 network and the 172.16.1.1 host are trusted.
!-- Everything else is not trusted. The following access list is used
!-- to determine what traffic needs to be dropped by a control plane
!-- policy (the CoPP feature): if the access list matches (permit)
!-- then traffic will be dropped and if the access list does not
!-- match (deny) then traffic will be processed by the router.
access-list 100 deny udp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny tcp 192.168.1.0 0.0.0.255 any eq 5060
access-list 100 deny udp host 172.16.1.1 any eq 5060
access-list 100 deny tcp host 172.16.1.1 any eq 5060
access-list 100 permit udp any any eq 5060
access-list 100 permit tcp any any eq 5060
!-- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!-- traffic in accordance with existing security policies and
!-- configurations for traffic that is authorized to be sent
!-- to infrastructure devices.
!-- Create a Class-Map for traffic to be policed by
!-- the CoPP feature.
class-map match-all drop-sip-class
match access-group 100
!-- Create a Policy-Map that will be applied to the
!-- Control-Plane of the device.
policy-map control-plane-policy
class drop-sip-class
drop
!-- Apply the Policy-Map to the Control-Plane of the
!-- device.
control-plane
service-policy input control-plane-policy
Note
Because SIP can use UDP as a transport protocol, it is possible to spoof the source address of an IP
packet, which may bypass access control lists that permit communication to these ports from trusted IP
addresses.
In the above CoPP example, the access control entries (ACEs) that match the potential exploit packets
with the permit action result in these packets being discarded by the policy-map drop function, while
packets that match the deny action (not shown) are not affected by the policy-map drop function.
Additional information on the configuration and use of the CoPP feature can be found at
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html.
Management VLAN
Description
Management VLAN allows out-of band management of network devices separating management traffic
from user traffic.
Cisco IOS Switches
4-226
OL-25941-01
Chapter 4

References
National Security Agency (NSA) Cisco Switch Configuration Guide (Section 9.2 Page 32 of Version 1.0)
networks.
Rule 1
Rule
Check management VLAN is configured [IOS].

Description
This check will make sure there is a designated VLAN is configured for management and that the policy
requirements given in other rules in the policy are satisfied for this management VLAN. It is a good
practice to separate the management VLAN from the user or server VLAN. With this separation, any
broadcast/packet storm that occurs in the user or server VLAN does not affect the management of
switches. Do not use VLAN 1 for management. All ports in Cisco switches default to VLAN 1, and any
devices that connect to nonconfigured ports are in VLAN 1. The use of VLAN 1 for management can
cause potential issues for the management of switches, as the first tip explains.
Cisco IOS Switches

Impact
None
Suggested Fix
Separate the management VLAN from the user or server VLAN. With this separation, any
broadcast/packet storm that occurs in the user or server VLAN does not affect the management of
switches. Do not use VLAN 1 for management. To provide network-based, out-of-band management,
dedicate a physical switch port and VLAN on each switch for management use. Create a Switch Virtual
Interface (SVI) Layer Three interface for that VLAN, and connect the VLAN to a dedicated switch and
communications path back to the management hosts. Do not allow the operational VLANs access to the
management VLAN. Also, do not trunk the management VLAN off the switch. To configure a
management VLAN interface on the switch, use the command:
interface vlan<management vlan ID>
Rule
Description
Constraints
Designated Management
VLAN
VLAN number designated as a management VLAN
Required: true
Min Value: 1
Max Value: 4094

OL-25941-01
4-227
Chapter 4
Rule 2
Rule
Check management traffic allowed only on these interfaces/interface groups [IOS].

Description
This check will make sure that only designated management interfaces allow the management traffic.
Cisco IOS Switches

Impact
Management traffic will be allowed by interfaces that are not designated to receive it.
Suggested Fix
Remove management VLAN from non-management interfaces using the command:

switchport access vlan
or
switchport trunk allowed vlan remove <management vlan ID>
Rule
Description
Constraints
Management interfaces
List of interfaces or interface groups that should Required: true

carry management traffic.
Valid ValuesAny, AnyEthernet, FastEthernet,
GigabitEthernet, FastEthernet0/1,
FastEthernet0/.*, and so on.
Rule 3
Rule
Check management VLAN access is restricted using an Access Control List [IOS].
Description
This check will make sure that management VLAN access is restricted with a given access control.
Cisco IOS Switches

Impact
Management VLAN access is not restricted and could be exploited.
4-228
OL-25941-01
Chapter 4

Suggested Fix
Restrict management VLAN with an access control list using the command:
interface vlan<management vlan ID>
ip access-group <access list number or name> in
Note
Rule
Description
Constraints
Access Control List
Access Control List to restrict the management

traffic.
Required: true
IOS Software IPv6 DoS Vulnerability - 112252

Description
Cisco IOS Software contains a vulnerability in the IP version 6 (IPv6) protocol stack implementation
that could allow an unauthenticated, remote attacker to cause a reload of an affected device that has IPv6
operation enabled. The vulnerability is triggered when an affected device processes a malformed IPv6
packet.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112252: Verify IOS Software IPv6 DoS Vulnerability [IOS]

Description
Cisco devices that are running an affected version of Cisco IOS Software and configured for IPv6
operation are affected. A device that is running Cisco IOS Software and that has IPv6 enabled will show
some interfaces with assigned IPv6 addresses when the show ipv6 interface brief command is executed.
The show ipv6 interface brief command will produce an error message if the running version of Cisco
IOS Software does not support IPv6, or will not show any interfaces with IPv6 address if IPv6 is
disabled. The system is not vulnerable in either of these scenarios.
Sample output of the show ipv6 interface brief command on a system that is configured for IPv6
operation follows:
router>show ipv6 interface brief
FastEthernet0/0
[up/up]

OL-25941-01
4-229
Chapter 4
FE80::222:90FF:FEB0:1098
2001:DB8:2:93::3
200A:1::1
FastEthernet0/1
[up/up]
FE80::222:90FF:FEB0:1099
2001:DB8:2:94::1
Serial0/0/0
[down/down]
unassigned
Serial0/0/0.4
[down/down]
unassigned
Serial0/0/0.5
[down/down]
unassigned
Serial0/0/0.6
[down/down]
unassigned
Alternatively, the IPv6 protocol is enabled if the interface configuration command ipv6 address <IPv6
address> or ipv6 enable is present in the configuration. Both may be present, which the vulnerable
configuration in the following example shows:
interface FastEthernet0/1
ipv6 address 2001:0DB8:C18:1::/64 eui-64
!
ipv6 enable
A device that is running Cisco IOS Software and has IPv6 enabled on a physical or logical interface is
vulnerable even if ipv6 unicast-routing is globally disabled (that is, the device is not routing IPv6
packets). FIXMERemove this since it is at the top. Administrators can use the show ipv6 interface
brief command to determine whether IPv6 is enabled on any interface.
Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M1, RELEASE
SOFTWARE (fc1)
paper Cisco IOS and NX-OS Software Reference Guide.
Cisco IOS Devices

Impact
Successful exploitation of the vulnerability that is described in this advisory may cause a reload of an
affected device. Repeated exploitation could result in a sustained denial of service condition.
Suggested Fix
There are no workarounds for this vulnerability if IPv6 configuration is required.
4-230
OL-25941-01
Chapter 4

IOS Software Data Link Switching Vulnerability - 112254

Description
Cisco IOS Software contains a memory leak vulnerability in the Data-Link Switching (DLSw) feature
that could result in a device reload when processing crafted IP Protocol 91 packets.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112254: Verify IOS Software Data Link Switching Vulnerability [IOS].
Description
Cisco IOS devices with the DLSw promiscuous feature enabled are affected by the vulnerability
described in this advisory. Devices with the DLSw promiscuous feature enabled contain a line in the
configuration defining a local DLSw peer with the promiscuous keyword. This configuration can be
observed by issuing the command show running-config. Systems configured with the DLSw
promiscuous feature enabled contain a line similar to one of the following:
dlsw local-peer promiscuous
or
dlsw local-peer peer-id <IP address> promiscuous
To determine the software that runs on a Cisco IOS device, log in to the device and issue the show
version command to display the system banner. Cisco IOS Software identifies itself as Cisco
Internetwork Operating System Software or Cisco IOS Software. Other Cisco devices do not have the
show version command or give different output.
The following example shows output from a device running IOS version 15.0(1)M1:
SOFTWARE (fc1)
paper Cisco IOS and NX-OS Software Reference Guide at:
Cisco IOS Devices

OL-25941-01
4-231
Chapter 4
Impact
Successful exploitation of the vulnerability may result in a memory leak that can lead to a denial of
service condition. Memory exhaustion can cause an affected Cisco IOS device to reload or become
unresponsive; a power cycle might be required to recover from the condition.
To identify the memory leak caused by this vulnerability, issue the show dlsw peers | include
FST.*DISCONN command; a monotonically increasing list of FST peers that remain in the DISCONN
state indicates that memory is being held, as shown in the following example:
Router> show dlsw peers | include FST.*DISCONN
FST 176.74.146.194 DISCONN
1
0
FST 9.180.128.186
DISCONN
1
0
FST 139.71.105.39
DISCONN
1
0
FST 138.150.39.18
DISCONN
1
0
FST 253.240.220.167 DISCONN
1
0
FST 252.186.119.224 DISCONN
1
0
FST 41.255.172.252 DISCONN
1
0
! --- Output truncated
Router>
prom
prom
prom
prom
prom
prom
prom
0
0
0
0
0
0
0
Suggested Fix
This vulnerability can be mitigated by using Control Plane Policing (CoPP) to only allow IP Protocol 91
packets sent by valid peers.
Mitigation techniques that can be deployed on Cisco devices within the network are available in the
Cisco Applied Mitigation Bulletin companion document.
Control Plane Policing (CoPP) can be used to block untrusted IP Protocol 91 packets sent to the affected
device. Cisco IOS Software Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP
feature. CoPP may be configured on a device to protect the management and control planes to minimize
the risk and effectiveness of direct infrastructure attacks by explicitly permitting, and if configured,
rate-limiting only authorized traffic that is sent to infrastructure devices in accordance with existing
security policies and configurations.
4-232
OL-25941-01
Chapter 4

The following example, which uses 192.168.100.1 to represent a trusted host, can be adapted to your
network.
!-- Deny FST traffic on IP protocol 91 from trusted
!-- hosts to all IP addresses configured on all interfaces of the affected device
!-- so that it will be allowed by the CoPP feature
access-list 111 deny 91 host 192.168.100.1 any

!-- Permit all other FST traffic on IP protocol 91
!-- sent to all IP addresses configured on all interfaces of the affected
!-- device so that it will be policed and dropped by the CoPP feature
access-list 111 permit 91 any any

!-!-!-!--
Permit (Police or Drop)/Deny (Allow) all other Layer3

and Layer4 traffic in accordance with existing security
policies and configurations for traffic that is authorized
to be sent to infrastructure devices

!-- the CoPP feature
class-map match-all drop-fst-91-class

policy-map input-CoPP-policy
class drop-fst-91-class
drop
!-- device
control-plane
service-policy input input-CoPP-policy
In the above CoP example, the access control list entries (ACEs) that match the potential exploit packets
with the permit action result in these packets being discarded by the policy map drop function, while
packets that match the deny action (not shown) are not affected by the policy-map drop function. Note
that in the 12.2S and 12.0S Cisco IOS trains the policy-map syntax is different, as shown in the following
example:
policy-map input-CoPP-policy
class drop-fst-91-class
police 32000 1500 1500 conform-action drop exceed-action drop
Additional information on the CoPP feature is available at:

Control Plane Policing Implementation Best Practices

OL-25941-01
4-233
Chapter 4
Cisco 10000 Series DoS Vulnerability - 113032

Description
The Cisco 10000 Series Router is affected by a denial of service (DoS) vulnerability where an attacker
could cause a device reload by sending a series of ICMP packets.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 113032: Verify Cisco 10000 Series DoS Vulnerability [IOS].

Description
Cisco 10000 Series Routers that are running an affected version of Cisco IOS are affected.
SOFTWARE (fc1)
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Cisco IOS Devices

Impact
Successful exploitation of this vulnerability could cause an affected device to reload. Repeated
exploitation could result in a sustained DoS condition.
4-234
OL-25941-01
Chapter 4

Suggested Fix
Traffic destined to the device or transit traffic could trigger the effects of this vulnerability.
Subsequently, the only workaround available is to block ICMP packets destined to the affected device
and all ICMP transit traffic.
IOS Software NAT H.323 Vulnerability - 112253

Description
The Cisco IOS Software network address translation (NAT) feature:
H.323 protocol
Cisco has released free software updates that address these vulnerabilities.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112253: Verify IOS Software NAT H.323 Vulnerability [IOS].

Description
NAT of H.323 Packets DoS Vulnerability

Transit crafted H.323 packets on TCP port 1720 could cause a reload of the vulnerable device.
Cisco IOS Devices

Impact
Successful exploitation of these vulnerability can cause the device to reload or become unresponsive.
Suggested Fix
NAT for Crafted H.323 Packets DoS Vulnerability Mitigation

Mitigation for this vulnerability consists of disabling NAT for H.323 and H.225.0 using the no ip nat
service h225 global configuration command.

OL-25941-01
4-235
Chapter 4

Description
Four different Cisco product lines are susceptible to multiple vulnerabilities discovered in the Secure
Shell (SSH) protocol version 1.5. These issues have been addressed, and fixes have been integrated into
the Cisco products that support this protocol.
By exploiting the weakness in the SSH protocol, it is possible to insert arbitrary commands into an
established SSH session, collect information that may help in brute force key recovery, or brute force a
session key.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 8118: Verify Multiple SSH Vulnerabilities [IOS].

Description
An implementation of SSH in multiple Cisco products are vulnerable to three different vulnerabilities.
These vulnerabilities are:
CRC-32 integrity check vulnerabilityThis vulnerability has been described in a CORE SDI S.A.
paper entitled An attack on CRC-32 integrity checks of encrypted channels using CBC and CFB modes.
In order for this attack to succeed, an attacker must possess one or two known ciphertext/plaintext pairs.
This should not be difficult since every session starts with a greeting screen which is fixed and which
can be determined. This also implies that an attacker must be somewhere along the session path in order
to be able to sniff the session and collect corresponding ciphertext.
While fixing this vulnerability, we have not made the implementation mistake described by VU#945216
(see http://www.kb.cert.org/vuls/id/945216) which is being actively exploited.
Traffic analysisThis issue has been described in an analysis jointly made by Dug Song and Solar
Designer. It can be found at http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt, and
is entitled Passive Analysis of SSH (Secure Shell) Traffic. To exploit this vulnerability, an attacker must
be able to capture packets. When sending a packet using the SSH protocol, it is padded to the next 8-byte
boundary, but the exact length of the data (without the padding) is sent unencrypted. The timing between
packets may yield additional information, such as the relative position of a letter on the keyboard, but
that depends on overall jitter in the network and the typing habits of the person. For additional
information, see http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.
Key recovery in SSH protocol 1.5This has been discovered by CORE SDI S.A. and the paper
describing it can be viewed at http://www.securityfocus.com/archive/1/161150. The subject line is SSH
protocol 1.5 session key recovery vulnerability. In order to exploit this vulnerability, an attacker must
be able to sniff the SSH session and be able to establish a connection to the SSH server. In order to
4-236
OL-25941-01
Chapter 4

recover the server key, an attacker must perform an additional 2^20+2^19=1572864 connections. Since
the key has a lifespan of about an hour, this means that an attacker must perform around 400 connections
per second. For further details, see http://www.securityfocus.com/archive/1/161150.
Cisco IOS Devices

Impact
CRC-32 integrity check vulnerabilityBy exploiting this protocol weakness, the attacker can insert
arbitrary commands in the session after the session has been established.
Traffic analysisThis vulnerability exposes the exact lengths of the passwords used for login
authentication. This is only applicable to an interactive session that is being established over the tunnel
protected by SSH. This can significantly help an attacker in guessing the password using the brute force
attack.
Key recovery in SSH protocol 1.5This vulnerability may lead to the compromise of the session key.
Once the session key is determined, the attacker can proceed to decrypt the stored session using any
implementation of the crypto algorithm used. This will reveal all information in an unencrypted form.
Suggested Fix
There are no workarounds for these vulnerabilities.
IOS Software Smart Install Vulnerability - 113030

Description
A vulnerability exists in the Smart Install feature of Cisco Catalyst Switches running Cisco IOS Software
that could allow an unauthenticated, remote attacker to perform remote code execution on the affected
device.
Cisco IOS Devices

References

Security Advisories For security issues that directly impact Cisco products and action is necessary to
repair the Cisco product. Security Notices For issues that require a response to information posted to a
Rule 1
Rule
PSIRT - 113030: Verify IOS Software Smart Install Vulnerability [IOS]

Description
Devices configured as a Smart Install client or director are affected by this vulnerability. To display
Smart Install information, use the show vstack config privileged EXEC command on the Smart Install
director or client. The outputs of the show commands are different when entered on the director or on
the client. The following is the output of the show vstack config in a Cisco Catalyst Switch configured
as a Smart Install client:

OL-25941-01
4-237
Chapter 4
switch#show vstack config

Role: Client
Vstack Director IP address: 10.1.1.163
The following is the output of the show vstack config in a Cisco Catalyst Switch configured as a Smart
Install director:
Director# show vstack config
Role: Director
Vstack Director IP address: 10.1.1.163
Vstack Mode: Basic
Vstack default management vlan: 1
Vstack management Vlans: none
Vstack Config file: tftp://10.1.1.100/default-config.txt
Vstack Image file: tftp://10.1.1.100/c3750e-universalk9-tar.122Join Window Details:
Window: Open (default)
Operation Mode: auto (default)
Vstack Backup Details:
Mode: On (default)
Repository: flash:/vstack (default)
Operating System Software" or "Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the
show version command or may provide different output.
SOFTWARE (fc1)
http://www.cisco.com/web/about/security/intelligence/ios-ref.html
Cisco IOS Devices

Impact
Successful exploitation could allow an unauthenticated, remote attacker to perform remote code
execution on the affected device.
Suggested Fix
There are no workarounds available to mitigate this vulnerability other than disabling the Smart Install
feature. The Smart Install Feature is enabled by default in client switches. No configuration is needed in
client switches.
4-238
OL-25941-01
Chapter 4

SSH Parameters
Description
Policies to enforce SSH related parameters.

Cisco IOS Devices With SSH Capability

References
Control Objectives for Information and Related Technology (DS5.8 of 4.0)

National Security Agency (NSA) Cisco Router Configuration Guide (Section 5.3.1 Page 228 of 1.1c)
National Security Agency (NSA) Cisco Switch Configuration Guide (Section 6.2.2, Page 18 of Version
1.0)
networks.
BS 7799, ISO/IEC 17799, ISO/IEC 27001 (Section 10.6.1 of Second Edition, 2005-06-15)
Information Technology Code of practice for information security management.

OL-25941-01
4-239
Chapter 4
Defence Information System Agency (Section NET0681,NET0682 of Dec 2, 2005)

Center for Internet Security, Benchmark for Cisco IOS (Section 1.1.2.2, Page: 9 of Version 2.2, Nov
2007)
Rule 1
Rule
Check the state of SSH server [IOS].

Description
Check the state of SSH server on the device. SSH provides secure access to the device.

Impact
Using unsecured access to the device like telnet is not suggested since the communication is not
encrypted.
Suggested Fix
Enable SSH server on the device for secure access of the device using the commands:
crypto key generate
Rule
Description
Constraints
State
SSH server state
Required: true
Default: true
Rule 2
Rule
Check maximum number of SSH authentication retries [IOS].

Description
Maximum number of authentication retries for SSH before the session is reset.
4-240
OL-25941-01
Chapter 4

Impact
If not limited, an unauthorized user may keep retrying to gain access to the device by guessing different
username/passwords.
Suggested Fix
Limit the number of retires before the session is reset using the command:
ip ssh authentication-retries
Rule
Description
Constraints
Max Authentication
Retries
The number of attempts after which the session is

reset.
Required: true
Default: 3
Min Value: 0
Max Value: 5
Rule 3
Rule
Check maximum Time-out interval for SSH negotiations [IOS].

Description
The time interval that the router waits for the SSH client to respond. This setting applies to the SSH
negotiation phase. Once the EXEC session starts, the standard timeouts configured for the vty apply. By
default, there are 5 vtys defined (0-4), therefore 5 terminal sessions are possible. After the SSH executes
a shell, the vty timeout starts. The vty timeout defaults to 10 minutes.

Impact
None.
Suggested Fix
Configure desired time-out value using the command:

ip ssh time-out
Rule
Description
Constraints
Max timeout in seconds
The time interval (in seconds) that the router waits

for the SSH client to respond.
Required: true
Default: 120
Min Value: 1
Max Value: 120

OL-25941-01
4-241
Chapter 4
IOS Software IPv6 over Multiprotocol Label Switching Vulnerability - 113058

Description
Cisco IOS Software is affected by Cisco IOS device to reload when processing IP version 6 (IPv6)
packets over a Multiprotocol Label Switching (MPLS) domain.
Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 113058: Verify IOS Software IPv6 over Multiprotocol Label Switching Vulnerability [IOS].
Description
Crafted IPv6 Packet May Cause MPLS-Configured Device to Reload

A crafted IPv6 packet may cause the device to crash when the packet is processed by Cisco IOS Software
because the MPLS TTL has expired. The crafted packet used to exploit this vulnerability would be
silently discarded in Cisco IOS Software if received on an interface where the packet did not have an
MPLS label.
Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software
in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS
are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two
vulnerabilities are independent of each other.
Note
IPv6 does not need to be configured on the affected devices themselves. The vulnerabilities do require
the MPLS label switched packets to have specific IPv6 payloads to be exploited.
To determine whether a device is configured for MPLS, log in to the device and issue the command-line
interface (CLI) command show mpls interface. If the IP state is Yes, the device is vulnerable. The
following example shows a device that has MPLS configured on interface Ethernet0/0:
Router#show mpls interface
Interface
IP
Ethernet0/0
Yes (ldp)
Router#
No
Tunnel
No
BGP
No
Static Operational
Yes
4-242
OL-25941-01
Chapter 4

The following two examples show responses from a device with MPLS forwarding disabled. The first
example shows a return of no interfaces:
router#show mpls interface
Interface
IP
routers#
Tunnel
BGP Static Operational
In the second example, the device provides a message indicating that MPLS forwarding is not
configured:
no MPLS apps enabled or MPLS not enabled on any interfaces
router#
confirms that the device is running Cisco IOS Software by displaying text similar to "Cisco Internetwork
Cisco IOS Devices

Impact
Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation
could result in a sustained denial of service condition.
Suggested Fix
For both vulnerabilities the following workaround applies:

Disabling MPLS TTL Propagation
Disabling MPLS TTL propagation will prevent exploitation of these vulnerabilities. MPLS TTL
propagation will have to be disabled on all PE routers in the MPLS domain. To disable MPLS TTL
propagation, enter the global configuration command no mpls ip propagate-ttl. If only no mpls ip
propagate-ttl forward is configured, the vulnerabilities could still be exploited from within the MPLS
domain.
For more information about the MPLS TTL propagation command, refer to the configuration guide at
http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m1.html#wp1013846.

OL-25941-01
4-243
Chapter 4
IOS Software ICMPv6 over Multiprotocol Label Switching Vulnerability - 113058

Description
Cisco IOS Software is affected by Cisco IOS device to reload when processing IP version 6 (IPv6)
packets over a Multiprotocol Label Switching (MPLS) domain.
ICMPv6 Packet May Cause MPLS-Configured Device to Reload
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 113058: Verify IOS Software ICMPv6 over Multiprotocol Label Switching Vulnerability [IOS].
Description
ICMPv6 Packet May Cause MPLS-Configured Device to Reload

A valid ICMPv6 packet may cause the device to crash when the packet is processed by Cisco IOS
Software because the MPLS TTL has expired. The packet used to exploit this vulnerability would not
affect Cisco IOS Software if received on an interface where the packet did not have an MPLS label.
Cisco IOS Software or Cisco IOS XE Software devices (hereafter both referenced as Cisco IOS Software
in this document) that are running vulnerable versions of Cisco IOS Software and configured for MPLS
are affected by two vulnerabilities related to IPv6 traffic that traverses an MPLS domain. The two
vulnerabilities are independent of each other.
Note
IPv6 does not need to be configured on the affected devices themselves. The vulnerabilities do require
the MPLS label switched packets to have specific IPv6 payloads to be exploited.
To determine whether a device is configured for MPLS, log in to the device and issue the command-line
interface (CLI) command show mpls interface. If the IP state is Yes, the device is vulnerable. The
following example shows a device that has MPLS configured on interface Ethernet0/0:
Router#show mpls interface
Interface
IP
Ethernet0/0
Yes (ldp)
Router#
Tunnel
No
BGP
No
Static
No
Operational
Yes
4-244
OL-25941-01
Chapter 4

The following two examples show responses from a device with MPLS forwarding disabled. The first
example shows a return of no interfaces:
Interface
IP
routers#
Tunnel
BGP Static Operational
In the second example, the device provides a message indicating that MPLS forwarding is not
configured:
no MPLS apps enabled or MPLS not enabled on any interfaces
router#
Cisco IOS Devices

Impact
Successful exploitation of these vulnerabilities may cause the device to reload. Repeated exploitation
could result in a sustained denial of service condition.
Suggested Fix
Disabling MPLS TTL Propagation

Disabling MPLS TTL propagation will prevent exploitation of these vulnerabilities. MPLS TTL
propagation will have to be disabled on all PE routers in the MPLS domain. To disable MPLS TTL
propagation, enter the global configuration command no mpls ip propagate-ttl. If only no mpls ip
propagate-ttl forward is configured, the vulnerabilities could still be exploited from within the MPLS
domain.
For more information about the MPLS TTL propagation command, see the configuration guide at:
http://www.cisco.com/en/US/docs/ios/mpls/command/reference/mp_m1.html#wp1013846.

OL-25941-01
4-245
Chapter 4
FTP
Description
Policies to enforce FTP related parameter values.

Cisco IOS Devices

References
None
Rule 1
Rule
Check FTP username configured [IOS].

Description
Check FTP username configured.

Cisco IOS Devices

Impact
None
Suggested Fix
Configure FTP username using the command:

ip ftp username
Rule 2
Rule
Check FTP password is configured [IOS].

Description
Check that FTP password is configured.

Cisco IOS Devices

Impact
None
Suggested Fix
Configure FTP password using the command:

ip ftp password
4-246
OL-25941-01
Chapter 4

Cisco ASA Internet Locator Service Inspection DoS vulnerability - 113097

Description
Cisco ASA 5500 Series Adaptive Security Appliances:
Internet Locator Service (ILS) Inspection Denial of Service vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 113097: Verify ASA Internet Locator Service Inspection DoS vulnerability [ASA].
Description
ILS Inspection Denial of Service Vulnerability

The ILS inspection engine provides NAT support for Microsoft NetMeeting, SiteServer, and Active
Directory products that use LDAP to exchange directory information with an ILS server.
A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security
Appliances. During successful exploitation, an unauthenticated attacker could cause the affected device
to reload and may result in a sustained DoS condition.
Cisco ASA Devices

Impact
Successful exploitation of all the DoS vulnerabilities could cause an affected device to reload. Repeated
Suggested Fix
ILS Inspection DoS Vulnerability

Administrators can mitigate this vulnerability by disabling ILS inspection if it is not required.
Administrators can disable ILS inspection by issuing the no inspect ils command in class configuration
sub-mode in the policy map configuration. Disabling ILS inspection may cause ILS traffic to stop
through the security appliance.

OL-25941-01
4-247
Chapter 4
IP Phone + Host Ports

Description
Policy to enforce parameters for ports connected to IP Phone AND hosts.

Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide (Section 7.2 Page26 of Version 1.0)
networks.
Rule 1
Rule
Check configuration on IP Phone ports that are connected to Host as well [IOS].
Description
This check makes sure configuration on IP Phone ports is according to the policy.
Cisco IOS Switches

Impact
None
Suggested Fix
Make sure all the IP Phone ports are configured as switch ports in access mode using the command:
switchport
switchport mode access
Rule
Description
Constraints
IP Phone Ports
Group of ports to make sure unused port

configuration is enforced. Example valid values:
'FastEthernet0/.*', and so on.
Required: true
Default: [Voice and
Hosts]
Using IP Phone Ports Editor option, you can add, or remove IP Phone Ports details. You can also change
the order of the port details.
4-248
OL-25941-01
Chapter 4

Rule 2
Rule
Check all IP Phone ports are assigned to voice VLAN [IOS].

Description
This check makes sure all IP Phone ports are assigned to a voice VLAN.
Cisco IOS Switches

Impact
None
Suggested Fix
Assign all IP Phone ports to a specific voice VLAN using the command:
switchport voice vlan <vlan number>
Rule
Description
Constraints
Voice VLAN
VLAN assigned to carry IP Phone traffic in the

network.
Required: true
Min Value: 1
Max Value: 4094
Rule 3
Rule
Check the Access VLAN [IOS].

Description
This check makes sure all IP Phone + host ports are assigned to an access VLAN.
Cisco IOS Switches

Impact
None
Suggested Fix
Assign all IP Phone + host ports to a specific access VLAN using the command:
switchport access vlan <vlan number>

OL-25941-01
4-249
Chapter 4
Rule
Description
Constraints
Access VLAN
Access VLAN assigned to carry traffic to/from the

host connected
Required: true
Min Value: 1
Max Value: 4094
Rule 4
Rule
Check all IP Phone ports block unknown multicast frames [IOS].

Description
This check will make sure all IP Phone ports are configured to block unknown multicast frames.
Cisco IOS Switches

Impact
By default, a switch floods packets with unknown destination MAC addresses to all ports. If unknown
unicast and multicast traffic is forwarded to a switch port, there might be security issues. To prevent
forwarding such traffic, you can configure a port to block unknown unicast or multicast packets.
Suggested Fix
Configure IP Phone ports to block unknown multicast packets using the command:
switchport block multicast
Rule 5
Rule
Check all IP Phone ports block unknown unicast frames [IOS].

Description
This check will make sure all IP Phone ports are configured to block unknown unicast frames.
Cisco IOS Switches

Impact
4-250
OL-25941-01
Chapter 4

Suggested Fix
Configure IP Phone ports to block unknown unicast packets using the command:
switchport block unicast
Rule 6
Rule
Check all IP Phone ports are enabled with port security [IOS].
Description
This check will make sure all IP Phone ports are configured port security to block devices with unknown
MAC addresses to be connected.
Cisco IOS Switches

Impact
None
Suggested Fix
Configure IP Phone ports with port security using the command:

switchport port-security
Rule
Description
Constraints
Maximum MAC
addresses allowed
Maximum MAC addresses allowed to be connected

to this port. Please note that each IP Phone may
require 2 entries.
Required: false
Default: 3
Min Value: 1
Max Value: 5120
Rule 7
Rule
Check all IP Phone ports are configured not to override COS of incoming packets [IOS].
Description
This check will make sure the IP Phone ports are configured not to override Class Of Service of packets
with default cos.
Cisco IOS Switches

OL-25941-01
4-251
Chapter 4
Impact
All the incoming packets will be overwritten with a default class of service replacing the original class
of service in the packet. This will cause the voice traffic to share the same queues as data coming from
PC and hence may cause degradation in voice quality.
Suggested Fix
Configure IP Phone ports not to override cos using the command:

no mls qos cos override
Rule 8
Rule
Check all IP Phone ports are configured to trust priority fields [IOS].
Description
This check will make sure the IP Phone ports are configured to trust the priority fields of an incoming
packet when classifying a packet for QoS purposes.
Cisco IOS Switches

Impact
None
Suggested Fix
Configure IP Phone ports to trust DSCP bits/COS bits/IP Precedence bits using the command:
mls qos trust
Rule
Description
Constraints
Classification Based On
Field in the packet to be used for classifying packets. Required: true

Default:
Default:DSCP bits
Rule 9
Rule
Check all IP Phone ports have CDP enabled [IOS].

Description
In a typical network, you connect a Cisco IP Phone. Traffic sent from the telephone to the switch is
typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and
the CoS 3-bit field, which determines the priority of the packet. For most Cisco IP Phone configurations,
the traffic sent from the telephone to the switch is trusted to ensure that voice traffic is properly
prioritized over other types of traffic in the network. By using the mls qos trust cos interface
4-252
OL-25941-01
Chapter 4

configuration command, you can configure the switch port to which the telephone is connected to trust
the CoS labels of all traffic received on that port. However, if a user bypasses the telephone and connects
the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of
the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature
solves this problem by using the CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP
Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted
boundary feature disables the trusted setting on the switch port and prevents misuse of a high-priority
queue.
Cisco IOS Switches

Impact
It may not be possible to recognize a voice phone connected to the switch port and this may cause quality
of service issues.
Suggested Fix
Configure IP Phone ports to use CDP using the command:

cdp enable
Rule 10
Rule
Check all IP Phone ports are configured to trust Cisco IP Phones [IOS].
Description
Switch port uses CDP to detect an IP Phone connected to it. So, it is required to CDP to be enabled on
the switch port. In a typical network, you connect a Cisco IP Phone. Traffic sent from the telephone to
the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN
information and the CoS 3-bit field, which determines the priority of the packet. For most Cisco IP
Phone configurations, the traffic sent from the telephone to the switch is trusted to ensure that voice
traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos
interface configuration command, you can configure the switch port to which the telephone is connected
to trust the CoS labels of all traffic received on that port. However, if a user bypasses the telephone and
connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch
(because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary
feature solves this problem by using the CDP to detect the presence of a Cisco IP Phone (such as the
Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted
queue.
Cisco IOS Switches

Impact
If a PC is connected directly to a Voice port, the switch will trust the priority coming from the PC, which
may cause the LAN Quality of service to mis-behave.

OL-25941-01
4-253
Chapter 4
Suggested Fix
Configure IP Phone ports to trust Cisco IP Phones using the command:

mls qos trust device cisco-phone
Rule 11
Rule
Check all IP Phone ports are configured to set COS value for attached device [IOS].
Description
This check will make sure the IP Phone + Host ports are configured properly to instruct IP Phones to
rewrite the PC traffic with a given COS.
Cisco IOS Switches

Impact
Host may generate frames with higher cos value there by disrupting quality of service on the port.
Suggested Fix
Configure switch IP Phone + Host port to overwrite PC traffic using the command:
switchport priority extend cos
Rule
Description
Constraints
Class of Service Value
Class of Service Value that will be used to overwrite Required: true

PC traffic with.
Default: 0
Min Value: 0
Max Value: 7
Note
Port Security
Description
You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress
traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign
secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses
outside the group of defined addresses. If you limit the number of secure MAC addresses to one and
assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
4-254
OL-25941-01
Chapter 4

Cisco IOS Switches

References
National Security Agency (NSA) Cisco Switch Configuration Guide (Section 7.2 Page 24 of Version 1.0)
networks.
Rule 1
Rule
Check State of Port Security [IOS].

Description
This check makes sure the state and configuration of port security is as per the required policy. Port
security limits the number of valid MAC addresses allowed on a port. All switch ports or interfaces
should be secured before the switch is deployed. In this way the security features are set or removed as
required instead of adding and strengthening features randomly or as the result of a security incident.
Please note that Since IP phones may use both untagged packets (e.g., Layer 2 CDP protocol) and Voice
VLAN tagged packets, the IP phone's MAC address will be seen on both the native VLAN and the Voice
VLAN. Therefore it will be counted twice. Set the maximum MAC count for a port connected to an IP
phone to account for this plus the number of computers attached to the IP phone. Computers that
legitimately transmit using multiple MAC address (for example, Network Load Balancing protocol)
must also be taken into account.
Cisco IOS Switches

Impact
A switch that does not provide port security allows an attacker to attach a system to an unused, enabled
port and to perform information gathering or attacks. A switch can be configured to act like a hub, which
means that every system connected to the switch can potentially view all network traffic passing through
the switch to all systems connected to the switch. Thus, an attacker could collect traffic that contains
usernames, passwords or configuration information about the systems on the network.
Suggested Fix
Configure Port security on given interfaces using the command:

switchport port-security maximum
switchport port-security violation
You can add, remove, or update the port security details. You can also change the order of the port
security details.

OL-25941-01
4-255
Chapter 4
Note
ASA SCCP Inspection DoS Vulnerability - 112881

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the:
Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 112881: Verify SCCP Inspection DoS Vulnerability [ASA].

Description
SCCP Inspection Denial of Service Vulnerability

A denial of service vulnerability affects the SCCP inspection feature of Cisco ASA 5500 Series Adaptive
Security Appliances.
Administrators can determine if SCCP inspection is enabled by issuing the show service-policy |
include skinny command and confirming that output, such as what is displayed in the following
example, is returned.
ciscoasa# show service-policy | include skinny
Inspect: skinny, packet 0, drop 0, reset-drop 0
Alternatively, a device that has SCCP inspection enabled has a configuration similar to the following:
class-map inspection_default
match default-inspection-traffic
!
policy-map global_policy
class inspection_default
...
inspect skinny
...
!
service-policy global_policy global
Note
The service policy could also be applied to a specific interface instead of globally, which is displayed in
the previous example.
4-256
OL-25941-01
Chapter 4

SCCP inspection is enabled by default.

Cisco ASA Devices

Impact
Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated
exploitation may result in a sustained denial of service condition.
Suggested Fix
Administrators can mitigate this vulnerability by disabling SCCP inspection if it is not required.
Administrators can disable SCCP inspection by issuing the no inspect skinny command in class
configuration submode in the policy map configuration.
Password Rules
Description
Default user name should not configured.

Cisco Wireless LAN Controller (WLC) Devices

References
User Defined
Rule 1
Rule
Check default username should not be configured (WLC).

Description
Default user should not be configured.

Cisco Wireless LAN Controller (WLC) Devices.

Impact
Default user name vulnerable.

Suggested Fix
Default user can delete using command:

mgmtuser delete admin
ASA Unauthorized File System Access Vulnerability - 112881

Description

OL-25941-01
4-257
Chapter 4
Unauthorized File System Access Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 112881: Verify Unauthorized File System Access Vulnerability [ASA].

Description
An unauthorized file system access vulnerability affects Cisco ASA 5500 Series Adaptive Security
Appliances when a security appliance is configured as a local Certificate Authority (CA). An affected
configuration consists of the following minimum commands:
crypto ca trustpoint <trustpoint name>
keypair <keypair name>
crl configure
crypto ca server
crypto ca certificate chain <trustpoint name>
certificate ca 01
...
!
http server enable
The local CA server is not enabled by default.

Cisco ASA Devices

Impact
Successful exploitation of this vulnerability could allow unauthorized, unauthenticated users to retrieve
files that are stored in an affected appliance's file system, which may contain sensitive information.
Suggested Fix
There are no workarounds for this vulnerability.
IOS Software IPS and Zone Based Firewall Memory Leak Vulnerability - 113057
Description
Cisco IOS Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall features.
Memory leak in Cisco IOS Software
Cisco IOS Devices
4-258
OL-25941-01
Chapter 4

References

Rule 1
Rule
PSIRT - 113057: Verify IOS Software IPS and Zone Based Firewall Memory Leak Vulnerability [IOS].
Description
Cisco IOS devices running vulnerable versions of Cisco IOS Software are affected by two vulnerabilities
in Cisco IOS IPS and Cisco IOS Zone-Based Firewall. The two vulnerabilities are independent of each
other. Details to confirm affected configurations are provided below.
Memory leak in Cisco IOS Software
A device that is configured for either Cisco IOS IPS or Cisco IOS Zone-Based Firewall (or both), may
experience a memory leak under high rates of new session creation flows through the device.
To determine if a device is configured with Cisco IOS IPS, log into the device and issue the show ip ips
interfaces CLI command. If the output shows an IPS rule either in the inbound or outbound direction
set, then the device is vulnerable. This example, shows a device with an IPS rule set on Interface Gigabit
Ethernet 0/0 in the inbound direction:
Router#show ip ips interfaces
Interface Configuration
Interface GigabitEthernet0/0
Inbound IPS rule is example_ips_rule
Outgoing IPS rule is not set
Router#
A device that is not configured for Cisco IOS IPS will return a blank line. The following example shows
a device on which Cisco IOS IPS is not configured:
Router#
To determine whether a device is configured with Zone-Based Firewall, log into the device and issue the
show zone security CLI command. If the output shows a member interface under a zone name, then the
device is vulnerable. This example, shows a device with Zone-Based Firewall rules configured on both
GigabitEthernet0/0 and GigabitEthernet0/1
Router#show zone security
zone self
Description: System defined zone
zone inside
Description: *** Inside Network ***
Member Interfaces:
GigabitEthernet0/0
zone outside
Description: *** Outside Network ***
Member Interfaces:
GigabitEthernet0/1
Router#

OL-25941-01
4-259
Chapter 4
Note
The device is vulnerable if configured with Zone-Based Firewall, regardless of the type of packet
inspection being performed.
Cisco IOS Devices

Impact
Memory leak in Cisco IOS Software The device may run out of memory resulting in instability or the
device crashing.
Suggested Fix
There are no workarounds available.
ASA Transparent Firewall Packet Buffer Exhaustion Vulnerability - 112881

Description
Transparent Firewall Packet Buffer Exhaustion Vulnerability.
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 112881: Verify Cisco Transparent Firewall Packet Buffer Exhaustion Vulnerability [ASA].
Description
Transparent Firewall Packet Buffer Exhaustion Vulnerability

A packet buffer exhaustion vulnerability affects multiple versions of Cisco ASA Software when a
security appliance is configured to operate in the transparent firewall mode. Transparent firewall mode
is enabled on the appliance if the command firewall transparent is present in the configuration. The
default firewall mode is routed, not transparent. The show firewall command can also be used to
determine the firewall operation mode:
ciscoasa# show firewall
Firewall mode: Transparent
Cisco ASA Devices
4-260
OL-25941-01
Chapter 4

Impact
Successful exploitation of this vulnerability could cause a decrease in the number of available packet
buffers. Repeated exploitation could eventually deplete all available packet buffers, which may cause an
appliance to stop forwarding traffic.
Suggested Fix
There is no workaround for this vulnerability.
IP Phone Ports
Description
Policy to enforce parameters for ports connected to IP Phone.

Cisco IOS Switches

References
networks.
Rule 1
Rule
Check configuration on IP Phone ports [IOS].

Description
This check makes sure configuration on IP Phone ports is according to the policy.
Cisco IOS Switches

Impact
None
Suggested Fix
Make sure all the IP Phone ports are configured as switch ports in access mode using the command:
switchport

OL-25941-01
4-261
Chapter 4
Rule
Description
Constraints
IP Phone Ports
Group of ports to make sure unused port

configuration is enforced. Example valid Values:
Required: true
Default: [Voice]
Using IP Phone Ports Editor option, you can add, or remove IP Phone Ports details. You can also change
the order of the port details.
Rule 2
Rule
Check all IP Phone ports are assigned to voice VLAN [IOS].

Description
This check makes sure all IP Phone ports are assigned to a voice VLAN.
Cisco IOS Switches

Impact
None
Suggested Fix
Assign all IP Phone ports to a specific voice VLAN using the command:
switchport voice vlan <vlan number>
Rule
Description
Constraints
Voice VLAN
VLAN assigned to carry IP Phone traffic in the

network.
Required: true
Min Value: 1
Max Value: 4094
Rule 3
Rule
Check all IP Phone ports block unknown multicast frames [IOS].

Description
This check will make sure all IP Phone ports are configured to block unknown multicast frames.
Cisco IOS Switches
4-262
OL-25941-01
Chapter 4

Impact
Suggested Fix
Configure IP Phone ports to block unknown multicast packets using the command:
Rule 4
Rule
Check all IP Phone ports block unknown unicast frames [IOS].

Description
This check will make sure all IP Phone ports are configured to block unknown unicast frames.
Cisco IOS Switches

Impact

OL-25941-01
4-263
Chapter 4
Suggested Fix
Configure IP Phone ports to block unknown unicast packets using the command:
Rule 5
Rule
Check all IP Phone ports are enabled with port security [IOS].
Description
This check will make sure all IP Phone ports are configured port security to block devices with unknown
Cisco IOS Switches

Impact
None
Suggested Fix
Configure IP Phone ports with port security using the command:

Rule
Description
Constraints
Maximum MAC
addresses allowed
Maximum MAC addresses allowed to be connected

to this port. Please note that each IP Phone may
require 2 entries.
Required: false
Default: 2
Min Value: 1
Max Value: 5120
Rule 6
Rule
Check all IP Phone ports are configured not to override COS of incoming packets [IOS].
Description
This check will make sure the IP Phone ports are configured not to override Class Of Service of packets
with default cos.
Cisco IOS Switches
4-264
OL-25941-01
Chapter 4

Impact
All the incoming packets will be overwritten with a default class of service replacing the original class
of service in the packet. This will cause the voice traffic to share the same queues as data coming from
PC and hence may cause degradation in voice quality.
Suggested Fix
Configure IP Phone ports not to override cos using the command:

no mls qos cos override
Rule 7
Rule
Check all IP Phone ports are configured to trust priority fields [IOS].
Description
This check will make sure the IP Phone ports are configured to trust the priority fields of an incoming
packet when classifying a packet for QoS purposes.
Cisco IOS Switches

Impact
None
Suggested Fix
Configure IP Phone ports to trust DSCP bits/COS bits/IP Precedence bits using the command:
mls qos trust
Rule
Description
Constraints
Classification Based On
Field in the packet to be used for classifying packets. Required: true

Default:
Default:DSCP bits
Rule 8
Rule
Check all IP Phone ports have CDP enabled [IOS].

Description
In a typical network, you connect a Cisco IP Phone. Traffic sent from the telephone to the switch is
typically marked with a tag that uses the 802.1Q header. The header contains the VLAN information and
the CoS 3-bit field, which determines the priority of the packet. For most Cisco IP Phone configurations,
the traffic sent from the telephone to the switch is trusted to ensure that voice traffic is properly
prioritized over other types of traffic in the network. By using the mls qos trust cos interface

OL-25941-01
4-265
Chapter 4
configuration command, you can configure the switch port to which the telephone is connected to trust
the CoS labels of all traffic received on that port. However, if a user bypasses the telephone and connects
the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch (because of
the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary feature
solves this problem by using the CDP to detect the presence of a Cisco IP Phone (such as the Cisco IP
Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted
queue.
Cisco IOS Switches

Impact
It may not be possible to recognize a voice phone connected to the switch port and this may cause quality
of service issues.
Suggested Fix
Configure IP Phone ports to use CDP using the command:

cdp enable
Rule 9
Rule
Check all IP Phone ports are configured to trust Cisco IP Phones [IOS].
Description
Switch port uses CDP to detect an IP Phone connected to it. So, it is required to CDP to be enabled on
the switch port. In a typical network, you connect a Cisco IP Phone. Traffic sent from the telephone to
the switch is typically marked with a tag that uses the 802.1Q header. The header contains the VLAN
information and the CoS 3-bit field, which determines the priority of the packet. For most Cisco IP
Phone configurations, the traffic sent from the telephone to the switch is trusted to ensure that voice
traffic is properly prioritized over other types of traffic in the network. By using the mls qos trust cos
interface configuration command, you can configure the switch port to which the telephone is connected
to trust the CoS labels of all traffic received on that port. However, if a user bypasses the telephone and
connects the PC directly to the switch, the CoS labels generated by the PC are trusted by the switch
(because of the trusted CoS setting) and can allow misuse of high-priority queues. The trusted boundary
feature solves this problem by using the CDP to detect the presence of a Cisco IP Phone (such as the
Cisco IP Phone 7910, 7935, 7940, and 7960) on a switch port. If the telephone is not detected, the trusted
queue.
Cisco IOS Switches

Impact
If a PC is connected directly to a Voice port, the switch will trust the priority coming from the PC, which
may cause the LAN Quality of service to mis-behave.
4-266
OL-25941-01
Chapter 4

Suggested Fix
Configure IP Phone ports to trust Cisco IP Phones using the command:

mls qos trust device cisco-phone
Note
ASA Routing Information Protocol DoS Vulnerability - 112881

Description
Routing Information Protocol (RIP) Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 112881: Verify Routing Information Protocol DoS Vulnerability [ASA].

Description
RIP Denial of Service Vulnerability

A denial of service vulnerability affects the RIP implementation in Cisco ASA 5500 Series Adaptive
Security Appliances when both RIP and the Cisco Phone Proxy feature are enabled on the same device.
The following example displays an affected configuration (Cisco ASA Software version 8.0 and 8.1):
router rip
...
!
phone-proxy <instance name>
media-termination address <IP address>
...
<Rest of phone proxy feature configuration>

OL-25941-01
4-267
Chapter 4
Or (Cisco ASA Software version 8.2 and later):

router rip
...
!
media-termination <instance name>
address <IP address>
!
<Rest of phone proxy feature configuration>
A security appliance is vulnerable if it is processing RIP messages (router rip) and if a global media
termination address is configured for the Cisco Phone Proxy feature (refer to previous example). Note
that Cisco ASA Software versions 8.0 and 8.1 only allow a global media termination address. However,
in Cisco ASA Software version 8.2 and later, it is possible to tie a media termination address to an
interface. This configuration, which is accomplished by issuing the command address <IP address>
interface <interface name> in media termination configuration mode, is not affected.
Neither RIP nor the Cisco Phone Proxy feature is enabled by default.
Cisco ASA Devices

Impact
Successful exploitation of this vulnerability could cause a reload of the affected device. Repeated
exploitation may result in a sustained denial of service condition.
Suggested Fix
There are no workarounds for Cisco ASA Software version 8.0 and 8.1. On Cisco ASA Software version
8.2 and later, administrators can configure a non-global media termination address by specifying a
termination address that will be tied to a specific interface. For example:
router rip
...
!
media-termination <instance name>
address <IP address> interface <interface name>
!
<Rest of phone proxy feature configuration
Outdated Devices As Per Vendor Specific EOL/EOS Announcements

Description
This policy verifies if any of the devices selected are outdated as per the Cisco Hardware End Of
Life/End Of Sales Announcements.
Cisco IOS Devices

Cisco CatOS Devices
4-268
OL-25941-01
Chapter 4

References

Rule 1
Rule
Verify that device is not announced to be End Of Life (IOS, PIX, ASA, CatOS).
Description
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix
Upgrade to next available family of devices as soon as possible.
Rule 2
Rule
Verify that device has not reached to be End Of Sale (IOS, PIX, ASA, CatOS).
Description
This device has reached End of Sale milestone. The hardware may no longer be ordered. Devices which
reach this milestone are still available for customers under maintenance contract or for Customer Service
Engineering (CSE) support until they reach the "End-of-Life" milestone. Products reach the end of their
Product Life Cycle for a number of reasons. These reasons may be due to market demands, technology
Cisco IOS Devices

Cisco CatOS Devices

OL-25941-01
4-269
Chapter 4
Impact
Suggested Fix

Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 3
Rule
Verify that device has not reached to be End Of Engineering Maintenance (IOS, PIX, ASA, CatOS).
Description
This device has reached End of Engineering milestone. After this milestone, no scheduled maintenance
releases will be produced for the major release. Upgrades and releases for devices which reach this
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix

Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 4
Rule
Verify that device has not reached to be End Of Contract Renewal Maintenance (IOS, PIX, ASA,
CatOS).
4-270
OL-25941-01
Chapter 4

Description
This device has reached End of Contract Renewal milestone. After this milestone, service contracts are
no longer renewed.
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Rule 5
Rule
Verify that device has not reached to be End Of Life (Support) (IOS, PIX, ASA, CatOS).
Description
This device has reached End of Life milestone. After this milestone date, the device is no longer
officially supported by the vendor. Products reach the end of their Product Life Cycle for a number of
Cisco IOS Devices

Cisco CatOS Devices
Impact
Suggested Fix

OL-25941-01
4-271
Chapter 4
Rule
Description
Constraints
Time
Time in years.
Required: true
Default: Right Now
Cisco ASA TACACS+ Authentication Bypass vulnerability - 113097

Description
TACACS+ Authentication Bypass vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 113097: Verify ASA TACACS+ Authentication Bypass vulnerability [ASA].

Description
TACACS+ Authentication Bypass Vulnerability

An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series
Adaptive Security Appliances.
In order to enable TACACS+ for authentication, authorization, or accounting (AAA), you must first
create at least one AAA server group per AAA protocol and add one or more servers to each group with
the aaa-server command. You identify AAA server groups by name. The following example shows how
a AAA server group is configured for TACACS+ authentication:
aaa-server my-tacacs-sever protocol tacacs+
aaa-server my-tacacs-server (inside) host 203.0.113.11
Cisco ASA Devices

Impact
Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to
bypass authentication of VPN, firewall and/or administrative sessions.
Suggested Fix
TACACS+ Authentication Bypass Vulnerability
4-272
OL-25941-01
Chapter 4

There are no workarounds available for this vulnerability other than using a different authentication
protocol such as RADIUS, Active Directory, and so on.
Content Services Gateway Service policy bypass - 112206

Description
A service policy bypass vulnerability exists in the Cisco Content Services Gateway - Second Generation
(CSG2), which runs on the Cisco Service and Application Module for IP (SAMI). Under certain
configurations this vulnerability could allow:
Customers to access sites that would normally match a billing policy to be accessed without being
charged to the end customer
Customers to access sites that would normally be denied based on configured restriction policies
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112206: Verify Cisco Content Services Gateway Service policy bypass Vulnerability [IOS].
Description
The service policy bypass vulnerability affects all versions of the Cisco IOS Software for the CSG2 prior
to the first fixed release, as indicated in the "Software Versions and Fixes" section of this advisory.
Cisco IOS Devices

Impact
Successful exploitation of the service policy bypass can allow customers to obtain access to sites that
would normally be accounted and billed according to the billing policy without the billing policy being
engaged. Additionally, customers could gain access to URLs that are configured in the Cisco CSG2 to
be explicitly denied.
Suggested Fix
IOS Software NAT LDAP Vulnerability - 112253

Description

OL-25941-01
4-273
Chapter 4
NetMeeting Directory (Lightweight Directory Access Protocol, LDAP)
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112253: Verify IOS Software NAT LDAP Vulnerability [IOS].

Description
NAT for NetMeeting Directory (LDAP) Vulnerability

LDAP is a protocol for querying and modifying data of directory services implemented in IP networks.
NAT for NetMeeting Directory, also known as the Internet Locator Service (ILS), translates LDAP
packets on TCP port 389. The inspected port is not configurable.
This vulnerability is triggered by malformed transit LDAP traffic that needs to be processed by the NAT
for NetMeeting Directory feature.
Cisco IOS Devices

Impact
Successful exploitation of this vulnerability can cause the device to reload or become unresponsive.
Suggested Fix
NAT LDAP Vulnerability Mitigation

To disable NAT of LDAP, port-based address translation needs to be configured to disable LDAP
inspection using the no-payload keyword. This will still allow the NAT of LDAP packets at Layer 3
(non-port specific). Translation of other non-LDAP protocols translation will not be affected.
Applications that use embedded IP addresses in LDAP, such as NetMeeting Directory, will be negatively
impacted if the embedded IP addresses need to be translated.
4-274
OL-25941-01
Chapter 4

The following is an example configuration that includes the mitigation for two NAT rules.
!-- NAT rule for port TCP/389 to disable IP NAT for LDAP translation
!-- Takes precedence over the non-port translation rule.
ip nat outside source static tcp 192.168.0.1 389 192.168.1.1 389 no-payload
ip nat outside source static tcp 192.168.0.3 389 192.168.1.3 389 no-payload
!-- Translation rule for all other protocols
ip nat outside source static 192.168.0.1 192.168.1.1
ip nat outside source static 192.168.0.3 192.168.1.3
interface GigabitEthernet0/0
ip nat inside
ip nat outside
Each NAT translation rule in the configuration will need to be updated to include a per-port rule that
disables translation of TCP packets on port 389.
DHCP
Description
Policies to enforce DHCP related parameter values.

Cisco IOS Devices With DHCP_SERVER Capability

References
None
Rule 1
Rule
Check DHCP service on the device [IOS].

Description
Enable/disable DHCP service.


Impact
None
Suggested Fix
Enable/Disable DHCP service using the command:

[no] service dhcp

OL-25941-01
4-275
Chapter 4
Rule
Description
Constraints
DHCP Service State
Required state of DHCP Service on the device.
Required: true
Default: true
Rule 2
Rule
Check DHCP lease time should be at least [IOS].

Description
Make sure that DHCP lease time should be at least.


Impact
None
Suggested Fix
Configure DHCP lease time using the command:

ip dhcp pool <pool-name>
lease <number>
Rule
Description
DHCP lease time in days The amount of time (in days) that the assigned ip
address is valid.
Constraints
Required: true
Default: 1
Min Value: 0
Max Value: 365
IOS Software IP Service Level Agreement Vulnerability - 113056

Description
The Cisco IOS IP Service Level Agreement (IP SLA) feature contains a denial of service (DoS)
vulnerability. The vulnerability is triggered when malformed UDP packets are sent to a vulnerable
device. The vulnerable UDP port numbers depend on the device configuration. Default ports are not used
for the vulnerable UDP IP SLA operation or for the UDP responder ports.
Cisco IOS Devices

References
4-276
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT - 113056: Verify IOS Software IP Service Level Agreement Vulnerability [IOS].
Description
Cisco devices that are running Cisco IOS Software are vulnerable when they are configured for IP SLA,
either as responders or as originators of vulnerable IP SLA operations.
The following example shows output from a device that runs a Cisco IOS Software image:
Cisco IOS Devices

Impact
Successful exploitation of the vulnerability described in this document may result in the reload of a
vulnerable device. Repeated exploitation could result in a DoS condition.
Suggested Fix
There are no workarounds for this vulnerability, but there are mitigations that can be deployed on a
general IP SLA responder to reduce the exposure to this vulnerability.
General IP SLA Responder Mitigation
For devices that are configured as general responders, a mitigation is to restrict IP SLA control packets
on UDP port 1967 that are addressed to the vulnerable device to permit only trusted probe originators to
open UDP ports that could be exploited. This can be accomplished using techniques such as
Infrastructure Access list or Control Plane Protection.
For devices configured as general responders, mitigation techniques that can be deployed on Cisco
devices within the network are available in the Cisco Applied Mitigation Bulletin companion document.
IP SLA Permanent Responder Mitigation
For the permanent responder, the mitigation is to filter UDP packets addressed to the configured UDP
port of each permanent responder to permit packets from the IP addresses of trusted devices.

OL-25941-01
4-277
Chapter 4
IP SLA Source Devices Mitigation

For IP SLA source devices, a mitigation is to allow only UDP packets from trusted devices (that is,
devices that are the target of IP SLA operations).
DHCP Status
Description
DHCP server should be disabled.


References
User Defined
Rule 1
Rule
DHCP should be disabled (WLC).

Description
Disable DHCP service.

Cisco Wireless LAN Controller (WLC) Device

Impact
None
Suggested Fix
Make sure that no dhcp scopes defined.
4-278
OL-25941-01
Chapter 4

Cisco ASA Four SunRPC Inspection Denial of Service vulnerability - 113097

Description
Four SunRPC Inspection Denial of Service vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 113097: Verify ASA Four SunRPC Inspection Denial of Service Vulnerability [ASA].
Description
SunRPC Inspection Denial of Service Vulnerabilities

Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive
Security Appliances.
SunRPC inspection is enabled by default.
To check if SunRPC inspection is enabled, issue the show service-policy | include sunrpc command
and confirm that output, such as what is displayed in the following example, is returned.
ciscoasa# show service-policy | include sunrpc
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
The following configuration commands are used to enable SunRPC inspection in the Cisco ASA.
class-map inspection_default
match default-inspection-traffic
!
...
inspect sunrpc
...
!
Cisco ASA Devices

Impact

OL-25941-01
4-279
Chapter 4
Suggested Fix
SunRPC Inspection DoS Vulnerabilities

Administrators can mitigate this vulnerability by disabling SunRPC inspection if it is not required.
Administrators can disable SunRPC inspection by issuing the no inspect sunrpc command in class
configuration sub-mode in the policy map configuration. Disabling SunRPC inspection may cause
SunRPC traffic to stop through the security appliance.
Content Services Gateway DOS Vulnerability - 112206

Description
Cisco IOS Software Release 12.4 (24)MD1 on the Cisco CSG2 contains two vulnerabilities that can be
exploited by a remote, unauthenticated attacker to create a denial of service condition that prevents
traffic from passing through the CSG2. These vulnerabilities require only a single content service to be
active on the Cisco CSG2 and can be exploited via crafted TCP packets. A three-way handshake is not
required to exploit either of these vulnerabilities.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112206: Verify Cisco Content Services Gateway DOS Vulnerability [IOS].
Description
The Denial of service vulnerabilities only affect Cisco IOS Software Release 12.4 (24) MD1 on the
Cisco CSG2. No other Cisco IOS Software releases are affected.
Cisco IOS Devices

Impact
Successful exploitation of either denial of service vulnerability could result in the Cisco CSG2 reloading
or potentially hanging.
Suggested Fix
4-280
OL-25941-01
Chapter 4

IOS Software IPS and Zone Based Firewall crafted HTTP packets Vulnerability - 113057
Description
Cisco IOS Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall features.
Cisco IOS Software Denial of Service when processing specially crafted HTTP packets
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 113057: Verify IOS Software IPS and Zone Based Firewall crafted HTTP packets Vulnerability
[IOS].
Description
Cisco IOS Software Denial of Service when processing specially crafted HTTP packets.
A device is vulnerable if configured under the following circumstances:
HTTP Layer 7 Application Control and Inspection and Cisco IOS IPS are enabled.
HTTP Layer 7 Application Control and Inspection with match request arg regex parameter on the
HTTP class map. This configuration is affected regardless if Cisco IOS IPS is enabled or not.
The device is not vulnerable under other configurations. A summary of different configurations and their
affect by this vulnerability is provided below:
Configuration on Device
Affected or not Affected
Only Cisco IOS IPS enabled
Not Affected
HTTP Layer 4 Stateful Inspection with Cisco IOS IPS

enabled
Not Affected
HTTP Layer 4 Stateful Inspection with Cisco IOS IPS

disabled
Not Affected
HTTP Layer 7 Application Control and Inspection with Affected

Cisco IOS IPS enabled
HTTP Layer 7 Application Control and Inspection with Affected
match arg regex parameter. With or without Cisco IOS
IPS enabled.
HTTP Layer 7 Application Control and Inspection
without match arg regex parameter. With or without
Cisco IOS IPS enabled.
Not Affected

OL-25941-01
4-281
Chapter 4
The following example shows an affected device configured with HTTP Layer 7 Application Control
and Inspection and Cisco IOS IPS enabled:
!
ip ips name myips
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
!
class-map type inspect match-any layer4-classmap
match protocol http
!
class-map type inspect http match-any layer7-classmap
match request arg length gt 15
!
!
policy-map type inspect http layer7-policymap
class type inspect http layer7-classmap
reset
log
policy-map type inspect layer4-policymap
class type inspect layer4-classmap
inspect
service-policy http layer7-policymap
class class-default
drop
!
zone security inside
description ** Inside Network **
zone security outside
description ** Outside Network **
zone-pair security in2out source inside destination outside
description ** Zone Pair - inside to outside **
service-policy type inspect layer4-policymap
!
!
ip address 192.168.0.6 255.255.255.0
ip ips myips in
zone-member security inside
!
ip address 192.168.1.1 255.255.255.0
zone-member security outside
!
4-282
OL-25941-01
Chapter 4

The following example shows an affected device configured with HTTP Layer 7 Application Control
and Inspection with the match request arg regex parameter on the HTTP class map:
!
parameter-map type regex example
pattern [^\x00-\x80]
!
match protocol http
!
match request arg regex example
!
!
reset
log
inspect
class class-default
drop
!
!
ip address 192.168.0.6 255.255.255.0
zone-member security inside
!
ip address 192.168.1.1 255.255.255.0
zone-member security outside
!
SOFTWARE (fc1)

OL-25941-01
4-283
Chapter 4
Cisco IOS Devices

Impact
If the device supports and is configured with scheduler isr-watchdog then the device will reset and
reload if the vulnerability is exploited, rather than just hang. For more information on the scheduler
isr-watchdog command consult the Cisco IOS Configuration Fundamentals Command Reference at the
following link:
http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_r1.html#wp1079401.
Suggested Fix
There are no workarounds available.
Secure Webmode Access

Description
Therefore, web-based remote administration should be avoided, then it is preferable.

References
User Defined
Rule 1
Rule
Check secureweb mode should be disabled (WLC).

Description
HTTP Server allows web based remote administration of the device. It is useful primarily when
Therefore, web-based remote administration should be avoided, then it is preferable.

Impact
Can be exploited to access the device.
4-284
OL-25941-01
Chapter 4

Suggested Fix
Secure webmode can be disabled using the command:

network secureweb disable
Unused Ports
Description
Policy to enforce parameters for unused ports configuration.

Cisco IOS Switches

References
networks.
Rule 1
Rule
Check configuration on unused ports [IOS].

Description
This check makes sure configuration on unused ports is according to the policy.
Cisco IOS Switches

Impact
None
Suggested Fix
None
Rule
Description
Constraints
Unused Interfaces
Group of interfaces to make sure unused port

configuration is enforced. Example Valid Values:
Required: true

OL-25941-01
4-285
Chapter 4
Using Unused Interfaces Editor option, you can add, or remove the unused interface details. You can
also change the order of the interface details.
Rule 2
Rule
Check all unused ports are shutdown [IOS].

Description
This check makes sure all unused ports are in shutdown state.
Cisco IOS Switches

Impact
Any device connected to this unused port may have a complete access to the switch and can start
receiving/transmitting packets from/to the switch.
Suggested Fix
Shutdown unused interfaces using the command:

shutdown
Rule 3
Rule
Check all unused ports are configured in access mode [IOS].

Description
This check makes sure all unused ports are in access mode.
Cisco IOS Switches

Impact
None
Suggested Fix
Configure unused ports in access mode using the command:

Rule 4
Rule
Check all unused ports are assigned to unused VLAN [IOS].
4-286
OL-25941-01
Chapter 4

Description
This check makes sure all unused ports are assigned to an unused VLAN.
Cisco IOS Switches

Impact
None
Suggested Fix
Assign all unused to ports to a specific unused VLAN using the command:
switchport access vlan
Rule
Description
Constraints
Unused VLAN
All unused ports will be forced to use this VLAN.
Required: true
Min Value: 1
Max Value: 4094
Rule 5
Rule
Check all unused ports block unknown multicast frames [IOS].

Description
This check will make sure all unused ports are configured to block unknown multicast frames.
Cisco IOS Switches

Impact
Suggested Fix
Configure unused ports to block unknown multicast packets using the command:
Rule 6
Rule
Check all unused ports block unknown unicast frames [IOS].

OL-25941-01
4-287
Chapter 4
Description
This check will make sure all unused ports are configured to block unknown unicast frames.
Cisco IOS Switches

Impact
Suggested Fix
Configure unused ports to block unknown unicast packets using the command:
Rule 7
Rule
Check all unused ports are enabled with port security [IOS].
Description
This check will make sure all unused ports are configured port security to block devices with unknown
Cisco IOS Switches

Impact
None
Suggested Fix
Configured unused ports with port security using the command:

Rule 8
Rule
Check all unused ports force devices to be un-authorized [IOS].

Description
This check will make sure all unused ports are configured to force all connected devices as unauthorized.
Cisco IOS Switches
4-288
OL-25941-01
Chapter 4

Impact
Unauthorized clients may use network resources using unused ports.

Suggested Fix
Configured unused ports with IEEE 802.1x port-based authentication using the command:
dot1x port-control
Note
Cisco ASA MSN Instant Messenger Inspection DoS vulnerability - 113097

Description
MSN Instant Messenger (IM) Inspection Denial of Service vulnerability.
Cisco ASA Devices

References

Rule 1
Rule
PSIRT - 113097: Verify ASA MSN IM Inspection DoS vulnerability [ASA].

Description
MSN IM Inspection Denial of Service Vulnerability

The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by
a DoS vulnerability.
MSN IM inspection is not enabled by default.

OL-25941-01
4-289
Chapter 4
Administrators can enable MSN IM inspection and specify actions when a message violates a parameter,
create an IM inspection policy map. You can then apply the inspection policy map when you enable IM
inspection, as shown in the following example:
policy-map type inspect im MY-MSN-INSPECT
parameters
match protocol msn-im
log
!
inspect im MY-MSN-INSPECT
Cisco ASA Devices

Impact
Suggested Fix
MSN Instant Messenger (IM) Inspection DoS Vulnerability

Administrators can mitigate this vulnerability by disabling MSN IM inspection if it is not required.
Administrators can disable MSN IM inspection by issuing the no inspect im command in class
configuration sub-mode in the policy map configuration. Disabling MSN IM inspection may cause MSN
IM traffic to stop through the security appliance.
DHCP Snooping
Description
DHCP snooping is a DHCP security feature that provides security by filtering untrusted DHCP messages
and by building and maintaining a DHCP snooping binding table. An untrusted message is a message
that is received from outside the network or firewall and that can cause traffic attacks within your
network. DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. It also gives
you a way to differentiate between untrusted interfaces connected to the end-user and trusted interfaces
connected to the DHCP server or another switch.
Cisco IOS Devices With DHCP_SNOOPING Capability

References
networks.
4-290
OL-25941-01
Chapter 4

Rule 1
Rule
Check state of DHCP Snooping [IOS].

Description
DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP
messages and by building and maintaining a DHCP snooping binding database (also referred to as a
DHCP snooping binding table).
To use any DHCP snooping features, you must globally enable DHCP snooping on the switch. DHCP
snooping is not active until DHCP snooping is enabled on a VLAN.

Impact
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You can use DHCP
snooping to differentiate between untrusted interfaces connected to the end user and trusted interfaces
connected to the DHCP server or another switch.
Suggested Fix
Configure DHCP snooping using the command:

[no] ip dhcp snooping
Rule
Description
Constraints
DHCP Snooping State
The required state of DHCP Snooping on the switch. Required: true

Default: false
Rule 2
Rule
Check that DHCP Snooping is enabled for the given Vlans [IOS].
Description
This check makes sure that the DHCP snooping is enabled for the given VLANs.

Impact
None
Suggested Fix
Enable DHCP snooping for required VLANs using the command:

ip dhcp snooping vlan

OL-25941-01
4-291
Chapter 4
Rule
Description
Constraints
Vlan List
List of VLANs to enable DHCP snooping.
Required: true
Rule 3
Rule
Check that DHCP Snooping is enabled to verify MAC addresses [IOS].

Description
This check makes sure that the DHCP snooping is enabled to verify MAC addresses.

Impact
None
Suggested Fix
Configure DHCP snooping to verify MAC addresses using the command:

[no] ip dhcp snooping verify mac-address
Rule
Description
Constraints
Verify MAC Addresses
Enable or disable MAC address verification.
Required: true
Default: false
IOS Software NAT SIP Vulnerability - 112253

Description
Session Initiation Protocol (Multiple vulnerabilities)
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 112253: Verify IOS Software NAT SIP Vulnerability [IOS].
4-292
OL-25941-01
Chapter 4

Description
NAT for SIP DoS Vulnerabilities

Four vulnerabilities in the NAT for SIP feature are described in this document:
NAT of SIP over TCP vulnerability
Crafted SIP packets on TCP port 5060 could cause unpredictable results, including the reload of the
vulnerable device. Translation of SIP over TCP packets will be disabled by default with the fix for this
vulnerability.
Provider edge Multiprotocol Label Switching (MPLS) NAT of SIP over UDP packets DoS
vulnerability
A malformed SIP packet on UDP 5060 that transits an MPLS enabled vulnerable device that needs an
MPLS tag to be imposed on the malformed packet might reload the device.
NAT of crafted SIP over UDP packets DoS vulnerabilities
There are two DoS vulnerabilities related to similar crafted packets on UDP port 5060 that require SIP
translation: the first is a vulnerability that will cause the device to reload and the second will cause a
memory leak that could lead to a DoS condition, including reload of the vulnerable device.
Cisco IOS Devices

Impact
Successful exploitation of these vulnerability can cause the device to reload or become unresponsive.
Suggested Fix
NAT for SIP over TCP DoS Vulnerability Mitigation

Mitigation for this vulnerability consists of disabling NAT for SIP over the TCP transport by using the
no ip nat service sip tcp port 5060 global configuration command.
NAT of Crafted SIP over UDP Packets DoS Vulnerability Mitigation
Mitigation of these vulnerabilities consists of disabling NAT for SIP over the UDP transport by using
the no ip nat service sip udp port 5060 global configuration command.
Hot Standby Router Protocol (HSRP)

Description
Policies related to Hot Standby Router Protocol (HSRP) protocol configuration.

Cisco IOS Devices With HSRP Capability

References
None
Rule 1
Rule
Check that HSRP authentication is configured as non-default [IOS].

OL-25941-01
4-293
Chapter 4
Description
Check that HSRP authentication is configured to non-default key.

Cisco IOS Devices With HSRP Capability

Impact
HSRP authentication uses default string which makes it possible for crafted packets to claim to be the
primary device and there by bringing down the HSRP.
Suggested Fix
Configure HSRP authentication using the command:

standby <groupId> authentication
Note
Rule
Description
Constraints
Interface Group

'FastEthernet0/.*' , and so on.
Required: true
AAA Command Authorization By-pass - 68840 [IOS]

Description
A vulnerability exists within Cisco Internetwork Operating System (IOS) Authentication, Authorization,
and Accounting (AAA) command authorization feature, where command authorization checks are not
performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow
authenticated users to bypass command authorization checks in some configurations resulting in
unauthorized privilege escalation.
Devices not running AAA command authorization feature, or do not support Tcl functionality are not
affected by this vulnerability.
Cisco IOS Devices

References
CISCO PSIRT Advisories and Notices(68840 of 2.0)

4-294
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT-68840: Verify AAA Command Authorization By-pass Vulnerability [IOS]

Description
A vulnerability exists within Cisco Internetwork Operating System (IOS) Authentication, Authorization,
and Accounting (AAA) command authorization feature, where command authorization checks are not
performed on commands executed from the Tool Command Language (Tcl) exec shell. This may allow
authenticated users to bypass command authorization checks in some configurations resulting in
unauthorized privilege escalation.
Devices not running AAA command authorization feature, or do not support Tcl functionality are not
Cisco IOS Devices

Impact
Devices impacted by this vulnerability, will allow users to execute any IOS EXEC command at the users
authenticated privilege level from within the Tcl shell mode.
A separate issue exists that exacerbates this vulnerability. An authenticated user may be placed into Tcl
Shell mode automatically (without the evidence of the (tcl) within the router prompt), without any
intermediate step of manually entering into Tcl Shell mode via the tclsh command, only if a previous
user goes into Tcl Shell mode and terminates the session before leaving the Tcl Shell mode.
If a privileged user initiates a Tcl Shell and exits the Tcl Shell mode without issuing the Tcl Shell
command tclquit then the Tcl Shell process will remain active and attached to the corresponding virtual
type terminal VTY or teletypewriter (TTY - line). The next authenticated user that accesses the device
over the same line will have access to the Tcl Shell process, and may bypass AAA command.
Suggested Fix
Adding IOS configuration command authorization checking with the global configuration command aaa
authorization config-commands forces AAA command authorization to occur within Tcl Shell mode.
Caution
By enabling IOS configuration command authorization all commands within EXEC configuration mode
will be subject to command authorization checks.
ARP Table Overwrite - 13600 [IOS]

Description
It is possible to send an Address Resolution Protocol (ARP) packet on a local broadcast interface (for
example, Ethernet, cable, Token Ring, FDDI) which could cause a router or switch running specific
versions of Cisco IOS Software Release to stop sending and receiving ARP packets on the local router
interface. This will in a short time cause the router and local hosts to be unable to send packets to each
other. ARP packets received by the router for the router's own interface address but a different Media
Access Control (MAC) address will overwrite the router's MAC address in the ARP table with the one
from the received ARP packet. This was demonstrated to attendees of the Black Hat conference and

OL-25941-01
4-295
Chapter 4
should be considered to be public knowledge. This attack is only successful against devices on the
segment local to the attacker or attacking host.. See "Cisco IOS ARP Table Overwrite Vulnerability." at
Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-13626: Verify ARP Table Overwrite Vulnerability [IOS]

Description
ARP packets, both request and reply, received by the router for the router's own interface address or
global Network Address Translation (NAT) entries, but with a different MAC address, will overwrite the
router's MAC address in the router's ARP table with the one in the ARP request or reply. Cisco IOS
router devices will defend the MAC address of an interface for several attempts, but in an attempt to
prevent an ARP storm, the device will accept the incorrect information into the ARP table, which causes
the interface to stop accepting new ARP entries, and entries will not be accepted or updated in the ARP
table. This behavior has been repaired to properly defend the interface MAC address, with rate limiting
the response to avoid an ARP storm on the local network. This attack can only be carried out from the
local network. This defect also impacts HSRP virtual interfaces.
Cisco IOS Devices

Impact
This issue can cause a Cisco Router to be vulnerable to a Denial-of-Service attack, once the ARP table
entries time out. This defect does not result in a failure of confidentiality of information stored on the
unit, nor does this defect allow hostile code to be loaded onto a Cisco device. This defect may cause a
Denial-of-Service on the management functions of a Cisco Layer 2 Switch, but does not affect traffic
through the device.
Suggested Fix
The workaround for this vulnerability is to enter the router interface MAC address into the arp table with
a configuration entry, sometimes known as "hard coding" the ARP table entry.
The syntax for this command for routers and switches running IOS is as follows:
arp <ip-address> <hardware-address> <type>
The caveat to this workaround is identified with defect CSCdv04366, which will clear all manually
entered MAC addresses from the ARP table, when they are the same as the interface MAC address, when
the command "clear arp" is issued on the router. This workaround does not survive a reboot of the router,
and must be re-written to the configuration after any reload or reboot.
4-296
OL-25941-01
Chapter 4

ASA Crafted IKE Message DoS Vulnerability - 111877 [ASA]

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected with:
Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111877: Verify ASA Crafted IKE Message DoS Vulnerability [IOS]

Description
IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a
key management protocol standard that is used in conjunction with the IPsec standard. A DoS
vulnerability exists in the IKE implementation of the Cisco ASA. During successful exploitation, an
unauthenticated attacker may cause an affected device to reload.
Note
Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is
configured for IPsec remote access or site-to-site VPNs.
Cisco ASA Devices

Impact
Successful exploitation of this vulnerability cause the affected device to reload. Repeated exploitation
could result in a sustained DoS condition.
Suggested Fix
There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The no
crypto isakmp enable <interface-name> command can be used to disable IKE on a specific interface.
ASA Crafted IKE Message DoS Vulnerability - 111877

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected with :
Crafted Internet Key Exchange (IKE) Message Denial of Service Vulnerability

OL-25941-01
4-297
Chapter 4
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111877: Verify Cisco ASA Crafted IKE Message DoS Vulnerability [ASA]
Description
IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE is a
key management protocol standard that is used in conjunction with the IPsec standard. A DoS
vulnerability exists in the IKE implementation of the Cisco ASA. During successful exploitation, an
unauthenticated attacker may cause an affected device to reload.
Note
Only traffic that is destined to the appliance may trigger this vulnerability when the affected device is
configured for IPsec remote access or site-to-site VPNs.
Cisco ASA Devices

Impact
Suggested Fix
There are no workarounds for this vulnerability apart from disabling IKE on the affected device. The no
crypto isakmp enable <interface-name> command can be used to disable IKE on a specific interface.
ASA Crafted TCP Segment DoS Vulnerability - 111485 [ASA]

Description
Crafted TCP Segment Denial of Service Vulnerability
Cisco ASA Devices

References

4-298
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT-111485: Verify ASA Crafted TCP Segment DoS Vulnerability [IOS]

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause an
appliance to reload when all of the following conditions are met:
1.
A malformed, transit TCP segment is received.
2.
The TCP segment matches a static NAT translation that has the "nailed" option configured on it.
3.
The TCP segment is also processed by the Cisco AIP-SSM, which is configured for inline mode of
operation.
A TCP three-way handshake is not necessary to exploit this vulnerability.

Cisco ASA Devices

Impact
Successful exploitation of this vulnerability may cause a reload of the affected appliance. Repeated

OL-25941-01
4-299
Chapter 4
Suggested Fix
Possible workarounds for this vulnerability are the following:
Migrate from "nailed" static NAT entries to TCP-state bypass.
Use the Cisco AIP-SSM in promiscuous mode. This mode can be configured by issuing the ips
promiscuous command in "class" configuration mode.
Disable IPS inspection for "nailed" static NAT entries.
If possible, change "nailed" static NAT entries to standard static NAT entries.
ASA Crypto Accelerator Memory Leak Vulnerability - 108009 [ASA]

Description
Crypto Accelerator Memory Leak Vulnerability exists in the Cisco ASA 5500 Series Adaptive Security
Appliances.
Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate
some of these vulnerabilities are available.
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-108009: Verify ASA Crypto Accelerator Memory Leak Vulnerability [IOS]

Description
Crypto Accelerator Memory Leak Vulnerability

The Cisco ASA security appliances may experience a memory leak triggered by a series of packets. This
memory leak occurs in the initialization code for the hardware crypto accelerator.
Note
Only packets destined to the device (not transiting the device) may trigger this vulnerability.
The following Cisco ASA features use the services the crypto accelerator provides, and therefore may
be affected by this vulnerability:
Clientless WebVPN, SSL VPN Client, and AnyConnect Connections
ASDM (HTTPS) Management Sessions
Cut-Through Proxy for Network Access
TLS Proxy for Encrypted Voice Inspection
IP Security (IPsec) Remote Access and Site-to-site VPNs
4-300
OL-25941-01
Chapter 4

Secure Shell (SSH) Access
Cisco ASA Devices

Impact
Repeated exploitation could result in a sustained DoS condition.

Suggested Fix
ASA NTLMv1 Authentication Bypass Vulnerability - 111485 [ASA]

Description
NT LAN Manager version 1 (NTLMv1) Authentication Bypass Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111485: Verify ASA NTLMv1 Authentication Bypass Vulnerability [IOS]

Description
Cisco ASA 5500 Series Adaptive Security Appliances contain a vulnerability that could result in
authentication bypass when the affected appliance is configured to authenticate users against Microsoft
Windows servers using the NTLMv1 protocol.
Users can bypass authentication by providing an an invalid, crafted username during an authentication
request. Any services that use a AAA server group that is configured to use the NTLMv1 authentication
protocol is affected. Affected services include:
Telnet access to the security appliance
SSH access to the security appliance
HTTPS access to the security appliance (including Cisco ASDM access)
Serial console access
Privileged (enable) mode access
Cut-through proxy for network access
VPN access

OL-25941-01
4-301
Chapter 4
Cisco ASA Devices

Impact
Successful exploitation of this vulnerability could result in unauthorized access to the network or
appliance.
Suggested Fix
If NTLMv1 authentication is required, there are no workarounds for this vulnerability. If NTLMv1
authentication can be substituted by other authentication protocols (LDAP, RADIUS, TACACS+, etc.),
it is possible to mitigate the vulnerability.
ASA SCCP Inspection DoS Vulnerability - 111485 [ASA]

Description
ASA 5500 Series Adaptive Security Appliances are affected with:
Skinny Client Control Protocol (SCCP) Inspection Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111485: Verify ASA SCCP Inspection DoS Vulnerability [IOS]

Description
p>Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause
the appliance to reload during the processing of malformed skinny control message. Appliances are only
vulnerable when SCCP inspection is enabled.
Only transit traffic can trigger this vulnerability; traffic that is destined to the appliance will not trigger
the vulnerabily.
Cisco ASA Devices
Impact
Suggested Fix
This vulnerability can be mitigated by disabling SCCP inspection if it is not required. Administrators
can disable SCCP inspection by issuing the no inspect skinny command in class configuration sub-mode
within the policy-map configuration.
4-302
OL-25941-01
Chapter 4


Description
SIP Inspection Denial of Service Vulnerabilities
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111485: Verify ASA SIP Inspection DoS Vulnerability [IOS]

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected by two denial of service
vulnerabilities that may cause an appliance to reload during the processing of SIP messages. Appliances
are only vulnerable when SIP inspection is enabled.
Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not
trigger the vulnerabilities.
Cisco ASA Devices
Impact

OL-25941-01
4-303
Chapter 4
Suggested Fix
SIP Inspection Denial of Service Vulnerabilities

These vulnerabilities can be mitigated by disabling SIP inspection if it is not required. Administrators
can disable SIP inspection by issuing the no inspect sip command in class configuration sub-mode within
policy-map configuration.

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected with :
Session Initiation Protocol (SIP) Inspection Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111877: Verify Cisco ASA SIP Inspection DoS Vulnerability [IOS]

Description
SIP, as defined by the Internet Engineering Task Force (IETF), enables call handling sessions,
particularly two-party audio conferences, or "calls." SIP works with SDP for call signalling. SDP
specifies the ports for the media stream. Using SIP, the Cisco ASA can support any SIP VoIP gateways
and VoIP proxy servers. To support SIP calls through the Cisco ASA, signaling messages for the media
connection addresses, media ports, and embryonic connections for the media must be inspected, because
while the signaling is sent over a well-known destination port (UDP/TCP 5060), the media streams are
dynamically allocated. Also, SIP embeds IP addresses in the user-data portion of the IP packet. SIP
inspection applies NAT for these embedded IP addresses.
A DoS vulnerability affects the SIP inspection feature of Cisco ASA 5500 Series Adaptive Security
Appliances. SIP inspection is enabled by default. During successful exploitation, an unauthenticated
attacker may cause the affected device to reload.
Cisco ASA Devices
Impact
4-304
OL-25941-01
Chapter 4

Suggested Fix
This vulnerability can be mitigated by disabling SIP inspection if it is not required. Administrators can
disable SIP inspection by issuing the no inspect sip command in class configuration sub-mode within
policy-map configuration.
ASA TCP Connection Exhaustion DoS Vulnerability - 111485 [ASA]

Description
ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
TCP Connection Exhaustion Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111485: Verify Cisco ASA TCP Connection Exhaustion DoS Vulnerability [IOS]
Description
The Cisco ASA 5500 Series Adaptive Security Appliance is a modular platform that provides security
and VPN services. It offers firewall, intrusion prevention (IPS), anti-X, and VPN services.
Cisco ASA 5500 Series Adaptive Security Appliances are affected by the following vulnerabilities:
Cisco ASA 5500 Series Adaptive Security Appliances may experience a TCP connection exhaustion
condition (no new TCP connections are accepted) when specific TCP segments are received during the
TCP connection termination phase.
This vulnerability is triggered only when specific TCP segments are sent to certain TCP-based services
that terminate on the affected appliance. Although exploitation of this vulnerability requires a TCP
three-way handshake, authentication is not required.
Cisco ASA Devices
Impact
Successful exploitation of this vulnerability may lead to an exhaustion condition where the affected
appliance cannot accept new TCP connections. A reload of the appliance is necessary to recover from
the TCP connection exhaustion condition. If a TCP-based protocol is used for device management (like
telnet, SSH, or HTTPS), a serial console connection may be needed to access to the appliance.
Suggested Fix

OL-25941-01
4-305
Chapter 4
It is possible to mitigate this vulnerability for TCP-based services that are offered to known clients. For
example, it may be possible to restrict SSH, Cisco ASDM/HTTPS, and Telnet administrative access to
known hosts or IP subnetworks. For other services like remote access SSL VPN, where clients connect
from unknown hosts and networks, no mitigations exist.
ASA Three SunRPC Inspection DoS Vulnerability - 111877 [ASA]

Description
Three SunRPC Inspection Denial of Service Vulnerabilities
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111877: Verify Cisco ASA Three SunRPC Inspection DoS Vulnerability [IOS]
Description
The Sun RPC inspection engine enables or disables application inspection for the Sun RPC protocol. Sun
RPC is used by Network File System (NFS) and Network Information Service (NIS). Sun RPC services
can run on any port. When a client attempts to access a Sun RPC service on a server, it must learn the
port that service is running on. The client does this by querying the port mapper process, usually rpcbind,
on the well-known port of 111. Three DoS vulnerabilities affect the SunRPC inspection feature of Cisco
ASA 5500 Series Adaptive Security Appliances, in which an unauthenticated attacker may cause the
affected device to reload.
Note
Only transit traffic can trigger these vulnerabilities; traffic that is destined to the appliance will not
trigger the vulnerabilities. These vulnerabilities can be triggered by using UDP packets, not TCP.
Cisco ASA Devices
Impact
Successful exploitation of this may cause the affected device to reload. Repeated exploitation could
result in a sustained DoS condition.
Suggested Fix
These vulnerabilities can be mitigated by disabling SunRPC inspection if it is not required.

Administrators can disable SunRPC inspection by issuing the no inspect sunrpc command in class
configuration sub-mode within policy-map configuration.
4-306
OL-25941-01
Chapter 4

ASA Three TLS DoS Vulnerability - 111877 [ASA]

Description
Three Transport Layer Security (TLS) Denial of Service Vulnerabilities
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111877: Verify Cisco ASA Three TLS DoS Vulnerability [IOS]

Description
TLS and its predecessor, SSL, are cryptographic protocols that provide security for communications
over IP data networks such as the Internet.
Three vulnerabilities exist on the Cisco ASA security appliances that can be triggered by a series of
crafted TLS packets. An unauthenticated attacker may cause the affected device to reload. A Cisco ASA
device configured for SSL VPN, TLS Proxy for Encrypted Voice Inspection, or configured to accept
ASDM management connections is vulnerable.
Cisco ASA Devices
Impact
Successful exploitation of this may cause the affected device to reload. Repeated exploitation could
result in a sustained DoS condition.
Suggested Fix
If SSL VPN (clientless or client-based) is not needed, it can be disabled by issuing the clear configure
webvpn command.
Administrators should make sure that ASDM connections are only allowed from trusted hosts.
To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM,
configure the http command for each trusted host address or subnet. The following example, shows how
a trusted host with IP address 192.168.1.100 is added to the configuration:
hostname(config)# http 192.168.1.100 255.255.255.255
The TLS Proxy for Encrypted Voice Inspection feature is affected by these vulnerabilities. This feature
can be disabled if it is not needed. Temporarily disabling the feature will mitigate these vulnerabilities.

OL-25941-01
4-307
Chapter 4
The Cut-Through Proxy for Network Access feature, when configured for HTTPS, is affected by these
vulnerabilities. The only workaround is to disable the feature if not needed. To disable HTTPS
Cut-Through Proxy authentication use the no aaa authentication listener https command, as shown in
the following example:
ASA(config)# no
aaa authentication listener https inside port 443
ASA WebVPN DTLS DoS Vulnerability - 111485 [ASA]

Description
ASA 5500 Series Adaptive Security Appliances are affected with:
WebVPN Datagram Transport Layer Security (DTLS) Denial of Service Vulnerability
Cisco ASA Devices

References

Rule 1
Rule
PSIRT-111485: Verify Cisco ASA WebVPN DTLS DoS Vulnerability [IOS]

Description
Cisco ASA 5500 Series Adaptive Security Appliances are affected by a vulnerability that may cause the
appliance to reload when a malformed DTLS message is sent to the DTLS port (by default UDP port
443). Appliances are only vulnerable when they are configured for WebVPN and DTLS transport.
This vulnerability is only triggered by traffic that is destined to the appliance; transit traffic will not
trigger the vulnerability.
Cisco ASA Devices
Impact
Suggested Fix
This vulnerability can be mitigated by disabling DTLS transport for WebVPN. Administrators can
disable DTLS by issuing the no svc dtls enable command under the "webvpn" attributes section of the
corresponding group policy.
4-308
OL-25941-01
Chapter 4

Access Point Memory Exhaustion from ARP Attacks - 68715 [IOS]

Description
A vulnerability exists in Cisco Aironet Wireless Access Points (AP) running IOS which may allow a
malicious user to send a crafted attack via IP address Resolution Protocol (ARP) to the Access point
which will cause the device to stop passing traffic and/or drop user connections.
Repeated exploitation of this vulnerability will create a sustained DoS (denial of service).
See "Access Point Memory Exhaustion from ARP Attacks" at Cisco Security Advisories website for
more information.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-68715: Verify Access Point Memory Exhaustion from ARP Attacks Vulnerability [IOS]
Description
The Address Resolution Protocol (ARP) is used to dynamically map physical hardware addresses to an
IP address. Network devices and workstations maintain internal tables in which these mappings are
stored for some period of time.
An attacker, who has successfully associated with a Cisco IOS Wireless Access Point, may be able to
spoof ARP messages to the management interface on the Access Point. The attacker could add entries
to the ARP table on the device until physical memory has been completely exhausted. This will leave
the device in a state where it is unable to pass traffic until the device has been reloaded by cycling the
power.
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability may result in a denial of service (DoS) impacting the
availability of the Wireless Access Point. Management and packet forwarding services will be
unavailable.
Suggested Fix
After upgrading the Access Point (see Software Versions and Fixes), add the command L2-FILTER
BLOCK-ARP to each radio interface. For example:
!
interface Dot11Radio0 l2-filter block-arp !

OL-25941-01
4-309
Chapter 4
Access Point Web-browser Interface - 70567 [IOS]

Description
The Cisco web-browser interface for Cisco access points contains a vulnerability that could, under
certain circumstances, remove the default security configuration from the managed access point and
allow administrative access without validation of administrative user credentials. Cisco has made free
software available to address this vulnerability for affected customers. There are workarounds available
to mitigate the effects of this vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-70567: Access Point Web-browser Interface Vulnerability [IOS]

Description
The web-browser interface contains management pages that are used to change the wireless device
settings, upgrade firmware, and monitor and configure other wireless devices on the network. The
web-browser interface is enabled by default, and is indicated by the configuration command ip http
server or ip http secure-server.
An access point running a default configuration will use the default enable secret password for
administrative access. This can be modified via the web-browser interface tab Security > Admin Access
> Default Authentication (Global Password) or via the CLI with the configuration command enable
secret [new_secret] .
Local User List Only (Individual Passwords) allows administrators of the access points to define a
local unique username/password database for their administrators, so that a common global password is
not shared.
A vulnerability exists in the access point web-browser interface when Security > Admin Access is
changed from Default Authentication (Global Password) to Local User List Only (Individual
Passwords). This results in the access point being re-configured with no security, either Global
Password or Individual Passwords, enabled. This allows for open access to the access point via the
web-browser interface or via the console port with no validation of user credentials.
Access points configured for Local User List Only (Individual Passwords) and running
non-vulnerable versions of Cisco IOS which are subsequently upgraded to a vulnerable version of IOS
are not affected by this vulnerability as long as the configuration is not altered after the upgrade.
Cisco IOS Devices
4-310
OL-25941-01
Chapter 4

Impact
Successful exploitation of this vulnerability will result in unauthorized administrative access to the
access point via the web management interface or via the console port.
Suggested Fix
Either of the following workarounds and mitigations may be used to help mitigate the effects of this
vulnerability:
Disable Web-Based Management
To prevent the use of the web-browser interface via:

Web-Based ManagementSelect the Disable Web-Based Management check box on the
Services > HTTP-Web Server page and click Apply.

CLILog into the device and issue these configuration commands (save the configuration upon
exiting):
ap(config)#no ip http server
,/br> ap(config)#no ip http secure-server
ap(config)#exit
Configure via CLI
Enabling Local User List Only (Individual Passwords) via the CLI rather than the web-browser
interface will provide the access point with the desired protected configuration. Log into the device and
issue these configuration commands (save the configuration upon exiting):
ap#configure terminal
!--- Setup the username password pair first.
ap(config)#username test privilege 15 password test
!--- Enable AAA.
ap(config)#aaa new-model
!--- Enable aaa authentication to the local database.
ap(config)#aaa authentication login default local
!--- Enable aaa authorization to the local database.
ap(config)#aaa authorization exec default local
!--- Enable http authentication to AAA.
ap(config)#ip http authentication aaa
ap(config)#exit
Configure RADIUS/TACACS Server first
Via the web-browser interface enabling any RADIUS/TACACS+ server within Security > Server
Manager > Corporate Servers and then performing the option of Security > Admin Access as Local
User List Only (Individual Passwords) will provide a workaround to this vulnerability.

OL-25941-01
4-311
Chapter 4
Auth Proxy Buffer Overflow - 66269 [IOS]

Description
The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions
of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition. Devices that
do not support, or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services
are not affected. Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not
affected. Only devices running certain versions of Cisco IOS are affected. See "Cisco IOS Firewall
Authentication Proxy for FTP and Telnet Sessions Buffer Overflow." at Cisco Security Advisories
website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-66269: Verify Firewall Authentication Proxy for FTP and TELNET Sessions Buffer Overflow
[IOS]
Description
The Cisco IOS Firewall Authentication Proxy feature allows network administrators to apply specific
security policies on a per-user basis. With the Firewall Authentication Proxy for FTP and/or Telnet
Sessions feature, users can log into the network services via FTP and/or Telnet, and their specific access
profiles are automatically retrieved and applied from a Remote Authentication Dial In User Service
(RADIUS), or Terminal Access Controller Access Control System Plus (TACACS+) authentication
server.
Cisco IOS Software is vulnerable to a Denial of Service (DoS) and potentially an arbitrary code
execution attack when processing the user authentication credentials from an Authentication Proxy
Telnet/FTP session. To exploit this vulnerability an attacker must first complete a TCP connection to the
IOS device running affected software and receive an auth-proxy authentication prompt.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or
execution of arbitrary code. Repeated exploitation could result in a sustained DoS attack or execution of
arbitrary code on Cisco IOS devices.
Suggested Fix
In networks where Cisco IOS Firewall Authentication Proxy feature for Telnet/FTP sessions is not
required but enabled, disabling the feature on an IOS device will eliminate exposure to this vulnerability.
4-312
OL-25941-01
Chapter 4

Configure the device with Cisco IOS Firewall Authentication Proxy feature for HTTP and/or HTTPS
sessions and allow the Telnet and FTP services within the per-user TACACS+/RADIUS profile. Disable
Authentication proxy for Telnet/FTP sessions to eliminate exposure.
Authentication Proxy Vulnerability - 110478 [IOS]

Description
Cisco IOS Software configured with Authentication Proxy for HTTP(S), Web Authentication or the
consent feature, contains a vulnerability that may allow an unauthenticated session to bypass the
authentication proxy server or bypass the consent webpage.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-110478: Verify Authentication Proxy Vulnerability [IOS]

Description
Devices running affected versions of Cisco IOS Software and configured with Authentication Proxy for
HTTP(S) or Web Authentication or the consent feature are vulnerable.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.3(26)
with an installed image name of C2500-IS-L:
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
Copyright ) 1986-2008 by cisco Systems, Inc.
Compiled Mon 17-Mar-08 14:39 by dchih
<output truncated>

OL-25941-01
4-313
Chapter 4
The following example shows a product that is running Cisco IOS Software release 12.4(20)T with an
image name of C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE
SOFTWARE (fc3)
Copyright ) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 10-Jul-08 20:25 by prod_rel_team
<output truncated>
Additional information about Cisco IOS Software release naming conventions is available in "White
Paper: Cisco IOS Reference Guide" at the following link:
http://www.cisco.com/warp/public/620/1.html.
To determine if your device is configured with either Authentication Proxy for HTTP(S), Web
Authentication or the consent feature, log into the device and issue the show running-config command.
The following example identifies firewall authentication proxy services using the ip auth-proxy under
the proxy rule name example_auth_proxy_name:
Router#show running-config
<output truncated>
!
! Set up the aaa new model to use the authentication proxy.
!
aaa authorization auth-proxy default group

!
! Apply a name to the authentication proxy configuration rule.
!
ip auth-proxy name example_auth_proxy_name http

!
! Apply the authentication proxy rule at an interface.
!
interface e0
ip auth-proxy example_auth_proxy_name
!
<output truncated>
4-314
OL-25941-01
Chapter 4

The following example identifies firewall authentication proxy services running for HTTP under the
proxy rule name example_auth_proxy_name, using the ip admission commands. This is the same
configuration as Web Authentication:
<output truncated>
!
! Set up the aaa new model to use the authentication proxy.
!
aaa authorization auth-proxy default group

!
! Apply a name to the authentication proxy configuration rule.
!
ip admission name example_auth_proxy_name proxy http inactivity-time 60

!
! Apply the authentication proxy rule at an interface.
!
ip admission example_auth_proxy_name
!
<output truncated>
The following example identifies a device configured with the consent feature under the consent rule
name example_consent_rule:
<output truncated>
!
! Apply a name to the consent configuration rule.
!
ip admission name example_consent_rule consent

!
! Apply the consent rule at an interface.
!
interface FastEthernet 0/0

OL-25941-01
4-315
Chapter 4
ip admission consent-rule_rule
!
<output truncated>
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in an unauthenticated and unauthorized user
bypassing the authentication proxy services offered in Cisco IOS Authentication Proxy for HTTP(S)
and/or bypassing the consent accept webpage.
Suggested Fix
BGP Attribute Corruption - 10935 [IOS]

Description
A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI)
and attributes that describe the path to the destination. An unrecognized transitive attribute can cause
failures in Cisco IOS routers, ranging from a crash upon receipt of the unrecognized transitive attribute,
to a later failure upon attempt to clear the unrecognized transitive attribute. Specific but common
configurations are affected, and described below. The failure was discovered because of a malfunction
in the BGP implementation of another vendor. There is no workaround. Affected customers are urged to
upgrade to fixed code.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-10935: Verify BGP Attribute Corruption Vulnerability [IOS]

Description
A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI)
and attributes that describe the path to the destination. Each path attribute is a type, length, value (TLV)
object. This failure occurs as a result of memory corruption and only in configurations using specific
inbound route filtering. The failure was discovered because of a malfunction in the BGP implementation
of another vendor.
4-316
OL-25941-01
Chapter 4

Cisco IOS Devices

Impact
The vulnerability can be exercised repeatedly, affecting core routers, creating widespread network
outages. This vulnerability can only be exercised in configurations that include both BGP and inbound
route filtering on affected software.
Suggested Fix
There are no known workarounds for this vulnerability. Please upgrade to fixed versions.
BGP Logging - 63845 [IOS]

Description
A Cisco device running IOS Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS)
attack from a malformed BGP packet. Only devices with either the command bgp log-neighbor-changes
configured or the command snmp-server enable traps bgp are vulnerable. The BGP protocol is not
enabled by default, and must be configured in order to accept traffic from an explicitly defined peer.
Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult
to inject a malformed packet.
This issue is tracked by CERT/CC VU#689326.
See "Cisco IOS Misformed BGP Packet Causes Reload" at Cisco Security Advisories website for more
information.
Cisco IOS Devices

Rule 1
Rule
PSIRT-63845: Verify Misformed BGP Packet Causes Reload Vulnerability [IOS]

Description
A Cisco device running IOS Border Gateway Protocol (BGP) is vulnerable to a Denial of Service (DoS)
attack from a malformed BGP packet. Only devices with either the command bgp log-neighbor-changes
configured or the command snmp-server enable traps bgp are vulnerable. The BGP protocol is not
enabled by default, and must be configured in order to accept traffic from an explicitly defined peer.
Unless the malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult
to inject a malformed packet.
This issue is tracked by CERT/CC VU#689326.
See "Cisco IOS Misformed BGP Packet Causes Reload" at Cisco Security Advisories website for more
information.
Cisco IOS Devices

OL-25941-01
4-317
Chapter 4
Impact
Successful exploitation of this vulnerability on an IOS device results in a reload of the device. Repeated
exploitation could result in a sustained DoS attack.
Suggested Fix
Under normal circumstances, due to inherent security factors in the TCP protocol, such as sequence
number checks, it is difficult, but possible to forge an appropriate packet to exploit this problem.
Configuring your Cisco IOS device for BGP MD5 authentication greatly increases the work necessary
to forge a valid packet from a remote peer. This will not protect your peering session if a valid BGP peer
generates an invalid packet.
BGP Long AS path Vulnerability - 110457 [IOS]

Description
Affect only devices running Cisco IOS Software with support for four-octet AS number space (here after
referred to as 4-byte AS number) and BGP routing configured.
This vulnerability could cause an affected device to reload when processing a BGP update that contains
autonomous system (AS) path segments made up of more than one thousand autonomous systems.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-110457 : Verify BGP Long AS path Vulnerability [IOS]

Description
This vulnerability affects only devices running Cisco IOS and Cisco IOS XE Software (here after both
referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP
routing.
BGP is configured in Cisco IOS Software with the configuration command router bgp [AS Number] .
The device is vulnerable if it is running affected Cisco IOS version and has BGP configured, regardless
of whether the device is configured with a 2 or 4 byte AS number under the router bgp configuration
command.
A Cisco IOS software version that has support for RFC4893 will allow configuration of AS numbers
using 4 Bytes. The following example identifies a Cisco device that has 4 byte AS number support:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#router bgp ?
<1-65535>
Autonomous system number
4-318
OL-25941-01
Chapter 4

<1.0-XX.YY> 4 Octets Autonomous system number
Or:
<1-4294967295> Autonomous system number
<1.0-XX.YY>
The following example identifies a Cisco device that has 2 byte AS number support:
A router that is running the BGP process will contain a line in the configuration that defines the
autonomous system number (AS number), which can be seen by issuing the command line interface
(CLI) command "show running-config".
The canonical textual representation of four byte AS Numbers is standardized by the IETF through
RFC5396 (Textual Representation of Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS routers support both textual
representations of AS numbers. For further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte Autonomous System (AS)
ASPLAIN and ASDOT Notation for Cisco IOS" at the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_51682
9.html
Cisco IOS Software with support for RFC4893 is affected by both vulnerabilities if BGP routing is
configured using either ASPLAIN or ASDOT notation, regardless if the AS Number is a 2 byte or 4 byte
number.
The following example identifies a Cisco device that is configured for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured for BGP using ASDOT notation:
router bgp 1.0
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability described in this document may result in a reload of the
device. The issue could result in repeated exploitation to cause an extended DoS condition.

OL-25941-01
4-319
Chapter 4
Suggested Fix
For this vulnerability, there are no workarounds on the affected device. Neighbors could be configured
to discard routes that have more than one thousand AS numbers in the AS-path segments. This
configuration will help prevent the further propagation of BGP updates with the AS path segments made
up of greater than one thousand AS numbers.
Note
Configuring "bgp maxas-limit [value]" on the affected device does not mitigate this vulnerability.
BGP Packet - 53021 [IOS]

Description
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a
malformed packet.
(See "Cisco IOS Malformed BGP Packet Causes Reload" at Cisco Security Advisories website for more
information.)
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-53021: Verify Malformed BGP Packet Causes Reload Vulnerability [IOS]

Description
A Cisco device running IOS and enabled for the Border Gateway Protocol (BGP) is vulnerable to a
Denial of Service (DOS) attack from a malformed BGP packet. The BGP protocol is not enabled by
default, and must be configured in order to accept traffic from an explicitly defined peer. Unless the
malicious traffic appears to be sourced from a configured, trusted peer, it would be difficult to inject a
malformed packet.
(See "Cisco IOS Malformed BGP Packet Causes Reload" at Cisco Security Advisories website for more
information.)
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability results in a reload of the device. Repeated exploitation could
result in a sustained DoS attack.
4-320
OL-25941-01
Chapter 4

Suggested Fix
Under normal circumstances, due to inherent security factors in the TCP protocol such as sequence
number checks, it is difficult but possible to forge an appropriate packet to exploit this problem.
Configuring your Cisco IOS device for BGP MD5 authentication is a valid workaround to protect the
vulnerable device.
BGP Update Message Vulnerability - 110457 [IOS]

Description
Affect only devices running Cisco IOS Software with support for four-octet AS number space (here after
referred to as 4-byte AS number) and BGP routing configured.
This vulnerability could cause an affected device to reload when the affected device processes a
malformed BGP update that has been crafted to trigger the issue.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-110457: Verify BGP Update Message Vulnerability [IOS]

Description
These vulnerabilities affect only devices running Cisco IOS and Cisco IOS XE Software (here after both
referred to as simply Cisco IOS) with support for RFC4893 and that have been configured for BGP
routing.
BGP is configured in Cisco IOS Software with the configuration command router bgp [AS Number] .
The device is vulnerable if it is running affected Cisco IOS version and has BGP configured, regardless
of whether the device is configured with a 2 or 4 byte AS number under the router bgp configuration
command.
A Cisco IOS software version that has support for RFC4893 will allow configuration of AS numbers
using 4 Bytes. The following example identifies a Cisco device that has 4 byte AS number support:
<1-65535>
<1.0-XX.YY> 4 Octets Autonomous system number
Or:

OL-25941-01
4-321
Chapter 4
<1.0-XX.YY>
The following example identifies a Cisco device that has 2 byte AS number support:
A router that is running the BGP process will contain a line in the configuration that defines the
autonomous system number (AS number), which can be seen by issuing the command line interface
(CLI) command "show running-config".
The canonical textual representation of four byte AS Numbers is standardized by the IETF through
RFC5396 (Textual Representation of Autonomous System (AS) Numbers). Two major ways for textual
representation have been defined as ASDOT and ASPLAIN. Cisco IOS routers support both textual
representations of AS numbers. For further information about textual representation of four byte AS
numbers in Cisco IOS Software consult the document "Explaining 4-Byte Autonomous System (AS)
ASPLAIN and ASDOT Notation for Cisco IOS" at the following link:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/white_paper_c11_51682
9.html
Cisco IOS Software with support for RFC4893 is affected by both vulnerabilities if BGP routing is
configured using either ASPLAIN or ASDOT notation, regardless if the AS Number is a 2 byte or 4 byte
number.
The following example identifies a Cisco device that is configured for BGP using ASPLAIN notation:
router bgp 65536
The following example identifies a Cisco device that is configured for BGP using ASDOT notation:
router bgp 1.0
Cisco IOS Devices
Impact
Successful exploitation of the vulnerabilities described in this document may result in a reload of the
device. The issue could result in repeated exploitation to cause an extended DoS condition
Suggested Fix
For this vulnerability, configuring "bgp maxas-limit [value]" on the affected device does mitigate this
vulnerability. Cisco is recommends using a conservative value of 100 to mitigate this vulnerability.
Consult the document "Protecting Border Gateway Protocol for the Enterprise" at the following link for
additional best practices on protecting BGP infrastructures:
http://www.cisco.com/web/about/security/intelligence/protecting_bgp.html
4-322
OL-25941-01
Chapter 4

CEF Data Leak - 20640 [IOS]

Description
Excluding Cisco 12000 Series Internet Routers, all Cisco devices running Cisco IOS software that have
Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been
handled by the device. This can happen if the packet length described in the IP header is bigger than the
physical packet size. Packets like these will be expanded to fit the IP length and, during that expansion,
an information leak may occur. Please note that an attacker can only collect parts of some packets but
not the whole session.. See "Data Leak with Cisco Express Forwarding Enabled." at Cisco Security
Advisories website
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-20640: Verify CEF Data Leak with CEF Vulnerability [IOS]

Description
When a router receives a packet where MAC level packet length is shorter than is indicated by the IP
level, the router will "extend" the packet to the size indicated by the IP level. This extension will be done
by padding the packet with an arbitrary data. The issue here is that padding may contain data from a
previous packet that has not been erased.
Although it is possible to trigger this vulnerability on command, it is not possible to predict what
information would be collected this way. It is not possible for an attacker to selectively capture desired
packets (for example, packets with username and password combination).
This vulnerability is specific to CEF. Fast switching is not affected by it.
Cisco IOS Devices
Impact
By sending malformed packets, and capturing them after they have been processed by CEF, an attacker
may find remnants of previous packets in them. The remnant data may contain whatever the previous
packet has carried. That may be parts of a document, mail or any other content.
Suggested Fix
The workaround is to disable CEF on a router.

OL-25941-01
4-323
Chapter 4
Call Processing Solutions - 63708 [IOS]

Description
Cisco Internetwork Operating System (IOS) Software release trains 12.1YD, 12.2T, 12.3 and 12.3T,
when configured for the Cisco IOS Telephony Service (ITS), Cisco CallManager Express (CME) or
Survivable Remote Site Telephony (SRST) may contain a vulnerability in processing certain malformed
control protocol messages.
See "Vulnerability in Cisco IOS Embedded Call Processing Solutions" at Cisco Security Advisories
website
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-63708: Verify Vulnerabilities in Cisco IOS Embedded Call Processing Solutions Vulnerability
[IOS]
Description
ITS, CME and SRST are features that allow a Cisco device running IOS to control IP Phones using the
Skinny Call Control Protocol (SCCP). SCCP is the Cisco CallManager native signaling protocol.
Certain malformed packets sent to the SCCP port on an IOS device configured for ITS, CME or SRST
may cause the target device to reload.
More information about Cisco's IOS Telephony Service (ITS) and Cisco CallManager Express (CME)
can be found here:
http://www.cisco.com/en/US/products/sw/voicesw/ps4625/index.html
More information on Cisco's Survivable Remote Site Telephony (SRST) can be found here:
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in a device reload. Repeated exploitation could
result in a Denial of Service (DoS) attack.
Suggested Fix
Affected devices that must run ITS, CME or SRST are vulnerable, and there are not any specific
configurations that can be used to protect them. Applying access lists on interfaces that should not accept
ITS, CME or SRST traffic and putting firewalls in strategic locations may greatly reduce exposure until
an upgrade can be performed.
4-324
OL-25941-01
Chapter 4

The IP Telephony Security in Depth SAFE paper at the URL below discusses a variety of best practices
that should keep your voice network isolated from the Internet. These best practices may help to reduce
the risk of exposure, although attacks from within the local network should always be considered a
potential risk.
CatOS Catalyst 5000 Series 802.1x Vulnerability - 13617 [CatOS]

Description
When an 802.1x frame is received by an affected Catalyst 5000 series switch on a STP blocked port it
is forwarded in that VLAN instead of being dropped. This causes a performance impacting 802.1x
frames network storm in that part of the network, which is made up of the affected Catalyst 5000 series
switches. This network storm only subsides when the source of the 802.1x frames is removed or one of
the workarounds in the workaround section is applied. This vulnerability can be exploited to produce a
denial of service (DoS) attack.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-13617: Verify Catalyst 5000 Series 802.1x Vulnerability [IOS]

Description
When an 802.1x (IEEE standard for port based network access control) frame is received by an affected
Catalyst 5000 series switch on a STP (Spanning Tree Protocol) blocked port it is forwarded in that
VLAN (Virtual Local Area Network) instead of being dropped. This causes a performance impacting
802.1x frames network storm in that part of the network, which is made up of the affected Catalyst 5000
series switches. This network storm only subsides when the source of the 802.1x frames is removed or
one of the workarounds in the workaround section is applied.
Cisco CATOS Devices
Impact
When an affected Catalyst 5000 series switch network receives an 802.1x frame it causes an 802.1x
frames network storm. This network storm degrades the performance of the network. Slower ports on
the affected Catalyst 5000 series switches may stop passing user data. The affected Catalyst 5000 series
switches may not respond to any management inquiries via SNMP, Telnet or HTTP. However,
management via the console port on the switches is still possible and can be used to apply the
workarounds.

OL-25941-01
4-325
Chapter 4
Suggested Fix
The following workarounds will prevent the 802.1x frames from causing an 802.1x frames network
storm in an affected Catalyst 5000 series switch network.
These workarounds can also be applied to a network experiencing an 802.1x frames network storm.
1.
Configure permanent MAC address entries for the entire reserved STP range 01-80-c2-00-00-02 to
01-80-c2-00-00-0f to be directed out an unused port for each VLAN on each affected switch in the
network. The commands to configure are given below.
set cam permanent 01-80-c2-00-00-02 <mod#>/<port#> <VLAN>



set cam permanent 01-80-c2-00-00-0a <mod#>/<port#> <VLAN>
set cam permanent 01-80-c2-00-00-0b <mod#>/<port#> <VLAN>
set cam permanent 01-80-c2-00-00-0c <mod#>/<port#> <VLAN>

set cam permanent 01-80-c2-00-00-0d <mod#>/<port#> <VLAN>
set cam permanent 01-80-c2-00-00-0e <mod#>/<port#> <VLAN>
set cam permanent 01-80-c2-00-00-0f <mod#>/<port#> <VLAN>

2.
Break the STP loop by either
Disabling the redundant (STP blocked ports) or
Disconnecting the cable from these ports
Remove all the sources of 802.1x frames before re-enabling the ports or reconnecting the cables.
3.
Power down the Catalyst 5000 switch(es) that create the spanning-tree loop (any switch with STP
blocked ports).
Remove all the sources of 802.1x frames before powering up the switches.
4-326
OL-25941-01
Chapter 4

CatOS Denial-of-Service of TCP-based services - 43864 [CatOS]

Description
After receiving eight TCP connection attempts using a non-standard TCP flags combination, a Catalyst
switch will stop responding to further TCP connections to that particular service. In order to re-establish
functionality of that service, the switch must be rebooted. There is no workaround. This vulnerability
affects only CatOS. No other Cisco products are affected.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-43864: Verify Denial-of-Service of TCP-based services Vulnerability [IOS]

Description
After receiving eight connection attempts on any TCP service, the switch will stop responding to any
further connection attempts to that service. These attempts must use a non-standard combination of TCP
flags. The switch will continue to pass other switched traffic normally and the console is also not
affected. Only the service to which connections were made will become unresponsive. Standard TCP
services include HTTP, Telnet, and SSH.
Cisco CATOS Devices
Impact
By exploiting this vulnerability, an attacker can prevent further use of the specified TCP-based service.
Depending on the configuration of the device, if SSH or Telnet are enabled and exploited, the availability
of those services could be affected, possibly resulting in a loss of management capability using those
same services. However, UDP-based services such as Simple Network Management Protocol (SNMP)
would still be available and unaffected.
Suggested Fix
There is no workaround. In order to continue using an affected TCP service, the switch must be rebooted.
It is possible to mitigate the exposure by configuring VLAN Access Control Lists (VACLs) on the switch
(where they are supported) that will allow only legitimate hosts to connect to the desired services. This
must be combined with Unicast Reverse Path Forwarding (uRPF), or some other anti-spoofing
technique, on the network edge to protect against spoofed packets from the outside of the network.

OL-25941-01
4-327
Chapter 4
CatOS DoS using Telnet, HTTP and SSH - 52781 [CatOS]

Description
Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH
service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and
reload.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-52781: Verify Telnet, HTTP, and SSH Vulnerability [IOS]

Description
Cisco CatOS is susceptible to a TCP-ACK Denial of Service (DoS) attack on the Telnet, HTTP and SSH
service. If exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and
reload.
A TCP-ACK DoS attack is conducted by not sending the regular final ACK required for a 3-way TCP
handshake to complete, and instead sending an invalid response to move the connection to an invalid
TCP state. This attack can be initiated from a remote spoofed source.
This vulnerability is currently known to be exploitable only if you have the Telnet, HTTP or SSH service
configured on a device which is running Cisco CatOS.
Cisco CATOS Devices
Impact
When exploited, the vulnerability causes the Cisco CatOS running device to stop functioning and reload.
Suggested Fix
Implement the best practice of assigning all switch management interfaces to a dedicated VLAN and
apply appropriate access controls on routers switching between the switch management interface VLAN
and the rest of the network.
Apply ACLs on routers / switches / firewalls in front of the vulnerable switches such that traffic destined
for the Telnet TCP port 23, HTTP TCP port 80 and SSH TCP port 22 on the vulnerable switches is only
allowed from the network management workstations. Refer to
http://www.cisco.com/warp/public/707/iacl.html for examples on how to apply access control lists
(ACLs) on Cisco routers.
On the Catalyst 6000 series switches, if the VLAN Access Control List (VACL) feature is available in
the code base, you can use VACLs to enable Telnet, HTTP and SSH access to the switch's management
interface only from the network management workstations
4-328
OL-25941-01
Chapter 4

Please note, these workarounds will not prevent spoofed IP packets with the source IP address set to that
of the network management station from reaching the switch's management interface. For more
information on anti-spoofing refer to
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
#sec_ip
http://www.ietf.org/rfc/rfc2827.txt
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to mitigate problems that are caused
by malformed or forged IP source addresses that are passing through a router.
IP Permit Lists will not provide any mitigation against this vulnerability.
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code.
CatOS Embedded HTTP Server Buffer Overflow - 27962 [CatOS]

Description
Cisco Catalyst switches running specific versions of Cisco CatOS software are vulnerable to a buffer
overflow in an embedded HTTP server. Only CatOS versions from 5.4 up to and including 7.3 which
contain a "cv" in the image name are affected. If the HTTP server is enabled a buffer overflow can be
remotely exploited which will cause the switch to fail and reload. The vulnerability can be exploited
repeatedly and result in a denial of service.
Workarounds are available that limit the ability to exploit the vulnerability.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-27962: Verify Embedded HTTP Server Buffer Overflow Vulnerability [IOS]
Description
If the HTTP server is enabled on a Cisco Catalyst switch running an affected CiscoView image, an overly
long HTTP query can be received by the embedded HTTP server that will cause a buffer overflow and
result in a software reset of the switch. Once the switch has recovered and has resumed normal
processing it is vulnerable again. It remains vulnerable until the HTTP server is disabled, HTTP queries
to the switch management port are blocked, or the switch's software has been upgraded to a fixed
version.
The HTTP server is disabled by default. It is typically enabled to allow web based management of the
switch using CiscoView. Only a small subset of CatOS images contain this embedded HTTP server.
Cisco CATOS Devices

OL-25941-01
4-329
Chapter 4
Impact
The exploitation of this issue can result in a software forced reset of this device. Repeated exploitation
may lead to a denial of service until the workaround for this vulnerability has been implemented or a
fixed version of software has been loaded onto the device.
Suggested Fix
The HTTP server can be disabled on the on the Cisco switch.

This example shows how to disable the HTTP server:
Console (enable) set ip http server disable
HTTP server disabled.
The default setting for the HTTP server is disabled.
You may also choose to block access to port 80 for your Cisco switch. This can be done with any device
with traffic filtering capabilties.
CatOS Enable Password Bypass Vulnerability - 13619 [CatOS]

Description
Cisco Catalyst software permits unauthorized access to the enable mode in the 5.4(1) release. Once
initial access is granted, access can be obtained for the higher level "enable" mode without a password.
This problem is resolved in version 5.4(2). Customers with vulnerable releases are urged to upgrade as
soon as possible.
Cisco CATOS Devices
4-330
OL-25941-01
Chapter 4

References

Rule 1
Rule
CATOS PSIRT-13619: Verify Enable Password Bypass Vulnerability [IOS]

Description
soon as possible.
Anyone who can obtain ordinary console access to an affected switch can bypass password
authentication to obtain "enable" mode access without knowledge of the "enable" password. This
vulnerability can be exploited through the network using telnet or via the physical console.
This problem was introduced in software version 5.4(1), and is corrected in version 5.4(2). Due to this
defect, software version 5.4(1) is deferred. Customers are urged to upgrade to version 5.4(2).
Cisco CATOS Devices
Impact
This vulnerability permits unauthorized access to the configuration mode and unauthorized
configuration changes on a Catalyst switch.
Suggested Fix
There are no known workarounds for this vulnerability. Strictly limiting telnet access to the device will
prevent the initial connection required to exploit this vulnerability. Telnet access can be controlled with
the following command set:
set ip permit <address> <mask> telnet
set ip permit enable
This command set will deny all traffic not specified in the permit statement.
CatOS Memory Leak Vulnerability - 13618 [CatOS]

Description
A series of failed telnet authentication attempts to the switch can cause the Catalyst Switch to fail to pass
traffic or accept management connections until the system is rebooted or a power cycle is performed. All
types of telnet authentication are affected, including Kerberized telnet, and AAA authentication.
This vulnerability has been assigned Cisco bug ID CSCds66191.
Cisco CATOS Devices

OL-25941-01
4-331
Chapter 4
References

Rule 1
Rule
CATOS PSIRT-13618: Verify Memory Leak Vulnerability [IOS]

Description
The telnet process fails to release resources upon a failed authentication, or a successful login of
extremely short duration such as a telnet from within an automated script. This memory leak eventually
results in the failure of the switch to perform any other processes, such as forwarding traffic or
management; a power cycle or reboot is required for recovery.
Cisco CATOS Devices
Impact
This vulnerability enables a Denial of Service attack on the Catalyst switch.

Suggested Fix
There is no configuration workaround to eliminate the problem. However, if you are unable to upgrade
to an unaffected version, you may use other devices to strictly control or prohibit telnet access to the
switch, permitting only connections from your local network.
Access control lists on the switch can limit the remote exploitation of the vulnerability. To limit access
to known hosts use the following commands:
set ip permit enable telnet
set ip permit <addr> [mask]
Remote management of the switch can also be disabled.
The above workarounds are provided as an option; however, the recommendation is to upgrade to fixed
code as soon as possible.
CatOS Multiple SSH Vulnerabilities - 8118 [CatOS]

Description
4-332
OL-25941-01
Chapter 4

session key.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-8118: Verify Multiple SSH Vulnerability [IOS]

Description
CRC-32 integrity check vulnerability -- This vulnerability has been described in a CORE SDI S.A. paper
entitled "An attack on CRC-32 integrity checks of encrypted channels using CBC and CFB modes".
In order for this attack to succeed, an attacker must possess one or two known ciphertext/plaintext pairs.
This should not be difficult since every session starts with a greeting screen which is fixed and which
can be determined. This also implies that an attacker must be somewhere along the session path in order
to be able to sniff the session and collect corresponding ciphertext.
While fixing this vulnerability, we have not made the implementation mistake described by VU#945216
(see http://www.kb.cert.org/vuls/id/945216) which is being actively exploited.
Traffic analysis -- This issue has been described in an analysis jointly made by Dug Song and Solar
Designer. It can be found at:
http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt, and is entitled "Passive Analysis
of SSH (Secure Shell) Traffic". To exploit this vulnerability, an attacker must be able to capture packets.
When sending a packet using the SSH protocol, it is padded to the next 8-byte boundary, but the exact
length of the data (without the padding) is sent unencrypted. The timing between packets may yield
additional information, such as the relative position of a letter on the keyboard, but that depends on
overall jitter in the network and the typing habits of the person. For additional information, please see
http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.
Key recovery in SSH protocol 1.5 -- This has been discovered by CORE SDI S.A. and the paper
describing it can be viewed at http://www.securityfocus.com/archive/1/161150. The subject line is "SSH
protocol 1.5 session key recovery vulnerability". In order to exploit this vulnerability, an attacker must
be able to sniff the SSH session and be able to establish a connection to the SSH server. In order to
recover the server key, an attacker must perform an additional 2^20+2^19=1572864 connections. Since
the key has a lifespan of about an hour, this means that an attacker must perform around 400 connections
per second. For further details, please see http://www.securityfocus.com/archive/1/161150.
Cisco CATOS Devices

OL-25941-01
4-333
Chapter 4
Impact
CRC-32 integrity check vulnerability -- By exploiting this protocol weakness, the attacker can
insert arbitrary commands in the session after the session has been established.
Traffic analysis -- This vulnerability exposes the exact lengths of the passwords used for login
authentication. This is only applicable to an interactive session that is being established over the
tunnel protected by SSH. This can significantly help an attacker in guessing the password using the
brute force attack.
Key recovery in SSH protocol 1.5 -- This vulnerability may lead to the compromise of the session
key. Once the session key is determined, the attacker can proceed to decrypt the stored session using
any implementation of the crypto algorithm used. This will reveal all information in an unencrypted
form.
Suggested Fix
CatOS NAM (Network Analysis Module) Vulnerability - 81863 [CatOS]

Description
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed
are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only
Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that
run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS).
Cisco has made free software available to address this vulnerability for affected customers.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-81863: NAM Vulnerability [IOS]

Description
NAMs are deployed in Catalyst 6000, 6500 series and Cisco 7600 series to monitor and analyze network
traffic by using Remote Monitoring (RMON), RMON2, and other MIBs.
NAMs communicate with the Catalyst system by using the Simple Network Management Protocol
(SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker
may obtain complete control of the Catalyst system.
Devices running both Cisco IOS and Cisco CatOS are affected by this vulnerability. This vulnerability
is introduced in CatOS at 7.6(15) and 8.5(1). Older CatOS images are not vulnerable.
4-334
OL-25941-01
Chapter 4

Cisco CATOS Devices

Impact
By successfully exploiting this vulnerability, an attacker may gain complete control of the device.
Suggested Fix
No workarounds exist for this vulnerability.

This vulnerability requires an attacker to spoof SNMP packets from the IP address of the NAM. Filtering
SNMP traffic to an affected device can be used as a mitigation. Filtering SNMP traffic needs to be done
on systems that are deployed in front of an affected device, since it is ineffective to filter against such
spoofed packets on the device itself.
Anti-spoofing measures and infrastructure access-lists can also be deployed at your network edge as a
potential mitigation technique.
Refer to http://www.cisco.com/warp/public/707/iacl.html for examples on how to apply ACLs on Cisco
routers for infrastructure protection.
Cisco Applied Intelligence companion document.
CatOS OpenSSH Server Vulnerabilities - 45322 [CatOS]

Description
New vulnerabilities in the OpenSSH implementation for SSH servers have been announced.
An affected network device, running an SSH server based on the OpenSSH implementation, may be
vulnerable to a Denial of Service (DoS) attack when an exploit script is repeatedly executed against the
same device. There are workarounds available to mitigate the effects of these vulnerabilities.
Cisco CATOS Devices

OL-25941-01
4-335
Chapter 4
References
CISCO PSIRT Advisories and Notices(45322 of 1.6 INTERIM)

Rule 1
Rule
CATOS PSIRT-45322: Verify OpenSSH Server Vulnerability [IOS]

Description
The buffer size or the number of channels in the fixed code is now correctly incremented only after a
successful allocation where as initially they were being set before an allocation. Upon an allocation
failure, which could be externally triggered, memory contents would be incorrectly erased by the
cleanup process. This would result in a corruption of the memory which would eventually lead to a crash
for the process using that memory.
If SSH is disabled the Catalyst switch will not be vulnerable to these vulnerabilities. CatOS K9 (crypto)
release 6.1 was the first CatOS release which incorporated the SSH feature. To verify if SSH has been
configured on the switch type show crypto key. If this shows you the RSA key then SSH has been
configured and enabled on the switch. To remove the crypto key type clear crypto key RSA and this will
disable the SSH server on the switch.
Cisco CATOS Devices
Impact
An affected device, running an SSH server based on the OpenSSH implementation, may be vulnerable
to a DoS attack when an exploit script is repeatedly executed against the same device.
Suggested Fix
TThe Cisco PSIRT recommends that affected users upgrade to a fixed software version of code as soon
as it is available.
The following workarounds can be implemented for CatOS based switches.

Apply IP Permit List for SSH to enable access to the switch's management interface only from
the network management workstations.

On the Catalyst 6000 series switches, if the VLAN Access Control List (ACL) (VACL) feature
is available in the code base, you can use VACLs instead of the IP Permit List workaround
above.
Implement the best practice to assign all of the management interfaces of all the switches in the
network to a different VLAN, and apply appropriate ACLs on the router switching between the
VLANs.
Apply ACLs on routers / switches / firewalls in front of the vulnerable switches such that traffic
destined for the SSH TCP port 22 on the vulnerable switches is only allowed from the network
management workstations.
4-336
OL-25941-01
Chapter 4

To turn off SSH access on the Cisco Network Analysis Modules (NAM), type the exsession off ssh
command.
Wherever possible, restrict access to the SSH server on the network device. Allow access to the
network device only from trusted workstations by using ACLs / MAC filters that are available on
the affected platforms.
CatOS Password Bypass Vulnerability - 42340 [CatOS]

Description
soon as possible.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT- 42340: Verify Cisco Catalyst Enable Password Bypass Vulnerability [IOS]
Description
Anyone who can obtain command line access to an affected switch can bypass password authentication
to obtain "enable" mode access without knowledge of the "enable" password. If local user authentication
is enabled, any username can be used to gain access to the switch without a valid password. This same
local user could then enter enable without a valid password. Command line access is provided through
the console, telnet access, or ssh access methods; http access mode is not affected. This problem was
introduced with the local user authentication feature in software version 7.5(1), and is corrected in
version 7.6(1).
Cisco CATOS Devices
Impact
This vulnerability permits unauthorized access to the configuration mode and unauthorized
configuration changes on a Catalyst switch.
Suggested Fix
Use of AAA authentication configurations will eliminate this vulnerability unless configured for
fallback to local authentication. AAA configuration information and examples are provided in
Configuring TACACS+, RADIUS, and Kerberos on Cisco Catalyst Switches, available at:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094ea4.shtml.

OL-25941-01
4-337
Chapter 4
Strictly limiting telnet and/or ssh access to the device will prevent the initial connection required to
exploit this vulnerability. Telnet and/or ssh access can be controlled with the following command set:
set ip permit <address> <mask> telnet
set ip permit <address> <mask> ssh
set ip permit enable
This command set will deny all traffic not specified in the permit statements for each protocol.
Additionally, out-of-band management solutions and isolated management VLAN configurations can
help mitigate this vulnerability by limiting the initial access necessary for exploitation.
CatOS SNMP Malformed Message Handling - 19296 [CatOS]

Description
Multiple Cisco products contain vulnerabilities in the processing of Simple Network Management
Protocol (SNMP) messages. These vulnerabilities can be repeatedly exploited to produce a denial of
service. In most cases, workarounds are available that may mitigate the impact. Some of these
vulnerabilities are identified by various groups as VU#617947, VU#107186, OUSPG #0100,
CAN-2002-0012, and CAN-2002-0013.
A companion document describes this vulnerability for products that run Cisco IOS Software,
http://www.cisco.com/warp/public/707/cisco-malformed-snmp-msgs-pub.shtml.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-19296: Verify Malformed SNMP Message-Handling Vulnerability [IOS]

Description
service.
SNMP defines a standard mechanism for remote management and monitoring of devices in an Internet
Protocol (IP) network.
There are three general types of SNMP operations: "get" requests to request information, "set" requests
which modify the configuration of the remote device, and "trap" messages which provide a monitoring
function. SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received
at the assigned destination port numbers 161 and 162, respectively.
4-338
OL-25941-01
Chapter 4

The largest group of vulnerabilities described in this advisory result from insufficient checking of SNMP
messages as they are received and processed by an affected system. Malformed SNMP messages
received by affected systems can cause various parsing and processing functions to fail, which may
result in a system crash and reload (or reboot) in most circumstances. Some Cisco products may not
reload but will become unresponsive instead. Some of the affected products are not directly vulnerable
to malformed SNMP messages, but fail under extended testing or large volumes of SNMP messages due
to memory leaks or other unrelated problems.
These vulnerabilities can be easily and repeatedly demonstrated with the use of the University of Oulu
Secure Programming Group (OUSPG) "PROTOS" Test Suite for SNMPv1. The test suite is generally
used to analyze a protocol and produce messages that probe various design limits within an
implementation of a protocol. Test packets containing overly-long or malformed object identifiers and
other combinations of exceptional values in various fields can be programmatically generated and then
transmitted to a network device under test. The PROTOS test suite for SNMPv1, as distributed, contains
approximately 53,000 individual test cases.
Although the test suite itself applies only to SNMPv1, similar vulnerabilities likely exist in SNMPv2c
and SNMPv3. Cisco has attempted to resolve those additional potential vulnerabilities simultaneously.
Independent security advisories have implicated TCP or UDP port 1993 in this vulnerability. Port 1993
is assigned to Cisco for SNMP over TCP, but it appears only in Cisco IOS Software releases prior to
11.x. It is not currently supported nor employed in any current Cisco products.
Cisco CATOS Devices
Impact
The vulnerabilities can be exploited to produce a Denial of Service (DoS) attack. When the
vulnerabilities are exploited, they can cause an affected Cisco product to crash and reload.
SNMP messages are transported using User Datagram Protocol (UDP) and are subject to IP source
address spoofing which could be used to circumvent the access control mechanisms.
If an attacker is able to guess or otherwise obtain a read-only community string for an affected device,
then he or she could bypass SNMP access control relying on the community string.
Suggested Fix
Apply IP Permit List for SNMP to enable access to the switch's management interface only from the
network management workstations.
Please note that this will not prevent spoofed IP packets with the source IP address set to that of the
network management station from reaching the switch's management interface.
CatOS SNMP Multiple Community String Vulnerabilities - 13629 [CatOS]

Description
Multiple Cisco IOS Software and CatOS software releases contain several independent but related
vulnerabilities involving the unexpected creation and exposure of SNMP community strings. These
vulnerabilities can be exploited to permit the unauthorized viewing or modification of affected devices.
See "Cisco IOS Software Multiple SNMP Community String Vulnerabilities." at Cisco Security
Advisories website.
Cisco CATOS Devices

OL-25941-01
4-339
Chapter 4
References

Rule 1
Rule
CATOS PSIRT-13629: Verify Multiple SNMP Community String Vulnerability [IOS]

Description
See "Cisco IOS Software Multiple SNMP Community String Vulnerabilities." at Cisco Security
Advisories website
Cisco CATOS Devices
Impact
These vulnerabilities could be exploited separately or in combination to gain access to or modify the
configuration and operation of any affected devices without authorization.
Suggested Fix
Disable SNMP access to the device.
CatOS SNMP Version 3 Authentication Vulnerability - 107408 [CatOS]

Description
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network
Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when
processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network
information or may enable an attacker to perform configuration changes to vulnerable devices. The
SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is
impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the
vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note
VU#878044 to these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has also been assigned to
these vulnerabilities.
Cisco CATOS Devices

References
4-340
OL-25941-01
Chapter 4

Rule 1
Rule
CATOS PSIRT-107408: Verify SNMP Version 3 Authentication Vulnerability [IOS]

Description
There are three general types of SNMP operations: "get" requests to request information, "set" requests
that modify the configuration of a remote device, and "trap" messages that provide a monitoring
function. SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received
at the assigned destination port numbers 161 and 162, respectively.
SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.
RFC2574 defines the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication
protocols for SNMPv3.
Vulnerabilities have been identified in the authentication code of multiple SNMPv3 implementations.
This advisory identifies two vulnerabilities that are almost identical. Both are specifically related to
malformed SNMPv3 packets that manipulate the Hash Message Authentication Code (HMAC). The two
vulnerabilities may impact both Secure Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm
5 (MD5). The vulnerabilities described in this document can be successfully exploited using spoofed
SNMPv3 packets.
Cisco CATOS Devices
Impact
Successful exploitation of these vulnerabilities could result in the disclosure of sensitive information on
a device or allow an attacker to make configuration changes to a vulnerable device that is based on the
SNMP configuration.
Suggested Fix
CatOS SSH Can Cause a Crash - 24862 [CatOS]

Description
While fixing vulnerabilities mentioned in the Cisco Security Advisory: Multiple SSH Vulnerabilities we
inadvertently introduced an instability in some products. When an attacker tries to exploit the
vulnerability VU#945216 (described in the CERT/CC Vulnerability Note at
http://www.kb.cert.org/vuls/id/945216) the SSH module will consume too much of the processor's time,
effectively causing a DoS. In some cases the device will reboot. In order to be exposed SSH must be
enabled on the device.. See "Scanning for SSH Can Cause a Crash." at Cisco Security Advisories
website.

OL-25941-01
4-341
Chapter 4
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-24862 : Verify Scanning for SSH Can Cause a Crash Vulnerability [IOS]
Description
While fixing the vulnerabilities (Cisco Security Advisory: Multiple SSH Vulnerabilities) an instability
is introduced in some products. When exposed to an overly large packet, the SSH process will consume
a large portion of the processor's instruction cycles, effectively causing a DoS. The capability to create
such a packet is available in publicly available exploit code. In some cases this availability attack may
result in a reboot of the device. In order to be exposed SSH must be enabled on the device.
The vulnerability in question is named CRC-32. It is also marked as VU#945216 and described in the
CERT/CC Vulnerability Note at http://www.kb.cert.org/vuls/id/945216.
Cisco CATOS Devices
Impact
By repeatedly exploiting this vulnerability an attacker can cause a denial of service, though Cisco
products remain unaffected to the exploits that are trying to exploit vulnerabilities.
Suggested Fix
It is possible to mitigate this vulnerability in two ways:
Block all SSH connections on the border on your network, or
On each individual device allow SSH connections only from the required IP addresses and block all
others.
Blocking all SSH connections, and all other protocols that are not supposed to come from the outside,
on the network edge should be an integral part of the network security best practice.
CatOS SSH Protocol Mismatch Vulnerability - 10932 [CatOS]

Description
Non-Secure Shell (SSH) connection attempts to an enabled SSH service on a Cisco Catalyst 6000, 5000,
or 4000 switch might cause a "protocol mismatch" error, resulting in a supervisor engine failure. The
supervisor engine failure causes the switch to fail to pass traffic and reboots the switch. This problem is
resolved in release 6.1(1c). Due to a very limited number of customer downloads, Cisco has chosen to
notify affected customers directly.
This vulnerability has been assigned Cisco bug ID CSCds85763.
4-342
OL-25941-01
Chapter 4

Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-10932: Verify SSH Protocol Mismatch Vulnerability [IOS]

Description
Non SSH protocol connection attempts to the SSH service cause a "protocol mismatch" error, which
causes a switch to reload. SSH is not enabled by default, and must be configured by the administrator.
Cisco CATOS Devices
Impact
This vulnerability enables a Denial of Service attack on the Catalyst switch.

Suggested Fix
The workaround for this vulnerability is to disable SSH service. For most customers using this image,
SSH support is necessary, so the recommended action is to upgrade to a fixed version.
CatOS TCP Conn Reset - 50961 [CatOS]

Description
A vulnerability in the Transmission Control Protocol (TCP) specification (RFC793) has been discovered
by an external researcher. The successful exploitation enables an adversary to reset any established TCP
connection in a much shorter time than was previously discussed publicly. Depending on the application,
the connection may get automatically re-established. In other cases, a user will have to repeat the action
(for example, open a new Telnet or SSH session). Depending upon the attacked protocol, a successful
attack may have additional consequences beyond terminated connection which must be considered. This
attack vector is only applicable to the sessions which are terminating on a device (such as a router,
switch, or computer), and not to the sessions that are only passing through the device (for example,
transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise
data integrity or confidentiality.
All Cisco products which contain a TCP stack are susceptible to this vulnerability.
Cisco CATOS Devices

References

OL-25941-01
4-343
Chapter 4
Rule 1
Rule
CATOS PSIRT-50961: Verify TCP Connection Reset Vulnerability [IOS]

Description
TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data
stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to
identify the order in which the packets are to be reassembled. TCP also provides a number, called an
acknowledgement number, that is used to indicate the sequence number of the next packet expected. The
packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within
a range of the acknowledgement number (called a "window"). The acknowledgement number is not used
in a packet with the reset (RST) flag set because a reset does not expect a packet in return.
Cisco CATOS Devices
Impact
The impact is different for each specific protocol. While, in the majority of cases, a TCP connection will
be automatically re-established, in some specific protocols a second order of consequences may have a
larger impact than tearing down the connection itself.
Suggested Fix
There are no workarounds available to mitigate the effects of this vulnerability. It is possible to mitigate
the exposure on this vulnerability by applying anti-spoofing measures on the edge of the network.
CatOS TCP State Manipulation DoS Vulnerability - 109444 [CatOS]

Description
Multiple Cisco products are affected by denial of service (DoS) vulnerability that manipulate the state
of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection,
an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If
enough TCP connections are forced into a long-lived or indefinite state, resources on a system under
attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system
reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker
must be able to complete a TCP three-way handshake with a vulnerable system.
Cisco CATOS Devices

References

4-344
OL-25941-01
Chapter 4

Rule 1
Rule
CATOS PSIRT-109444: Verify TCP State Manipulation DoS Vulnerability [IOS]

Description
ll Cisco CatOS Software versions are affected by these vulnerabilities. A device running Cisco CatOS
Software that is under attack will have numerous hung TCP connections in the FIN_WAIT_1 state. The
show netstat command can be used to display the hung TCP connections. The following is example
output showing an attack in progress.
Console> (enable) show netstat
Active Internet connections (including servers)
Proto
Recv-Q
Send-Q
Local Address
Foreign Address
(state)
tcp
83
192.168.1.10.23
192.168.1.20.46056 FIN_WAIT_1
tcp
83
192.168.1.10.23
192.168.1.20.16305 FIN_WAIT_1
tcp
83
192.168.1.10.23
192.168.1.20.14628 FIN_WAIT_1
tcp
83
192.168.1.10.23
192.168.1.20.7275
tcp
83
192.168.1.10.23
192.168.1.20.39559 FIN_WAIT_1
FIN_WAIT_1
Cisco CATOS Devices
Impact
Successful exploitation of the TCP state manipulation vulnerabilities may result in a DoS condition
where new TCP connections are not accepted on an affected system. Repeated exploitation may result
in a sustained DoS condition. A reboot may be required to recover affected systems.
Suggested Fix
Cisco CatOS software provides VLAN Access Control Lists (VACL) to mitigate against the TCP state
manipulation vulnerabilities. For more information on configuring VACLs on CatOS 7.x software
versions, please consult the following link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/7.x/configuration/guide/acc_list.ht
ml
For more information on configuring VACLs on CatOS 8.x software versions, please consult the
following link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/catos/8.x/configuration/guide/acc_list.ht
ml.
CatOS Telnet Buffer Vulnerability - 20776 [CatOS]

Description
Some Cisco Catalyst switches, running certain CatOS based software releases, have a vulnerability
wherein a buffer overflow in the Telnet option handling can cause the Telnet daemon to crash and result
in a switch reload.

OL-25941-01
4-345
Chapter 4
This vulnerability can be exploited to initiate a denial of service (DoS) attack. This vulnerability is
documented as Cisco bug ID CSCdw19195. There are workarounds available to mitigate the
vulnerability.
Cisco CATOS Devices

References

Rule 1
Rule
CATOS PSIRT-20776: Verify Telnet Buffer Vulnerability [IOS]

Description
Some Cisco Catalyst switches, running certain CatOS-based software releases, have a vulnerability
wherein a buffer overflow in the Telnet option handling can cause the Telnet daemon to crash and result
in a switch reload. This vulnerability can be exploited to initiate a denial of service (DoS) attack. Once
the switch has reloaded, it is still vulnerable and the attack can be repeated as long as the switch is IP
reachable on port 23 and has not been upgraded to a fixed version of CatOS switch software.
Cisco CATOS Devices
Impact
This vulnerability can be exploited to produce a denial of service (DoS) attack. When the vulnerability
is exploited it can cause the Cisco Catalyst switch to crash and reload.
Suggested Fix
The following workarounds can be implemented.
If the ssh feature is available in the code base, use ssh instead of Telnet and disable Telnet. For
instructions on how to do this, please refer to
http://www.cisco.com/warp/public/707/ssh_cat_switches.html.
Apply IP Permit List for Telnet to enable access to the switch's management interface only from the
network management workstations. Please note, this will not prevent spoofed IP packets with the
source IP address set to that of the network management station from reaching the switch's
management interface.
On the Catalyst 6000 series switches, if the VLAN Access Control List (ACL) (VACL) feature is
available in the code base, you can use VACLs instead of the IP Permit List workaround above.
Please note, this will not prevent spoofed IP packets with the source IP address set to that of the
network management station from reaching the switch's management interface.
Implement the best practice to assign all of the management interfaces of all the switches in the
network to a different VLAN, and apply appropriate ACLs on the router switching between the
VLANs.
4-346
OL-25941-01
Chapter 4

Apply ACLs on routers / switches / firewalls in front of the vulnerable switches such that traffic
destined for the Telnet port 23 on the vulnerable switches is only allowed from the network
management workstations.
Cisco IOS Software IGMP Vulnerability - 112027 [IOS]

Description
A vulnerability in the Internet Group Management Protocol (IGMP) version 3 implementation of Cisco
IOS Software and Cisco IOS XE Software allows a remote unauthenticated attacker to cause a reload
of an affected device. Repeated attempts to exploit this vulnerability could result in a sustained denial
of service (DoS) condition. Cisco has released free software updates that address this vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-112027: Verify Cisco IOS Software IGMP Vulnerability [IOS]

Description
show version command or may provide different output. The following example identifies a Cisco
product that is running Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE
SOFTWARE (fc3)
Additional information about Cisco IOS Software release naming conventions is available in White
Paper: Cisco IOS and NX-OS Software Reference Guide.
Cisco IOS Devices

OL-25941-01
4-347
Chapter 4
Impact
Successful exploitation of this vulnerability may cause the affected device vulnerable device to reload.
Repeated exploitation may result in a sustained DoS condition.
Suggested Fix
IGMP version 2
Customers who do not require the Source Specific Multicast (SSM) functionality can use IGMP version
2 as a workaround.
ip address 192.168.0.1 255.255.255.0
ip pim sparse-mode
ip igmp version 2
A partial mitigation of the vulnerability described in this document is to block IGMP packets with an IP
Time to Live (TTL) field value that is not equal to 1. RFC1054 , "Host Extensions for IP Multicasting"
RFC2236 , "Internet Group Management Protocol Version 2", and RFC3376 , "Internet Group
Management Protocol Version 3", indicate that every IGMP message is sent with an IP TTL of 1.
CoPP may be configured on a device to protect the management and control planes, and minimize the
risk and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent
to infrastructure devices in accordance with existing security policies and configurations. The following
example can be adapted to your network. Drop of IGMP packets with unicast IP destination addresses
can also be implemented with CoPP if the network is using all multicast applications that utilize only
multicast group destination addresses for IGMP packets.
!
!-- The following access list is used
!-- policy (the CoPP feature.) If the access list matches (permit),
!-- then traffic will be dropped. If the access list does not
!-- match (deny), then traffic will be processed by the router.
!-- all IGMP packets with ttl different from 1 will be selected
!-- by this acl and the "drop" action will be applied in the
!-- corresponding CoPP polisy
!
ip access-list extended IGMP-ACL

permit igmp any any ttl neq 1
4-348
OL-25941-01
Chapter 4

!-- Create a class map for traffic that will be policed by
!
class-map match-all drop-IGMP-class

match access-group name IGMP-ACL
!
!-- Create a policy map that will be applied to the
!-- Control Plane of the device, and add the "drop-tcp-traffic"
!-- class map.
!
policy-map CoPP-policy
class drop-IGMP-class
drop
!
!-- Apply the policy map to the control plane of the
!-- device.
!
control-plane
service-policy input CoPP-policy
Additional information on the configuration and use of the CoPP feature is available in the Control Plane
Policing Implementation Best Practices.
Crafted Encryption Packet DoS Vulnerability - 110393 [IOS]

Description
Cisco IOS Software contains a vulnerability that could allow an attacker to cause a Cisco IOS device to
reload by remotely sending a crafted encryption packet.

OL-25941-01
4-349
Chapter 4
Cisco has released free software updates that address this vulnerability.
Cisco IOS Devices
4-350
OL-25941-01
Chapter 4

References

Rule 1
Rule
PSIRT-110393: Verify Crafted Encryption Packet DoS Vulnerability [IOS]

Description
A Cisco IOS device that is configured for SSLVPN or SSH may reload when it receives a specially
crafted TCP packet on TCP port 443 (SSLVPN) or TCP port 22 (SSH). Completion of the three-way
handshake to the associated TCP port number of these features is required for the vulnerability to be
successfully exploited; however, authentication is not required. A Cisco IOS device that is configured
for IKE encrypted nonces may reload when it receives a specially crafted UDP packet on port 500 or
4500 (if configured for NAT Traversal (NAT-T)).
Cisco IOS Devices
Impact
device. The issue could be repeatedly exploited to cause an extended DoS condition.
Suggested Fix
There are no available workarounds other than disabling the affected features and protecting SSH access
with the use of VTY access control lists.
Use the no webvpn enable command to disable SSL VPN use.
For Cisco IOS the SSH server can be disabled by applying the command crypto key zeroize rsa while
in configuration mode. The SSH server is enabled automatically upon generating an RSA key pair.
Zeroing the RSA keys is the only way to completely disable the SSH server.
Access to the SSH server on Cisco IOS Software may also be disabled by removing SSH as a valid
transport protocol. This action can be done by reapplying the transport input command with 'ssh'
removed from the list of permitted transports on vty lines while in configuration mode. For example:
line vty 0 4
transport input telnet
end
If SSH server functionality is desired, access to the server can be restricted to specific source IP
addresses or blocked entirely through the use of Access Control Lists (ACLs) on the vty lines as shown
in the following URL:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_9_ea1/configuratio
n/guide/swacl.html#xtocid14
More information on configuring ACLs can be found on Cisco's public website:
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.sht
ml

OL-25941-01
4-351
Chapter 4
The following is an example of a vty access-list:

access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
line vty 0 4
access-class 2 in
In the previous example, only the 10.1.1.0/24 network is allowed to SSH to the Cisco IOS device.
To disable IKE encrypted nonces use the no authentication rsa-encr command under an ISAKMP
policy, as shown in the following example:
crypto isakmp policy
no authentication rsa-encr
Crafted ICMP Messages DoS for IPSec Tunnels - 64520 [IOS]

Description
A document that describes how the Internet Control Message Protocol (ICMP) could be used to perform
a number of Denial of Service (DoS) attacks against the Transmission Control Protocol (TCP) has been
made publicly available. This document has been published through the Internet Engineering Task Force
(IETF) Internet Draft process, and is entitled "ICMP Attacks Against TCP"
(draft-gont-tcpm-icmp-attacks-03.txt)
These attacks, which only affect sessions terminating or originating on a device itself, can be of three
types:
Attacks that use ICMP "hard" error messages
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known
as Path Maximum Transmission Unit Discovery (PMTUD) attacks
Attacks that use ICMP "source quench" messages
Successful attacks may cause connection resets or reduction of throughput in existing connections,
depending on the attack type.
See "Crafted ICMP Messages Can Cause Denial of Service" at Cisco Security Advisories website.
Cisco IOS Devices

Rule 1
Rule
PSIRT-64520: Verify Crafted ICMP Messages DoS for IPSec Tunnels Vulnerability [IOS]
Description
IP Security (IPSec): when an IOS device is configured to use IPSec, PMTUD is enabled by default, and
therefore, the device may be affected by the PMTUD attack described in this document. An IOS device
is configured for IPSec if either crypto map or tunnel protection is applied to an interface.
4-352
OL-25941-01
Chapter 4

For example:
crypto ipsec profile IPSEC_PROFILE
[...]
!
crypto map MYMAP 1 ipsec-isakmp
[...]
!
interface Tunnel0
tunnel protection ipsec profile IPSEC_PROFILE
[...]
!
interface Ethernet1
crypto map MYMAP
[...]
Generic Routing Encapsulation (GRE) and IPinIP: devices configured to use these tunneling
protocols are vulnerable to crafted ICMP "fragmentation needed and DF bit set" messages if PMTUD is
enabled. PMTUD is disabled by default for these two protocols. The device is vulnerable if the command
tunnel path-mtu-discovery is present in the configuration.
Cisco IOS Devices
Impact
These attacks may result in Denial-of-Service conditions. No remote code execution or unauthorized
access results from these types of attacks.
Suggested Fix
IPSec
For IPSec, the recommended workaround is to "disable" PMTUD. Please note that there is not a single
command to disable PMTUD under IPSec, but this can be achieved through other mechanisms. In
particular, the following two things must be done:
1.
Filter out ICMP "fragmentation needed and DF bit set" messages (type 3, code 4) destined to the
router itself using an Access Control List or the Control Plane Policing (CoPP) feature. The
following example shows how to block ICMP "fragmentation needed and DF bit set" (type 3, code
4) messages that are addressed to any of the device's IP addresses using an interface ACL (note how
the type 3, code 4 message is specified using the packet-too-big keyword):
access-list 111 deny icmp any host <fa0/0's IP address> packet-too-big

access-list 111 permit ip any any
!
interface fastEthernet 0/0
ip access-group 111 in
!

OL-25941-01
4-353
Chapter 4

!
Note
CoPP is available in IOS release trains 12.0S, 12.2S and 12.3T.

2.
Allow IPSec to fragment the embedded packet even when the DF bit is set. This can be
accomplished by using the command crypto ipsec df-bit clear (which is available in IOS 12.2(2)T
and later) or by using Policy-Based Routing (PBR) (available in IOS 12.1(6) and later) to clear the
DF bit. What follows is an example of how to use PBR to clear the DF bit:
route-map clear-df permit 10

match ip address 101
!--- The following command is used to change the

!--- Don't Fragment (DF) bit value in the IP header;
!--- it must be used in route-map configuration mode.
set ip df 0
access-list 101 permit tcp 10.1.3.0 0.0.0.255 any
interface ethernet0
...
!--- The following command is used to identify a

!--- route map to use for policy routing on an
!--- interface; if must be used in interface
!--- configuration mode.
ip policy route-map clear-df

In this example the route-map is applied to the interface where the unencrypted traffic enters the router,
and 10.1.3.0/24 is the address space that is sending traffic through the IPSec tunnel.
Generic Routing Encapsulation and IPinIP
The only workaround for this case is to disable PMTUD on the tunnel interface if it has been enabled.
This is accomplished via the command no tunnel path-mtu-discovery, while in the specific tunnel
interface configuration mode.
4-354
OL-25941-01
Chapter 4

Without the tunnel path-mtu-discovery command configured, the DF bit will always be cleared in the
GRE IP header. This allows the GRE IP packet to be fragmented, even though the encapsulated data IP
header had the DF bit set, which normally wouldn't allow the packet to be fragmented.
Please note that if you are using GRE with IPSec you need to use the command no tunnel
path-mtu-discovery instead of the command crypto ipsec df-bit clear to make sure that DF bit is
cleared in transmitted packets; and you also need to filter out ICMP "fragmentation needed and DF bit
set" messages (type 3, code 4) destined to the router itself using an Access Control List or the Control
Plane Policing (CoPP) feature as described above.
If you have an image that is fixed for Cisco Bug IDCSCef44699 (registered customers only) you can set
a low limit on the MTU that is learned via the PMTUD process by using the new command tunnel
path-mtu-discovery min-mtu <minimum MTU> under the specific tunnel interface configuration
mode.
Crafted ICMP Messages DoS for L2TPv2 - 64520 [IOS]

Description
types:
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also known
as Path Maximum Transmission Unit Discovery (PMTUD) attacks
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-64520: Verify Crafted ICMP Messages DoS for L2TPv2 Vulnerability [IOS]

OL-25941-01
4-355
Chapter 4
Description
Layer 2 Tunneling Protocol Version 2 (L2TP) and Layer 2 Tunneling Protocol Version 3 (L2TPv3):
devices configured to use these tunneling protocols are vulnerable to crafted ICMP "fragmentation
needed and DF bit set" messages if PMTUD is enabled. PMTUD is disabled by default for these
protocols. A device running L2TP is vulnerable if the command ip pmtu appears in the device's
configuration.
Note
L2TP (version 2) and L2TPv3 (version 3) are two different and independent protocols. Both are affected,
but throughout the rest of this document we will refer to them as one since they are affected in the same
manner.
Cisco IOS Devices
Impact
Suggested Fix
The only workaround to protect Layer 2 Tunneling Protocol sessions (both versions 2 and 3) against
PMTUD attacks is to disable PMTUD if it has been enabled. For L2TPv2, this is done via the no ip pmtu
command in vpdn-group configuration mode as shown here:
router(config)#vpdn enable
router(config)#vpdn-group 1
router(config-vpdn)#no ip pmtu
For L2TPv3, this is done via the commands no ip pmtu and no ip dfbit set in pseudowire-class
configuration mode as shown here:
pseudowire-class [pseudowire class name]
encapsulation l2tpv3
no ip pmtu
no ip dfbit set
[...]
For L2TPv2, if you have an image that is fixed for Cisco Bug ID CSCsa52807 (registered customers
only) you can set low and high limits on the MTU that is learned via the PMTUD process by using the
new commands vpdn pmtu minimum <minimum MTU> and vpdn pmtu maximum <maximum
MTU> under vpdn-group configuration mode.
4-356
OL-25941-01
Chapter 4

Description
types:
1.
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also
known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-64520: Verify Crafted ICMP Messages DoS for TCP over IPv4 Vulnerability [IOS]
Transmission Control Protocol over Internet Protocol (IP) Version 4: if an IOS device establishes
TCP sessions with other devices, for example, to speak Border Gateway Protocol (BGP) with other
peers, it may be vulnerable to crafted ICMP "fragmentation needed and DF bit set" error messages if
PMTUD is enabled. PMTUD is disabled by default for TCP in IOS. PMTUD is enabled if the command
ip tcp path-mtu-discovery is present in the device configuration.
Cisco IOS Devices
Impact

OL-25941-01
4-357
Chapter 4
Suggested Fix
Transmission Control Protocol Over IP Version 4

If PMTUD has been explicitly enabled, a possible workaround to prevent PMTUD attacks is to disable
it by using the global configuration command no ip tcp path-mtu-discovery. Once this command is
executed, PMTUD will be disabled for all new TCP connections; configuring PMTD on the IOS device
does not have any effect on existing TCP sessions already established from/to the router.
Please note that with PMTUD disabled, the MSS that will be used will be the value set with the ip tcp
mss command, or the default of 536 bytes for remote destinations, or 1460 bytes for local destinations.
Description
types:
1.
2.
Attacks that use ICMP "fragmentation needed and Don't Fragment (DF) bit set" messages, also
known as Path Maximum Transmission Unit Discovery (PMTUD) attacks
3.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-64520: Verify Crafted ICMP Messages DoS for TCP over IPv6 Vulnerability [IOS]
Description
Transmission Control Protocol over Internet Protocol Version 6 (IPv6): PMTUD is enabled by
default for IPV6; therefore, devices configured for IPv6 are vulnerable to PMTUD attacks if they are
running services that rely on TCP, like BGP. If the device is just forwarding IPv6 traffic, i.e., it does not
establish TCP sessions with other hosts, then it is not affected.
4-358
OL-25941-01
Chapter 4

Cisco IOS Devices
Impact
Suggested Fix
Transmission Control Protocol Over IP Version 6

PMTUD is enabled by default when using TCP over IPv6, and it is not possible to disable it. For this
reason a possible workaround is to use an ACL to block the ICMPv6 "packet too big" message.
Please note that filtering out ICMPv6 "packet too big" messages means that the layer 3 (IPv6) PMTUD
is being shut down as well. Therefore, it is necessary to make sure that the MTU is set on the end host
to the lowest possible IPv6 MTU - 1280 bytes. Otherwise, since the device is not seeing the "packet too
big" message, the device will not know that an intermediate system has dropped a packet because it was
too big.
ICMPv6 "packet too big" messages are the IPv6 equivalent to the ICMPv4 "fragmentation needed and
DF bit set" message.
Crafted IP Option - 81734 [IOS]

Description
Cisco routers and switches running Cisco IOS or Cisco IOS XR software may be vulnerable to a
remotely exploitable crafted IP option Denial of Service (DoS) attack. Exploitation of the vulnerability
may potentially allow for arbitrary code execution. The vulnerability may be exploited after processing
an Internet Control Message Protocol (ICMP) packet, Protocol Independent Multicast version 2 (PIMv2)
packet, Pragmatic General Multicast (PGM) packet, or URL Rendezvous Directory (URD) packet
containing a specific crafted IP option in the packet's IP header. No other IP protocols are affected by
this issue.
There are workarounds available to mitigate the effects of the vulnerability.
This vulnerability was discovered during internal testing.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-81734 : Verify Crafted IP Option Can Cause DoS Vulnerability [IOS]

OL-25941-01
4-359
Chapter 4
Description
This vulnerability may be exploited when an affected device processes a packet that meets all three of
the following conditions:
1. The packet contains a specific crafted IP
option.
AND
2. The packet is one of the following protocols:
ICMP - Echo (Type 8) - 'ping'
ICMP - Timestamp (Type 13)
ICMP - Information Request (Type 15)
ICMP - Address Mask Request (Type 17)
PIMv2 - IP protocol 103
PGM - IP protocol 113
URD - TCP Port 465
AND
3. The packet is sent to a physical or virtual
IPv4 address configured on the affected device.
No other ICMP message types are affected by this issue.
No other IP protocols are affected by this issue.
No other TCP services are affected by this issue.
The packet can be sent from a local network or from a remote network.
The source IP address of the packet can be spoofed or non-spoofed.
Packets which transit the device (packets not sent to one of the device's IP addresses) do not trigger the
vulnerability and the device is not affected.
Cisco IOS Devices
Impact
execution of arbitrary code. Repeated exploitation could result in a sustained DoS attack.
Suggested Fix
Configure ip option drop configuration command to drop IP packets that has options.
4-360
OL-25941-01
Chapter 4

Crafted TCP Packet Denial of Service Vulnerability - 111450 [IOS]

Description
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote
unauthenticated attacker to cause an affected device to reload or hang. The vulnerability may be
triggered by a TCP segment containing crafted TCP options that is received during the TCP session
establishment phase. In addition to specific, crafted TCP options, the device must have a special
configuration to be affected by this vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-111450: Verify Crafted TCP Packet DoS Vulnerability [IOS]

Description
Cisco IOS Software is affected by a denial of service vulnerability that may allow a remote
unauthenticated attacker to cause a device reload or hang.
The vulnerability may only be triggered by a TCP segment received during the TCP session
establishment phase. The received TCP segment mustcontain crafted, not malformed, TCP options. A
TCP three-way handshake does not need to be completed to exploit the vulnerability.
To be affected by this vulnerability, a device must be configured for any of the following:
A specific TCP receive window size
PMTUD
SNAT with TCP as the transport protocol
The vulnerability exists in the TCP options processing code of Cisco IOS Software. When the
vulnerability is triggered, Cisco IOS Software enters an infinite loop that may cause the device to reload
or hang. The following syslog messages may indicate that this vulnerability has been exploited:
%SYS-3-CPUHOG: Task is running for (128004)msecs, more than (2000)msecs (23/1),process = IP
Input.
-Traceback= 0x41CA6AC4 0x41C83170 0x41A22704 0x41F249D4 0x41A24A34 0x41B24C58
%SYS-2-WATCHDOG: Process aborted on watchdog timeout, process = IP Input.

OL-25941-01
4-361
Chapter 4
BGP Considerations
This vulnerability could be exploited through the BGP port (TCP port 179) if all the following conditions
are met:
The device is configured for one or more of the features that make a device affected, as explained
above. Note that in recent versions of Cisco IOS Software, configuring BGP automatically enables
PMTUD for all BGP neighbor sessions.
The source IP address of an attack packet is the IP address of a configured BGP peer.
If the BGP TTL Security Hack (BTSH)/Generalized TTL Security Mechanism (GTSM) is
configured, the TTL of the received attack packet is within the allowed TTL range.
If the BGP peering session is protected by the TCP MD5 option, the attack packet has the correct
MD5 hash.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may cause the affected device to reload or hang. Repeated
exploitation could result in a sustained denial of service condition. In the case of a hang, cycling power
to the device may be required to put the device back in service.
Suggested Fix
There are no workarounds to mitigate this vulnerability other than disabling the specific features that
make a device vulnerable, if feasible.
Additionally, allowing only legitimate devices to connect to affected devices will help limit exposure to
this vulnerability.Since a TCP three-way handshake is not required, to increase effectiveness, the
mitigation must be coupled with anti-spoofing measures on the network edge.
companion document "Cisco Applied Mitigation Bulletin: Identifying and Mitigating Exploitation of the
Cisco IOS Software Crafted TCP Packet Denial of Service Vulnerability".
Configurations Using a Specific TCP Window Size
Not setting a specific TCP receive window size can be accomplished by removing the ip tcp window-size
command from the configuration.
Configurations Using Path MTU Discovery
PMTUD may be disabled in some of the Cisco IOS Software features that make use of PMTUD. The
specific command to use to disable PMTUD varies depending on the specific feature:
TCP over IPv4: removing the ip tcp path-mtu-discovery command from the configuration will
disable PMTUD for TCP over IPv4 sessions that originate on the device.
TCP over IPv6: PMTUD is enabled by default for IPV6 and cannot be disabled.
BGP: if BGP is configured on a recent version of Cisco IOS Software that enables PMTUD for BGP
sessions, PMTUD can be disabled for all BGP sessions with the no bgp transport
path-mtu-discovery command in router configuration mode (Cisco IOS Release 12.2(33)SRA,
12.2(31)SB, 12.2(33)SXH, 12.4(20)T, and later releases).
Configurations Using Stateful NAT with TCP as the Transport Protocol

SNAT can be disabled by removing the ip nat Stateful id command from the configuration.
4-362
OL-25941-01
Chapter 4

For devices that need to offer TCP services, it is possible to use Control Plane Policing (CoPP) to block
TCP traffic to the device from untrusted sources. Cisco IOS Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4,
policies and configurations. The following example can be adapted to specific network configurations:
!-- policy (the CoPP feature.) If the access list matches (permit)
!-- Note that TCP ports 22 and 23 are just examples; this configuration
!-- needs to be expanded to include all used TCP ports.
access-list 100 permit tcp any any
class-map match-all drop-tcp-class

OL-25941-01
4-363
Chapter 4

!-- Control-Plane of the device, and add the "drop-tcp-traffic"
!-- class map.
class drop-tcp-class
drop

!-- device.
control-plane
Warning
Because a TCP three-way handshake is not required to exploit this vulnerability, it is possible to
easily spoof the IP address of the sender, which may defeat access control lists (ACLs) that permit
communication to these ports from trusted IP addresses.
with the "permit" action result in these packets being discarded by the policy-map "drop" function, while
packets that match the "deny" action (not shown) are not affected by the policy-map drop function.
Configuring Infrastructure Access Lists (iACLs)
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that
should never be allowed to target your infrastructure devices and block that traffic at the border of your
network. Infrastructure ACLs are considered a network security best practice and should be considered
as a long-term addition to good network security as well as a workaround for this specific vulnerability.
The white paper entitled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents
guidelines and recommended deployment techniques for infrastructure protection ACLs:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml
BGP Considerations
BTSH/GTSM can help prevent exploitation of this vulnerability via the BGP port because packets
coming from devices that do not pass the TTL check configured via BTSH are dropped before any TCP
processing takes place. For information on BTSH refer to:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_btsh.html.
MD5 authentication for BGP peering sessions can also help prevent exploitation via the BGP port
because the MD5 hash in an attack packet is checked before processing the crafted TCP option. For a
detailed discussion on how to configure BGP, refer to the following document:
http://www.cisco.com/en/US/docs/ios/12_0/np1/configuration/guide/1cbgp.html.
4-364
OL-25941-01
Chapter 4

Crafted UDP Packet Vulnerability - 108558 [IOS]

Description
Several features within Cisco IOS Software are affected by a crafted UDP packet vulnerability. If any of
the affected features are enabled, a successful attack will result in a blocked input queue on the inbound
interface. Only crafted UDP packets destined for the device could result in the interface being blocked,
transit traffic will not block the interface.
Workarounds that mitigate this vulnerability are available.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-108558: Verify Crafted UDP Packet Vulnerability [IOS]

Description
Devices running affected versions of Cisco IOS Software and Cisco IOS XE Software are affected when
running any of the following features:
IP Service Level Agreements (SLA) Responder
Session Initiation Protocol (SIP)
H.323 Annex E Call Signaling Transport
Media Gateway Control Protocol (MGCP)
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability may cause the inbound interface to be blocked and will
silently drop any received traffic. A reload of the device is required to restore normal functionality.
Suggested Fix
The following mitigations have been identified for this vulnerability; only packets destined for any
configured IP address on the device can exploit this vulnerability. Transit traffic will not exploit this
vulnerability.

OL-25941-01
4-365
Chapter 4
Disable Affected Listening Ports

If an affected feature is not required it can be explicitly disabled. Once disabled confirm the listening
UDP port has been closed by entering the CLI command "show udp" or "show ip socket". Some features
may require a reload of the device after disabling the feature in order to close the listening UDP port.
For SIP it is possible to disable UDP listening if only TCP services are required. The following example
shows how to disable SIP from listening on its associated UDP port.
Infrastructure Access Control Lists
Warning
Because the features in this vulnerability utilize UDP as a transport, it is possible to spoof the
sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP
addresses. Unicast RPF should be considered to be used in conjunction to offer a better mitigation
solution.
Although it is often difficult to block traffic that transits a network, it is possible to identify traffic that
should never be allowed to target infrastructure devices and block that traffic at the border of networks.
Infrastructure Access Control Lists (iACLs) are a network security best practice and should be
considered as a long-term addition to good network security as well as a workaround for this specific
vulnerability.
Warning
Because the features in this vulnerability utilizes UDP as a transport, it is possible to spoof the
addresses. Unicast RPF should be considered to be used in conjunction to offer better mitigation
solution.
Control Plane Policing (CoPP) can be used to block untrusted UDP traffic to the device. Cisco IOS
software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to protect the management and control planes and minimize the risk and
effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is sent
to infrastructure devices in accordance with existing security policies and configurations.
Exploit Detection
It is possible to detect blocked interface queues with an Cisco IOS Embedded Event Manager (EEM)
policy. EEM provides event detection and reaction capabilities on a Cisco IOS device. EEM can alert
administrators of blocked interfaces with email, a syslog message, or a Simple Network Management
Protocol (SNMP) trap.
Crypto - 91890 [IOS]

Description
A vulnerability has been discovered in a third party cryptographic library which is used by a number of
Cisco products. This vulnerability may be triggered when a malformed Abstract Syntax Notation One
(ASN.1) object is parsed. Due to the nature of the vulnerability it may be possible, in some cases, to
trigger this vulnerability without a valid certificate or valid application-layer credentials (such as a valid
username or password).
4-366
OL-25941-01
Chapter 4

Successful repeated exploitation of any of these vulnerabilities may lead to a sustained

Denial-of-Service (DoS); however, vulnerabilities are not known to compromise either the
confidentiality or integrity of the data or the device. These vulnerabilities are not believed to allow an
attacker to decrypt any previously encrypted information.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-91890: Verify For Vulnerabilities In Crypto Library Vulnerability [IOS]

Description
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability listed in this advisory may result in the crash of a vulnerable
device. Repeated exploitation can result in a sustained DoS attack.
Suggested Fix
The only way to prevent a device being susceptible to the listed vulnerabilities is to disable the affected
service(s). However, if regular maintenance and operation of the device relies on these services then
there is no workaround.
It is possible to mitigate these vulnerabilities by preventing unauthorized hosts to access the affected
devices. Additional mitigations that can be deployed on Cisco devices within the network are available
in the Cisco Applied Intelligence companion document.

OL-25941-01
4-367
Chapter 4
DFS ACL Leakage - 13655 [IOS]

Description
Errors in certain Cisco IOS software versions for certain routers can cause IP datagrams to be output to
network interfaces even though access lists have been applied to filter those datagrams. This applies to
routers from the Cisco 7xxx family only, and only when those routers have been configured for
distributed fast switching (DFS).
There are two independent vulnerabilities, which have been given Cisco bug IDs CSCdk35564 and
CSCdk43862. Each vulnerability affects only a specialized subset of DFS configurations. Affected
configurations are not believed to be extremely common, but neither are they extremely rare. More
details of affected configurations are in the "Who is Affected" section of this document.
These vulnerabilities may permit users to send packets to parts of the customer's network for which they
are not authorized. This may permit unauthorized access or other attacks on customer computer systems
or data. Cisco does not know of any incidents in which these vulnerabilities have actually been exploited
by attackers.
Neither vulnerability affects any Cisco product other than routers in the 70xx or 75xx series. Of 70xx
routers, only routers with the optional route-switch processor (RSP) card are affected. Additional
configuration conditions apply.
See "Cisco IOS DFS Access List Leakage." at Cisco Security Advisories website
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-13655 : Verify DFS Access List Leakage Vulnerability [IOS]

Description
Errors in certain Cisco IOS software versions for certain routers can cause IP datagrams to be output to
network interfaces even though access lists have been applied to filter those datagrams. This applies to
routers from the Cisco 7xxx family only, and only when those routers have been configured for
distributed fast switching (DFS).
There are two independent vulnerabilities, which have been given Cisco bug IDs CSCdk35564 and
CSCdk43862. Each vulnerability affects only a specialized subset of DFS configurations. Affected
configurations are not believed to be extremely common, but neither are they extremely rare. More
details of affected configurations are in the "Who is Affected" section of this document.
These vulnerabilities may permit users to send packets to parts of the customer's network for which they
are not authorized. This may permit unauthorized access or other attacks on customer computer systems
or data. Cisco does not know of any incidents in which these vulnerabilities have actually been exploited
by attackers.
4-368
OL-25941-01
Chapter 4

Neither vulnerability affects any Cisco product other than routers in the 70xx or 75xx series. Of 70xx
routers, only routers with the optional route-switch processor (RSP) card are affected. Additional
configuration conditions apply.
See "Cisco IOS DFS Access List Leakage." at Cisco Security Advisories website
Cisco IOS Devices
Impact
Incorrect access-list filtering may be applied to output packets. Output access lists are frequently used
to implement security filtering, and the failure of such access lists may permit users to send packets to
parts of the network for which they are not authorized. This, in turn, may permit them to bypass security
restrictions, and to gain access to data or resources from which they should be excluded.
Neither of the defects described in this notice "fails reliably". The same access lists, on the same
interfaces, may work correctly at some times, and fail at other times. Because of this, administrators who
test their access lists may be misled into believing that the access lists are providing effective protection,
when in fact they are not.
CSCdk43862 may result in legitimate traffic being filtered out, as well as in undesired traffic being
permitted to pass through the router. CSCdk35564 never filters legitimate traffic; it only permits
undesired traffic.
An attacker who had detailed knowledge of these vulnerabilities might be able to create conditions
favorable to unauthorized access being permitted. However, such activity would probably be
unnecessary; even without deliberate intervention by an attacker, such conditions would be expected to
occur frequently during the operation of most affected networks.
Suggested Fix
These vulnerabilities can be worked around by disabling DFS on network interfaces (with no ip
route-cache distributed). Be aware that the purpose of DFS is to transfer computational load from the
router's primary CPU to the CPUs on the VIP cards, and that disabling DFS may therefore cause
overload of the primary CPU. Evaluate your traffic load and CPU usage before using this workaround.
If all interfaces in the router are DFS-capable, but DFS has for some reason been enabled only on some
of the interfaces, it may be possible to work around CSCdk35564 by enabling DFS on all interfaces. This
will not affect CSCdk43862.
CSCdk43862 can sometimes be worked around by reconfiguring to use the same output access list on
all the subinterfaces of a physical interface.
Another possible workaround is to redesign the access lists structure on the router to avoid the need for
output access lists on affected interfaces.
DHCP - 63312 [IOS]

Description
Cisco IOS devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration
Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of
service where the input queue becomes blocked when receiving specifically crafted DHCP packets.
Cisco IOS Devices

References

OL-25941-01
4-369
Chapter 4

Rule 1
Rule
PSIRT-63312: Verify DHCP Blocked Interface Denial-of-Service Vulnerability [IOS]

Description
Cisco IOS devices running branches of Cisco IOS version 12.2S that have Dynamic Host Configuration
Protocol (DHCP) server or relay agent enabled, even if not configured, are vulnerable to a denial of
service where the input queue becomes blocked when receiving specifically crafted DHCP packets.
See "Cisco IOS DHCP Blocked Interface Denial-of-Service." at Cisco Security Advisories website for
more information.
Cisco IOS Devices
Impact
A device receiving these specifically crafted DHCP packets will force the inbound interface to stop
processing traffic. The device may stop processing packets destined to the router, including routing
protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct
itself. This vulnerability may be exercised repeatedly resulting in loss of availability until a workaround
has been applied or the device has been upgraded to a fixed version of code.
Suggested Fix
This vulnerability can be mitigated by utilizing the command, "no service dhcp". However, this
workaround will disable all DHCP processing on the device, including the DHCP helper functionality
that may be necessary in some network configurations.
DLSw Denial of Service Vulnerabilities - 99758 [IOS]

Description
Cisco IOS contains multiple vulnerabilities in the Data-link Switching (DLSw) feature that may result
in a reload or memory leaks when processing specially crafted UDP or IP Protocol 91 packets.
Cisco IOS Devices
4-370
OL-25941-01
Chapter 4

References

Rule 1
Rule
PSIRT-99758: Verify Multiple DLSw Denial of Service Vulnerabilities in Cisco [IOS]

Description
Data-link switching (DLSw) provides a means of transporting IBM Systems Network Architecture
(SNA) and network basic input/output system (NetBIOS) traffic over an IP network. Cisco
implementation of DLSw also uses UDP port 2067 and IP Protocol 91 for Fast Sequenced Transport
(FST).
Multiple vulnerabilities exists in Cisco IOS when processing UDP and IP protocol 91 packets. These
vulnerabilities do not affect TCP packet processing. A successful exploitation may result in a reload of
the system or a memory leak on the device, leading to a denial of service (DoS) condition.
Cisco IOS devices configured for DLSw with dlsw local-peer automatically listen for IP protocol 91
packets. A Cisco IOS device that is configured for DLSw with the dlsw local-peer peer-id
<IP-address> command listen for IP protocol 91 packets and UDP port 2067.
Cisco IOS devices listen to IP protocol 91 packets when DLSw is configured. However, it is only used
if DLSw is configured for Fast Sequenced Transport (FST). A DLSw FST peer configuration will
contain the following line:
dlsw remote-peer 0 fst <ip-address>
It is possible to disable UDP processing in DLSw with the dlsw udp-disable command. However,
disabling UDP only prevents the sending of UDP packets, it does not prevent the device from receiving
and processing incoming UDP packets.
Cisco IOS Devices
Impact
Successful exploitation of these vulnerabilities may result in the reload of the device or memory leaks,
leading to a DoS condition.
Suggested Fix
The workaround consists of filtering UDP packets to port 2067 and IP protocol 91 packets. Filters can
be applied at network boundaries to filter all IP protocol 91 packets and UDP packets to port 2067 or
can be applied on individual affected devices to permit such traffic only from trusted peer IP addresses.
However, since both of the protocols are connectionless, it is possible for an attacker to spoof malformed
packets from legitimate peer IP addresses.
As soon as DLSw is configured, the Cisco IOS device begins listening on IP protocol 91. However, this
protocol is only used if DLSw is configured for Fast Sequenced Transport (FST). A DLSw FST peer
configuration will contain the following line:

OL-25941-01
4-371
Chapter 4
dlsw remote-peer 0 fst <ip-address>

If FST is used, filtering IP protocol 91 will break the operation, so filters need to permit protocol 91
traffic from legitimate peer IP addresses.
It is possible to disable UDP processing in DLSw with the dlsw udp-disable command. However,
disabling UDP only prevents the sending of UDP packets, it does not prevent the receiving and
processing of incoming UDP packets. To protect a vulnerable device from malicious packets via UDP
port 2067, both of the following actions must be taken:
1.
Disable UDP outgoing packets with the "dlsw udp-disable" command, AND
2.
Filter UDP 2067 in the vulnerable device using infrastructure ACL.
Additional mitigation techniques that can be deployed on Cisco devices within the network are available
in the Cisco Applied Mitigation Bulletin companion document.
DLSw Vulnerability - 77859 [IOS]

Description
A vulnerability exists in the Data-link Switching (DLSw) feature in Cisco IOS where an invalid value
in a DLSw message could result in a reload of the DLSw device. Successful exploitation of this
vulnerability requires that an attacker be able to establish a DLSw connection to the device. Applicable
Platforms
Cisco IOS Devices
References

Rule 1
Rule
PSIRT-77859: Check for DLSw Vulnerability [IOS]

Description
Data-link switching (DLSw) provides a means of transporting IBM Systems Network Architecture
(SNA) and network basic input/output system (NetBIOS) traffic over an IP network. Establishing DLSw
communications involves several operational stages.
In phase one, DLSw peers establish two TCP connections with each other via TCP ports 2065 or 2067.
Those TCP connections provide the foundation for the DLSw communication.
After a connection is established, the DLSw partners exchange a list of supported capabilities in phase
two. This helps to ensure that the peers use the same options. This is particularly vital when the DLSw
partners are manufactured by different vendors.
Next, the DLSw partners establish circuits between SNA or NetBIOS end systems, and information
frames can flow over the circuit.
A vulnerability exists in certain Cisco IOS software releases when configured for DLSw. After the
connection is established, it is possible for a reload to occur should the device receive an invalid option
during the capabilities exchange.
4-372
OL-25941-01
Chapter 4

Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in a reload of the device.

Suggested Fix
If DLSw is configured with no remote peers defined, then it must be operating in promiscuous mode on
one end of the connection. Promiscuous mode could allow for any device to attempt to establish a DLSw
peer with the router. To prevent malicious connections, DLSw peers may be explicitly defined with the
dlsw remote-peer command removing the need for promiscuous mode.
FTP Server - 90782 [IOS]

Description
The Cisco IOS FTP Server feature contains multiple vulnerabilities that can result in a denial of service
(DoS) condition, improper verification of user credentials, and the ability to retrieve or write any file
from the device filesystem, including the device's saved configuration. This configuration file may
include passwords or other sensitive information.
The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically
configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.
This vulnerability does not apply to the IOS FTP Client feature.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-90782: Check for Multiple Vulnerabilities in the IOS FTP Server [IOS]

OL-25941-01
4-373
Chapter 4
Description
Multiple vulnerabilities exist in the IOS FTP Server feature. These vulnerabilities are documented with
the following Cisco bug IDs:
CSCek55259 - Improper authorization checking in IOS FTP server
CSCse29244 - IOS reload when transferring files via FTP
Due to these issues with the IOS FTP server, the feature is being removed. Cisco is considering adding
fully featured and secure FTP server functionality at a later date.
The IOS FTP Server feature removal is addressed with Cisco bug ID CSCsg16908.
Cisco IOS Devices
Impact
Successful exploitation of these vulnerabilities may allow unauthorized, remote users to access the
filesystem on the IOS device, cause the affected device to reload, or execute arbitrary code.
Unauthorized users could retrieve the device's startup-config file from the filesystem. This file may
contain information that could allow the attacker to gain escalated privileges.
Repeated exploitation of the vulnerabilities could lead to an extended Denial of Service (DoS).
Suggested Fix
Customers can disable the use of the IOS FTP Server feature by executing the following command in
configuration mode:
no ftp-server enable
Firewall Application Inspection Control Vulnerability - 107716 [IOS]

Description
Cisco IOS software configured for IOS firewall Application Inspection Control (AIC) with a HTTP
configured application-specific policy are vulnerable to a Denial of Service when processing a specific
malformed HTTP transit packet. Successful exploitation of the vulnerability may result in a reload of
the affected device.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-107716: Verify Firewall Application Inspection Control Vulnerability [IOS]
4-374
OL-25941-01
Chapter 4

Description
Firewalls are networking devices that control access to an organization's network assets. Firewalls are
often positioned at the entrance points into networks. Cisco IOS software provides a set of security
features that enable you to configure a simple or elaborate firewall policy, according to your particular
requirements.
HTTP uses port 80 by default to transport Internet web services, which are commonly used on the
network and rarely challenged with regard to their legitimacy and conformance to standards. Because
port 80 traffic is typically allowed through the network without being challenged, many application
developers are leveraging HTTP traffic as an alternative transport protocol that will allow their
application's traffic to travel through or even bypass the firewall. When the Cisco IOS Firewall is
configured with HTTP AIC, it performs packet inspection to detect HTTP connections that are not
authorized in the scope of the security policy configuration. It also detects users who are tunneling
applications through port 80. If the packet is not in compliance with the HTTP protocol, it will be
dropped, the connection will be reset, and a syslog message will be generated, as appropriate.
Cisco IOS Software that is configured for IOS firewall AIC with an HTTP application-specific policy is
vulnerable to a denial of service condition when it processes a specific malformed HTTP transit packet.
Successful exploitation of the vulnerability may result in a reload of the affected device.
HTTP runs over TCP. For this vulnerability to be exploited, a full three-way handshake between client
and server is required before any malicious traffic would be processed to result in a device reload.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated
exploitation attempts may result in a sustained denial of service attack.
Suggested Fix
There are no known workarounds for this vulnerability. The only known action to help counter this
vulnerability is to disable AIC HTTP deep packet inspection in the affected device's configuration.
Disabling deep packet HTTP inspection will allow the rest of the firewall features to continue to function
until a software upgrade can be implemented. All other firewall features will continue to perform
normally.
Disabling AIC HTTP Deep Packet Inspection
To disable AIC HTTP Deep Packet Inspection, remove the linkage between policy-map type inspect
layer4-policymap and policy-map type inspect http layer7-policymap. This example shows an existing
configuration, followed by how to remove AIC HTTP Deep Packet Inspection:
!--- Existing Configuration
!
parameter-map type inspect global

!

match protocol http

OL-25941-01
4-375
Chapter 4

allow
class class-default
inspect global
class class-default
!

Remove the service-policy from the zone-pair in question:

Router(config)#zone-pair security in2out source inside destination outside
Router(config-sec-zone-pair)#no service-policy type inspect layer4-policymap
Router(config-sec-zone-pair)#exit
Remove the linkage between policy-map type inspect layer4-policymap and policy-map type inspect
http layer7-policymap:
Router(config)#policy-map type inspect layer4-policymap
Router(config-pmap)#class type inspect layer4-classmap
Router(config-pmap-c)#no service-policy http layer7-policymap
Router(config-pmap-c)#exit
Router(config-pmap)#exit
Reapply the service-policy to the zone-pair in question:

Router(config)#zone-pair security in2out source inside destination outside
4-376
OL-25941-01
Chapter 4

Router(config-sec-zone-pair)#service-policy type inspect layer4-policymap

Router(config-sec-zone-pair)#exit
Although not required, for completeness of the configuration the policy-map type inspect http
layer7-policymap and class-map type inspect http match-any layer7-classmap are recommended to be
removed.
Router(config)#no policy-map type inspect http layer7-policymap
Router(config)#no class-map type inspect http match-any layer7-classmap
Router(config)#exit
Router#
H.323 Denial of Service Vulnerability - 111265 [IOS]

Description
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service(DoS) condition on a device that is running a vulnerable version of
Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds to
mitigate these vulnerabilities other than disabling H.323 on the vulnerable device if H.323 is not
required.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-111265: Verify H.323 Denial of Service Vulnerability [IOS]

Description
H.323 is the ITU standard for real-time multimedia communications and conferencing over packet-based
(IP) networks. A subset of the H.323 standard is H.225.0, a standard used for call signaling protocols
and media stream packetization over IP networks.
The H.323 implementation in Cisco IOS Software contains two DoS vulnerabilities. An attacker can
exploit these vulnerabilities remotely by sending crafted H.323 packets to the affected device that is
running Cisco IOS Software. A TCP three-way handshake is needed to exploit these vulnerabilities.
When exploited, the first vulnerability may lead to an interface queue wedge. The second vulnerability
may cause a memory leak and, in most cases, the device to reload.
An interface queue wedge is a class of vulnerability in which certain packets are received and queued
by a Cisco IOS router or switch, but due to a processing error, are never removed from the queue.

OL-25941-01
4-377
Chapter 4
Received packets are counted against the interface input "queue," which is of a limited and relatively
small size. For example, on most interface types on most platforms the default interface input queue is
75 packets, a value that can be configured via the hold-queue value in interface configuration command.
Once the input queue contains nothing but packets that, due to a bug, will never be dequeued, the queue
is said to be wedged. More recently this condition has been termed a "blocked interface".
This can be seen on a Cisco IOS device when the input queue size is equal to or greater than (depending
on the Cisco IOS Software Release) the input queue max value, as shown below. In this example, the
current "size" of the input queue is 75, which is equal to the "max" size of the input queue, which is also
75.
Router#show interface Ethernet 0/0
Ethernet0/0 is up, line protocol is up
Hardware is AmdP2, address is 0001.0001.0001
Internet address is 10.1.1.100/24
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:20, output 00:00:05, output hang never
Last clearing of "show interface" counters never
Input queue: 75/75/44/0 (size/max/drops/flushes);
Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)

5 minute input rate 4000 bits/sec, 9 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2937 packets input, 182298 bytes, 0 no buffer
Received 7 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 input packets with dribble condition detected
58 packets output, 6540 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
To display detected memory leaks, use the show memory debug leaks command in privileged EXEC
mode.
Router#show memory debug leaks
4-378
OL-25941-01
Chapter 4

Adding blocks for GD...
I/O memory
Address
Size Alloc_pc PID Alloc-Proc
Name
Processor memory
Address
Size
Alloc_pc
PID
Alloc-Proc
Name
640854D4
1940
622265A4
196
CCH323_CT CCH323_CT
1940
622265A4
196
CCH323_CT CCH323_CT
1940
622265A4
196
CCH323_CT CCH323_CT
The previous example shows a memory leak in the process CCH323_CT. The show memory debug leaks
command was introduced in Cisco IOS Software versions 12.3(8)T1 and 12.2(25)S, respectively.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerabilities described in this advisory may cause the affected device to
experience an interface queue wedge or to reload. Theses vulnerabilities could be exploited repeatedly
to cause an extended DoS condition.
Suggested Fix
There are no workarounds to mitigate these vulnerabilities apart from disabling H.323 if the Cisco IOS
device does not need it. Applying access lists on interfaces that should not accept H.323 traffic and
putting firewalls in strategic locations may greatly reduce exposure until an upgrade can be performed.
Cisco provides Solution Reference Network Design (SRND) guides to help design and deploy
networking solutions, which can be found at http://www.cisco.com/go/srnd Voice Security best practices
are covered in the Cisco Unified Communications SRND Based on Cisco Unified Communications
Manager 6.x.

OL-25941-01
4-379
Chapter 4
You can use the call service stop forced command under the voice service voip mode, as shown in the
following example:
voice service voip
h323
call service stop forced
Note
The call service stop forced command disables all H.323 call processing.
Denial of Service Vulnerabilities in Cisco Unified Communications Manager and Cisco IOS Software",
which is available at the following location:
/en/US/products/products_applied_mitigation_bulletin09186a0080b20ee9.html
H.323 Protocol DoS Vulnerability - 110396 [IOS]

Description
The H.323 implementation in Cisco IOS Software contains a vulnerability that can be exploited remotely
to cause a device that is running Cisco IOS Software to reload.
Cisco has released free software updates that address this vulnerability. There are no workarounds to
mitigate the vulnerability apart from disabling H.323 if the device that is running Cisco IOS Software
does not need to run H.323 for VoIP services.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-110396: Verify H.323 Protocol DoS Vulnerability [IOS]

Description
H.323 is the ITU standard for real-time multimedia communications and conferencing over packet-based
(IP) networks. A subset of the H.323 standard is H.225.0, a standard used for call signalling protocols
and media stream packetization over IP networks.
The H.323 implementation in Cisco IOS Software contains a vulnerability. An attacker can exploit this
vulnerability remotely by sending an H.323 crafted packet to the affected device that is running Cisco
IOS Software. A TCP three-way handshake is needed to exploit this vulnerability.
Cisco IOS Devices
4-380
OL-25941-01
Chapter 4

Impact
Successful exploitation of the vulnerability described in this document may cause the affected device to
reload. The issue could be exploited repeatedly to cause an extended DoS condition.
Suggested Fix
There are no workarounds to mitigate the vulnerability apart from disabling H.323 if the Cisco IOS
device does not need to run H.323 for VoIP services. Affected devices that must run H.323 are
vulnerable, and there are not any specific configurations that can be used to protect them. Applying
access lists on interfaces that should not accept H.323 traffic and putting firewalls in strategic locations
may greatly reduce exposure until an upgrade can be performed.
networking solutions, which can be found at http://www.cisco.com/go/srnd Voice Security best practices
are covered in the Cisco Unified Communications SRND Based on Cisco Unified Communications
Manager 6.x.
Below is an example of an access list to block H.323 management traffic from anywhere but a permitted
network. In this example, the permitted network is 172.16.0.0/16.
!--- Permit access from any IP address in the 172.16.0.0/16
!--- network to anywhere on port 1720.
access-list 101 permit tcp 172.16.0.0 0.0.255.255 any eq 1720
!--- Permit access from anywhere to a host in the

!--- 172.16.0.0/26 network on port 1720.
access-list 101 permit tcp any 172.16.0.0 0.0.255.255 eq 1720
!--- Deny all traffic from port 1720.
access-list 101 deny tcp any eq 1720 any
!--- Deny all traffic to port 1720.
access-list 101 deny tcp any any eq 1720
!--- Permit all other traffic.

OL-25941-01
4-381
Chapter 4

Alternatively, you can use the call service stop forced command under the voice service voip mode, as
shown in the following example:
voice service voip
h323
Denial of Service Vulnerabilities in Cisco Unified Communications Manager and Cisco IOS Software".
H323 DoS Vulnerability - 112021 [IOS]

Description
The H.323 implementation in Cisco IOS Software contains two vulnerabilities that may be exploited
remotely to cause a denial of service (DoS) condition on a device that is running a vulnerable version of
Cisco IOS Software.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds to
mitigate these vulnerabilities other than disabling H.323 on the vulnerable device.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-112021: Verify Cisco IOS Software H323 DoS Vulnerability [IOS]

Description
Cisco devices that are running affected Cisco IOS Software versions that are configured to process
H.323 messages are affected by these vulnerabilities. H.323 is not enabled by default.
4-382
OL-25941-01
Chapter 4

To determine if the Cisco IOS Software device is running H.323 services, issue the show process cpu |
include H323 command, as shown in this example:
Router# show process cpu | include H323
249
16000
250
3
1
5333 0.00% 0.00% 0.00% 0 CCH323_CT

0 0.00% 0.00% 0.00% 0 CCH323_DNS
Router#
In the previous example the processes CCH323_CT and CCH323_DNS are running on the device;
therefore, the device is listening to H.323 messages. The device is vulnerable if any of these processes
(or similar) are active.
Note
Creating a dial peer by issuing the dial-peer voice command will start the H.323 processes, which causes
the Cisco IOS device to process H.323 messages.
Router# show version
Copyright (c) 1986-2008 by cisco Systems, Inc.
The following example identifies a Cisco product that is running Cisco IOS Software Release 12.4(20)T
with an installed image name of C1841-ADVENTERPRISEK9-M:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T,

OL-25941-01
4-383
Chapter 4
Paper: Cisco IOS Reference Guide".
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability described in this document may cause the affected device to
reload. The issue could be exploited repeatedly to cause an extended DoS condition.
Suggested Fix
There are no workarounds to mitigate these vulnerabilities apart from disabling H.323 if the Cisco IOS
device does not require it. Applying access lists on interfaces that should not accept H.323 traffic and
placing firewalls in strategic locations may greatly reduce exposure until an upgrade can be performed.
networking solutions, Voice Security best practices are covered in the Cisco Unified Communications
SRND Based on Cisco Unified Communications Manager 6.x.
To disable all H.323 call processing, administrators can issue the call service stop forced command
under the voice service voip mode, as shown in this example:
voice service voip
h323
Note
The call service stop forced command disables all H.323 call processing.
Multiple Vulnerabilities in Cisco Voice Products".
HTTP - 13627 [IOS]

Description
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload
if the IOS HTTP service is enabled and browsing to "http:// /%%" is attempted. This defect can be
exploited to produce a denial of service (DoS) attack. . See "Cisco IOS HTTP Server Vulnerability." at
Cisco IOS Devices
4-384
OL-25941-01
Chapter 4

References

Rule 1
Rule
PSIRT-13627: Verify HTTP Server Vulnerability [IOS]

Description
The HTTP server was introduced in IOS release 11.0 to extend router management to the worldwide
web. The defect appears in a function added in IOS releases 11.1 and 11.2 that parses special characters
in a URI of the format "%nn" where each "n" represents a hexadecimal digit. The vulnerability is
exposed when an attempt is made to browse to "http:// /%%". Due to the defect, the function incorrectly
parses "%%" and it enters an infinite loop. A watchdog timer expires two minutes later and forces the
router to crash and reload. Once it has resumed normal operation, the router is again vulnerable to the
same defect until the HTTP server is disabled, access from untrusted hosts is prohibited, or the router is
upgraded to a release of Cisco IOS software that is not vulnerable to this defect. In rare cases, the
affected device fails to reload, forcing the administrator to cycle the power to resume operation. Some
devices have reloaded without providing stack traces and may indicate wrongly that they were "restarted
by power-on" when that did not occur.
Cisco IOS Devices
Impact
Any affected Cisco IOS device that is operating with the HTTP server enabled and is not protected
against unauthorized connections can be forced to halt for a period of up to two minutes and then reload.
The vulnerability can be exercised repeatedly, possibly creating a denial of service (DoS) attack, until
such time as the HTTP server is disabled, the router is protected against the attack, or the software on
the router is upgraded to an unaffected release of IOS.
Suggested Fix
Completely disable the HTTP server using the command no ip http server while in global configuration
mode.
HTTP Auth - 13626 [IOS]

Description
When the HTTP server is enabled and local authorization is used, it is possible, under some
circumstances, to bypass the authentication and execute any command on the device. In that case, the
user will be able to exercise complete control over the device. All commands will be executed with the
highest privilege (level 15).
See "IOS HTTP Authorization Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices

OL-25941-01
4-385
Chapter 4
References

Rule 1
Rule
PSIRT-13626: Verify HTTP Authorization Vulnerability [IOS]

Description
When the HTTP server is enabled and local authorization is used, it is possible, under some
circumstances, to bypass the authentication and execute any command on the device. In that case, the
user will be able to exercise complete control over the device. All commands will be executed with the
highest privilege (level 15).
See "IOS HTTP Authorization Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices
Impact
An attacker can exercise complete control over the device. By exploiting this vulnerability, the attacker
can see and change the configuration of the device.
Suggested Fix
The workaround for this vulnerability is to disable HTTP server on the router or to use TACACS+ or
Radius for authentication.
HTTP Command Injection - 68322 [IOS]

Description
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated
output, such as the output from a show buffers command, will be passed to the browser requesting the
page. This HTML code could be interpreted by the client browser and potentially execute malicious
commands against the device or other possible cross-site scripting attacks. Successful exploitation of
this vulnerability requires that a user browse a page containing dynamic content in which HTML
commands have been injected.
See "IOS HTTP Server Command Injection Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices

References

4-386
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT- 68322: Verify HTTP Server Command Injection Vulnerability [IOS]

Description
A vulnerability exists in the IOS HTTP server in which HTML code inserted into dynamically generated
output, such as the output from a show buffers command, will be passed to the browser requesting the
page. This HTML code could be interpreted by the browser and potentially execute malicious commands
against the device or other possible cross-site scripting attacks.
See "IOS HTTP Server Command Injection Vulnerability." at Cisco Security Advisories website.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in an attacker executing commands on the device,
including the possibility of gaining full administrative privileges on the device which is dependent on
the privilege level of the authenticated user.
Suggested Fix
If the HTTP server is not used for any legitimate purposes on the device, it is a best practice to disable
it by issuing the following commands in configure mode:
no ip http server no ip http secure-server
HTTP GET Vulnerability - 44162 [IOS]

Description
A vulnerability has been reported by an external researcher in Cisco IOS release for Cisco Aironet
AP1x00 Series Wireless devices. The vulnerability affects only IOS-based Cisco Aironet Wireless
products. The VxWorks based Cisco Aironet Wireless Devices are not affected. This vulnerability can
cause the AP1x00 to reload.
See "HTTP GET Vulnerability in AP1x00." at Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 44162: Verify HTTP GET Vulnerability in AP1x00 Vulnerability[IOS]

OL-25941-01
4-387
Chapter 4
Description
Sending a malformed URL to the Cisco Aironet AP1x00 can cause the device to reload.
Cisco IOS Devices
Impact
This causes device reload. Repeated exploitation of this vulnerability can lead to a prolonged
Denial-of-Service (DoS) of the AP1x00.
Suggested Fix
There are two workarounds for this vulnerability. One is to use access-class or access-list commands to
limit the access to legitimate hosts only, and another workaround is to disable HTTP and use SSH to
administer the Cisco Aironet Access Point.
HTTP Server Query - 13628 [IOS]

Description
A defect in multiple releases of Cisco IOS software will cause a Cisco router or switch to halt and reload
if the IOS HTTP service is enabled, browsing to "http://router-ip/anytext?/" is attempted, and the enable
password is supplied when requested. This defect can be exploited to produce a denial of service (DoS)
attack.
This vulnerability can only be exploited if the enable password is known or not set.
. See "Cisco IOS HTTP Server Query Vulnerability." at Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 13628: Verify HTTP Server Query Vulnerability [IOS]

Description
The HTTP server was introduced in IOS release 11.0 to extend router management to the worldwide
Web. The "?" (question mark) character is defined in the HTML specifications as a delimiter for CGI
arguments. It is also interpreted by the IOS command-line interface as a request for help.
As of Cisco IOS Software Release 12.0T, the meaning of a question mark when it appears adjacent to a
"/" (slash) character cannot be determined properly by the URI parser in affected versions of Cisco IOS
software. When a URI containing "?/" is presented to the HTTP service on the router and a valid enable
password is supplied, the router enters an infinite loop. A watchdog timer expires two minutes later and
forces the router to crash and reload. The router continues to be vulnerable to this defect as long as it is
running an affected IOS software release and the enable password is known.
4-388
OL-25941-01
Chapter 4

This vulnerability may only be exploited if the enable password is not set, it is well known, or it can be
guessed.
Cisco IOS Devices
Impact
An affected Cisco IOS device that is operating with the HTTP service enabled and is not protected by
having the enable password configured can be forced to halt for up to two minutes and then reload. The
vulnerability can be exercised repeatedly, possibly creating a denial of service (DOS) attack, unless the
service is disabled, the enable password is set, or the router is upgraded to a fixed release.
In instances in which a router at a remote location fails to reload, an administrator must visit the site to
enable the device to recover from the defect.
Suggested Fix
In lieu of an upgrade, the threat may be eliminated or reduced by taking any of the following measures:
Select and configure strong enable passwords on networking devices.
Or
Disable the HTTP server using the command no ip http server while in global configuration mode.
Or
If the HTTP server must remain enabled while unrepaired, network access to it can be controlled by
applying a standard access list to the HTTP service itself.
Vulnerability- 111895 [IOS]
Description
Cisco Industrial Ethernet 3000 (IE 3000) Series switches running Cisco IOS Software releases
12.2(52)SE or 12.2(52)SE1, contain a vulnerability where well known SNMP community names are
hard-coded for both read and write access. The hard-coded community names are "public" and "private."
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 111895: Hard-Coded SNMP Community Names in Cisco Industrial Ethernet 3000 Series
Switches Vulnerability [IOS]

OL-25941-01
4-389
Chapter 4
Description
Cisco Industrial Ethernet 3000 Series switches that are running affected versions of Cisco IOS Software
contain hard-coded SNMP read-write community names.
The Cisco Industrial Ethernet 3000 Series is a family of switches that provide a rugged, easy-to-use,
secure infrastructure for harsh environments.
SNMP is used for managing and monitoring the device and community names are the equivalent to a
password.
The hard-coded SNMP community names are:
snmp-server community public RO
snmp-server community private RW
The SNMP community names can be removed; however, the hard-coded community names are reapplied
to the running configuration when the device reloads. Cisco has provided a workaround that ensures the
community names are removed when the device reloads.
Note
Configuring an access list or a restricted mib view:

snmp-server community public RO 99
snmp-server community private RW 99
snmp-server community public view <mib> RO 99
snmp-server community private view <mib> RO 99

The proceeding works as a workaround until the device is reloaded. Once the device is reloaded the
original configuration is inserted without the access lists or mib views assigned to the community names.
Consult the workarounds section of this advisory.
This vulnerability was introduced as part of a new feature integrated into the affected releases called
PROFINET. At the time of the publication of this advisory, PROFINET was only supported on Cisco
Industrial Ethernet 3000 Series switches.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability could result in an attacker obtaining full control of the device
Suggested Fix
Manually Remove SNMP Community Names
Note
The following workaround is only effective until the device is reloaded. Upon each reload of the device
this workaround must be re-applied. Cisco encourages performing a Cisco IOS Software upgrade as a
permanent fix for this vulnerability.
4-390
OL-25941-01
Chapter 4

Log in to the device, and enter configuration mode. Enter the following configuration commands:
no snmp-server community public RO
no snmp-server community private RW
Saving the configuration will update the start-up configuration files; however the hard-coded
community names will be reinserted to the running configuration when the device reloads. This
workaround must be applied each time the device is reloaded.
Automatically Remove SNMP Community Names
By creating an Embedded Event Manager (EEM) policy, it is possible to automatically remove the
hard-coded SNMP community names each time the device is reloaded. The following example shows an
EEM policy that runs each time the device is reloaded and removes the hard-coded SNMP community
names.
event manager applet cisco-sa-20100707-snmp
event timer countdown time 30
action 10 cli command "enable"
action 20 cli command "configure terminal"
action 30 cli command "no snmp-server community public RO"
action 40 cli command "no snmp-server community private RW"
action 50 cli command "end"
action 60 cli command "disable"
action 70 syslog msg "Hard-coded SNMP community names as per Cisco Security Advisory
cisco-sa-20100707-snmp removed"
For more information on EEM policies consult the Cisco IOS Network Management Configuration
Guide - Embedded Event Manager Overview at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6922_TSD_
Products_Configuration_Guide_Chapter.html
should never be allowed to target infrastructure devices and block that traffic at the device interface or
the border of networks.
If SNMP management is not required on the IE3000, then dropping all SNMP traffic to the device is a
sufficient workaround. The iACL below shows an example of an IE3000 with two interfaces configured
with layer 3 access, dropping all SNMP queries destined to the IE3000:
!--!--- Deny SNMP traffic from all other sources destined to
!--- configured IP addresses on the IE3000.
!---
access-list 150 deny udp any host 192.168.0.1 eq snmp

access-list 150 deny udp any host 192.168.1.1 eq snmp

OL-25941-01
4-391
Chapter 4
!--!--- Permit/deny all other Layer 3 and Layer 4 traffic in

!--- accordance with existing security policies and configurations
!--- Permit all other traffic to transit the device.
!---
!--!--- Apply access-list to all Layer 3 interfaces

!--- (only two examples shown)
!---
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip address 192.168.1.1 255.255.255.0
The white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" presents
guidelines and recommended deployment techniques for infrastructure protection access lists. This
white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.
IKE Resource Exhaustion Vulnerability - 110559 [IOS]

Description
Cisco IOS devices that are configured for Internet Key Exchange (IKE) protocol and certificate based
authentication are vulnerable to a resource exhaustion attack. Successful exploitation of this
vulnerability may result in the allocation of all available Phase 1 security associations (SA) and prevent
the establishment of new IPsec sessions.
Cisco IOS Devices
4-392
OL-25941-01
Chapter 4

References

Rule 1
Rule
PSIRT- 110559: Verify IKE Resource Exhaustion Vulnerability [IOS]

Description
A vulnerability exists in the IKE implementation of Cisco IOS Software, if the certificate based
authentication method is used. Successful exploitation of this vulnerability may result in the allocation
of all available Phase 1 SAs, which may prevent new IPSec sessions from being established.
Administrators can view Phase 1 SAs that are allocated as a result of exploitation by issuing the show
crypto isakmp sa command. The following example displays sample output for this command:
Router#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst
src
state
conn-id slot status
10.48.66.77
10.48.66.6
MM_KEY_EXCH
1004 ACTIVE
10.48.66.77
10.48.66.6
MM_KEY_EXCH
1003 ACTIVE
10.48.66.77
10.48.66.6
MM_KEY_EXCH
1002 ACTIVE
....
Any allocated SA can be de-allocated up manually by using the clear crypto isakmp <conn-ID>
command.
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability may result in the allocation of all available Phase 1 SAs,
which may prevent new IPsec sessions from being established.
Suggested Fix
If RSA keys are not needed on the system, the crypto key zeroize rsa command can be used to delete all
RSA keys from your system. Note that this will break all features that are using RSA keys, including the
Secure Shell (SSH). .
Additional mitigations that can be deployed on Cisco devices in the network are available in the Cisco
Applied Mitigation Bulletin companion document.

OL-25941-01
4-393
Chapter 4
IKE Xauth - 64424 [IOS]

Description
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain
vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to
be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete
authentication and potentially access network resources.
See "Vulnerabilities in the Internet Key Exchange Xauth Implementation" at Cisco Security Advisories
website
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 64424: Verify Vulnarabilities in the IKE Xauth Implementation [IOS]

Description
Cisco Internetwork Operating System (IOS) Software release trains 12.2T, 12.3 and 12.3T may contain
vulnerabilities in processing certain Internet Key Exchange (IKE) Xauth messages when configured to
be an Easy VPN Server.
Successful exploitation of these vulnerabilities may permit an unauthorized user to complete
authentication and potentially access network resources.
See "Vulnerabilities in the Internet Key Exchange Xauth Implementation" at Cisco Security Advisories
website
Cisco IOS Devices
Impact
Successful exploitation may result in the affected device allowing an unauthorized user to complete
authentication and access network resources.
Suggested Fix
Because the preshared group password (also referred to as the group key) must be known by an attacker,
the use of a best practice to deploy strong preshared group keys may mitigate a brute-force attack against
this group key.
4-394
OL-25941-01
Chapter 4

IPS ATOMIC.TCP Signature Vulnerability - 81545 [IOS]

Description
The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These
include:
Fragmented IP packets may be used to evade signature inspection.
IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may cause
a router to crash resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available
to address these vulnerabilities for affected customers.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 81545: Verify IPS ATOMIC.TCP Signature Vulnerability [IOS]

Description
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that
enables Cisco IOS software to mitigate network attacks. Cisco IOS IPS enables the network to defend
itself with the intelligence to identify, classify, and stop or block certain malicious or damaging traffic
in real time. The IOS IPS feature set contains multiple vulnerabilities. Only IOS images containing the
IPS feature set are affected by these vulnerabilities.
ATOMIC.TCP Regular Expression Denial of Service Vulnerability
Certain network traffic can trigger IPS signatures which use the regular expression feature of the
ATOMIC.TCP signature engine which may cause the IOS IPS device to crash. This may cause a denial
of service resulting in disruption network traffic. Signature 3123.0 (Netbus Pro Traffic) has been
demonstrated to trigger this vulnerability. There is a workaround for this vulnerability.
Cisco IOS Devices
Impact
Successful exploitation of the ATOMIC.TCP regular expression denial of service vulnerability may
cause an IOS IPS device to crash.
Suggested Fix
There is a workaround for the ATOMIC.TCP regular expression denial of service vulnerability by
deleting IPS signature 3123.0 from the IOS IPS Signature Definition File (SDF). Disabling signature
3123.0 is alone not sufficient for the workaround to be effective. The following commands will delete
signature 3123.0 from an IOS IPS device.

OL-25941-01
4-395
Chapter 4
router#configure terminal
router(config)#ip ips signature 3123 delete
%IPS Signature 3123:0 is marked for deletion

%IPS The signature will be deleted when signatures are reloaded or saved
router(config)#interface FastEthernet0/0
router(config)#no ip ips test in
router(config)#ip ips test in
router(config)#exit
In the above example, signature 3123.0 is first deleted from the Signature Definition File, then the IPS
instance running on interface FastEthernet0/0 is stopped and started to reinitialize the IPS state to reflect
the signature deletion. If the IPS feature set is configured on multiple interfaces, then these steps must
be completed for each affected interface.
To determine if signature 3123 is active, use the show ip ips signature command.
router#show ip ips signatures | include 3123
3123:0
N A
MED
0 100
30 FA N
S46
In the command output above, the N after 3123.0 indicates that the signature is present in the
configuration but not enabled. Once the signature has been deleted, rerunning the show ip ips signature
command shows:
3123:0
N* A
MED
0 100
30 FA N
S46
In the command output above, the N* after 3123.0 indicates that the signature has been deleted from the
configuration. The IPS feature set must be restarted on each interface configured for IPS to complete the
workaround. Once completed, the output of the show ip ips signature command will show:
router#
This vulnerability may affect any IPS signature using the regular expression functionality of the
ATOMIC.TCP engine. Currently, Cisco only ships one signature configured this way (3123.0). If custom
signatures have been added to an IOS IPS device configured use the ATOMIC.TCP engine with a regular
expression, these signatures must also be deleted from the IPS configuration to ensure the effectiveness
of the workaround.
IPS DoS Vulnerability - 107583 [IOS]

Description
The Cisco IOS Intrusion Prevention System (IPS) feature contains a vulnerability in the processing of
certain IPS signatures that use the SERVICE.DNS engine. This vulnerability may cause a router to crash
or hang, resulting in a denial of service condition.
Cisco has released free software updates that address this vulnerability. There is a workaround for this
vulnerability.
4-396
OL-25941-01
Chapter 4

Note
This vulnerability is not related in any way to CVE-2008-1447 - Cache poisoning attacks.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 107583: Verify IPS DoS Vulnerability [IOS]

Description
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection feature that effectively
mitigates a wide range of network attacks. A component of the Cisco IOS Integrated Threat Control
framework and complemented by Cisco IOS Flexible Packet Matching feature, Cisco IOS IPS provides
your network with the intelligence to accurately identify, classify, and stop or block malicious traffic in
real time. Additional information on the Cisco IOS IPS feature can be found at
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_fwids.html.
Previous to the introduction of the Cisco IOS IPS feature, Cisco IOS provided a similar feature, the Cisco
IOS Intrusion Detection System (IDS). The Cisco IOS IDS feature is not affected by this vulnerability.
Additional information on the Cisco IOS IDS feature can be found at
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/ios_ids.html.
Certain network traffic can trigger IPS signatures on the SERVICE.DNS signature engine which may
cause the Cisco IOS device to crash or hang. This may cause a denial of service that results in disruption
of network traffic.
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability may cause a Cisco IOS device configured with the Cisco
IOS IPS feature to crash or hang, resulting in a denial of service condition.
Suggested Fix
The workaround consists of adding an Access Control List (ACL) to every Cisco IOS IPS policy
configured on the device so that traffic destined to ports 53/udp or 53/tcp is not inspected by the Cisco
IOS IPS feature. The following ACL would need to be added to the device configuration:
! deny inspection of traffic with a destination port of 53/udp
access-list 177 deny udp any any eq 53
! deny inspection of traffic with a destination port of 53/tcp
! allow all other traffic to be inspected

OL-25941-01
4-397
Chapter 4

Every instance of a Cisco IOS IPS policy on the device would then need to be modified in order to
reference the previous ACL. In order to determine which Cisco IOS IPS policies are configured on the
device, execute the command show running-config | include ip ips name as in the following example:
Router#show running-config | include ip ips name
ip ips name ios-ips-incoming
ip ips name ios-ips-outgoing
Router#
In the previous example, two Cisco IOS IPS policies are configured on the device. The following
example shows the addition of an ACL to each one of the Cisco IOS IPS policies previously identified:
Router(config)#ip ips name ios-ips-incoming list 177
Router(config)#ip ips name ios-ips-outgoing list 177
Router(config)#end
Router#
As a verification step, the command show ip ips interfaces can be executed again to verify the ACL has
been properly attached to each one of the Cisco IOS IPS policies:
Interface Configuration
Interface FastEthernet0/0
Inbound IPS rule is ios-ips-incoming
acl list 177
Outgoing IPS rule is not set
4-398
OL-25941-01
Chapter 4

Interface FastEthernet0/1
Inbound IPS rule is not set
Outgoing IPS rule is ios-ips-outgoing
acl list 177
Router#
Note
Disabling or deleting individual or all signatures using the SERVICE.DNS engine of the Cisco IOS IPS
feature is not a recommended workaround. The previous workaround is the only Cisco-recommended
workaround for this vulnerability.
IPS Fragmented Packet Vulnerability - 81545 [IOS]

Description
The Intrusion Prevention System (IPS) feature set of Cisco IOS contains several vulnerabilities. These
include:
Fragmented IP packets may be used to evade signature inspection.
IPS signatures utilizing the regular expression feature of the ATOMIC.TCP signature engine may
cause a router to crash resulting in a denial of service.
There are mitigations and workarounds for these vulnerabilities. Cisco has made free software available
to address these vulnerabilities for affected customers.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 81545: Verify IPS Fragmented Packet Vulnerability [IOS]

Description
Cisco IOS Intrusion Prevention System (IPS) is an inline, deep-packet inspection-based feature that
enables Cisco IOS software to mitigate network attacks. Cisco IOS IPS enables the network to defend
itself with the intelligence to identify, classify, and stop or block certain malicious or damaging traffic
in real time. The IOS IPS feature set contains multiple vulnerabilities. Only IOS images containing the
IPS feature set are affected by these vulnerabilities.

OL-25941-01
4-399
Chapter 4
Fragmented Packet Evasion Vulnerability

Some of the IPS signatures utilize regular expressions. Due to a vulnerability, an attacker can evade
those IPS signatures by sending malicious network traffic as IP fragments. This may result in potential
malicious traffic bypassing signature inspection and possibly allow the exploitation of protected
systems. IPS signatures which do not utilize regular expressions are not affected by this vulnerability.
All IP protocols (e.g. TCP, UDP, ICMP) are affected by this vulnerability. There is a mitigation for this
vulnerability.
Cisco IOS Devices
Impact
Successful exploitation of the fragmented packet evasion vulnerability may result in an attacker being
able to evade detection by an IOS IPS device. This could allow protected systems to be covertly attacked.
Suggested Fix
There is a mitigation for the fragmented packet evasion vulnerability. The fragments keyword of IOS
transit Access Control Lists (ACL) can be used to prohibit fragmented IP packets from transiting an IOS
device. More information about filtering IP fragments can be found here:
http://www.cisco.com/en/US/tech/tk648/tk361/
technologies_white_paper09186a00801afc76.shtml#frag
Blocking IP fragments may have adverse affects on some protocols (like HTTP, FTP and
Kerberos/Active Directory), so this workaround should be used with caution.
access-list 100 deny tcp any 10.1.1.0 0.0.0.255 fragments
access-list 100 deny udp any 10.1.1.0 0.0.0.255 fragments
IPSec IKE Malformed Packet - 50430 [IOS]

Description
A malformed Internet Key Exchange (IKE) packet may cause the Cisco Catalyst 6500 Series Switch or
the Cisco 7600 Series Internet Router to reload. Only devices running Cisco IOS software with Crypto
support are affected.
See "Cisco IPSec Malformed IKE Packet Vulnerability" at Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 50430: Verify IPSec Malformed IKE Packet Vulnerability [IOS]
4-400
OL-25941-01
Chapter 4

Description
A malformed Internet Key Exchange (IKE) packet may cause the Cisco Catalyst 6500 Series Switch or
the Cisco 7600 Series Internet Router to reload. Only devices running Cisco IOS software with Crypto
support are affected.
See "Cisco IPSec Malformed IKE Packet Vulnerability" at Cisco Security Advisories website.
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability could result in a reload of the device. Repeated exploitation
could result in a sustained DoS attack.
Suggested Fix
Customers that do not require IPSec functionality on their devices can use the command 'no crypto
isakmp enable' in configuration mode to disable processing of IPSec and eliminate their exposure. As a
possible mitigation, access-lists could be applied on the affected IOS platforms to limit the source IP
addresses permitted to establish IPSec sessions to the device.
IPsec Vulnerability- 111266 [IOS]

Description
A malformed Internet Key Exchange (IKE) packet may cause a device running Cisco IOS Software to
reload. Only Cisco 7200 Series and Cisco 7301 routers running Cisco IOS software with a VPN
Acceleration Module 2+ (VAM2+) installed are affected. Cisco has released free software updates that
address this vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 111266: Verify IOS Software IPsec Vulnerability [IOS]

Description
p>IPsec is an IP security feature that provides robust authentication and encryption of IP packets. IKE
is a key management protocol standard that is used with the IPsec standard.
IKE is a hybrid protocol that implements the Oakley and SKEME key exchanges inside the Internet
Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and
SKEME are security protocols that are implemented by IKE.). More information on IKE is available at
the following link:

OL-25941-01
4-401
Chapter 4
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_key_exch_ips
ec.html
A vulnerability exists in the Cisco IOS Software implementation of IKE where a malformed packet may
cause a device running Cisco IOS Software to reload. Only Cisco 7200 Series and Cisco 7301 routers
running Cisco IOS software with a VPN Acceleration Module 2+ (VAM2+) installed are affected.
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability may cause the affected device to reload. Repeated
exploitation will result in a denial of service (DoS) condition.
Suggested Fix
There are no workarounds available
IPv4 - 44020 [IOS]

Description
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol
version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. Multiple IPv4 packets with
specific protocol fields sent directly to the device may cause the input interface to stop processing traffic
once the input queue is full. Traffic passing through the device cannot block the input queue. No
authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by
default. Devices running only IP version 6 (IPv6) are not affected. Multiple valid workarounds are
available in the form of best practices for situations where software upgrades are not currently feasible.
See "Cisco IOS Interface Blocked by IPv4 Packets."at Cisco Security Advisories website for more
information.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 44020: Verify Cisco IOS Interface Blocked by IPv4 Packets [IOS]
Description
Cisco routers and switches running Cisco IOS software and configured to process Internet Protocol
version 4 (IPv4) packets are vulnerable to a Denial of Service (DoS) attack. Multiple IPv4 packets with
specific protocol fields sent directly to the device may cause the input interface to stop processing traffic
once the input queue is full. Traffic passing through the device cannot block the input queue. No
4-402
OL-25941-01
Chapter 4

authentication is required to process the inbound packet. Processing of IPv4 packets is enabled by
default. Devices running only IP version 6 (IPv6) are not affected. Multiple valid workarounds are
available in the form of best practices for situations where software upgrades are not currently feasible.
See "Cisco IOS Interface Blocked by IPv4 Packets."at Cisco Security Advisories website for more
information.
Cisco IOS Devices
Impact
A device receiving these specifically crafted IPv4 packets will force the inbound interface to stop
processing traffic. The device may stop processing packets destined to the router, including routing
protocol packets and ARP packets. No alarms will be triggered, nor will the router reload to correct
itself. This issue can affect all Cisco devices running Cisco IOS software. This vulnerability may be
exercised repeatedly resulting in loss of availability until a workaround has been applied or the device
has been upgraded to a fixed version of code.
Suggested Fix
Cisco recommends that all IOS devices which process IPv4 packets be configured to block unwanted
traffic, or any traffic directed to the router from an unauthorized source with the use of Access Control
Lists (ACLs).
For devices with interfaces that are currently blocked due to exploitation of this vulnerability, ACL
workarounds may be applied. AFTER APPLYING THE WORKAROUND, the input queue depth may
be raised with the hold-queue in interface command to something larger than the default size of 75.
This will allow traffic flow on the interface. The device may then be reloaded at a convenient time to
release the blocked packets.
For interfaces blocked with PIM packets only, the PIM process may be enabled on the router after
applying a workaround which will clear protocol type 103 packets from the blocked input queue. This
does not clear packets with protocol type 53, 55, or 77 from the input queue.
IPv6 Crafted Packet - 65783 [IOS]

Description
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) and
potentially an arbitrary code execution attack from a specifically crafted IPv6 packet. The packet must
be sent from a local network segment. Only devices that have been explicitly configured to process IPv6
traffic are affected. Upon successful exploitation, the device may reload or be open to further
exploitation.
See "IPv6 Crafted Packet Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices

OL-25941-01
4-403
Chapter 4
References

Rule 1
Rule
PSIRT- 65783: Verify IPv6 Crafted Packet Vulnarability [IOS]

Description
IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering Task Force (IETF) to
replace the current version Internet Protocol, IP Version 4 (IPv4).
A vulnerability exists in the processing of IPv6 packets. Crafted packets from the local segment received
on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger
this vulnerability. Crafted packets can not traverse a 6to4 tunnel and attack a box across the tunnel.
The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability
can not be exploited one or more hops from the IOS device. See "IPv6 Crafted Packet Vulnerability." at
Cisco IOS Devices
Impact
execution of arbitrary code. Repeated exploitation could result in a sustained DoS attack or execution of
arbitrary code on Cisco IOS devices.
Successful exploitation of the vulnerability on Cisco IOS-XR may result in a restart of the IPv6 neighbor
discovery process. A restart of this process will only affect IPv6 traffic passing through the system. All
other processes and traffic will be unaffected. Repeated exploitation could result in a sustained DoS
attack on IPv6 traffic.
Suggested Fix
In networks where IPv6 is not needed but enabled, disabling IPv6 processing on an IOS device will
eliminate exposure to this vulnerability. On a router which is configured for IPv6, this must be done by
issuing the command no ipv6 enable and no ipv6 address on each interface.
IPv6 Routing Header - 72372 [IOS]

Description
Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS
software. This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6.
IPv6 is not enabled by default in Cisco IOS.
There are workarounds available to mitigate the effects of the vulnerability. The workaround depends
on if Mobile IPv6 is used and what version on Cisco IOS is being currently used.
4-404
OL-25941-01
Chapter 4

This vulnerability was initially reported by a customer and further trigger vector was discovered during
developing the fix for this vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 72372: Verify IPv6 Routing Header Vulnerability [IOS]

Description
This vulnerability can be triggered only when Cisco IOS processes specifically crafted IPv6 Type 0
Routing headers, which are used for source routing. Source routing is when an originator node explicitly
specifies the exact path that a packet must take to reach the destination. Source routing is enabled by
default on Cisco IOS if IPv6 is configured on the device. In order to trigger this vulnerability the packet
must be destined to any of the IPv6 addresses defined on the device. The exact packet type is not relevant
(e.g., TCP, ICMP, UDP) as the vulnerability is on the IP layer. For this reason care must be taken when
implementing a workaround as this vulnerability can be triggered by a spoofed packet.
IPv6 multicast packets can not be used to trigger this vulnerability.
In addition to Type 0 Routing headers, IPv6 also supports Type 2 Routing that is used in Mobile IPv6
implementation. Type 2 Routing headers can not be used to trigger the vulnerability described in this
Advisory.
A router running vulnerable Cisco IOS software will process Type 0 Routing headers only if the
destination address in the IPv6 packet is one of the IPv6 addresses defined on any of the interfaces. The
address may be either a global (i.e., routable), loopback or link local address. Link local addresses are
not supposed to be routable and they are valid only among directly connected devices.
A device may also be susceptible in scenarios where IPv6 packets are tunneled over IPv4 networks
provided that the IPv6 destination address (after de-encapsulation) is one of the IPv6 addresses defined
on the device. This is independent of the exact encapsulation method used (e.g., MPLS, GRE or
IPv6-in-IPv4).
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability listed in this Advisory can corrupt some memory structures.
In most cases this will cause the affected device to crash and repeated exploitation could result in a
sustained DoS attack. However, due to memory corruption, there is a potential to execute an arbitrary
code. In the event of a successful remote code execution, device integrity will have been completely
compromised.

OL-25941-01
4-405
Chapter 4
Suggested Fix
The workaround consists of filtering packets that contain Type 0 Routing header(s). Special attention
must be paid not to filter packets with Type 2 Routing headers as that would break Mobile IPv6
deployment.
Information Leakage Using IPv6 Routing Header - 97848 [IOS]

Description
Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets
with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage
on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device.
Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the
device itself, but may result in a crash of the IPv6 subsystem.
Cisco has made free software available to address this vulnerability for affected customers. There are
workarounds available to mitigate the effects of the vulnerability.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 97848: Verify Information Leakage Using IPv6 Routing Header [IOS]
Description
Cisco IOS and Cisco IOS XR contain a vulnerability when processing specially crafted IPv6 packets
with a Type 0 Routing Header present. Exploitation of this vulnerability can lead to information leakage
on affected IOS and IOS XR devices, and may also result in a crash of the affected IOS device.
Successful exploitation on an affected device running Cisco IOS XR will not result in a crash of the
device itself, but may result in a crash of the IPv6 subsystem.
Cisco has made free software available to address this vulnerability for affected customers. There are
workarounds available to mitigate the effects of the vulnerability.
This vulnerability affects devices that are configured to use the IPv6 protocol and are running affected
versions
Successful exploitation of the vulnerability described in this document may result in swapping memory
between the destination IPv6 address in the IPv6 packet header and 16 bytes from the packet buffer
memory. Memory that can be accessed through this vulnerability can not be further than 1500 bytes from
the packet header start.
Cisco IOS Devices
4-406
OL-25941-01
Chapter 4

Impact
Successful exploitation of this vulnerability may result in the swapping of memory between the
destination IPv6 address field and packet buffer memory. This can lead to the leakage of data from the
buffer memory in the form of an IPv6 destination address and, in a worst case scenario for devices
running Cisco IOS, a complete crash of the IOS device.
Note
Given that the destination IPv6 address will contain the contents of a buffer memory, the packet may not
get routed outside of the local network. Depending on the exact destination address the packet may get
dropped by the next router or on the targeted router itself if it does not have route to the newly formed
IPv6 address.
In the case of Cisco IOS XR, successful exploitation will not crash the whole device but only lead to a
restart of the IPv6 subsystem. Successful repeated exploitation of this vulnerability may lead to a
sustained denial of service (DoS) of all upper layer services that use IPv6 as the transport protocol but
not the whole device.
Suggested Fix
The workaround consists of filtering packets that contain Type 0 Routing header(s). Special attention
must be paid not to filter packets with Type 2 Routing headers as that would break a Mobile IPv6
deployment. Depending on which Cisco IOS software release is used, and if Mobile IPv6 is deployed,
there are several potential workarounds. Because any packet type (TCP, UDP, ICMP) can be used to
trigger this vulnerability, care must be taken when implementing a workaround to account for a spoofed
IPv6 packet.
Inter Process Communication (IPC) Vulnerabilty - 107661 [IOS]

Description
Cisco 10000, uBR10012 and uBR7200 series devices use a User Datagram Protocol (UDP) based
Inter-Process Communication (IPC) channel that is externally reachable. An attacker could exploit this
vulnerability to cause a denial of service (DoS) condition on affected devices. No other platforms are
affected.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT- 107661: Verify Inter Process Communication (IPC) Vulnerability [IOS]

OL-25941-01
4-407
Chapter 4
Description
Cisco 10000, uBR10012 and uBR7200 series devices use a UDP-based IPC channel. This channel uses
addresses from the 127.0.0.0/8 range and UDP port 1975. Cisco 10000, uBR10012 and uBR7200 series
devices that are running an affected version of Cisco IOS will process IPC messages that are sent to UDP
port 1975 from outside of the device. This behavior may be exploited by an attacker to cause a reload of
the device, linecards, or both, resulting in a DoS condition.
Filtering unauthorized traffic destined to 127.0.0.0/8 or UDP port 1975 will mitigate this vulnerability.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in a reload of the device, linecards, or both,
resulting in a DoS condition.
Suggested Fix
Workarounds consist of filtering packets that are sent to 127.0.0.0/8 range and UDP packets that are sent
to port 1975.
Using Interface Access Control Lists
Access lists that filter UDP packets destined to port 1975 can be used to mitigate this vulnerability. UDP
port 1975 is a registered port number that can be used by certain applications. However, filtering all
packets that are destined to UDP port 1975 may cause some applications to malfunction. Therefore,
access lists need to explicitly deny UDP 1975 packets that are sent to any router interface IP addresses
and permit transit traffic. Such access lists need to be applied on all interfaces to be effective. Since the
IPC channel uses addresses from the 127.0.0.0/8 range, it is also necessary to filter packets that are
sourced from or destined to this range. An example is given below:
access-list 100 deny udp any host <router-interface 1> eq 1975
access-list 100 deny udp any host <router-interface 2> eq 1975
access-list 100 deny udp any host <router-interface ...> eq 1975
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 deny ip any 127.0.0.0 0.255.255.255
interface Serial 0/0

Using Control Plane Policing
Control Plane Policing (CoPP) can be used to block untrusted UDP port 1975 access to the affected
device. Cisco IOS software releases 12.2BC and 12.2SCA support the CoPP feature. CoPP may be
configured on a device to protect the management and control planes to minimize the risk and
effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic sent to
infrastructure devices in accordance with existing security policies and configurations. The following
example can be adapted to your network.
Note
CoPP is not supported on uBR10012 series devices.
4-408
OL-25941-01
Chapter 4

!-- Permit all UDP/1975 traffic so that it

!-- will be policed and dropped by the CoPP feature
!
access-list 111 permit ip any 127.0.0.0 0.255.255.255
access-list 111 permit ip 127.0.0.0 0.255.255.255 any
!
!-- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
!-- Layer 4 traffic in accordance with existing security policies
!-- and configurations for traffic that is authorized to be sent
!-- to infrastructure devices
!
!-- Create a Class-Map for traffic to be policed by the CoPP
!-- feature
!
class-map match-all drop-IPC-class
!
!-- Create a Policy-Map that will be applied to the Control-Plane
!-- of the device
!
policy-map drop-IPC-traffic
class drop-IPC-class
drop
!
!-- Apply the Policy-Map to the Control-Plane of the device
!
control-plane
service-policy input drop-IPC-traffic
!

OL-25941-01
4-409
Chapter 4
In the above CoPP example, the access control list entries (ACEs) which match the potential exploit
packets with the "permit" action result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are not affected by the policy-map drop
function.
Please note that in the Cisco IOS 12.2S and 12.0S trains the policy-map syntax is different:
!
policy-map drop-IPC-traffic class drop-IPC-class
!
Using Infrastructure ACLs at Network Boundary
Although it is often difficult to block traffic transiting your network, it is possible to identify traffic
which should never be allowed to target your infrastructure devices and block that traffic at the border
of your network. iACLs are a network security best practice and should be considered as a long-term
addition to good network security as well as a workaround for this specific vulnerability. The iACL
example shown below should be included as part of the deployed infrastructure access-list which will
protect all devices with IP addresses in the infrastructure IP address range:
!-- Note: IPC packets sent to UDP destination port 1975 must not
!--
be permitted from any trusted source as this traffic
!--
should only be sent and received internally by the
!--
affected device using an IP address allocated from the
!--
127.0.0.0/8 prefix.
!-!--
IPC that traffic that is internally generated and sent
!--
and/or received by the affected device is not subjected
!--
to packet filtering by the applied iACL policy.
!
!-- Deny IPC (UDP port 1975) packets from all sources destined to
!-- all IP addresses configured on the affected device.
!
access-list 150 deny udp any host INTERFACE_ADDRESS#1 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#2 eq 1975
access-list 150 deny udp any host INTERFACE_ADDRESS#N eq 1975
!
!-- Deny all IP packets with a source or destination IP address
!-- from the 127.0.0.0/8 prefix.
!
4-410
OL-25941-01
Chapter 4

access-list 150 deny ip any 127.0.0.0 0.255.255.255

!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance

!-- with existing security policies and configurations.
!
!-- Permit all other traffic to transit the device.
!
!
!-- Apply iACL to interfaces in the ingress direction.
!
!
Note
iACLs that filter UDP packets destined to port 1975 can be used to mitigate this vulnerability. However,
UDP port 1975 is a registered port number that can be used by certain applications. Filtering all packets
that are destined to UDP port 1975 may cause some applications to malfunction. Therefore, the iACL
policy needs to explicitly deny UDP packets using a destination port of 1975 that are sent to any router
interface IP addresses for affected devices, then permit and/or deny all other Layer 3 and Layer 4 traffic
in accordance with existing security policies and configurations, and then permit all other traffic to
transit the device. iACLs must be applied on all interfaces to be used effectively. Since the IPC channel
uses addresses from the 127.0.0.0/8 range, it is also necessary to filter packets that are sourced from or
destined to this range as provided in the preceding example.
guidelines and recommended deployment techniques for infrastructure protection access lists.

OL-25941-01
4-411
Chapter 4
Additional Mitigation Techniques

Additional mitigation techniques that can be deployed on Cisco devices within the network are available
in the Cisco Applied Mitigation Bulletin companion document.
Layer 2 Tunneling Protocol (l2TP) DoS Vulnerability - 107441

Description
A vulnerability exists in the Cisco IOS software implementation of Layer 2 Tunneling Protocol (L2TP),
which affects limited Cisco IOS software releases. Several features enable the L2TP mgmt daemon
process within Cisco IOS software, including but not limited to Layer 2 virtual private networks
(L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack Group Bidding Protocol (SGBP) and
Cisco Virtual Private Dial-Up Networks (VPDN). Once this process is enabled the device is vulnerable.
This vulnerability will result in a reload of the device when processing a specially crafted L2TP packet.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-107441: Verify Layer 2 Tunneling Protocol(L2TP) Dos Vulnerability [IOS]

Description
A device running affected 12.2 and 12.4 versions of Cisco IOS and that has the L2TP mgmt daemon
process running will reload when processing a specially crafted L2TP packet.
Several features leverage the L2TP protocol and start the L2TP mgmt daemon within Cisco IOS. These
features have been outlined in this advisory under the Vulnerable Products section.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability will result in a reload of the device. Repeated exploitation
may result in an extended denial of service (DoS) condition.
Suggested Fix
Note
L2TP implementations will need to allow UDP 1701, from trusted addresses to infrastructure
addresses. This does not provide for a full mitigation as the source addresses may be spoofed.
Note
L2TPv3 over IP only implementations need to deny all UDP 1701 from anywhere to the
infrastructure addresses.
4-412
OL-25941-01
Chapter 4

Infrastructure Access Control Lists Although it is often difficult to block traffic that transits a network,
it is possible to identify traffic that should never be allowed to target infrastructure devices and block
that traffic at the border of networks. Infrastructure Access Control Lists (iACLs) are a network security
best practice and should be considered as a long-term addition to good network security as well as a
workaround for these specific vulnerabilities. The iACL example below should be included as part of
the deployed infrastructure access-list which will protect all devices with IP addresses in the
infrastructure IP address range:
!--- Permit L2TP UDP 1701 packets from all trusted
!--- sources destined to infrastructure addresses.
!--- NOTE: This does not prevent spoofed attacks.
!---
To be a full mitigation, no trusted source
!---
addresses should be listed.
!---
Omit this line if using a L2TPv3 over IP implementation only.
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES MASK

INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Deny L2TP UDP 1701 packets from all
!--- sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using a L2TPv3 over IP implementation ensure to allow L2TPv3
access-list 150 permit 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
!--- Apply access-list to all interfaces (only one example shown)
interface serial 2/0
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Control Plane Policing Control Plane Policing (CoPP) can be used to block L2TP access to the device.
Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature.
CoPP can be configured on a device to protect the management and control planes and minimize the risk
and effectiveness of direct infrastructure attacks by explicitly permitting only authorized traffic that is
sent to infrastructure devices in accordance with existing security policies and configurations. The CoPP
example below should be included as part of the deployed CoPP which will protect all devices with IP
addresses in the infrastructure IP address range.

OL-25941-01
4-413
Chapter 4
!--- Deny all trusted source L2TP UDP traffic sent to all IP addresses
!--- configured on all interfaces of the affected device so that it
!--- will not be policed by the CoPP feature.
!--- NOTE: This does not prevent spoofed attacks.
!---
To be a full mitigation, no trusted source
!---
addresses should be listed.
!---
Omit this line if using an L2TPv3 over IP implementation only.
access-list 111 deny udp TRUSTED_SOURCE_ADDRESSES MASK

INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- Permit all L2TP UDP traffic sent to all IP addresses
!--- will be policed and dropped by the CoPP feature
access-list 111 permit udp any INFRASTRUCTURE_ADDRESSES MASK eq 1701
!--- If using an L2TPv3 over IP implementation ensure not to drop L2TPv3
access-list 111 deny 115 <source_ip_address and mask>
<destination_ip_address and mask>
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent
!--- to infrastructure devices
!--- Create a Class-Map for traffic to be policed by
!--- the CoPP feature
class-map match-all drop-l2tp-class
!--- Create a Policy-Map that will be applied to the
!--- Control-Plane of the device.
policy-map drop-l2tp-traffic
class drop-l2tp-class
drop
!--- Apply the Policy-Map to the
!--- Control-Plane of the device
control-plane
service-policy input drop-l2tp-traffic
In the above CoPP example, the access control list entries (ACEs) that match the potential exploit
function. Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS trains:
policy-map drop-l2tp-traffic
4-414
OL-25941-01
Chapter 4

class drop-l2tp-class
Additional information on the configuration and use of the CoPP feature is available at the following
link: http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
MPLS - 63846 [IOS]

Description
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label
Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on interfaces where MPLS is not
configured. A system that supports MPLS is vulnerable even if that system is not configured for MPLS.
See "Crafted Packet Causes Reload on Cisco Routers." at Cisco Security Advisories website
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 63846: Crafted packet causes reload on devices supporting MPLS. [IOS]
Description
Cisco Routers running Internetwork Operating System (IOS) that supports Multi Protocol Label
Switching (MPLS) are vulnerable to a Denial of Service (DoS) attack on interfaces where MPLS is not
configured. A system that supports MPLS is vulnerable even if that system is not configured for MPLS.
See "Crafted Packet Causes Reload on Cisco Routers." at Cisco Security Advisories website
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability could result in a reload of the device. Repeated exploitation
could result in a sustained DoS attack.
Suggested Fix
Enabling MPLS Traffic Engineering (MPLS TE) globally can be used as a workaround to mitigate this
vulnerability. Since MPLS requires Cisco Express Forwarding (CEF) in order to work, CEF needs to be
enabled first in order to enable MPLS TE.

OL-25941-01
4-415
Chapter 4
Using this workaround may affect the operation of your network and might cause problems. Therefore
it is strongly recommended that you do a code upgrade if you are affected. It is not recommended that
you use the workaround as a long term solution.
MPLS Forwarding Infrastructure DoS Vulnerability - 107646

Description
Cisco IOS Software Multi Protocol Label Switching (MPLS) Forwarding Infrastructure (MFI) is
vulnerable to a Denial of Service (DoS) attack from specially crafted packets. Only the MFI is affected
by this vulnerability. Older Label Forwarding Information Base (LFIB) implementation, which is
replaced by MFI, is not affected.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT-107646: Verify MPLS Forwarding Infrastructure DoS Vulnerability [IOS]

Description
In newer versions of Cisco IOS software, a new packet forwarding infrastructure was introduced to
improve scalability and performance. This forwarding infrastructure, called MFI, is transparent to the
user. MFI manages MPLS data structures used for forwarding and replaces the older implementation,
Label Forwarding Information Base (LFIB). Cisco IOS MFI implementation is vulnerable to a DoS
attack from specially crafted packets that are handled in the software path, including transit packets that
are handled in the software path. Such packets can be sent from the local segment to the interfaces that
are configured for MPLS or via tunnel interfaces that are configured for MPLS. To target a remote
system in an MPLS network, an attacker needs to have access to the MPLS network through an
MPLS-enabled interface. MPLS packets are dropped on interfaces that are not configured for MPLS.
Devices that support MFI will have mfi_ios in the output of the show subsys command. Interfaces that
are enabled for MPLS can be seen by the show mpls interface command.
More information on MFI can be found at the following link:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_lsc_remove
Cisco IOS Devices
4-416
OL-25941-01
Chapter 4

Impact
Successful exploitation of this vulnerability may result in the reload of the device, leading to a DoS
condition.
Suggested Fix
MPLS is normally enabled on physical and logical interfaces that are shared with other MPLS-enabled
devices. It can be disabled on interfaces where MPLS is not necessary and from which a potential attack
can be launched. This action may help to limit the exposure of this vulnerability.
If it is not possible to disable MPLS on interfaces from which an attack can be launched, there are no
workarounds to mitigate this vulnerability.
MPLS VPN May Leak Information Vulnerability - 107578

Description
Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label
Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite)
and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE)
devices may permit information to propagate between VPNs.
Workarounds are available to help mitigate this vulnerability.
This issue is triggered by a logic error when processing extended communities on the PE device.
This issue cannot be deterministically exploited by an attacker.
these vulnerabilities are available.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 107578: Verify MPLS VPN May Leak Information Vulnerability [IOS]
Description
MPLS VPNs allow for the creation of 'virtual networks' that customers can use to segregate traffic into
multiple, isolated VPNs. Traffic within each MPLS VPN is kept separate from the others, thereby
maintaining a virtual private network.
More information on MPLS and MPLS VPNs is available at the following link:
http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html
A bug exists when processing extended communities with MPLS VPNs. If extended communities are
used, MPLS VPN may incorrectly use a corrupted route target (RT) to forward traffic. If this occurs,
traffic can leak from one MPLS VPN to another.

OL-25941-01
4-417
Chapter 4
This vulnerability exists whenever an affected PE device has a BGP session running in the MPLS VPN
Virtual Routing and Forwarding (VRF). The following two examples of this scenario are the most
common:
1.
MPLS VPN configuration with BGP running inside the VRF between the PE and CE devices.
2.
MPLS Inter-AS option A with BGP running between the Autonomous System Border Routers
(ASBR).
The mitigation in the Workarounds section filters extended communities on a PE device, preventing
them from being received by devices configured for MPLS VPN.
This vulnerability was introduced with Cisco bug ID CSCee83237. Cisco IOS images that do not include
CSCee83237 are not vulnerable to this issue.
It is important to note that this condition cannot be triggered by an attacker and that the condition does
not provide ways to determine the flow of traffic between VPNs
Cisco IOS Devices
Impact
This vulnerability may cause traffic to be improperly routed between MPLS VPNs, which may lead to
a breach of confidentiality.
Suggested Fix
Customers running versions of Cisco IOS that support filtering of extended communities can prevent the
corruption of the route target (RT) by applying a BGP route-map that removes RT entries on inbound
BGP sessions.
The following configuration example applied in the ipv4 address family of a PE device removes
extended communities from the CE router:
router bgp <Local AS>
address-family ipv4 vrf one
neighbor <neighbor IP>
remote-as <Remote AS>
activate neighbor <neighbor IP>
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete
!
The following configuration example applied in the ipv6 address family of a PE device removes
extended communities from the CE router:
router bgp <Local AS>
4-418
OL-25941-01
Chapter 4

address-family ipv6 vrf one

remote-as <Remote AS>
activate neighbor <neighbor IP>
route-map FILTER in exit-address-family
!
ip extcommunity-list 100 permit _RT.*_
!
!
route-map FILTER permit 10
set extcomm-list 100 delete!
Note
The capability of filtering extended communities is only available in certain 12.0S and 12.2S
based Cisco IOS releases.
BGP session between the PE and the CE needs to cleared to make this configuration change effective.
Mobile IP and IPv6 Vulnerabilities - 109487

Description
Devices that are running Cisco IOS Software and configured for Mobile IP Network Address Translation
(NAT) Traversal feature or Mobile IPv6 are vulnerable to a denial of service (DoS) attack that may result
in a blocked interface.
Cisco IOS Devices

OL-25941-01
4-419
Chapter 4
References

Rule 1
Rule
PSIRT - 109487 Verify Mobile IP and IPv6 Vulnerabilities [IOS]

Description
Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a host device to be identified by a
single IP address even though the device may move its physical point of attachment from one network
to another. Regardless of movement between different networks, connectivity at the different points is
achieved seamlessly without user intervention. Roaming from a wired network to a wireless or wide-area
network is also possible.
More information on Mobile IPv6 can be found at the following link:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html
The Mobile IP Support NAT Traversal feature is documented in RFC 3519. It introduces an alternative
method for tunneling Mobile IP data traffic. New extensions in the Mobile IP registration request and
reply messages have been added for establishing User Datagram Protocol (UDP) tunneling. This feature
allows mobile devices in collocated mode that use a private IP address (RFC 1918) or foreign agents
(FAs) that use a private IP address for the care-of address (CoA) to establish a tunnel and traverse a
NAT-enabled router with mobile node (MN) data traffic from the home agent (HA).
More information on Mobile IP NAT Traversal feature can be found at the following link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtnatmip.html
Devices that are running an affected version of Cisco IOS Software and configured for Mobile IPv6 or
Mobile IP NAT Traversal feature are affected by a DoS vulnerability. A successful exploitation of this
vulnerability could cause an interface to stop processing traffic until the system is restarted. Offending
packets need to be destined to the router for a successful exploit.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in an interface to stop processing traffic, causing
a DoS condition.
Suggested Fix
The following mitigation and identification methods have been identified for these vulnerabilities:
considered as a long-term addition to good network security as well as a workaround for these specific
vulnerabilities. The iACL example below should be included as part of the deployed infrastructure
access-list which will protect all devices with IP addresses in the infrastructure IP address range:
4-420
OL-25941-01
Chapter 4

IPv4 example:
!--- Anti-spoofing entries are shown here.
!--- Deny special-use address sources.
!--- Refer to RFC 3330 for additional special use addresses.
access-list 110 deny ip host 0.0.0.0 any

!--- Filter RFC 1918 space.

!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.
access-list 110 deny ip YOUR_CIDR_BLOCK any

!--- Permit BGP.
access-list 110 permit tcp host bgp_peer host router_ip eq bgp

access-list 110 permit tcp host bgp_peer eq bgp host router_ip
!--- Deny access to internal infrastructure addresses.
access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES
!--- Permit transit traffic.

IPv6 example:
!--- Configure the access-list.
ipv6 access-list iacl

!--- Deny your space as source from entering your AS.
!--- Deploy only at the AS edge.

OL-25941-01
4-421
Chapter 4
deny ipv6 YOUR_CIDR_BLOCK_IPV6 any

!--- Permit multiprotocol BGP.
permit tcp host bgp_peer_ipv6 host router_ipv6 eq bgp

permit tcp host bgp_peer_ipv6 eq bgp host router_ipv6
!--- Deny access to internal infrastructure addresses.
deny ipv6 any INTERNAL_INFRASTRUCTURE_ADDRESSES_IPV6

!--- Permit transit traffic.
permit ipv6 any any

white paper can be obtained at the following link
Cisco IOS Embedded Event Manager
It is possible to detect blocked interface queues with a Cisco IOS Embedded Event Manager (EEM)
policy. EEM provides event detection and reaction capabilities on a Cisco IOS device. EEM can alert
A sample EEM policy that uses syslog to alert administrators of blocked interfaces is available at Cisco
Beyond, an online community dedicated to EEM. A sample script is available at the following link:
https://supportforums.cisco.com/community/netpro/network-infrastructure/eem
More information about EEM is available from Cisco.com at the following link:
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.
Multicast Virtual Private Network (MVPN) Date Leak - 100374 [IOS]

Description
A vulnerability in the Cisco implementation of Multicast Virtual Private Network (MVPN) is subject to
exploitation that can allow a malicious user to create extra multicast states on the core routers or receive
multicast traffic from other Multiprotocol Label Switching (MPLS) based Virtual Private Networks
(VPN) by sending specially crafted messages.
Cisco IOS Devices
4-422
OL-25941-01
Chapter 4

Refersences

public forum, or recommendations to mitigate general problems affecting network stability
Rule 1
Rule
PSIRT -100374: Verify Virtual MVPN Data Leak Vulnerability [IOS]

Description
Devices that run Cisco IOS and are configured for MVPN are affected.
An IOS device that is configured for MVPN has a line that is similar to this in the running configuration
example:
mdt default <group-address>
A vulnerability exists in the implementation of MVPN that allows an attacker to send specially crafted
Multicast Distribution Tree (MDT) Data Join messages that can cause the creation of extra multicast
states on the core routers. MDT Data Join messages can be sent in unicast or multicast. The vulnerability
can also allow leaking multicast traffic from different MPLS VPNs. It is possible to receive multicast
traffic from VPNs that are not connected to the same Provider Edge (PE) router. In order to successfully
exploit this vulnerability, an attacker needs to know or guess the Border Gateway Protocol (BGP)
peering IP address of a remote PE router and the address of the multicast group that is used in other
MPLS VPNs.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability can result in the creation of extra multicast states on the core
routers or the leaking of multicast traffic from one MPLS VPN to another.
Suggested Fix
The workaround for this vulnerability consists of filtering MDT Data Join packets on the PE device.
The workarounds need to be applied on all Virtual Routing and Forwarding (VRF) interfaces of all PE
routers. Otherwise, attackers can target remote PE routers and can still exploit this vulnerability.
Even if only one PE router in the network runs an unfixed version of IOS code, it is vulnerable to packets
that come from systems that are connected to remote PE routers. In such a case, workarounds need to be
deployed on all PE routers to successfully mitigate this vulnerability.
The mdt data <group> <mask> or mdt data <group> <mask> threshold <n> list <acl> commands do
not mitigate this vulnerability.

OL-25941-01
4-423
Chapter 4
Multiple Crafted IPv6 Packets - 63844

Description
Cisco Internetwork Operating System (IOS) Software is vulnerable to a Denial of Service (DoS) attack
from crafted IPv6 packets when the device has been configured to process IPv6 traffic. This
vulnerability requires multiple crafted packets to be sent to the device which may result in a reload upon
successful exploitation.
See "Multiple Crafted IPv6 Packets Cause Reload." at Cisco Security Advisories website
Cisco IOS Devices
References

Rule 1
Rule
PSIRT-63844: Verify Multiple Crafted IPv6 Packets Cause Reload. [IOS]

Description
IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering Task Force (IETF) to
replace the current version Internet Protocol, IP Version 4 (IPv4).
A vulnerability exists in the processing of IPv6 packets that can be exploited to cause the reload of a
system. Crafted packets received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as
physical interfaces can trigger this vulnerability.
Multiple crafted IPv6 packets need to be sent to exploit this vulnerability. Such crafted packets can be
sent remotely.
Cisco IOS Devices
Impact
Suggested Fix
In networks where IPv6 is not needed but enabled, disabling IPv6 processing on an IOS device will
eliminate exposure to this vulnerability. On a router which is configured for IPv6, this must be done by
issuing the command no ipv6 enable and no ipv6 address on each interface.
4-424
OL-25941-01
Chapter 4

Multiple DNS Cache Poisioning Attacks - 107064 [IOS]

Description
Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently
randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which
may allow an attacker to more easily forge DNS answers that can poison DNS caches.
To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform
recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is
not allowed, are not affected.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT-107064: Verify Mulyiple DNS Cache POisioning Attacks Vulnerability [IOS]

Description
A device that is running Cisco IOS Software will be affected if it is running a vulnerable version and if
it is acting as a DNS server.
All Cisco IOS Software releases that support the DNS server functionality and that have not had their
DNS implementation improved are affected.
A device that is running Cisco IOS Software is configured to act as a DNS server if the command ip dns
server is present in the configuration. This command is not enabled by default.
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability described in this document may result in invalid
hostname-to-IP address mappings in the cache of an affected DNS server. This may lead users of this
DNS server to contact the wrong provider of network services. The ultimate impact varies greatly,
ranging from a simple denial of service (for example, making www.example.com resolve to 127.0.0.1)
to phishing and financial fraud.
Suggested Fix
Disable DNS server using the command

no ip dns server

OL-25941-01
4-425
Chapter 4
Additional information about identification and mitigation of attacks against DNS is in the Cisco
Applied Intelligence white paper "DNS Best Practices, Network Protections, and Attack Identification,"
available at http://www.cisco.com/web/about/security/intelligence/dns-bcp.html.
Multiple Features Crafted TCP Sequence Vulnerability - 109337

Description
Cisco IOS Software contains a vulnerability in multiple features that could allow an attacker to cause a
denial of service (DoS) condition on the affected device. A sequence of specially crafted TCP packets
can cause the vulnerable device to reload.
Several mitigation strategies are outlined in the workarounds section of this advisory.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 109337: Verify Crafted TCP Sequence Vulnerability [IOS]

Description
Devices running affected versions of Cisco IOS Software and Cisco IOS XE Software are affected when
configured to use any of the following features within Cisco IOS:
Airline Product Set (ALPS)
Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
Native Client Interface Architecture support (NCIA)
Data-link switching (DLSw)
Remote Source-Route Bridging (RSRB)
Point to Point Tunneling Protocol (PPTP)
X.25 for Record Boundary Preservation (RBP)
X.25 over TCP (XOT)
X.25 Routing
Information on how to determine whether an affected feature is enabled on a device are provided in the
Details section of this advisory.
Cisco IOS Devices
4-426
OL-25941-01
Chapter 4

Impact
Successful exploitation of this vulnerability will cause the device to reload. Repeated attempts to exploit
this vulnerability could result in a sustained DoS condition.
Suggested Fix
The following mitigations have been identified for this vulnerability, which may help protect an
infrastructure until an upgrade to a fixed version of Cisco IOS software can be scheduled:
vulnerabilities.
Receive ACLs (rACL)
For distributed platforms, Receive ACLs may be an option starting in Cisco IOS Software Versions
12.0(21)S2 for the 12000 (GSR), 12.0(24)S for the 7500, and 12.0(31)S for the 10720. The Receive ACL
protects the device from harmful traffic before the traffic can impact the route processor. Receive ACLs
are designed to only protect the device on which it is configured. On the 12000, 7500, and 10720, transit
traffic is never affected by a receive ACL. Because of this, the destination IP address "any" used in the
example ACL entries below only refer to the router's own physical or virtual IP addresses. Receive ACLs
are considered a network security best practice, and should be considered as a long-term addition to good
network security, as well as a workaround for this specific vulnerability. The white paper entitled
"Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and
recommended deployment techniques for infrastructure protection access lists. This white paper can be
obtained at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml.
Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device.
sent to infrastructure devices in accordance with existing security policies and configurations.
"Cisco Applied Mitigation Bulletin" companion document.
Multiple Features IP Sockets Vulnerability - 109333 [IOS]

Description
A vulnerability in the handling of IP sockets can cause devices to be vulnerable to a denial of service
attack when any of several features of Cisco IOS Software are enabled. A sequence of specially crafted
TCP/IP packets could cause any of the following results:
The configured feature may stop accepting new connections or sessions.
The memory of the device may be consumed.
The device may experience prolonged high CPU utilization.
The device may reload.

OL-25941-01
4-427
Chapter 4
Several mitigation strategies are outlined in the "Workarounds" section of this advisory.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT- 109333: Verify Multiple Features IP Sockets Vulnerability [IOS]

Description
Devices that are running affected versions of Cisco IOS Software and Cisco IOS XE Software are
affected if they are running any of the following features. Details about confirming whether the affected
feature is enabled on a device are in the "Details" section of this advisory.
Cisco Unified Communications Manager Express
SIP Gateway Signaling Support Over Transport Layer Security (TLS) Transport
Secure Signaling and Media Encryption
Blocks Extensible Exchange Protocol (BEEP)
Network Admission Control HTTP Authentication Proxy
Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication Bypass
Distributed Director with HTTP Redirects
DNS (TCP mode only)
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in the any of the following occurring:
The configured feature may stop accepting new connections or sessions.
The memory of the device may be consumed.
The device may experience prolonged high CPU utilization.
The device may reload.
Repeated attempts to exploit this vulnerability could result in a sustained DoS condition.
4-428
OL-25941-01
Chapter 4

Suggested Fix
The following mitigations have been identified for this vulnerability:

vulnerabilities.
Receive ACLs (rACL)
network security, as well as a workaround for this specific vulnerability. The white paper entitled "GSR:
Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny
all unwanted packets. This white paper is available at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml.
Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device.
sent to infrastructure devices in accordance with existing security policies and configurations.
"Cisco Applied Mitigation Bulletin" companion document.
Multiple Multicase Vulnerabilities - 107550

Description
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS software
that may lead to a denial of service (DoS) condition. Cisco has released free software updates that
address these vulnerabilities. Workarounds that mitigate these vulnerabilities are available.
Cisco IOS Devices
References


OL-25941-01
4-429
Chapter 4
Rule 1
Rule
PSIRT - 107550: Verify Multiple Multicase Vulnerabilities in Cisco IOS Software [IOS]
Description
Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS Software
that may lead to a denial of service (DoS) condition. Devices that run Cisco IOS Software and are
configured for PIM are affected by the first vulnerability. Only Cisco 12000 Series (GSR) routers that
are configured for PIM are affected by the second vulnerability.
Available PIM modes on a Cisco IOS device are dense mode, sparse mode, or sparse-dense mode. The
mode determines how the device populates its multicast routing table and how multicast packets are
forwarded. PIM must be enabled in one of these modes for an interface to perform IP multicast routing.
Cisco IOS Devices
Impact
Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in
a sustained denial of service (DoS) condition.
Suggested Fix
There are no workarounds for the second vulnerability. The following workarounds only apply to the
vulnerability addressed in Cisco bug ID CSCsd95616. A PIM router must receive PIM Hellos to
establish PIM neighborship. PIM neighborship is also the basis for designated router (DR) election, DR
failover, and accepting/sending PIM Join/Prune/Assert messages. To specify trusted PIM neighbors, use
the ip pim neighbor-filter command, as shown in the following example:
Router(config)#access-list 1 permit host 10.10.10.123
!-- An access control list is created to allow a trusted PIM neighbor
!-- in this example the neighbor is 10.10.10.123
!
Router(config)#interface fastEthernet 0/0
Router(config-if)#ip pim neighbor-filter 1
!-- The PIM neighbor filter is then applied to the respective interface(s)
The ip pim neighbor-filter command filters PIM packets from untrusted devices including Hellos,
Join/Prune, and BSR packets.
Note
The vulnerabilities described in this document can be exploited by spoofed IP packets if the
attacker knows the IP address of the trusted PIM neighbors listed in the ip pim neighbor-filter
implementation.
To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure
attacks, administrators are advised to deploy ACLs to perform policy enforcement of traffic sent to core
infrastructure equipment. PIM is IP protocol 103. As an additional workaround, administrators can
explicitly permit only authorized PIM (IP protocol 103) traffic sent to infrastructure devices in
accordance with existing security policies and configurations. An ACL can be deployed as shown in the
following example:
4-430
OL-25941-01
Chapter 4

ip access-list extended Infrastructure-ACL-Policy

!
!-- When applicable, include explicit permit statements for trusted
!-- sources that require access on the vulnerable protocol
!-- PIM routers need to communicate with the rendezvous point (RP).
!-- In this example, 192.168.100.1 is the IP address of the
!-- rendezvous point, which is a trusted host that requires access
!-- to and from the affected PIM devices.
!
permit pim host 192.168.100.1 192.168.60.0 0.0.0.255

permit pim 192.168.60.0 0.0.0.255 host 192.168.100.1
!
!-- Permit PIM segment traffic, packets have destination of:
!-- 224.0.0.13 (PIMv2)
!-- 224.0.0.2 (Required only by legacy PIMv1)
!
permit pim 192.168.60.0 0.0.0.255 host 224.0.0.13

permit pim 192.168.60.0 0.0.0.255 host 224.0.0.2
!
!-- The following vulnerability-specific access control entries
!-- (ACEs) can aid in identification of attacks
!
deny pim any 192.168.60.0 0.0.0.255

!
!-- Explicit deny ACE for traffic sent to addresses configured within
!-- the infrastructure address space
!
deny ip any 192.168.60.0 0.0.0.255

!
!-- Permit/deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Apply iACL to interfaces in the ingress direction

OL-25941-01
4-431
Chapter 4
ip access-group Infrastructure-ACL-Policy in
Multiple SIP DoS Vulnerabilities - 107617

Description
Multiple vulnerabilities exist in the Session Initiation Protocol (SIP) implementation in Cisco IOS that
can be exploited remotely to trigger a memory leak or to cause a reload of the IOS device.
Cisco has released free software updates that address these vulnerabilities. Fixed Cisco IOS software
listed in the Software Versions and Fixes section contains fixes for all vulnerabilities addressed in this
advisory.
There are no workarounds available to mitigate the effects of any of the vulnerabilities apart from
disabling the protocol or feature itself, if administrators do not require the Cisco IOS device to provide
voice over IP services.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 107617: Verify Multiple CISCO SIP DoS Vulnerabilities [IOS]

Description
SIP is a popular signaling protocol used to manage voice and video calls across IP networks such as the
Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are
the most popular types of sessions that SIP handles, but the protocol is flexible to accommodate for other
applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP
(port 5060), or TLS (TCP port 5061) as the underlying transport protocol.
Multiple denial of service vulnerabilities exist in the SIP implementation in Cisco IOS. In all cases
vulnerabilities can be triggered by processing valid SIP messages.
Cisco IOS Devices
4-432
OL-25941-01
Chapter 4

Impact
device. The issue could be repeatedly exploited to result in an extended Denial Of Service (DoS)
condition.
Suggested Fix
If the affected Cisco IOS device needs to provide voice over IP services and therefore SIP cannot be
disabled then none of the listed vulnerabilities have workarounds. Users are advised to apply mitigation
techniques to limit exposure to the listed vulnerabilities. Mitigation consists of only allowing legitimate
devices to connect to the routers. To increase effectiveness, the mitigation must be coupled with
anti-spoofing measures on the network edge. This action is required because SIP can use UDP as the
transport protocol.
Disable SIP Listening Ports
disable SIP processing on the device. Some versions of Cisco IOS allow administrators to accomplish
this with the following commands:
sip-ua
no transport udp
no transport tcp
Warning
When applying this workaround to devices processing MGCP or H.323 calls, the device will not allow
you to stop SIP processing while active calls are being processed. Under these circumstances, this
workaround should be implemented during a maintenance window when active calls can be briefly
stopped.
It is recommended that after applying this workaround, the show commands discussed in the Vulnerable
Products section be used to confirm that the Cisco IOS device is no longer processing SIP messages.
For devices that need to offer SIP services it is possible to use Control Plane Policing (CoPP) to block
SIP traffic to the device from untrusted sources. Cisco IOS software releases 12.0S, 12.2SX, 12.2S,
12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect the
management and control planes to minimize the risk and effectiveness of direct infrastructure attacks by
explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing
security policies and configurations. The following example can be adapted to your network:

OL-25941-01
4-433
Chapter 4



policy-map drop-sip-traffic
drop
!-- device.
control-plane
service-policy input drop-sip-traffic
Warning
Because SIP can utilize UDP as a transport protocol, it is possible to easily spoof the sender's IP
address, which may defeat ACLs that permit communication to these ports from trusted IP addresses.
4-434
OL-25941-01
Chapter 4

function. Additional information on the configuration and use of the CoPP feature can be found at
http://www.cisco.com/en/US/products/ps6642/products_white_paper0900aecd804fa16a.shtml and
http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/products_feature_guide09186a008052446b
.html.

Description
session key.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 8118: Verify Multiple SSH Vulnerabilities [IOS]

Description
CRC-32 integrity check vulnerability -- This vulnerability has been described in a CORE SDI S.A.
paper entitled "An attack on CRC-32 integrity checks of encrypted channels using CBC and CFB
modes". In order for this attack to succeed, an attacker must possess one or two known
ciphertext/plaintext pairs. This should not be difficult since every session starts with a greeting
screen which is fixed and which can be determined. This also implies that an attacker must be
somewhere along the session path in order to be able to sniff the session and collect corresponding
ciphertext. While fixing this vulnerability, we have not made the implementation mistake described
by VU#945216 (see http://www.kb.cert.org/vuls/id/945216) which is being actively exploited.

OL-25941-01
4-435
Chapter 4
Designer. It can be found at: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt,
and is entitled "Passive Analysis of SSH (Secure Shell) Traffic". To exploit this vulnerability, an
attacker must be able to capture packets. When sending a packet using the SSH protocol, it is padded
to the next 8-byte boundary, but the exact length of the data (without the padding) is sent
unencrypted. The timing between packets may yield additional information, such as the relative
position of a letter on the keyboard, but that depends on overall jitter in the network and the typing
habits of the person. For additional information, please see
describing it can be viewed at http://www.securityfocus.com/archive/1/161150. The subject line is
"SSH protocol 1.5 session key recovery vulnerability". In order to exploit this vulnerability, an
attacker must be able to sniff the SSH session and be able to establish a connection to the SSH server.
In order to recover the server key, an attacker must perform an additional 2^20+2^19=1572864
connections. Since the key has a lifespan of about an hour, this means that an attacker must perform
around 400 connections per second. For further details, please see
http://www.securityfocus.com/archive/1/161150.
Cisco IOS Devices
Impact
brute force attack.
form.
Suggested Fix
Multiprotocol Label Switching Packet Vulnerability - 111458

Description
A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is
vulnerable to a remote denial of service (DoS) condition if it is configured for Multiprotocol Label
Switching (MPLS) and has support for Label Distribution Protocol (LDP).
A crafted LDP UDP packet can cause an affected device running Cisco IOS Software or Cisco IOS XE
Software to reload. On devices running affected versions of Cisco IOS XR Software, such packets can
cause the device to restart the mpls_ldp process.
A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP).
4-436
OL-25941-01
Chapter 4


Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 111458: Verify IOS Software Multiprotocol Label Switching Packet Vulnerability [IOS]
Description
MPLS LDP enables peer label switch routers (LSRs) in an MPLS network to exchange label binding
information for supporting hop-by-hop forwarding in an MPLS network.
A vulnerability exists in Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software when
processing a specially crafted LDP packet. For the device to be vulnerable, it has to be configured to
process LDP hello messages, as explained within the Affected Products section of this advisory.
The crafted LDP packet, can be received as either a unicast or multicast UDP packet on port UDP 646
on any listening IP address of the device. Transit traffic will not trigger this vulnerability.
Note
Devices configured with TDP will also process the crafted LDP packet and are vulnerable.
For further information regarding MPLS and LDP please consult the "Multiprotocol Label Switching
(MPLS) Introduction" home page available at this link:
http://www.cisco.com/en/US/products/ps6557/products_ios_technology_home.html
Cisco IOS Devices
Impact
Successful exploitation of this vulnerability on a device running a vulnerable version of Cisco IOS
Software or Cisco IOS XE Software will cause the affected device to reload.
Exploitation on a router running a vulnerable version of Cisco IOS XR Software will result in a restart
of the mpls_ldp process.
The issue could be repeatedly exploited to cause an extended DoS condition.

OL-25941-01
4-437
Chapter 4
Suggested Fix
Users are advised to apply mitigation techniques to help limit exposure to the vulnerability. Mitigation
consists of allowing only legitimate devices to connect to the device. To increase effectiveness, the
mitigation must be coupled with anti-spoofing measures on the network edge. This action is required
because LDP will use UDP as the hello transport protocol.
If LDP is not required on the device, then MPLS forwarding can be disabled with the global
configuration command no mpls ip.
Note
LDP password or MD5 protection, does not protect against this vulnerability.
Transit traffic will not exploit this vulnerability. Only packets destined to the device may be used to
exploit this vulnerability.
Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability,".
Warning
Because the feature in this vulnerability utilizes UDP as a transport, it is possible to spoof the
sender's IP address, which may defeat access control lists (ACLs) that permit communication to these
ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should also be
considered, to offer a comprehensive solution.
should never be allowed to target infrastructure devices and block that traffic at the border of the
network. Infrastructure ACLs (iACLs) are a network security best practice and should be considered as
a long-term addition to good network security as well as a workaround for this specific vulnerability.
This iACL example should be included as part of the deployed infrastructure access list, which will help
protect all devices with IP addresses in the infrastructure IP address range:
!--!--- Feature: Label Distribution Protocol (LDP)
!---
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES

WILDCARD INFRASTRUCTURE_ADDRESSES WILDCARD eq 646
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES

WILDCARD host 224.0.0.2 eq 646
!--!--- Deny LDP traffic from all other sources destined
!--- to infrastructure addresses.
!---
4-438
OL-25941-01
Chapter 4

access-list 150 deny udp any

INFRASTRUCTURE_ADDRESSES WILDCARD eq 646
!--!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!--access-list 150 permit ip any any
!--!--- Apply access-list to all interfaces (only one example
!--- shown)
!--interface fastEthernet 2/0
guidelines and recommended deployment techniques for infrastructure protection access lists and is
available at this link:
Warning
addresses. Unicast RPF should also be considered, to offer a comprehensive solution.
Software Releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP can be
configured on a device to help protect the management and control planes and minimize the risk and
to infrastructure devices in accordance with existing security policies and configurations. The CoPP
example below should be included as part of the deployed CoPP policy, which will help protect all
devices with IP addresses in the infrastructure IP address range.
!--access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES
WILDCARD any eq 646

OL-25941-01
4-439
Chapter 4
!--- to the device control plane.

!--access-list 150 permit udp any any eq 646
!--!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
!--class-map match-all drop-ldp-class
!--!--- Create a Policy-Map that will be applied to the
!--policy-map control-plane-policy
class drop-ldp-class
drop
!--!--- Apply the Policy-Map to the
!--control-plane
Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS Software trains:
class drop-udp-class
Additional information on the configuration and use of the CoPP feature can be found in the documents,
"Control Plane Policing Implementation Best Practices" and "Cisco IOS Software Releases 12.2 S Control Plane Policing" at these links:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
4-440
OL-25941-01
Chapter 4

Receive ACLs (rACL)
Warning
addresses. Unicast RPF should also be considered, to offer a comprehensive solution.
network security, as well as a workaround for this specific vulnerability. The white paper entitled "GSR:
Receive Access Control Lists" will help you identify and allow legitimate traffic to your device and deny
all unwanted packets. This white paper is available at the following link
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml
This is the receive path ACL written to permit this type of traffic from trusted hosts:
!---
!--!--- Permit LDP traffic from all trusted sources allowed

!--access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 646
!--access-list 150 deny udp any any eq 646
!--!--- Permit all other traffic to the RP.
!--- according to security policy and configurations.
!---

OL-25941-01
4-441
Chapter 4

!--!--- Apply this access list to the 'receive' path.
!--ip receive access-list 150
NAM (Network Analysis Module) Vulnerability - 81863

Description
Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed
are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only
Cisco Catalyst systems that have a NAM on them are affected. This vulnerability affects systems that
run Internetwork Operating System (IOS) or Catalyst Operating System (CatOS).
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 81863: NAM Vulnerability [IOS]

Description
NAMs are deployed in Catalyst 6000, 6500 series and Cisco 7600 series to monitor and analyze network
traffic by using Remote Monitoring (RMON), RMON2, and other MIBs.
NAMs communicate with the Catalyst system by using the Simple Network Management Protocol
(SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker
may obtain complete control of the Catalyst system.
Devices running both Cisco IOS and Cisco CatOS are affected by this vulnerability. This vulnerability
is introduced in CatOS at 7.6(15) and 8.5(1). Older CatOS images are not vulnerable.
Cisco IOS Devices
Impact
By successfully exploiting this vulnerability, an attacker may gain complete control of the device.
Suggested Fix
No workarounds exist for this vulnerability.
4-442
OL-25941-01
Chapter 4

This vulnerability requires an attacker to spoof SNMP packets from the IP address of the NAM. Filtering
SNMP traffic to an affected device can be used as a mitigation. Filtering SNMP traffic needs to be done
on systems that are deployed in front of an affected device, since it is ineffective to filter against such
spoofed packets on the device itself.
Anti-spoofing measures and infrastructure access-lists can also be deployed at your network edge as a
potential mitigation technique. Refer to http://www.cisco.com/warp/public/707/iacl.html for examples
on how to apply ACLs on Cisco routers for infrastructure protection.
NAT - 13659
Description
A group of related software bugs create an undesired interaction between network address translation
(NAT) and input access list processing. This may cause input access list filters to "leak" packets in
certain NAT configurations, creating a security exposure. Configurations without NAT are not affected.
The failure does not happen at all times, and is less likely under laboratory conditions than in installed
networks. This may cause administrators to believe that filtering is working when it is not.. See "Cisco
IOS Software Input Access List Leakage with NAT." at Cisco Security Advisories website
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 13659: Verify Input Access List Leakage with NAT [IOS]
Description
A group of related software bugs create an undesired interaction between network address translation
(NAT) and input access list processing. This may cause input access list filters to "leak" packets in
certain NAT configurations, creating a security exposure. Configurations without NAT are not affected.
The failure does not happen at all times, and is less likely under laboratory conditions than in installed
networks. This may cause administrators to believe that filtering is working when it is not.. See "Cisco
IOS Software Input Access List Leakage with NAT." at Cisco Security Advisories website
Cisco IOS Devices
Impact
This vulnerability may allow users to circumvent network security filters, and therefore security
policies.

OL-25941-01
4-443
Chapter 4
Suggested Fix
None

Description
Skinny Client Control Protocol (SCCP) crafted messages may cause a Cisco IOS device that is
configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this
vulnerability is available.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 111268: Verify NAT Skinny Call Control Protocol Vulnerability [IOS]
Description
The Skinny Client Control Protocol (SCCP) enables voice communication between an SCCP client and
a Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by
default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will
also establish a TCP connection with a secondary CM, if available.
The NAT SCCP Fragmentation Support feature enables the Skinny Application Layer Gateway (ALG)
to reassemble skinny control messages. Since this feature was introduced in Cisco IOS version 12.4(6)T,
SCCP payloads requiring reassembly and NAT are no longer dropped.
A series of crafted SCCP packets may cause a Cisco IOS router that is running the NAT SCCP
Fragmentation Support feature to reload.
Cisco IOS Devices
Impact
Suggested Fix
As workaround, an administrator can disable SCCP NAT support using the no ip nat service skinny tcp
port 2000 command, as shown in the following example:
Router(config)# no ip nat service skinny tcp port 2000
4-444
OL-25941-01
Chapter 4

Note
Caution
If your Cisco CallManager is using a TCP port for skinny signaling different from the default
port (2000), you need to adjust this command accordingly.
This workaround is only feasible on networks where SCCP traffic does not need to be processed by NAT.
Please confirm before implementing this workaround.

Description
A series of segmented Skinny Call Control Protocol (SCCP) messages may cause a Cisco IOS device
that is configured with the Network Address Translation (NAT) SCCP Fragmentation Support feature to
reload.
Cisco has released free software updates that address this vulnerability. A workaround that mitigates this
vulnerability is available.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 99866: Verify Cisco IOS NAT Skinny Call Control Protocol Vulnerability [IOS]
Description
The Skinny Call Control Protocol (SCCP) enables voice communication between an SCCP client and a
Call Manager (CM). Typically, the CM provides service to the SCCP clients on TCP Port 2000 by
default. Initially, an SCCP client connects to the CM by establishing a TCP connection; the client will
also establish a TCP connection with a secondary CM, if available.
The NAT SCCP Fragmentation Support feature prevents skinny control message exchanges from failing
in a TCP segmentation scenario because the NAT Skinny Application Layer Gateway (ALG) is able to
reassemble the skinny control messages. A segmented payload that requires an IP or port translation will
no longer be dropped. The NAT SCCP Fragmentation Support feature was introduced in Cisco IOS
version 12.4(6)T.
A series of fragmented SCCP messages may cause a Cisco IOS router that is running the NAT SCCP
Fragmentation Support feature to reload.
Cisco IOS Devices

OL-25941-01
4-445
Chapter 4
Impact
Suggested Fix
As workaround, an administrator can disable SCCP NAT support using the no ip nat service skinny tcp
port 2000 command, as shown in the following example:
Router(config)# no ip nat service skinny tcp port 2000
Note
If your Cisco CallManager is using a TCP port for skinny signaling different from the default
port (2000), you need to adjust this command accordingly.
NTP - 23445
Description
Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been
discovered in the NTP daemon query processing functionality. This vulnerability has been publicly
announced.
See "NTP Vulnerability" at Cisco Security Advisories website for more information
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 23445: Verify NIT Vulnerabilities [IOS]

Description
Network Time Protocol (NTP) is used to synchronize time on multiple devices. A vulnerability has been
discovered in the NTP daemon query processing functionality. This vulnerability has been publicly
announced.
See "NTP Vulnerability" at Cisco Security Advisories website for more information
4-446
OL-25941-01
Chapter 4

Impact
The successful exploitation may cause arbitrary code to be executed on the target machine. More often,
an attempt to exploit this vulnerability will result in a daemon or device crash.
Suggested Fix
There are methods available to mitigate the exposure. You can combine these methods or use them
individually.
Prevent IOS from processing NTP queries at all. Depending on whether you are acting as a server or a
client, the configuration is different.
It is possible to mitigate the exposure by using ACLs and dropping all NTP packets that are not from the
legitimate servers.
Additionally, if you are not using NTP servers external from your network, you can drop all NTP packets
on the network boundary.
NTP Packet Vulnerability - 110447

Description
Cisco IOS Software with support for Network Time Protocol (NTP) version (v4) contains a vulnerability
processing specific NTP packets that will result in a reload of the device. This results in a remote denial
of service (DoS) condition on the affected device.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 110447: Verify NTP Packet Vulnerability [IOS]

Description
Cisco IOS Software devices are vulnerable if they support NTPv4 and are configured for NTP
operations. NTP is not enabled in Cisco IOS Software by default.
To see if a device supports NTPv4, log into the device and via configuration mode of the command line
interface (CLI), enter the command ntp peer 127.0.0.1 version ?. If the output has the number 4 as an
option, then the device supports NTPv4. The following example identifies a Cisco device that is running
a Cisco IOS Software release that does support NTPv4:
Router(config)#ntp peer 127.0.0.1 version ?
<2-4> NTP version number

OL-25941-01
4-447
Chapter 4
The following example identifies a Cisco device that is running a Cisco IOS Software release that does
not support NTPv4:
Router(config)#ntp peer 127.0.0.1 version ?
<1-3> NTP version number
To see if a device is configured with NTP, log into the device and issue the CLI command show
running-config | include ntp. If the output returns either of the following commands listed then the
device is vulnerable:
ntp master <any following commands>
ntp peer <any following commands>
ntp server <any following commands>
ntp broadcast client
ntp multicast client
The following example identifies a Cisco device that is configured with NTP:
router#show running-config | include ntp
ntp peer 192.168.0.12
The following example identifies a Cisco device that is not configured with NTP:
router#show running-config | include ntp
router#
Cisco IOS Devices
Impact
Successful exploitation of the vulnerability may result in a reload of the device. The vulnerability could
be repeatedly exploited to cause an extended DoS condition.
Suggested Fix
There are no workarounds other than disabling NTP on the device. The following mitigations have been
identified for this vulnerability; only packets destined for any configured IP address on the device can
exploit this vulnerability. Transit traffic will not exploit this vulnerability.
Note
NTP peer authentication is not a workaround and is still a vulnerable configuration.
NTP Access Group
Warning
sender's IP address, which may defeat access control lists (ACLs) that permit communication to these
ports from trusted IP addresses. Unicast Reverse Path Forwarding (Unicast RPF) should be considered
to be used in conjunction to offer a better mitigation solution.
!--- Configure trusted peers for allowed access

access-list 1 permit 171.70.173.55
!--- Apply ACE to the NTP configuration
ntp access-group 1
4-448
OL-25941-01
Chapter 4

For additional information on NTP access control groups, consult the document titled "Performing Basic
System Management" at the following link:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_basic_sys_manage.html#wp1
034942
Warning
solution.
Infrastructure ACLs (iACLs) are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround for this specific vulnerability. The
iACL example below should be included as part of the deployed infrastructure access-list, which will
help protect all devices with IP addresses in the infrastructure IP address range:
!--!--- Feature: Network Time Protocol (NTP)
!--access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
!--- Note: If the router is acting as a NTP broadcast client
!--- via the interface command "ntp broadcast client"
!--- then broadcast and directed broadcasts must be
!--- filtered as well. The following example covers
!--- an infrastructure address space of 192.168.0.X
access-list 150 permit udp TRUSTED_SOURCE_ADDRESSES WILDCARD
host 192.168.0.255 eq ntp
host 255.255.255.255 eq ntp
!--- Note: If the router is acting as a NTP multicast client
!--- via the interface command "ntp multicast client"
!--- then multicast IP packets to the mutlicast group must
!--- be filtered as well. The following example covers
!--- a NTP multicast group of 239.0.0.1 (Default is
!--- 224.0.1.1)
host 239.0.0.1 eq ntp
!--- Deny NTP traffic from all other sources destined

OL-25941-01
4-449
Chapter 4
access-list 150 deny udp any

!--- Permit/deny all other Layer 3 and Layer 4 traffic in
!--- accordance with existing security policies and
!--- configurations. Permit all other traffic to transit the
!--- device.
!--- Apply access-list to all interfaces (only one example
!--- shown)
guidelines and recommended deployment techniques for infrastructure protection access lists and is
available at the following link
Warning
solution.
4-450
OL-25941-01
Chapter 4

configured on a device to help protect the management and control planes and minimize the risk and
to infrastructure devices in accordance with existing security policies and configurations. The CoPP
example below should be included as part of the deployed CoPP, which will help protect all devices with
IP addresses in the infrastructure IP address range.
!--- Feature: Network Time Protocol (NTP)
access-list 150 deny udp TRUSTED_SOURCE_ADDRESSES WILDCARD
any eq 123
!--- Deny NTP traffic from all other sources destined
!--- to the device control plane.
!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and
!--- Layer4 traffic in accordance with existing security policies
!--- and configurations for traffic that is authorized to be sent
class-map match-all drop-udp-class
policy-map drop-udp-traffic
drop
control-plane
service-policy input drop-udp-traffic
function. Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS Software
trains:
policy-map drop-udp-traffic

OL-25941-01
4-451
Chapter 4
Additional information on the configuration and use of the CoPP feature can be found in the documents,
"Control Plane Policing Implementation Best Practices" and "Cisco IOS Software Releases 12.2 S Control Plane Policing" at the following links:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Network Address Translation Vulnerability - 112028

Description
The Cisco IOS Software Network Address Translation functionality contains three denial of service
(DoS) vulnerabilities. The first vulnerability is in the translation of Session Initiation Protocol (SIP)
packets, the second vulnerability in the translation of H.323 packets and the third vulnerability is in the
translation of H.225.0 call signaling for H.323 packets.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 112028: Verify Cisco IOS Software Network Address Translation Vulnerability [IOS]
Description
Cisco devices running Cisco IOS Software that are configured for NAT and that support NAT for SIP,
H.323, or H.225.0 call signaling for H.323 packets are affected.
To verify whether NAT is enabled on a Cisco IOS device log in to the device and issue the show ip nat
statistics command. The following example shows a device that is configured with NAT:
Router#show ip nat statistics
Total translations: 2 (0 static, 2 dynamic; 0 extended)
Outside interfaces: Serial0
Inside interfaces: Ethernet1
Hits: 135 Misses: 5
Expired translations: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool mypool refcount 2
pool mypool: netmask 255.255.255.0
start 192.168.10.1 end 192.168.10.254
4-452
OL-25941-01
Chapter 4

type generic, total addresses 14, allocated 2 (14%), misses 0

Alternatively, administrators can use the show running-config | include ip nat command to verify if
NAT has been enabled on the router interfaces.
For NAT to be enabled in a router either the ip nat inside and ip nat outside commands must be present
in different interfaces or, in the case of NAT Virtual Interface, if the ip nat enable interface command is
present.
In order to determine the software that runs on a Cisco IOS product, log in to the device and issue the
show version command to display the system banner. Cisco IOS software identifies itself as
"Internetwork Operating System Software" or simply "IOS." On the next line of output, the image name
displays between parentheses, followed by "Version" and the Cisco IOS release name. Other Cisco
devices do not have the show version command or give different output.
The following example shows output from a device that runs an IOS image:
SOFTWARE (fc1)
<More output removed for brevity>
Cisco IOS Devices
Impact
Successful exploitation of any of the vulnerabilities described in this document may cause the affected
device to reload. Repeated exploitation will result in an extended denial of service (DoS) condition.
Suggested Fix
The mitigations for the NAT vulnerabilities disable the respective Application Layer Gateway NAT
processing. That is, packets will continue to be translated at the network and transport layers, but the
embedded IP addresses will not be translated.
NAT for Session Initiation Protocol DoS Vulnerability
Mitigation for this vulnerability consists of disabling NAT for SIP over the UDP transport by using the
no ip nat service sip udp port 5060 global configuration command.
NAT for H.323 DoS Vulnerability
NAT for H.225.0 DoS vulnerability

OL-25941-01
4-453
Chapter 4
Next Hop Resolution Protocol Vulnerability - 91766

Description
The Cisco Next Hop Resolution Protocol (NHRP) feature in Cisco IOS contains a vulnerability that can
result in a restart of the device or possible remote code execution.
NHRP is a primary component of the Dynamic Multipoint Virtual Private Network (DMVPN) feature.
NHRP can operate in three ways: at the link layer (Layer 2), over Generic Routing Encapsulation (GRE)
and multipoint GRE (mGRE) tunnels and directly on IP (IP protocol number 54). This vulnerability
affects all three methods of operation.
NHRP is not enabled by default for Cisco IOS.
Cisco IOS Devices
References

Rule 1
Rule
PSIRT - 91766: Verify Next Hop Resolution Protocol Vulnerability [IOS]

Description
NHRP is a standards-based protocol that is aimed at providing Layer 2 to Layer 3 resolution for
Nonbroadcast Multiaccess networks (NBMA).
Network devices and hosts can use NHRP to discover the addresses of other devices connected to an
NBMA network.
For more information on NHRP, see
http://www.cisco.com/en/US/docs/ios/12_4/ip_addr/configuration/guide/hadnhrp_ps6350_TSD_Produ
cts_Configuration_Guide_Chapter.html
NHRP is an open standard and the public RFC is on the web at:
http://www.rfc-editor.org/rfc/rfc2332.txt
NHRP has extended uses in DMVPNs, can be carried in GRE and mGRE tunnels or can be transported
directly within IP datagrams as IP protocol number 54.
Workarounds are available for protecting routers from NHRP packets sent over GRE or mGRE tunnels
or sent as NHRP directly in IP datagrams.
No workarounds exist for blocking Layer 2 NHRP packets. However, Layer 2 NHRP packets are not
routable and must be sent by a Layer 2-adjacent device.
Cisco IOS Devices
4-454
OL-25941-01
Chapter 4

Impact
Successful exploitation of the vulnerability may result in a restart of the device or remote code
execution. Repeated exploitation may result in an extended denial of service (DoS) condition.
Suggested Fix
Customers who do not need NHRP functionality may disable the NHRP service and eliminate the
exposure to this vulnerability.
If NHRP is required, the only complete resolution to this issue is to upgrade to a fixed version of
software.
Additional mitigations that can be deployed on Cisco devices within the network are discussed in the
Because this attack can be sent from spoofed source addresses, anti-spoofing techniques are required for
the workarounds in this section to be most effective.

Description
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path
First (OSPF) protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet.
The OSPF protocol is not enabled by default.
See "Cisco IOS Malformed OSPF Packet Causes Reload." at Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-61365: Verify Malformed OSPF Packet Causes Reload Vulnerability[IOS]

Description
A Cisco device running Internetwork Operating System (IOS) and enabled for the Open Shortest Path
First (OSPF) protocol is vulnerable to a Denial of Service (DoS) attack from a malformed OSPF packet.
The OSPF protocol is not enabled by default.
See "Cisco IOS Malformed OSPF Packet Causes Reload." at Cisco Security Advisories website.
Cisco IOS Devices

OL-25941-01
4-455
Chapter 4
Impact
Suggested Fix
OSPF authentication may be used as a workaround. OSPF packets without a valid key will not be
processed. MD5 authentication is highly recommended, due to inherent weaknesses in plain text
authentication.
OSPF, MPLS VPN Vulnerability - 100526 [IOS]

Description
Certain Cisco Catalyst 6500 Series and Cisco 7600 Router devices that run branches of Cisco IOS based
on 12.2 can be vulnerable to a denial of service vulnerability that can prevent any traffic from entering
an affected interface. For a device to be vulnerable, it must be configured for Open Shortest Path First
(OSPF) Sham-Link and Multi Protocol Label Switching (MPLS) Virtual Private Networking (VPN).
This vulnerability only affects Cisco Catalyst 6500 Series or Catalyst 7600 Series devices with the
Supervisor Engine 32 (Sup32), Supervisor Engine 720 (Sup720) or Route Switch Processor 720
(RSP720) modules. The Supervisor 32, Supervisor 720, Supervisor 720-3B, Supervisor 720-3BXL,
Route Switch Processor 720, Route Switch Processor 720-3C, and Route Switch Processor 720-3CXL
are all potentially vulnerable.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-100526: Verify Vulnerability in Cisco IOS with OSPF, MPLS VPN[IOS]

Description
CVE ID CVE-2008-0537.
The following combination of hardware and software configuration must be present for the device to be
vulnerable:
Cisco Catalyst Sup32, Sup720, or RSP720 is present
MPLS VPN is configured
OSPF sham-link is configured
In order to determine whether you are running this feature, use the show running-config command and
search for the address-family vpnv4 and area sham-link router configuration commands. The
following command displays all configuration lines that meet the following criteria:
Begins with the word "router," OR
4-456
OL-25941-01
Chapter 4

Includes "address-family vpnv4," OR

Includes "sham-link"
Router# show run | include ^router |address-family vpnv4|sham-link
router bgp 1
address-family vpnv4
router ospf 1 vrf VRFNAME
area 0 sham-link 192.168.1.1 192.168.100.1
Router#
For customers that run versions of IOS that support the section modifier, an additional option is available
to view the relevant sections of the running configuration:
Router# show run | section ^router
router bgp 1
[snip]
address-family vpnv4
router ospf 1 vrf VRFNAME
area 0 sham-link 192.168.1.1 192.168.100.1
[snip]
If certain packets are received by a device that meets the above requirements, the input queue of the
interface that receives these packets can become blocked, which can prohibit additional traffic from
entering the interface and cause a denial of service condition. In addition to a potential blocked interface
queue, the device can also suffer a memory leak or restart. In the event of a memory leak, the device is
unable to forward traffic once available memory is depleted.
Cisco IOS Devices

Impact
Exploitation of this vulnerability may result in a blocked interface input queue, memory leak, and/or
restart of the device. Repeated exploitation of this vulnerability may result in an extended denial of
service.
Suggested Fix
Once a device interface queue has been exhausted, only a device restart can clear OSPF packets in the
blocked queue.
Due to the manner in which these packets are processed, the queue block occurs prior to the OSPF MD5
check. The OSPF MD5 configuration does not protect a device from this vulnerability.
Increasing the SPD headroom provides additional buffering for OSPF packets. In the event of a blocked
queue, the SPD headroom can be increased to allow more control plane traffic buffer space.
It is possible to expand the queue size to accommodate more packets, but packets can still accumulate
until the expanded queue is exhausted. As a temporary workaround that allows traffic to continue to
flow, the input hold queue can be increased. Any additional malformed packets still fill the queue, but

OL-25941-01
4-457
Chapter 4
increasing the input queue depth can extend the amount of time before the input queue fills and traffic
ceases flowing. The following example demonstrates how to set the input queue size from the default of
75 to the maximum of 4096:
Router# configure terminal
Router(configure)# interface FastEthernet 0/0
Router(config-if)# hold-queue 4096 in
Because OSPF Sham-Link configuration is required for the vulnerability to be present, removing
Sham-Link functionality eliminates exposure to this vulnerability. In order to remove the OSPF
Sham-Link configuration from a device, the OSPF configuration must be changed on each interface
where Sham-Link is configured.
Cisco IOS Embedded Event Manager (EEM) provides event detection and reaction capabilities on a
Cisco IOS device. It is possible to detect blocked interface queues with an EEM policy. EEM can alert
Object-Group ACL Bypass Vulnerability - 110398 [IOS]

Description
A vulnerability exists in Cisco IOS software where an unauthenticated attacker could bypass access
control policies when the Object Groups for Access Control Lists (ACLs) feature is used. Cisco has
released free software updates that address this vulnerability. There are no workarounds for this
vulnerability other than disabling the Object Groups for ACLs feature.
Cisco IOS Devices

References

public forum, or recommendations to mitigate general problems affecting network stability .
Rule 1
Rule
PSIRT-110398: Verify Object-Group ACL Bypass Vulnerability [IOS]

Description
In Cisco IOS Software an object group can contain a single object (such as a single IP address, network,
or subnet) or multiple objects (such as a combination of multiple IP addresses, networks, or subnets). In
an ACL that is based on an object group, administrators can create a single access control entry (ACE)
that uses an object group name instead of creating many ACEs, which each would require a different IP
address. A similar object group, such as a protocol port group, can be extended to limit access to a set
of applications for a user group to a server group.
Note: The Cisco Catalyst 6500 Object Groups feature for policy-based ACLs (PBACLs) is not affected
by this vulnerability.
4-458
OL-25941-01
Chapter 4

A vulnerability exists in Cisco IOS Software that could allow an unauthenticated attacker to bypass
access control policies when the Object Groups for ACLs feature is used.
Note: The Object Groups for ACLs feature was introduced in Cisco IOS software version 12.4(20)T.
Cisco IOS Devices

Impact
Successful exploitation of the vulnerability may allow an attacker to access resources that should be
protected by the Cisco IOS device.
Suggested Fix
There are no workarounds for this vulnerability other than disabling the Object Groups for ACLs feature.
OpenSSL Implementation DoS Vulnerability - 45643 [IOS]

Description
An affected network device running an SSL server based on an affected OpenSSL implementation may
be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a
client. The network device may be vulnerable to this vulnerability even if it is configured to not
authenticate certificates from the client.
See "SSL Implementation Vulnerabilities." at Cisco Security Advisories website
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-45643: Verify SSL Implementation Vulnerabilities [IOS]

Description
An affected network device running an SSL server based on the OpenSSL implementation may be
vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client.
The network device is vulnerable to this vulnerability even if it is configured to not authenticate
certificates from the client.
Cisco IOS Devices

OL-25941-01
4-459
Chapter 4
Impact
vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client
regardless of whether it is configured to process client certificates or not.
Suggested Fix
The Cisco PSIRT recommends that affected users upgrade to a fixed software version of code as soon as
it is available.
Restrict access to the HTTPS server on the network device. Allow access to the network device only
from trusted workstations by using access lists / MAC filters that are available on the affected
platforms.
Disable the SSL server / service on the network device. This workaround must be weighed against
the need for secure communications with the vulnerable device.
Cisco SIP Proxy Server (SPS) - Disable SSL/TLS functionality. One can do this using the Provisioning
GUI. Log in, then select Farm/Proxies from the Configuration options. Select Advanced, and then the
SIP Server Core tab. Turn the Enable TLS directive to Off.
OpenSSL Implementation Vulnerability - 49898 [IOS]

Description
be vulnerable to a Denial of Service (DoS) attack. See "Cisco OpenSSL Implementation Vulnerability"
at Cisco Security Advisories website.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT-49898: Verify Open SSL Implementation Vulnerability [IOS]

Description
Secure Sockets Layer (SSL), is a protocol used to encrypt the data transferred over a TCP session. SSL
in Cisco products is mainly used by the HyperText Transfer Protocol Secure (HTTPS) web service for
which the default TCP port is 443. The affected products, listed above, are only vulnerable if they have
the HTTPS service enabled and the access to the service is not limited to trusted hosts or network
management workstations. They are not vulnerable to transit traffic, only traffic that is destined to them
may exploit this vulnerability.
4-460
OL-25941-01
Chapter 4

To check if the HTTPS service is enabled one can do the following:

1.
Check the configuration on the device to verify the status of the HTTPS service.
2.
Try to connect to the device using a standard web browser that supports SSL using a URL
similar to https://ip_address_of_device/.
3.
Try and connect to the default HTTPS port, TCP 443, using Telnet. telnet ip_address_of_device
443. If the session connects the service is enabled and accessible.
Cisco IOS Devices

Impact
vulnerable to a Denial of Service (DoS) attack.
Suggested Fix
it is available.
platforms.
PIX Crafted MGCP Packet - 98711 [PIX, ASA]

Description
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series Security Appliance (PIX) and the
Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway Control Protocol (MGCP) packets, or
during processing of Transport Layer Security (TLS) traffic that terminates on the PIX or ASA security
appliance. The Cisco PIX and ASA security appliances are affected by a crafted MGCP packet
vulnerability if MGCP application layer protocol inspection is enabled and the device is running certain
7.x software versions. Version 6.3.x is not affected. MGCP inspection is not enabled by default. For
specific affected versions, refer to the Software Versions and Fixes section. The PIX and ASA security
appliances are also affected by a crafted TLS packet vulnerability that affects devices running certain
7.x software versions if the software has one or more features configured that cause TLS sessions to
terminate on the PIX or ASA security appliance. These functions include, but are not limited to,
clientless WebVPN, client connections with AnyConnect and the SSL VPN client, HTTPS management,
cut-through proxy for network access, and TLS proxy for encrypted voice inspection. Version 6.3.x is
not affected. Features that cause TLS sessions to terminate on the PIX and ASA security appliances are
not enabled by default. For specific affected versions, please refer to the Software Versions and Fixes
section. In addition to the PIX and ASA security appliances, the crafted MGCP packet vulnerability also
affects the Cisco Firewall Services Module (FWSM). More information regarding the FWSM can be
found in the companion advisory http://www.cisco.com/warp/public/707/cisco-sa-20071017

OL-25941-01
4-461
Chapter 4
References

Rule 1
Rule
PIX PSIRT-98711: Verify Crafted MGCP Packet Vulnerabilities [PIX, ASA]

Description
A PIX or ASA security appliance with the Media Gateway Control Protocol (MGCP) application layer
protocol inspection feature enabled may reload when the device processes a crafted MGCP packet.
MGCP application layer protocol inspection is not enabled by default. MGCP messages are transmitted
over the User Datagram Protocol (UDP), which does allow the crafted MGCP messages to be sourced
from a spoofed address. Only the MGCP for gateway application (MGCP traffic on UDP port 2427) is
affected.

Impact
Successful exploitation of the vulnerabilities described in this advisory will result in a reload of the
affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition.
Suggested Fix
There is no workaround for this vulnerability other than disabling MGCP application layer protocol
inspection on the device.Leveraging anti-spoofing techniques will help mitigate spoofed packets from
triggering this vulnerability. Limiting MGCP application layer inspection to traffic between MGCP
gateways may help to mitigate this vulnerability since it would require an attacker to have additional
information (the addresses of the MGCP gateways) to launch a successful attack. To limit MGCP
application layer inspection to traffic between certain devices, a class map that matches only traffic
between the gateways must be created. Then, MGCP inspection must be performed on traffic in that
class. The following example shows how to accomplish this:
ASA(config)# access-list mgcp_traffic permit udp host 192.168.0.1 host 172.16.0.1 eq 2427
ASA(config)# access-list mgcp_traffic permit udp host 172.16.0.1 host 192.168.0.1 eq 2427
ASA(config)# class-map MGCP ASA(config-cmap)# match access-list mgcp_traffic
ASA(config-cmap)# exit ASA(config)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# no inspect mgcp
ASA(config-pmap-c)# exit
ASA(config-pmap)# class MGCP
ASA(config-pmap-c)# inspect mgcp
ASA(config-pmap-c)# exit
ASA(config-pmap)# exit
ASA(config)#
4-462
OL-25941-01
Chapter 4

Note that MGCP inspection is applied only to UDP traffic between hosts 192.168.0.1 and 172.16.0.1 See
the Cisco Applied Intelligence companion document for additional mitigation possibilities
PIX Crafted TLS Packet - 98711 [PIX, ASA]

Description
Two crafted packet vulnerabilities exist in the Cisco PIX 500 Series Security Appliance (PIX) and the
Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. These
vulnerabilities are triggered during processing of Media Gateway Control Protocol (MGCP) packets, or
during processing of Transport Layer Security (TLS) traffic that terminates on the PIX or ASA security
appliance. Note: These vulnerabilities are independent of each other; a device may be affected by one
and not by the other.

References

Rule 1
Rule
PIX PSIRT-98711: Verify Crafted TSL Packet Vulnerabilities [PIX, ASA]

Description
Transport Layer Security (TLS) is the replacement for the Secure Socket Layer (SSL) protocol. It is a
protocol that provides, via cryptography, secure communications between two end-points. The PIX and
ASA security appliances rely on TLS to protect the confidentiality of communications in a variety of
scenarios. In all these scenarios, the PIX and ASA may be affected by a vulnerability in the handling of
the TLS protocol that may lead to a reload of the device when it processes specially crafted TLS packets.
The scenarios affected by this vulnerability are clientless WebVPN connections, HTTPS management
sessions, cut-through proxy for network access, and TLS proxy for encrypted voice inspection

Impact
Successful exploitation of the vulnerabilities described in this advisory will result in a reload of the
affected device. Repeated exploitation can result in a sustained denial of service (DoS) condition
Suggested Fix
ASDM is used to manage the Cisco PIX or ASA security appliance. Access to ASDM should be allowed
only on trusted interfaces and only from authorized hosts. Restricting ASDM access to trusted hosts
limits the ability of an attacker to conduct these attacks. For example, to limit ASDM access to a single

OL-25941-01
4-463
Chapter 4
host on the inside interface with an address of 192.168.1.2, enter the following command:
hostname(config)# http 192.168.1.2 255.255.255.255 inside Additional information is available at:
Cisco Security Appliance Command Line Configuration Guide, Version 7.2
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1047288
There are no workarounds if the clientless WebVPN, client connections with AnyConnect and the SSL
VPN client, cut-through proxy for network access, and TLS proxy for encrypted voice inspection
features are in use.
PIX Erroneous SIP Processing Vulnerabilities - 107475 [PIX, ASA]

Description
Erroneous SIP Processing Vulnerabilities exist in the Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of
confidential information.

References

Rule 1
Rule
PIX PSIRT-107475: Verify Erroneous SIP Processing Vulnerabilities [PIX, ASA]

Description
Cisco PIX and Cisco ASA devices configured for SIP inspection are vulnerable to multiple processing
errors that may result in denial of service attacks. Cisco PIX and ASA software versions prior to
7.0(7)16, 7.1(2)71, 7.2(4)7, 8.0(3)20, and 8.1(1)8 are vulnerable to these SIP processing errors.
errors that may result in denial of service attacks. All Cisco PIX and Cisco ASA software releases may
be vulnerable to these SIP processing vulnerabilities. A successful attack may result in a reload of the
device.
SIP inspection is enabled with the inspect sip command.
To determine whether the Cisco PIX or Cisco ASA security appliance is configured to support inspection
of sip packets, log in to the device and issue the CLI command show service-policy | include sip. If the
output contains the text Inspect: sip and some statistics, then the device has a vulnerable configuration.
The following example shows a vulnerable Cisco ASA Security Appliance:
asa#show service-policy | include sip
Inspect: sip, packet 0, drop 0, reset-drop 0
asa#
4-464
OL-25941-01
Chapter 4


Impact
Successful exploitation of the Erroneous SIP Processing Vulnerabilities may result in the device
reloading. This can be repeatedly exploited and may lead to a denial of service attack.
Suggested Fix
SIP inspection should be disabled if it is not needed and temporarily disabling the feature will mitigate
the SIP processing vulnerabilities. SIP inspection can be disabled with the command no inspect sip.
PIX Buffer overflow - 28947 [PIX, ASA]

Description
The Cisco PIX Firewall provides robust, enterprise-class security services including stateful inspection
firewalling, standards-based IP Security (IPsec) Virtual Private Networking (VPN), intrusion protection
and much more in cost-effective, easy to deploy solutions.
Two vulnerabilities have been resolved for the PIX firewall for which fixes are available. These
vulnerabilities are documented as Cisco bug ID CSCdv83490 and CSCdx35823. There are no
workarounds available to mitigate the effects of these vulnerabilities.

References
CISCO PSIRT Advisories and Notices(28947_2 of 1.0)

Rule 1
Rule
PIX PSIRT-28947: Verify Buffer overflow Vulnerability [PIX, ASA]

Description
CSCdv83490
When a user establishes a VPN session upon successful peer and user authentication, the PIX creates an
ISAKMP SA associating the user and his IP address.
If an attacker is now able to block the logged-in user's connection and establish a connection to the PIX
using the same IP address as that of the user, he will be able to establish a VPN session with the PIX,
using only peer authentication, provided he already has access to the peer authentication key also known
as the group pre-shared key (PSK) or group password key.
CSCdx35823

OL-25941-01
4-465
Chapter 4
A user starting a connection via FTP, Telnet, or over the World Wide Web (HTTP) is prompted for their
user name and password. If the user name and password are verified by the designated TACACS+ or
RADIUS authentication server, the PIX Firewall unit will allow further traffic between the
authentication server and the connection to interact independently through the PIX Firewall unit's
"cut-through proxy" feature.
The PIX may crash and reload due to a buffer overflow vulnerability while processing HTTP traffic
requests for authentication using TACACS+ or RADIUS.
These vulnerabilities are documented in the Bug Toolkit as Bug IDs CSCdv83490 and CSCdx35823, and
can be viewed after 2002 November 21 at 1600 UTC. To access this tool, you must be a registered user
and you must be logged in.

Impact
DDTs - Description
Impact
CSCdv83490While processing initial contact

This vulnerability can be exploited to initiate a
notify messages the PIX does not delete duplicate Man-In-The-Middle attack for VPN sessions to
the PIX
ISAKMP SA's with the peer
CSCdx35823 - Buffer overflow while doing
HTTP traffic authentication using TACACS+ or
RADIUS

Denial-of-Service attack
Suggested Fix
There are no workarounds for this vulnerability. The Cisco PSIRT recommends that affected users
upgrade to a fixed software version of code.
PIX CBAC - 23885 [PIX, ASA]

Description
Neither Cisco's PIX Firewall, nor the Context-Based Access Control (CBAC) feature of Cisco's IOS
Firewall Feature Set, protects hosts against certain denial of service attacks involving fragmented IP
packets. This vulnerability does not permit network "break-ins". The vulnerability is most severe in
configurations involving static Network Address Translation (NAT) entries, or in configurations not
involving any use of NAT.
The vulnerability is present in Cisco PIX Firewall software up to and including version 4.2(1), and in
CBAC versions of Cisco IOS software through 11.2P and 11.3T, and will be present in initial 12.0
revisions of CBAC software.
The Cisco Centri Firewall does not share this vulnerability.
Stateless packet filtering products, such as the extended access lists available in non-CBAC versions of
Cisco IOS software, share the vulnerability because of the inherent limitations of stateless operation.
This it is not considered a defect in stateless filtering. More information is in the section on "Stateless
Packet Filters" in this document.
4-466
OL-25941-01
Chapter 4

This vulnerability will be fixed in Cisco PIX Firewall software version 4.2(2), which is tentatively
scheduled for release on or after September 16, 1998. The vulnerability is scheduled to be fixed for
CBAC in Cisco IOS software release 12.0(2) and 12.0(3)T, which are tentatively scheduled for release
in late November 1998, and in late January 1999, respectively. All schedules are subject to change.
The possibility of IP fragmentation attacks against packet filters, from Cisco and other vendors, has been
widely known for a very long time. However, exploitation does not seem to be increasing. Therefore,
Cisco does not believe that the majority of its customers are critically exposed by this vulnerability.
Cisco is, however, prepared to support any customers who suffer actual attacks, or who have specific
reason to think that they are likely to be attacked in this way.

References

Rule 1
Rule
PIX PSIRT-23885 : Verify for PIX CBAC Vulnerability [PIX, ASA]

Description
This vulnerability on the PIX Firewall has been assigned Cisco bug ID CSCdk36273.
Note: If you are a registered CCO user and you have logged in, you can view bug details.
View CSCdk36273 (registered customers only)

Impact
Even though the firewall keeps an attacker from making actual connections to a given host, he or she
may still be able to disrupt services provided by that host. This is done by sending many unmatched
non-initial IP fragments, which use reassembly resources on the target host. Hosts vary widely in the
quality of their resource management and in their response to this attack. Some hosts can be made nearly
useless by traffic levels that might realistically be available to attackers.
The attack can be launched only against hosts to which the attackers can address packets. If dynamic
NAT is being used, attack packets can be sent only to hosts which are actively communicating with the
Internet, since NAT translation table entries will not exist for other hosts.
Because the firewall drops only the initial fragments of blocked datagrams, attackers can exploit this
vulnerability by sending streams of complete fragmented packets. The attacker in this case deliberately
intends the initial fragments to be blocked by the firewall. Since only the non-initial fragments will be
forwarded, the effect on the target host will be similar to the effect of sending only the non-initial
fragments to begin with. This method involves some waste of the attacker's resources, and is therefore

OL-25941-01
4-467
Chapter 4
slightly less effective than simply sending the non-initial fragments alone. This method is of interest
because it allows attacks to be launched using relatively standard networking tools, without any special
exploit program.
Suggested Fix
There are no workarounds for this vulnerability. The Cisco PSIRT recommends that affected users
upgrade to a fixed software version of code
PIX Control Plane Access Control List Vulnerability - 105444 [PIX, ASA]
Description
A vulnerability exists in the Cisco ASA 5500 Series Adaptive Security Appliances and Cisco PIX
Security Appliances. This security advisory outlines details of the vulnerability:
Control-plane Access Control List Vulnerability
The Control-plane Access Control List Vulnerability may allow an attacker to bypass control-plane
access control lists (ACL).

References

Rule 1
Rule
PSIRT- 105444 : Verify Control Plane Access Control List Vulnerability [PIX, ASA]
Description
Cisco ASA and Cisco PIX devices are affected by a vulnerability if the device is configured to use
control-plane ACLs and if it is running software versions prior to 8.0(3)9 on the 8.0.x release. Devices
running software versions 7.x or 8.1.x are not vulnerable.
Note: Control-plane ACLs were first introduced in software version 8.0(2). The control-plane ACLs are
not enabled by default.
The show version command-line interface (CLI) command can be used to determine if a vulnerable
version of the Cisco PIX or Cisco ASA software is running. The following example shows a Cisco ASA
Security Appliance that runs software release 8.0(2):
ASA# show version
Cisco Adaptive Security Appliance Software Version 8.0(2)

Device Manager Version 6.0(1)
4-468
OL-25941-01
Chapter 4

[...]
Customers who use the Cisco Adaptive Security Device Manager (ASDM) to manage their devices can
find the version of the software displayed in the table in the login window or in the upper left corner of
the ASDM window.

Impact
Successful exploitation of the this vulnerabilities may cause a reload of the affected device. Repeated
exploitation could result in a sustained Denial-of-Service (DoS) condition.
Suggested Fix
PIX Crafted TCP ACK Packet Vulnerability - 105444 [PIX, ASA]

Description
Security Appliances.This security advisory outlines details of the vulnerability:
Crafted TCP ACK Packet Vulnerability
The Crafted TCP ACK Packet Vulnerability may lead to a denial of service (DoS) condition.

References

Rule 1
Rule
PSIRT- 105444 : Verify Crafted TCP ACK Packet Vulnerability [PIX, ASA]
Description

Cisco ASA and Cisco PIX devices are affected by a crafted TCP acknowledgment (ACK) packet
vulnerability. Software versions prior to 7.1(2)70 on the 7.1.x release, 7.2(4) on the 7.2.x release, and
8.0(3)10 on the 8.0.x release are affected. Cisco ASA or Cisco PIX security appliances running software
version 7.0.x, or 8.1.x are not vulnerable.
Cisco ASA and Cisco PIX devices running versions 7.1.x and 7.2.x with WebVPN, SSL VPN, or ASDM
enabled are affected by this vulnerability. Devices running software versions on the 8.0 release that are
configured for Telnet, Secure Shell (SSH), WebVPN, SSL VPN, or ASDM enabled are affected by this
vulnerability.

OL-25941-01
4-469
Chapter 4

Impact
Suggested Fix

As a workaround and best practice allow Telnet, SSH, and ASDM connections from only trusted hosts
in your network.
Additionally, filters that deny TCP ports 22, 23, 80, and 443 packets may be deployed throughout the
network as part of a transit ACL (tACL) policy for protection of traffic which enters the network at
ingress access points. This policy should be configured to protect the network device where the filter is
applied and other devices behind it. Filters for packets using TCP ports 22, 23, 80, and 443 should also
be deployed in front of vulnerable network devices so that traffic is only allowed from trusted clients.
Additional information about tACLs is available in "Transit Access Control Lists : Filtering at Your
Edge":
PIX Crafted TLS Packet Vulnerability - 105444 [PIX, ASA]

Description
A vulnerability exists in the Cisco ASA 5500 Series Adaptive Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco PIX Security Appliances. This security advisory outlines details of the
vulnerability:
Crafted TLS Packet Vulnerability
The Crafted TLS Packet Vulnerability may lead to a denial of service (DoS) condition.

References

Rule 1
Rule
PSIRT- 105444 : Verify Crafted TLS Packet Vulnerability [PIX, ASA]

Description
Crafted TLS Packet Vulnerability
4-470
OL-25941-01
Chapter 4

Cisco ASA and Cisco PIX devices are affected by a crafted TLS request vulnerability if the HTTPS
server on the Cisco ASA or Cisco PIX device is enabled and is running software versions prior to 8.0(3)9
on the 8.0.x release or prior to version 8.1(1)1 on the 8.1.x release. Cisco ASA and Cisco PIX appliances
running software versions 7.x are not vulnerable.

Impact
Suggested Fix

Description
PIX Private Link is an optional feature that can be installed in Cisco PIX firewalls. PIX Private Link
creates IP virtual private networks over untrusted networks, such as the Internet, using tunnels encrypted
with Data Encryption Standard (DES). PIX Private Link in versions up to 4.1 uses DES in ECB
("electronic codebook") mode.
An error in parsing of configuration file commands reduces the effective key length for the PIX Private
Link DES encryption to 48 bits from the nominal 56 bits.

References

Rule 1
Rule
PIX PSIRT- 23886 : Verify for private link crypto Vulnerabilities [PIX, ASA]
Description
This vulnerability has been assigned Cisco bug ID CSCdk11848. The use of ECB mode is Cisco bug ID
CSCdj23353.

OL-25941-01
4-471
Chapter 4
Impact
If attackers know the details of the key-parsing error in the PIX Private Link software, they will know
8 bits of the key ahead of time. This reduces the effective key length from the attacker's point of view
from 56 to 48 bits. This reduction of the effective key length reduces the work involved in a brute-force
attack on the encryption by a factor of 256. That is, knowledgeable attackers can, on the average, find
the right key 256 times faster than they would be able to find it with a true 56-bit key.
In addition to this key-length issue, some customers have expressed concern over the use of DES ECB
mode for PIX Private Link encryption. Although the use of ECB mode is intentional, ECB is not
generally considered to be the best mode in which to employ DES, because it tends to simplify certain
forms of cryptanalysis and may permit certain replay attacks. Technical details of the relative merits of
various encryption modes are beyond the scope of this document. Any interested reader should refer to
a good cryptography text for more information, such as Bruce Schneier's Applied Cryptography.
Suggested Fix
There is no workaround is available for this vulnerability and user needs upgrade the PIX OS.

Description

References

Rule 1
Rule
PIX PSIRT- 91890 : Verify For Vulnerabilities In Crypto Library [PIX, ASA]
Description
4-472
OL-25941-01
Chapter 4



Impact
Successful exploitation of the vulnerability listed in this advisory may result in the crash of a vulnerable
device. Repeated exploitation can result in a sustained DoS attack.
Suggested Fix
The only way to prevent a device being susceptible to the listed vulnerabilities is to disable the affected
service(s). However, if regular maintenance and operation of the device relies on these services then
It is possible to mitigate these vulnerabilities by preventing unauthorized hosts to access the affected
in the Cisco Applied Intelligence companion document.
PIX DoS - 13635 [PIX, ASA]

Description
The Cisco Secure PIX Firewall AAA authentication feature, introduced in version 4.0, is vulnerable to
a Denial of Service (DoS) attack initiated by authenticating users on the system. This vulnerability
affects specific configurations and has been resolved in released versions of the PIX Firewall.
This vulnerability has been assigned Cisco bug ID CSCdt92339.
In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT
PGP key and is posted to the following e-mail and Usenet news recipients.
cust-security-announce@cisco.com
bugtraq@securityfocus.com
firewalls@lists.gnac.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
cisco-nsp@puck.nether.net
comp.dcom.sys.cisco
Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not
be actively announced on mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

OL-25941-01
4-473
Chapter 4
References

Rule 1
Rule
PIX PSIRT- 13635 : Verify for AAA authentication DoS Vulnerability [PIX, ASA]
Description
When AAA authentication services are configured on the Cisco Secure PIX Firewall, it is possible for a
single source address to consume all of the authentication resources, preventing other legitimate users
from authenticating. This is a denial of service strictly for the authentication resources; other established
traffic continues unaffected, and only new authentication requests are prevented.
This vulnerability has been resolved in the recent versions of the PIX Firewall by creating a maximum
limit of three open authentication requests per user.
Cisco Bug ID CSCdv09731 amends this limitation to allow system administrators to modify this limit,
depending on their network requirements.

Impact
This issue causes a PIX Firewall to be vulnerable to a DoS attack in which the availability of the unit is
degraded. This does not result in a loss in confidentiality or in loss of integrity of the traffic being
filtered.
Suggested Fix
No known workarounds. Upgrade the software version.
PIX Device Reload with SIP Inspection Vulnerability - 107475 [PIX, ASA]
Description
Device reload possible when SIP inspection is enabled exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances that may result in a reload of the device or
disclosure of confidential information.

References

4-474
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT- 107475 : Verify Device Reload with SIP Inspection Vulnerability [PIX, ASA]
Description
Device reload possible when SIP inspection is enabled

device.
asa#

Impact
Suggested Fix
PIX Enhanced inspection of Malformed HTTP traffic - 77853 [PIX, ASA]

Description
Vulnerability is found in Cisco PIX 500 Series Security Appliances and the Cisco ASA 5500 Series
Adaptive Security Appliances that affects enhanced inspection of malformed Hypertext Transfer
Protocol (HTTP) traffic.

OL-25941-01
4-475
Chapter 4
References

Rule 1
Rule
PIX PSIRT- 77853 : Verify Enhanced inspection of Malformed HTTP traffic [PIX, ASA]
Description
Cisco PIX and ASA Security Appliances may crash when inspecting a malformed HTTP request when
enhanced HTTP inspection is enabled. If enhanced HTTP application inspection is enabled your
configuration will contain a line like "inspect http " where is the name of a specific HTTP map. Please
note that regular HTTP inspection (configured via the command "inspect http" without an HTTP map)
is not affected by this vulnerability. This vulnerability affects only 7.x

Impact
Successful exploitation of the first three vulnerabilities listed in this Advisory may crash the affected
device. Repeated exploitation can result in a sustained DoS attack. Successful exploitation of
CSCsh33287 can result in the escalation of user privileges and complete compromise of the affected
Cisco PIX and ASA Appliances.
Suggested Fix
Disabling HTTP application inspection (appfw) will prevent Cisco PIX and ASA Appliances from being
vulnerable to the issue listed in this Advisory. By leaving inspect http statement configured, some level
of protection for the end devices (for example, computers protected by Cisco PIX and ASA Appliance)
will remain. However, since this level of inspection is less granular, it may have negative impact on
devices terminating HTTP sessions. Devices which terminate HTTP sessions may be exposed to packets
that may cause these devices to crash or become compromised.
PIX FTP - 13638 [PIX, ASA]

Description
The Cisco Secure PIX Firewall interprets FTP (File Transfer Protocol) commands out of context and
inappropriately opens temporary access through the firewall. This is an interim notice describing two
related vulnerabilities.
The first vulnerability is exercised when the firewall receives an error message from an internal FTP
server containing an encapsulated command such that the firewall interprets it as a distinct command.
This vulnerability can be exploited to open a separate connection through the firewall. This vulnerability
is documented as Cisco Bug ID CSCdp86352.
The second vulnerability is exercised when a client inside the firewall browses to an external server and
selects a link that the firewall interprets as two or more FTP commands. The client begins an FTP
connection as expected and at the same time unexpectedly executes another command opening a separate
connection through the firewall. This vulnerability is documented as Cisco Bug ID CSCdr09226.
4-476
OL-25941-01
Chapter 4

Either vulnerability can be exploited to transmit information through the firewall without authorization.
Both vulnerabilities are addressed more completely in this updated interim security advisory.

References

Rule 1
Rule
PIX PSIRT- 13638: Verify FTP Vulnerability[PIX, ASA]

Description
The first vulnerability has been assigned Cisco bug ID CSCdp86352. The second vulnerability has been
assigned Cisco bug ID CSCdr09226.
The behavior is due to the command fixup protocol ftp [portnum], which is enabled by default on the
Cisco Secure PIX Firewall.
If you do not have protected FTP hosts with the accompanying configuration (configuration example
below) you are not vulnerable to the attack which causes a server to send a valid command, encapsulated
within an error message, and causes the firewall to read the encapsulated partial command as a valid
command (CSCdp86352).
To exploit this vulnerability, attackers must be able to make connections to an FTP server protected by
the PIX Firewall. If your Cisco Secure PIX Firewall has configuration lines similar to the following:
fixup protocol ftp 21
and either
conduit permit tcp host 192.168.0.1 eq 21 any
or
conduit permit tcp 192.168.0.1 255.255.255.0 eq 21 any
It is possible to fool the PIX stateful inspection into opening up arbitrary TCP ports, which could allow
attackers to circumvent defined security policies.
If you permit internal clients to make arbitrary FTP connections outbound, you may be vulnerable to the
second vulnerability (CSCdr09226). This is an attack based on CERT advisory CA-2000-02: Malicious
HTML Tags Embedded in Client Web Requests http://www.cert.org/advisories/CA-2000-02.html.
The recommendation in the workarounds section of this document will provide protection against this
vulnerability.

OL-25941-01
4-477
Chapter 4
Impact
Any Cisco Secure PIX Firewall that has enabled the fixup protocol ftp command is at risk of
unauthorized transmission of data through the firewall.
Suggested Fix
Disable ftp protocol inspection by using "no fixup protocol ftp" CLI on the vulnerable device.
PIX Firewall Unintentional Password Modification - 70811 [PIX, ASA]

Description
Certain versions of the software for the Cisco PIX 500 Series Security Appliances, the Cisco ASA 5500
Series Adaptive Security Appliances (ASA), and the Firewall Services Module (FWSM) are affected by
a software bug that may cause the EXEC password, passwords of locally defined usernames, and the
enable password in the startup configuration to be changed without user intervention.
Unauthorized users can take advantage of this bug to try to gain access to a device that has been reloaded
after passwords in its startup configuration have been changed. In addition, authorized users can be
locked out and lose the ability to manage the affected device.
Cisco has made free software available to address this issue for affected customers.

References

Rule 1
Rule
PIX PSIRT- 70811: Unintentional Password Modification Vulnerability in Cisco Firewall Products[PIX,
ASA]
Description
The Cisco PIX 500 Series Security Appliances, the Cisco ASA 5500 Series Adaptive Security
Appliances, and the Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Switches and Cisco
7600 Series Routers are part of Cisco's security portfolio. All of these products offer firewall services
with stateful packet filtering and deep packet inspection. The PIX and ASA devices also offer other
services like Virtual Private Networking (VPN), Content Filtering, and Intrusion Prevention.
On these devices, authentication for both EXEC mode and enable mode can be performed based on
Authentication, Authorization, and Accounting (AAA) methods (Remote Authentication Dial-In User
Service [RADIUS], Terminal Access Controller Access Control System Plus [TACACS+], or LOCAL).
If a device does not have any AAA method (i.e., RADIUS, TACACS+, or LOCAL) configured,
authentication for EXEC mode is performed using the password configured with the passwd command,
and authentication for enable mode is performed using the password configured with the enable
password command.
4-478
OL-25941-01
Chapter 4

A software bug exists in certain versions of the software used by these devices that may cause, under
some circumstances, the EXEC password, passwords of locally defined users, and the enable password
that are stored in the startup configuration to be changed without user intervention. The startup
configuration is stored in a non-volatile medium such as flash memory.
The affected passwords are set using the following configuration commands:
passwd - configures the EXEC password. For example:
pix(config)# passwd xxxxxxxxx
username - configures local users and their associated passwords. For example:
pix(config)# username admin password xxxxxxxx
enable password - configures the password used to enter enable mode. For example:
pix(config)# enable password xxxxxxxx

OL-25941-01
4-479
Chapter 4
The software bug is known to be triggered in only two scenarios:
A software crash, normally caused by a software bug. Please note that not all software crashes may
cause the undesired results discussed above.
Two or more users making concurrent configuration changes on a device, regardless of the method
(command-line interface [CLI], Adaptive Security Device Manager [ASDM], Firewall Management
Center, etc.) used to access the device.
Please note that the passwords in the startup configuration will be changed when the configuration is
saved, to the non-volatile medium where the startup configuration is stored, via the write memory or
copy running-config startup-config commands. During normal operation, if the running configuration
is not saved, passwords in the startup configuration will not change.
Once the passwords in the startup configuration are changed, administrators will be locked out after the
next device reload if authentication for EXEC and for enable privilege depends on the passwords or local
accounts stored in the startup configuration. If a AAA server (RADIUS or TACACS+) is used for
authentication, the change of passwords in the startup configuration will only cause the undesired results
when the AAA server is unavailable, regardless of whether the "LOCAL" authentication method is
configured as a fallback, e.g. aaa authentication enable console RADIUS LOCAL.
Passwords are changed to a non-random value. This behavior is not due to a hardcoded default password
or other explicitly induced set of password values, but rather the result of a coding error related to
configuration parsing.
Devices configured in multiple context mode are also affected by this software bug.

Impact
The software issue may cause the EXEC password, password of locally defined users, and the enable
password in the startup configuration to change without user's intervention. This will prevent
administrators from logging in to the device if authentication is configured to use the passwords stored
in the startup configuration.
If a malicious user were able to guess the new password, and the device reloads, either automatically
because of a software crash, or manually by the network administrator, unauthorized access to the device
may be possible.
Suggested Fix
Configuring authentication against an external RADIUS/TACACS+ server, per network security best
practices, mitigates this issue.
If the passwords in the startup configuration have been modified as a result of software crash or
concurrent configuration update, the administrators will need to perform a password recovery procedure,
unless external AAA authentication is configured.
4-480
OL-25941-01
Chapter 4

The password recovery procedure for the PIX and the ASA is documented at the following URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_password_recovery09186a00800
9478b.shtml
In addition, it is possible to limit the exposure of the firewall device by permitting remote connections
only from known, trusted IP addresses. This is accomplished via the ssh, telnet, and http commands for
Secure Shell (SSH), Telnet, and Secure Hyper-Text Transfer Protocol (HTTPS) access, respectively.
In the case of the FWSM, please note that remote access to it can also be obtained via the Cisco Catalyst
6500 switch or Cisco 7600 Series router that hosts the FWSM blade. For this reason, the switch or router
needs to be configured, using access control lists, to permit remote connections only from known, trusted
IP addresses.
PIX IPSec Client Authentication Processing Vulnerability - 107475 [PIX, ASA]

Description
IPSec Client Authentication Processing Vulnerability exist in the Cisco ASA 5500 Series Adaptive

References

Rule 1
Rule
PSIRT- 107475: Verfiy IPSec Client Authentication Processing Vulnerability[PIX, ASA]

Description
IPSec Client Authentication Processing Vulnerability

Cisco PIX and Cisco ASA devices that terminate remote access VPN connections are vulnerable to a
denial of service attack if the device is running software versions prior to 7.2(4)2, 8.0(3)14, and 8.1(1)4.
Cisco PIX and Cisco ASA devices that run software versions 7.0 and 7.1 are not affected by this
vulnerability .
A successful attack may result in a reload of the device.
Remote access VPN connections will have Internet Security Association and Key Management Protocol
(ISAKMP) enabled on an interface with the crypto command, such as: crypto isakmp enable outside.

OL-25941-01
4-481
Chapter 4
Impact
Successful exploitation of the IPSec Client Authentication Processing Vulnerability may result in the
device reloading. This can be repeatedly exploited and may lead to a denial of service attack.
Suggested Fix
Use strong group credentials for remote access VPN connections and do not give out the group
credentials to end users.
PIX ISAKMP - 28947 [PIX, ASA]

Description
The Cisco PIX Firewall provides robust, enterprise-class security services including stateful inspection
firewalling, standards-based IP Security (IPsec) Virtual Private Networking (VPN), intrusion protection
and much more in cost-effective, easy to deploy solutions.
Two vulnerabilities have been resolved for the PIX firewall for which fixes are available. These
vulnerabilities are documented as Cisco bug ID CSCdv83490 and CSCdx35823. There are no
workarounds available to mitigate the effects of these vulnerabilities.

References

Rule 1
Rule
PIX PSIRT- 28947: Verfiy ISAKMP Vulnerability[PIX, ASA]

Description
CSCdv83490
When a user establishes a VPN session upon successful peer and user authentication, the PIX creates an
ISAKMP SA associating the user and his IP address.
If an attacker is now able to block the logged-in user's connection and establish a connection to the PIX
using the same IP address as that of the user, he will be able to establish a VPN session with the PIX,
using only peer authentication, provided he already has access to the peer authentication key also known
as the group pre-shared key (PSK) or group password key.
CSCdx35823
A user starting a connection via FTP, Telnet, or over the World Wide Web (HTTP) is prompted for their
user name and password. If the user name and password are verified by the designated TACACS+ or
RADIUS authentication server, the PIX Firewall unit will allow further traffic between the
authentication server and the connection to interact independently through the PIX Firewall unit's
"cut-through proxy" feature.
4-482
OL-25941-01
Chapter 4

The PIX may crash and reload due to a buffer overflow vulnerability while processing HTTP traffic
requests for authentication using TACACS+ or RADIUS.
These vulnerabilities are documented in the Bug Toolkit as Bug IDs CSCdv83490 and CSCdx35823, and
can be viewed after 2002 November 21 at 1600 UTC. To access this tool, you must be a registered user
and you must be logged in.

Impact
.
DDTsDescription
Impact
CSCdv83490While processing initial contact
notify messages the PIX does not delete duplicate Man-In-The-Middle attack for VPN sessions to
ISAKMP SA's with the peer.
the PIX.
CSCdx35823 - Buffer overflow while doing
HTTP traffic authentication using TACACS+ or
RADIUS.

Denial-of-Service attack.
Suggested Fix
There is no workaround for this vulnerability. The Cisco PSIRT recommends that affected users upgrade
to a fixed software version of code.
PIX Inspection of a stream of malformed TCP packets - 77853 [PIX, ASA]

Description
Adaptive Security Appliances that affects inspection of a stream of malformed Transmission Control
Protocol (TCP) packets.

References

Rule 1
Rule
PIX PSIRT- 77853: Verfiy Inspection of a stream of malformed TCP packets [PIX, ASA]

OL-25941-01
4-483
Chapter 4
Description
By processing a stream of malformed packet in a TCP-based protocol Cisco PIX and ASA Appliances
may crash. Processing of the protocol must be done by inspect feature. The packets can be addressed to
the device itself or just transiting it.

Impact
Successful exploitation of the vulnerability described in this advisory will result in a reload of the
Suggested Fix
The workaround is to increase the minimum TCP segment size (MSS) to 64. This is accomplished with
a global sysopt command: sysopt connection tcpmss minimum 64
PIX Inspection of malformed SIP packets - 77853 [PIX, ASA]

Description
Adaptive Security Appliances that affects inspection of malformed Session Initiation Protocol (SIP)
packets.

References
Rule 1
Rule
PIX PSIRT- 77853: Verfiy Inspection of malformed SIP packets [PIX, ASA]
Description
The inspection of a malformed SIP packet may crash Cisco PIX and ASA appliances. In order to trigger
this vulnerability, SIP fixup (for 6.x software) or inspect (for 7.x software) feature must be enabled. SIP
fixup (in 6.x and earlier) and SIP inspection (in 7.x and later) are enabled by default. Note that SIP can
use TCP and UDP as transport protocol. When UDP protocol is used, spoofing SIP messages is possible
4-484
OL-25941-01
Chapter 4

Impact
Successful exploitation of the first three vulnerabilities listed in this Advisory may crash the affected
device. Repeated exploitation can result in a sustained DoS attack. Successful exploitation of
CSCsh33287 can result in the escalation of user privileges and complete compromise of the affected
Cisco PIX and ASA Appliances.
Suggested Fix
Disabling SIP inspection will prevent Cisco PIX and ASA Appliances from being vulnerable to the issue
listed in this Advisory. However, this may have a negative impact on end devices terminating SIP
sessions. Devices which terminate SIP sessions could be exposed to packets that may cause these devices
to crash or become compromised. If you run a 7.x software release, the alternative is to only allow traffic
from trusted hosts. The configuration needed to accomplish this is as follows:
access-list sip-acl extended permit udp 10.1.1.0 255.255.255.0 host 192.168.5.4 eq sip
access-list sip-acl extended permit udp host 192.168.5.4 10.1.1.0 255.255.255.0 eq sip
class-map sip-traffic
match access-list sip-acl
!
!
class inspection_default inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras inspect rsh inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
class sip-traffic
inspect sip
!
In this example, the SIP endpoints are any host within the 10.1.1.0 network (inside the trusted network)
and a host with the IP address of 192.168.5.4 (outside of the trusted network). You have to substitute
these IP addresses with the ones that are used in your network Note that SIP is an UDP-based protocol,
so spoofing SIP messages is possible.4

OL-25941-01
4-485
Chapter 4
PIX Instant Message Inspection Vulnerability - 105444 [PIX, ASA]

Description
Security Appliances. This security advisory outlines details of the vulnerability:
Instant Messenger Inspection Vulnerability
The Instant Messenger Inspection Vulnerability may lead to a denial of service (DoS) condition.

References
Rule 1
Rule
PSIRT- 105444: Verfiy Instant Message Inspection Vulnerability [PIX, ASA]

Description
Cisco ASA and Cisco PIX devices are affected by a crafted packet vulnerability if Instant Messaging
Inspection is enabled and the device is running software versions prior to 7.2(4) on the 7.2.x release,
8.0(3)10 on the 8.0.x release, or 8.1(1)2 on the 8.1.x release. Devices running software versions in the
7.0.x and 7.1.x releases are not vulnerable. Additionally, devices that do not have Instant Messaging
Inspection enabled are not vulnerable.
Note: Instant Messaging Inspection is disabled by default.

Impact
Suggested Fix
The only workaround for this vulnerability is to disable IM inspection on the security appliance.
PIX LDAP Authentication Bypass - 82451 [PIX, ASA]

Description
The Lightweight Directory Access Protocol (LDAP) authentication bypass vulnerabilities are caused by
a specific processing path followed when the device is setup to use a Lightweight Directory Access
Protocol (LDAP) authentication server. These vulnerabilities may allow unauthenticated users to access
either the internal network or the device itself.
4-486
OL-25941-01
Chapter 4


References
Rule 1
Rule
PIX PSIRT- 82451: Verfiy PIX LDAP Authentication bypass vulnerability [PIX, ASA]
Description
The Lightweight Directory Access Protocol (LDAP) authentication bypass vulnerabilities are caused by
a specific processing path followed when the device is setup to use a Lightweight Directory Access
Protocol (LDAP) authentication server. These vulnerabilities may allow unauthenticated users to access
either the internal network or the device itself. Devices configured to use a LDAP authentication server
and use an authentication protocol other than PAP may be vulnerable. The LDAP server is specified in
the configuration via the aaa-server ldap server host <ip address> command line interface (CLI)
configuration command. The authentication protocol is specified via the authentication <protocol>
command within the tunnel-group <tunnel-group> ppp-attributes section of the configuration.

OL-25941-01
4-487
Chapter 4
Impact
Cisco ASA and PIX devices leveraging LDAP AAA servers for authentication of terminating L2TP
IPSec tunnels or remote management sessions may be vulnerable to an authentication bypass attack. See
the following bullets for more details:
Layer 2 Tunneling Protocol (L2TP) Devices terminating L2TP IPSec tunnels must be configured to
use LDAP in conjunction with CHAP, MS-CHAPv1, or MS-CHAPv2 authentication protocols to be
vulnerable. If LDAP authentication is used in conjunction with PAP, the device is not vulnerable to
the LDAP L2TP authentication bypass.
Remote Management Access

Cisco ASA and PIX devices leveraging LDAP AAA servers for authentication of management
sessions (telnet, SSH and HTTP) may be vulnerable to an authentication bypass attack. Access for
management sessions must be explicitly enabled and is limited to the defined source IP address
within the device configuration.
Suggested Fix
The following workarounds may be a useful reference for some customers to mitigate the LDAP
authentication bypass vulnerabilities.
L2TP
For Cisco ASA or PIX devices configured to use a LDAP authentication server for L2TP over IPSec
connections, configuring the device to use PAP as an authentication protocol may mitigate this
vulnerability. It is important to note that PAP transmits passwords in clear-text. PAP authentication is
encrypted via IPSec when it is used for the L2TP connection. Communications between the security
appliance and the LDAP server are not encrypted by default and can be secured with SSL using the
ldap-over-ssl command. Configuration of PAP authentication can be done using the following example
as a guide or by referring to the security appliance configuration guides listed:
ciscoasa#configure terminal
ciscoasa(config)#tunnel-group l2tp_group ppp-attributes
ciscoasa(config-ppp)#authentication pap
ciscoasa(config-ppp)#no authentication ms-chap-v1
ciscoasa(config-ppp)#no authentication ms-chap-v2
ciscoasa(config-ppp)#no authentication chap
Remote Management Cisco ASA or PIX devices that authenticate remote management sessions with
either the local database or an AAA server other than a LDAP server are not affected by this
vulnerability. More information on changing the AAA server protocol used with remote
management sessions is available at the following link:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgac
cess.htm. Remote management sessions must be explicitly enabled before the Cisco ASA or PIX
will accept sessions. The source IP addresses are defined within the command that enables remote
management access.
4-488
OL-25941-01
Chapter 4

Below are examples of enabling remote management sessions (Note that other commands are
required, but these commands control the source IP address of the device that is allowed access to
the Cisco ASA or PIX device): For remote telnet, ssh and http access:
ciscoasa(config)#telnet source_IP_address mask source_interface
ciscoasa(config)#ssh source_IP_address mask source_interface
ciscoasa(config)#http source_IP_address mask source_interface
PIX Mailgaurd - 13636 [PIX, ASA]

Description
The Cisco Secure PIX firewall feature "mailguard," which limits SMTP commands to a specified
minimum set of commands, can be bypassed.
This vulnerability can be exploited to bypass SMTP command filtering.
This vulnerability has been assigned Cisco bug ID CSCdr91002 and CSCds30699.
A new aspect of this vulnerability has been assigned Cisco bug ID CSCds38708.
comp.dcom.sys.cisco

References
Rule 1
Rule
PIX PSIRT- 13636: Verfiy mailgaurd vulnerability [PIX, ASA]

OL-25941-01
4-489
Chapter 4
Description
The behavior is a failure of the command fixup protocol smtp [portnum], which is enabled by default
on the Cisco Secure PIX Firewall.
If you do not have protected Mail hosts with the accompanying configuration (configuration example
below) you are not affected by this vulnerability.
To exploit this vulnerability, attackers must be able to make connections to an SMTP mail server
protected by the PIX Firewall. If your Cisco Secure PIX Firewall has configuration lines similar to the
following:
fixup protocol smtp 25
and either
or
or
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
The expected filtering of the Mailguard feature can be circumvented by an attacker.


Impact
The Mailguard feature is intended to help protect weakly secured mail servers. The workaround for
this issue is to secure the mail servers themselves, or upgrade to fixed PIX firewall code.
In order to exploit this vulnerability, an attacker would need to also exploit the mailserver that is
currently protected by the PIX. If that server is already well configured, and has the latest security
patches and fixes from the SMTP vendor, that will minimize the potential for exploitation of this
vulnerability.
Suggested Fix
There is not a direct work around for this vulnerability. The potential for exploitation can be lessened by
ensuring that mail servers are secured without relying on the PIX functionality
PIX Multiple SSH Vulnerabilities - 8118 [PIX, ASA]

Description
session key.
4-490
OL-25941-01
Chapter 4

References
Rule 1
Rule
PIX PSIRT- 8118: Verfiy PIX Multiple SSH Vulnerabilities [PIX, ASA]
Description
CRC-32 integrity check vulnerability -- This vulnerability has been described in a CORE SDI
S.A. paper entitled "An attack on CRC-32 integrity checks of encrypted channels using CBC and
CFB modes". In order for this attack to succeed, an attacker must possess one or two known
ciphertext/plaintext pairs. This should not be difficult since every session starts with a greeting
screen which is fixed and which can be determined. This also implies that an attacker must be
somewhere along the session path in order to be able to sniff the session and collect corresponding
ciphertext. While fixing this vulnerability, we have not made the implementation mistake described
by VU#945216 (see http://www.kb.cert.org/vuls/id/945216) which is being actively exploited.
Designer. It can be found at: http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt,
and is entitled "Passive Analysis of SSH (Secure Shell) Traffic". To exploit this vulnerability, an
attacker must be able to capture packets. When sending a packet using the SSH protocol, it is padded
to the next 8-byte boundary, but the exact length of the data (without the padding) is sent
unencrypted. The timing between packets may yield additional information, such as the relative
position of a letter on the keyboard, but that depends on overall jitter in the network and the typing
habits of the person. For additional information, please see
describing it can be viewed at http://www.securityfocus.com/archive/1/161150. The subject line is
"SSH protocol 1.5 session key recovery vulnerability". In order to exploit this vulnerability, an
attacker must be able to sniff the SSH session and be able to establish a connection to the SSH server.
In order to recover the server key, an attacker must perform an additional 2^20+2^19=1572864
connections. Since the key has a lifespan of about an hour, this means that an attacker must perform
around 400 connections per second. For further details, please see
http://www.securityfocus.com/archive/1/161150.

Impact
brute force attack.

OL-25941-01
4-491
Chapter 4
form.
Suggested Fix
PIX OpenSSL Implementation DoS Vulnerability - 45643 [PIX, ASA]

Description
be vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a
client. The network device may be vulnerable to this vulnerability even if it is configured to not
authenticate certificates from the client.
. See "SSL Implementation Vulnerabilities." at Cisco Security Advisories website

References
Rule 1
Rule
PIX PSIRT- 45643: Verfiy SSL Implementation Vulnerabilities [PIX, ASA]

Description
vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client.
The network device is vulnerable to this vulnerability even if it is configured to not authenticate
certificates from the client.

Impact
vulnerable to a Denial of Service (DoS) attack when presented with a malformed certificate by a client
regardless of whether it is configured to process client certificates or not.
Suggested Fix
it is available.
4-492
OL-25941-01
Chapter 4

platforms.
Cisco SIP Proxy Server (SPS) - Disable SSL/TLS functionality. One can do this using the Provisioning
GUI. Log in, then select Farm/Proxies from the Configuration options. Select Advanced, and then the
SIP Server Core tab. Turn the Enable TLS directive to Off.
PIX OpenSSL Implementation Vulnerability - 49898[PIX, ASA]

Description
be vulnerable to a Denial of Service (DoS) attack.. See "Cisco OpenSSL Implementation Vulnerability."
at Cisco Security Advisories website

References
Rule 1
Rule
PIX PSIRT- 49898: Verfiy OpenSSL Implementation Vulnerability [PIX, ASA]

Description
Secure Sockets Layer (SSL), is a protocol used to encrypt the data transferred over a TCP session. SSL
in Cisco products is mainly used by the HyperText Transfer Protocol Secure (HTTPS) web service for
which the default TCP port is 443. The affected products, listed above, are only vulnerable if they have
the HTTPS service enabled and the access to the service is not limited to trusted hosts or network
management workstations. They are not vulnerable to transit traffic, only traffic that is destined to them
may exploit this vulnerability.
To check if the HTTPS service is enabled one can do the following:
1.
Check the configuration on the device to verify the status of the HTTPS service.
2.
Try to connect to the device using a standard web browser that supports SSL using a URL similar
to https://ip_address_of_device/.
3.
Try and connect to the default HTTPS port, TCP 443, using Telnet. telnet ip_address_of_device
443. If the session connects the service is enabled and accessible.

OL-25941-01
4-493
Chapter 4
Impact
vulnerable to a Denial of Service (DoS) attack.
Suggested Fix
it is available.
platforms.
PIX Potential Information Disclosure in Clientless VPNs - 107475 [PIX, ASA]

Description
Potential Information Disclosure in Clientless VPNs exist in the Cisco ASA 5500 Series Adaptive

References
Rule 1
Rule
PSIRT- 107475: Verfiy Potential Information Disclosure in Clientless VPNs Vulnerability [PIX, ASA]
4-494
OL-25941-01
Chapter 4

Description
Potential Information Disclosure in Clientless VPNs

Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to potential
information disclosure if the device is running affected 8.0 or 8.1 software versions. Cisco ASA devices
running software versions 7.0, 7.1, or 7.2 are not affected by this vulnerability. Cisco ASA devices the
run software versions prior to 8.0(3)15 and 8.1(1)4, or after 8.0(3)16 and 8.1(1)5 are also not affected
by this vulnerability
On Cisco ASA devices configured to terminate clientless VPN connections, an attacker may be able to
discover potentially sensitive information such as usernames and passwords. This attack requires an
attacker to convince a user to visit a rogue web server, reply to an e-mail, or interact with a service to
successfully exploit the vulnerability.
Cisco ASA devices running software versions 8.0 or 8.1 with clientless VPNs enabled may be affected
by this vulnerability. Cisco ASA devices running that run software versions 7.0, 7.1, or 7.2 are not
vulnerable to this vulnerability.
Clientless SSL VPN connections are enabled via the webvpn command. For example, the following
configuration shows a Cisco ASA device with Clientless VPNs configured and enabled. In this case the
Cisco ASA device will listen for VPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
Note that with this particular configuration, the device is vulnerable to attacks coming from the outside
interface due to the enable outside command within the webvpn group configuration.

Impact
The Potential Information Disclosure in Clientless SSL VPNs vulnerability may allow an attacker to
obtain user and group credentials if the user interacts with a rogue system or document.
Suggested Fix
Client based VPN connections are not vulnerable to the information disclosure vulnerability. If you are
running 8.0(3)15, 8.0(3)16, 8.1(1)4, or 8.1(1)5, you may safely use client based VPN connections as an
alternative to clientless VPNs.
PIX Privilege escalation - 77853 [PIX, ASA]

Description
Adaptive Security Appliances that affects privilege escalation.

OL-25941-01
4-495
Chapter 4
References
Rule 1
Rule
PIX PSIRT- 77853: Verfiy Privilege escalation [PIX, ASA]

Description
Using the LOCAL method for user authentication may result in privilege escalation. In order to exploit
this vulnerability, a user must be defined in the local database with a privilege of zero and be able to
successfully authenticate to the affected device. Only if these conditions are met can the user escalate
assigned privileges to level 15 and become an administrator. After that, the user can change every aspect
of the configuration and operation of the device.A device is vulnerable to this issue if these lines are
present in the device's configuration:
pixfirewall(config)# aaa authentication enable console LOCAL
pixfirewall(config)# username xxxxx password xxxxxx privilege 0

Impact
Suggested Fix
There are two workarounds for this vulnerability. One consists of the use of TACACS+ or Radius for
authentication, and another is to change the minimum privilege of the user from zero to one. Use
TACACS+ or Radius for authentication Do not use the LOCAL method for user authentication, but use
TACACS+ or Radius instead. This example shows how to configure the Cisco PIX appliance to use
TACACS+ or Radius to authenticate Secure Shell (SSH) access to the device.
pixfirewall(config)#aaa-server AuthOutbound protocol radius (or tacacs+)
pixfirewall(config)#aaa authentication ssh console AuthOutbound
pixfirewall(config)#aaa-server AuthOutbound host 10.0.0.1 radius_key
In this example, 10.0.0.1 is the IP address of the Radius server and radius_key is the shared key between
the Radius server and the appliance. More information on how to configure TACACS+ or Radius on
Cisco PIX and ASA appliances can be found at
http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080734
9e7.shtml.
Changing user's minimum privilege level
The second workaround consists of the change of the user minimum privilege level from zero to
one.
4-496
OL-25941-01
Chapter 4

In that case, your configuration may look like this:

pixfirewall(config)# aaa authentication enable console LOCAL
pixfirewall(config)# username xxxxx password xxxxxx privilege 1
It is possible to use any other level as long as it is not zero or 15. If it is 15, the user has all privileges,
and that is what we want to avoid in the first place.
PIX SMTP - 15235 [PIX, ASA]

Description
The Cisco Secure PIX firewall feature "mailguard" which limits SMTP commands to a specified
minimum set of commands can be bypassed.
This vulnerability can be exploited to bypass SMTP command filtering.
This vulnerability has been assigned Cisco bug ID CSCdu47003.
comp.dcom.sys.cisco
Future updates of this advisory, if any, will be placed on Cisco's Worldwide Web server, but may or may
not be actively announced on mailing lists or newsgroups. Users concerned about this problem are

References
Rule 1
Rule
PIX PSIRT- 15235: Verfiy SMTP vulnerability [PIX, ASA]

Description
The behavior is a failure of the command fixup protocol smtp [portnum], which is enabled by default
on the Cisco Secure PIX Firewall. If you do not have protected Mail hosts with the accompanying
configuration (configuration example below) you are not vulnerable to the attack.

OL-25941-01
4-497
Chapter 4
To exploit this vulnerability, attackers must be able to make connections to an SMTP mail server
protected by the PIX Firewall. If your Cisco Secure PIX Firewall has configuration lines similar to the
following:
fixup protocol smtp 25
and either
or
or
access-list 100 permit tcp any host 192.168.0.1 eq 25
access-group 100 in interface outside
The expected filtering of the Mailguard feature can be circumvented by an attacker.

Impact
If the mail server itself is not properly secured, an attacker may be able to collect information about
existing e-mail accounts and aliases, or may be able to execute arbitrary code on the mail server. In order
to exploit this vulnerability, an attacker would need to also exploit the mailserver that is currently
protected by the PIX. If that server is already well configured, and has the latest security patches and
fixes from the SMTP vendor, that will minimize the potential for exploitation of this vulnerability.
Please note that Cisco strongly recommends that security on all servers, workstations and network
infrastructure gear is maintained as part of Standard Operating Procedures. Internet Firewalls do not
protect against risk factors internal to a Firewalled network such as social engineering, rogue internal
users or additional external access points to the internal network (i.e. modem pools or network fax
machines) and as such should not be viewed as the only security measure necessary to ensure network
integrity.
Suggested Fix
There is not a direct workaround for this vulnerability. The potential for exploitation can be lessened by
ensuring that mail servers are secured without relying on the PIX functionality
PIX SNMP - 19296 [PIX, ASA]

Description
service. In most cases, workarounds are available that may mitigate the impact. Some of these
vulnerabilities are identified by various groups as VU#617947, VU#107186, OUSPG #0100,
CAN-2002-0012, and CAN-2002-0013.
See Cisco non-IOS Malformed SNMP Message-Handling Vulnerability. at Cisco Security Advisories
website
4-498
OL-25941-01
Chapter 4

References
Rule 1
Rule
PIX PSIRT- 19296: Verfiy For Vulnerabilities In Malformed SNMP Message-Handling [PIX, ASA]
Description
Malformed SNMP messages received by affected systems can cause various parsing and processing
functions to fail, which may result in a system crash and reload (or reboot) in most circumstances. Some
Cisco products may not reload but will become unresponsive instead. Some of the affected products are
not directly vulnerable to malformed SNMP messages, but fail under extended testing or large volumes
of SNMP messages due to memory leaks or other unrelated problems.

Impact
The vulnerabilities can be exploited to produce a Denial of Service (DoS) attack. When the
vulnerabilities are exploited, they can cause an affected Cisco product to crash and reload.
address spoofing which could be used to circumvent the access control mechanisms.
If an attacker is able to guess or otherwise obtain a read-only community string for an affected device,
then he or she could bypass SNMP access control relying on the community string.
Suggested Fix
Customers should review configuration for lines such as the following: snmp-server host outside
ip-address which would permit SNMP queries from the unprotected interface. If they find these
commands in the configuration, they should carefully evaluate the necessity for them and the protection
offered by other devices upstream to ensure that spoofing of the SNMP host cannot take place.
Disable SNMP. You can do this by removing all snmp-server host commands.
no snmp-server host inside ip-address
no snmp-server host inside ip-address
no snmp-server location
no snmp-server contact
no snmp-server community community-string
no snmp-server enable traps
Note: Other PIX SNMP commands including the snmp-server community may still appear in the PIX
configuration after the no snmp-server host ... command has been executed.

OL-25941-01
4-499
Chapter 4
PIX SNMPv3 - 47284 [PIX, ASA]

Description
This advisory documents two vulnerabilities for the Cisco PIX firewall. These vulnerabilities are
documented as CSCeb20276 (SNMPv3) and CSCec20244 (VPNC).
There are workarounds available to mitigate the effects of CSCeb20276 (SNMPv3). No workaround is
available for CSCec20244 (VPNC).

References
Rule 1
Rule
PIX PSIRT- 47284: Verfiy SNMPv3 vulnerability[PIX, ASA]

Description
CSCeb20276 (SNMPv3)
The Cisco PIX firewall crashes and reloads while processing a received SNMPv3 message when
snmp-server host <if_name> <ip_addr> or snmp-server host <if_name> <ip_addr> poll is
configured on the Cisco PIX firewall. This happens even though the Cisco PIX firewall does not
support SNMPv3.
A Cisco PIX firewall configured to only generate and send traps using the snmp-server host
<if_name> <ip_addr> trap command is not vulnerable.
CSCec20244 (VPNC)
Under certain conditions an established VPNC IPSec tunnel connection is dropped if another IPSec
client attempts to initiate an IKE Phase I negotiation to the outside interface of the VPN Client
configured Cisco PIX firewall.
Only a Cisco PIX firewall configured as a VPN Client is vulnerable to this vulnerability. A device
reload of the VPN Client configured PIX is required to recover from this unstable state. No action
is required on the headend VPN concentrator.
A VPNC, also referred to as Easy VPN or ezVPN, connection is created when the Cisco PIX firewall
is used as a VPN client to connect to a VPN server. An IKE Phase I negotiation is a step in the
establishment of an IPSec session. CSCec20244 resolved this issue for the 6.2 (3.100) and later
software releases.
These vulnerabilities are documented in the CiscoBug Toolkit as Bug ID CSCeb20276 (SNMPv3) and
CSCec20244 (VPNC). To access this tool, you must be a registered user and you must be logged in.
4-500
OL-25941-01
Chapter 4

Impact
CSCeb20276 (SNMPv3)
This vulnerability can be exploited to initiate a Denial of Service attack on the Cisco PIX firewall.
CSCec20244 (VPNC)
This vulnerability can be exploited to initiate a Denial of Service attack on sessions established
between a Cisco PIX configured as a VPN Client and a VPN server.
Suggested Fix
Disable the SNMP server on the Cisco PIX firewall.
PIX SSH - 24862 [PIX, ASA]

Description
While fixing vulnerabilities mentioned in the Cisco Security Advisory: Multiple SSH Vulnerabilities
Cisco has inadvertently introduced an instability in some products. When an attacker tries to exploit the
enabled on the device.

References
Rule 1
Rule
PIX PSIRT- 24862: Verfiy Scanning For SSH Can Cause a Crash Vulnerability[PIX, ASA]
Description
While fixing the vulnerabilities an instability is introduced in some products. When exposed to an overly
large packet, the SSH process will consume a large portion of the processor's instruction cycles,
effectively causing a DoS. The capability to create such a packet is available in publicly available exploit
code. In some cases this availability attack may result in a reboot of the device. In order to be exposed
SSH must be enabled on the device.

Impact

OL-25941-01
4-501
Chapter 4
Suggested Fix

others.
PIX SSL VPN DOS - 82451 [PIX, ASA]

Description
The two DoS vulnerabilities may be triggered when devices are terminating Virtual Private Networks
(VPN). These denial of service vulnerabilities may allow an attacker to disconnect VPN users, prevent
new connections, or prevent the device from transmitting traffic.
Cisco ASAs using clientless SSL VPNs are vulnerable to a denial of service attack via the SSL VPN
HTTP server. A successful attack must exploit a race condition in the processing non-standard SSL
sessions and may result in a reload of the device.

References
Rule 1
Rule
PIX PSIRT -82541: Verify SSL VPN DOS Vulnerability [PIX, ASA]
Description

Impact
Suggested Fix
If clientless SSL VPNs are used, there is no workaround for the SSL VPN vulnerability. Client-based
VPNs are not affected, and may be used as an alternative to the clientless VPN connections.
4-502
OL-25941-01
Chapter 4

More information on configuring clientless SSL VPNs on the ASA is available in the configuration
example at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.sht
ml
PIX SSL VPN Memory Leak Vulnerability - 107475 [PIX, ASA]

Description
SSL VPN Memory Leak Vulnerability exist in the Cisco ASA 5500 Series Adaptive Security Appliances
and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of confidential
information.

References
Rule 1
Rule
PSIRT -107475: Verfiy SSL VPN Memory Leak Vulnerability [PIX, ASA}
Description
SSL VPN Memory Leak Vulnerability
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial
of service attack affecting the SSL processing software if the device is running a software version prior
to 7.2(4)2, 8.0(3)14, or 8.1(1)4. Cisco ASA devices that run software versions 7.0 and 7.1 are not
A crafted SSL or HTTP packet may cause a denial of service condition on a Cisco ASA device that is
configured to terminate clientless VPN connections. A successful attack may result in a reload of the
device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless SSL VPNs enabled may be affected
by this vulnerability. Devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside

OL-25941-01
4-503
Chapter 4

Impact
Successful exploitation of the SSL VPN Memory Leak Vulnerability may result in the device reloading.
This can be repeatedly exploited and may lead to a denial of service attack.
Suggested Fix
IPSec clients are not vulnerable to this issue and may be used in conjunction with strong group
credentials until the device can be upgraded.
PIX Scan Denial of Service Vulnerability - 105444 [PIX, ASA]

Description
Security Appliances.This security advisory outlines details of the vulnerability:
Vulnerability Scan Denial of Service
Vulnerability Scan Denial of Service may lead to a denial of service (DoS) condition.

References
Rule 1
Rule
PSIRT -105444: Verfiy Scan Denial of Service Vulnerability [PIX, ASA}

Description
Vulnerability Scan Denial of Service
Cisco ASA and Cisco PIX devices are affected by a vulnerability (port) scan denial of service
vulnerability if the device is running software versions prior to 7.2(3)2 on the 7.2.x release or 8.0(2)17
on the 8.0.x release. Cisco ASA and Cisco PIX devices running software versions 7.0.x, 7.1.x, or 8.1.x
are not vulnerable..
Impact
Suggested Fix
4-504
OL-25941-01
Chapter 4

PIX TCP Conn Reset - 50961 [PIX, ASA]

Description
transit traffic that is being routed by a router). In addition, the attack vector does not directly compromise
data integrity or confidentiality.

References
public forum, or recommendations to mitigate general problems affecting network stabilitY.
Rule 1
Rule
PIX PSIRT -50961: Verfiy TCP connection reset vulnerabilties [PIX, ASA]
Description
TCP is the transport layer protocol designed to provide connection-oriented reliable delivery of a data
stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to
identify the order in which the packets are to be reassembled. TCP also provides a number, called an
packets are reassembled by the receiving TCP implementation only if their sequence numbers fall within
a range of the acknowledgement number (called a "window"). The acknowledgement number is not used
in a packet with the reset (RST) flag set because a reset does not expect a packet in return.
Impact
The impact is different for each specific protocol. While, in the majority of cases, a TCP connection will
be automatically re-established, in some specific protocols a second order of consequences may have a
larger impact than tearing down the connection itself.
Suggested Fix
There are no workarounds available to mitigate the effects of this vulnerability. It is possible to mitigate
the exposure on this vulnerability by applying anti-spoofing measures on the edge of the network.

OL-25941-01
4-505
Chapter 4
PIX TCP Prevention - 68268 [PIX, ASA]

Description
TCP connections through the firewall may be silently blocked.


References
Rule 1
Rule
PIX PSIRT -68268: Verfiy TCP prevention vulnerabiltiy [PIX, ASA]

Description
TCP connections through the firewall may be silently blocked. By sending a TCP SYN packet with an
incorrect checksum through a PIX firewall, the PIX will block new TCP connections using the same
source and destination TCP ports and IP addresses. Connections will remain blocked for approximately
two minutes after which connections will be allowed. This behavior may be seen on all firewall
interfaces but can be expected to have the most impact on TCP connections originating from higher
security level interfaces to lower security level interfaces.
Since the spoofed packets have an incorrect checksum, they are silently discarded by the destination and
the firewall will not see a RST packet from either the destination or the legitimate source and will hold
the embryonic connection open until the embryonic connection timeout which is 2 minutes by default.
The root cause is due to the spoofed packet creating an embryonic connection which sets up the TCP
sliding window. A valid packet from a real host using the same connection as the spoofed packet sends
a SYN over the same connection. The sequence number of the valid packet is out-of-window and
rejected by the firewall's TCP sequence number check. Any subsequent retransmissions of the valid
packet are also out-of-window and are rejected by TCP sequence number check.
Other spoofed TCP SYN packets that create embryonic connections can also cause this behavior,
blocking legitimate TCP connections until the embryonic connection times out..
Impact
By sending a TCP SYN packet with an invalid checksum through a PIX firewall, the PIX will block new
TCP connections using the same source and destination TCP ports and IP addresses. Connections will
remain blocked until the embryonic connection timeout which is 30 seconds by default. Also, PIX
software version 6.3 does not verify the TCP checksum of packets transiting through the
firewall.Because the PIX does not verify the TCP checksum, the malformed TCP packet is allowed
through the firewall in a half-opened, embryonic state.
4-506
OL-25941-01
Chapter 4

Suggested Fix
Issuing the commands clear xlate or clear local-host will allow the firewall to pass connections again.
PIX TCP Reset - 13639 [PIX, ASA]

Description
The Cisco Secure PIX Firewall cannot distinguish between a forged TCP Reset (RST) packet and a
genuine TCP RST packet. Any TCP/IP connection established through the Cisco Secure PIX Firewall
can be terminated by a third party from the untrusted network if the connection can be uniquely
determined. This vulnerability is independent of configuration. There is no workaround.
This vulnerability exists in all Cisco Secure PIX Firewall software releases up to and including 4.2(5),
4.4(4), 5.0(3) and 5.1(1). The defect has been assigned Cisco bug ID CSCdr11711.
cisco-nsp@puck.nether.net
comp.dcom.sys.cisco

References
Rule 1
Rule
PIX PSIRT -13639: Verfiy TCP reset vulnerabiltiy [PIX, ASA]

OL-25941-01
4-507
Chapter 4
Description
When the Cisco Secure PIX Firewall receives a TCP Reset (RST) packet, it evaluates that packet based
on data contained in the TCP packet header: source IP address, source port, destination IP address, and
destination port. If these four values match an entry in the stateful inspection table, the associated
connection will be reset. This affects only TCP sessions. Data exchange based on any other protocol is
not affected.
To exploit this vulnerability, an attacker would need to have or infer:
Detailed knowledge of the connection table in the Cisco Secure PIX Firewall prior to launching the
attack, or
Detailed knowledge of the source and destination IP Address and ports associated with a particular
connection to be attacked
This particular vulnerability only affects the connection table (which keeps state regarding the
connections being made through the device). It does not affect the translation table (in which address
mappings are stored).
Cisco Secure PIX Firewall software has been fixed so that it now checks for a valid sequence number
before removing a connection from the connection state table.
Impact
Any Cisco Secure PIX Firewall that provides external access to the Internet and for which all of the
preceding conditions are met is vulnerable to the disruption of individual sessions.
Suggested Fix
There are no workarounds for this defect. Customers are urged to upgrade to the versions of code
containing the fix.
PIX Time-to-Live Vulnerability - 100314 [PIX, ASA]

Description
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the
Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This
vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL)
decrement feature is enabled. Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0028
has been assigned to this vulnerability.

References
4-508
OL-25941-01
Chapter 4

Rule 1
Rule
PIX PSIRT -100314: Verfiy Time-to-Live Vulnerabiltiy [PIX, ASA]

Description
A crafted IP packet vulnerability exists in the Cisco PIX 500 Series Security Appliance (PIX) and the
Cisco 5500 Series Adaptive Security Appliance (ASA) that may result in a reload of the device. This
vulnerability is triggered during processing of a crafted IP packet when the Time-to-Live (TTL)
decrement feature is enabled..
Impact
Suggested Fix
Disable the TTL decrement feature using the no set connection decrement-ttl command in class
configuration mode.
PIX Traceback When Processing Malformed SIP Requests - 107475[PIX, ASA]

Description
Traceback when processing malformed SIP requests exist in the Cisco ASA 5500 Series Adaptive

References
Rule 1
Rule
PSIRT -107475: Verfiy Traceback When Processing Malformed SIP Requests Vulnerabiltiy [PIX, ASA]

OL-25941-01
4-509
Chapter 4
Description
Traceback when processing malformed SIP requests
device.
asa#
Impact
Suggested Fix
PIX URI Processing Error Vulnerability in SSL VPNs - 107475 [PIX, ASA]
Description
URI Processing Error Vulnerability in SSL VPNs exist in the Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco PIX Security Appliances that may result in a reload of the device or disclosure of
confidential information.

References
4-510
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT -107475: Verfiy URI Processing Error Vulnerabiltiy in SSL VPNs [PIX, ASA]
Description
Cisco ASA devices that terminate clientless remote access VPN connections are vulnerable to a denial
of service attack in the HTTP server if the device is running software versions prior to 8.0(3)15, and
8.1(1)5. Cisco ASA devices that run software versions 7.0, 7.1, or 7.2 are not affected by this
vulnerability.
A crafted SSL or HTTP packet may cause a denial of service condition on a Cisco ASA device that is
configured to terminate clientless VPN connections. A successful attack may result in a reload of the
device.
Cisco ASA devices that run versions 7.2, 8.0, or 8.1 with clientless SSL VPNs enabled may be affected
by this vulnerability. Devices that run software versions 7.0 and 7.1 are not affected by this vulnerability.
Clientless VPN, SSL VPN Client, and AnyConnect connections are enabled via the webvpn command.
For example, the following configuration shows a Cisco ASA with Clientless VPNs configured and
enabled. In this case the ASA will listen for VPN connections on the default port, TCP port 443:
http server enable
!
webvpn
enable outside
Impact
Successful exploitation of the URI Processing Error Vulnerability in SSL VPNs may result in the device
Suggested Fix
IPSec clients are not vulnerable to this issue and may be used in conjunction with strong group
credentials until the device can be upgraded.
PIX VPN Password Expiry - 82451 [PIX, ASA]

Description

OL-25941-01
4-511
Chapter 4
References
Rule 1
Rule
PIX PSIRT -82451: Verfiy VPN Password Vulnerabiltiy [PIX, ASA]

Description
new connections, or prevent the device from transmitting traffic. p>A device may be affected by this
vulnerability if the password-management command is present in the tunnel-group section, as shown
in the following examples:
tunnel-group example_group general-attributes
address-pool inside_addresses
default-group-policy example_group
password-management
tunnel-group example_group general-attributes
address-pool inside_addresses
default-group-policy example_group
password-management password-expire-in-days 30.
Impact
Cisco ASA and PIX devices terminating remote access VPN connections may be vulnerable to a DoS
attack if the tunnel group is configured with password expiry. To exploit this vulnerability for IPSec
VPN connections, an attacker would need to know the group name and group password. An attacker
would not need this information for SSL VPN connections. A successful attack may result in a reload of
the device.
Suggested Fix
Disabling password expiry for remote access users until a device can be updated with non-vulnerable
code can prevent the exposure of this vulnerability. This can be accomplished by removing the password
management entry in the general attributes of the tunnel group, as shown in the following example:
ciscoasa(config)#tunnel-group remote_access_group general-attributes
ciscoasa(config-tunnel-general)#no password-management
Implementing this workaround will disable the password expiry feature, and users will not be forced to
change their passwords.
4-512
OL-25941-01
Chapter 4

PIX VPNC - 47284 [PIX, ASA]

Description
This advisory documents two vulnerabilities for the Cisco PIX firewall. These vulnerabilities are
documented as CSCeb20276 (SNMPv3) and CSCec20244 (VPNC).
There are workarounds available to mitigate the effects of CSCeb20276 (SNMPv3). No workaround is
available for CSCec20244 (VPNC).

References
Rule 1
Rule
PIX PSIRT -47284: Verfiy VPNC Vulnerabiltiy [PIX, ASA]

Description
This section provides detailed information about these vulnerabilities.
CSCeb20276 (SNMPv3) The Cisco PIX firewall crashes and reloads while processing a received
SNMPv3 message when snmp-server host <if_name> <ip_addr> or snmp-server host
<if_name> <ip_addr> poll is configured on the Cisco PIX firewall. This happens even though the
Cisco PIX firewall does not support SNMPv3. A Cisco PIX firewall configured to only generate and
send traps using the snmp-server host <if_name> <ip_addr> trap command is not vulnerable.
CSCec20244 (VPNC) Under certain conditions an established VPNC IPSec tunnel connection is
dropped if another IPSec client attempts to initiate an IKE Phase I negotiation to the outside
interface of the VPN Client configured Cisco PIX firewall. Only a Cisco PIX firewall configured as
a VPN Client is vulnerable to this vulnerability. A device reload of the VPN Client configured PIX
is required to recover from this unstable state. No action is required on the headend VPN
concentrator. A VPNC, also referred to as Easy VPN or ezVPN, connection is created when the
Cisco PIX firewall is used as a VPN client to connect to a VPN server. An IKE Phase I negotiation
is a step in the establishment of an IPSec session. CSCec20244 resolved this issue for the 6.2 (3.100)
and later software releases.
Impact
This section describes the impact of the issues described in this document.
CSCeb20276 (SNMPv3) This vulnerability can be exploited to initiate a Denial of Service attack
on the Cisco PIX firewall.
CSCec20244 (VPNC) This vulnerability can be exploited to initiate a Denial of Service attack on
sessions established between a Cisco PIX configured as a VPN Client and a VPN server.
Suggested Fix
No workaround. Please upgrade.

OL-25941-01
4-513
Chapter 4
PIX/ASA ACL Bypass Vulnerability - 109974 [PIX, ASA]

Description
Access control list (ACL) bypass vulnerability exist in the Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco PIX Security Appliances.

References
Rule 1
Rule
PSIRT -109974: Verfiy ACL Bypass Vulnerabiltiy [PIX, ASA]

Description
Access lists have an implicit deny behavior that is applied to packets that have not matched any of the
permit or deny ACEs in an ACL and reach the end of the ACL. This implicit deny is there by design,
does not require any configuration and can be understood as an implicit ACE that denies all traffic
reaching the end of the ACL. A vulnerability exists in the Cisco ASA and Cisco PIX that may allow
traffic to bypass the implicit deny ACE.
Note: This behavior only impacts the implicit deny statement on any ACL applied on the device. Access
control lists with explicit deny statements are not affected by this vulnerability. This vulnerability is
experienced in very rare occasions and extremely hard to reproduce.
You can trace the lifespan of a packet through the security appliance to see whether the packet is
operating correctly with the packet tracer tool. The packet-tracer command provides detailed
information about the packets and how they are processed by the security appliance. If a command from
the configuration did not cause the packet to drop, the packet-tracer command will provide information
about the cause in an easily readable manner. You can use this feature to see if the implicit deny on an
ACL is not taking effect.
The following example shows that the implicit deny is bypassed (result = ALLOW):
<output truncated>
...
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
4-514
OL-25941-01
Chapter 4

in id=0x1a09d350, priority=1, domain=permit, deny=false

hits=1144595557, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
<output truncated>
Impact
Successful exploitation of the ACL bypass vulnerability may allow an attacker to access resources that
should be protected by the Cisco ASA.
Suggested Fix
As a workaround, remove the access-group line applied on the interface where the ACL is configured
and re-apply it. For example:
ASA(config)#no access-group acl-inside in interface inside
ASA(config)#access-group acl-inside in interface inside
In the previous example the access group called acl-inside is removed and reapplied to the inside
interface. Alternatively, you can add an explicit deny ip any any line in the bottom of the ACL applied
on that interface. For example:
ASA(config)#access-list 100 deny ip any any
In the previous example, an explicit deny for all IP traffic is added at the end of access-list 100.
PIX/ASA Crafted H.323 Packet DoS Vulnerability - 109974 [PIX, ASA]

Description
Crafted H.323 packet DoS vulnerability exist in the Cisco ASA 5500 Series Adaptive Security
Appliances and Cisco PIX Security Appliances.

References

OL-25941-01
4-515
Chapter 4
Rule 1
Rule
PSIRT -109974: Verfiy Crafted H.323 Packet DoS Vulnerabiltiy [PIX, ASA]
Description
Crafted H.323 Packet DoS Vulnerability
Cisco ASA and Cisco PIX security appliances may experience a device reload that can be triggered by
a series of crafted H.323 packets, when H.323 inspection is enabled. H.323 inspection is enabled by
default. Cisco ASA and Cisco PIX software versions 7.0, 7.1, 7.2, 8.0, and 8.1 are affected by this
vulnerability.
A crafted H.323 packet may cause a DoS condition on a Cisco ASA device that is configured with H.323
inspection. H.323 inspection is enabled by default. A successful attack may result in a reload of the
device. A TCP three-way handshake is not needed to exploit this vulnerability.
Impact
The Denial of Service (DoS) vulnerabilities may cause a reload of the affected device.
Suggested Fix
H.323 inspection should be disabled if it is not needed. Temporarily disabling the feature will mitigate
this vulnerability. H.323 inspection can be disabled with the command no inspect h323
PIX/ASA Crafted HTTP Packet DoS Vulnerability - 109974 [PIX, ASA]

Description
Crafted HTTP packet denial of service (DoS) vulnerability exist in the Cisco ASA 5500 Series Adaptive
Security Appliances and Cisco PIX Security Appliances:

References
Rule 1
Rule
PSIRT -109974: Verfiy Crafted HTTP Packet DoS Vulnerabiltiy [PIX, ASA]
Description
Crafted HTTP Packet DoS Vulnerability
Cisco ASA security appliances may experience a device reload that can be triggered by a series of
crafted HTTP packets, when configured for SSL VPNs or when configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections. Only Cisco ASA software versions 8.0 and 8.1 are
4-516
OL-25941-01
Chapter 4

A crafted SSL or HTTP packet may cause a DoS condition on a Cisco ASA device that is configured to
terminate SSL VPN connections. This vulnerability can also be triggered to any interface where ASDM
access is enabled. A successful attack may result in a reload of the device. A TCP three-way handshake
is needed to exploit this vulnerability.
Impact
Suggested Fix
Devices configured for SSL VPN (clientless or client-based) or accepting ASDM management
connections are vulnerable.
Note: IPSec clients are not vulnerable to this vulnerability.
If SSL VPN (clientless or client-based) is not used, administrators should make sure that ASDM
connections are only allowed from trusted hosts.
To identify the IP addresses from which the security appliance accepts HTTPS connections for ASDM,
configure the http command for each trusted host address or subnet. The following example, shows how
a trusted host with IP address 192.168.1.100 is added to the configuration:
hostname(config)# http 192.168.1.100 255.255.255.255

OL-25941-01
4-517
Chapter 4
PIX/ASA Crafted TCP Packet DoS Vulnerability - 109974 [PIX, ASA]

Description
Crafted TCP Packet DoS vulnerability exist in the Cisco ASA 5500 Series Adaptive Security Appliances
and Cisco PIX Security Appliances.

References
Rule 1
Rule
PSIRT -109974: Verfiy Crafted TCP Packet DoS Vulnerabiltiy [PIX, ASA]
Description
Crafted TCP Packet DoS Vulnerability
A crafted TCP packet may cause a memory leak on a Cisco ASA or Cisco PIX device. A successful
attack may result in a sustained DoS condition. A Cisco ASA device configured for any of the following
features is affected:
SSL VPNs
ASDM Administrative Access
Telnet Access
SSH Access
cTCP for Remote Access VPNs
Virtual Telnet
Virtual HTTP
TLS Proxy for Encrypted Voice Inspection
Cut-Through Proxy for Network Access
TCP Intercept
Note: This vulnerability may be triggered when crafted packets are sent to any TCP based service that
terminates on the affected device. The vulnerability may also be triggered via transient traffic only if the
TCP intercept features has been enabled. A TCP three-way handshake is not needed to exploit this
vulnerability.
Impact
Suggested Fix
4-518
OL-25941-01
Chapter 4

PIX/ASA IPv6 Denial of Service Vulnerability - 108009 [PIX, ASA]

Description
IPv6 Denial of Service Vulnerability exists in the Cisco ASA 5500 Series Adaptive Security Appliances

References
Rule 1
Rule
PSIRT -108009: Verfiy IPv6 Denial of Service Vulnerabiltiy [PIX, ASA]

Description
IPv6 Denial of Service Vulnerability
A specially crafted IPv6 packet may cause the Cisco ASA and Cisco PIX security appliances to reload.
Devices that are running software version 7.2(4)9 or 7.2(4)10 and configured for IPv6 may be
vulnerable. This vulnerability does not affect devices that are configured only for IPv4.
Note: Devices that are running software versions in the 7.0, 7.1, 8.0, and 8.1 releases are not vulnerable.
To configure IPv6 on a Cisco ASA or Cisco PIX security appliance, at a minimum, each interface needs
to be configured with an IPv6 link-local address. Additionally, you can add a global address to the
interface.
Note: Only packets that are destined to the device (not transiting the device) may trigger the effects of
this vulnerability. These packets must be destined to an interface configured for IPv6.
Impact
Suggested Fix
Customers that do not require IPv6 functionality on their devices can use the no ipv6 address interface
sub-command to disable processing of IPv6 packets and eliminate their exposure.
PIX/ASA SQL *Net Packet DoS Vulnerability - 109974 [PIX, ASA]

Description
SQL Net packet DoS vulnerability exist in the Cisco ASA 5500 Series Adaptive Security Appliances

OL-25941-01
4-519
Chapter 4

References
Rule 1
Rule
PSIRT -109974: Verfiy SQL *Net Packet DoS Vulnerabiltiy [PIX, ASA]
Description
SQL*Net Packet DoS Vulnerability
The SQL*Net protocol consists of different packet types are handled by the security appliance to make
the data stream appear consistent to the Oracle version 7.x and earlier implementations on either side of
the Cisco ASA and Cisco PIX security appliances. A series of SQL*Net packets may cause a denial of
service condition on a Cisco ASA and Cisco PIX device that is configured with SQL*Net inspection.
SQL*Net inspection is enabled by default. A successful attack may result in a reload of the device.
The default port assignment for SQL*Net is TCP port 1521. This is the value used by Oracle for
SQL*Net. Please note the class-map command can be used in the Cisco ASA or Cisco PIX to apply
SQL*Net inspection to a range of different port numbers. A TCP three-way handshake is needed to
exploit this vulnerability. The requirement of a TCP three way handshake significantly reduces the
possibility of exploitation using packets with spoofed source addresses.
4-520
OL-25941-01
Chapter 4

Impact
Denial of Service (DoS) vulnerabilities may cause a reload of the affected device. Repeated exploitation
Suggested Fix
SQL*Net inspection should be disabled if it is not needed. Temporarily disabling the feature will
mitigate this vulnerability. SQL*Net inspection can be disabled with the command no inspect sqlnet.
PIX/ASA TCP State Manipulation DoS Vulnerability - 109444 [PIX, ASA]

Description

References
Rule 1
Rule
PIX PSIRT -109444: Verfiy TCP State Manipulation DoS Vulnerabiltiy [PIX, ASA]

OL-25941-01
4-521
Chapter 4
Description
Certain Cisco ASA and Cisco PIX Software versions are affected by these vulnerabilities. A device
running Cisco ASA and Cisco PIX Software that is under attack will have numerous TCP connections
in the established state. The show asp table socket command can be used to display the TCP connections.
The following is example output showing a potential attack in progress.
FIREWALL# show asp table socket | grep ESTAB
TCP
123a8a6c 192.168.1.10:80
192.168.1.20:46181
ESTAB
TCP
123e6d54 192.168.1.10:80
192.168.1.20:29546
ESTAB
TCP
1244f78c 192.168.1.10:80
192.168.1.20:40271
ESTAB
TCP
124f8d2c 192.168.1.10:80
192.168.1.20:46599
ESTAB
TCP
12507f2c 192.168.1.10:80
192.168.1.20:5607
ESTAB
It is possible for normal traffic to cause established TCP connections to appear on Cisco ASA or PIX
devices, especially VPN connections terminated to the device. In order to confirm if established TCP
connections are part of an attack, administrators should use a monitoring point outside the firewall such
as a packet sniffer or Netflow collection agent to examine the profile of the suspicious TCP connections
and determine if an attack is occurring.
Note: The show asp table socket command was introduced in Cisco ASA and Cisco PIX Software
8.0(1).
Further detail about hung TCP connections can be found with show conn detail all long command. The
IP address used to qualify the example below is the address of the firewall interface under attack.
FIREWALL# show conn detail all long | grep 192.168.1.10
TCP outside:192.168.1.20/62345 (192.168.1.20/62345) NP Identity Ifc:192.168.1.10/80
(192.168.1.10/80), flags UB, idle 0s, uptime 0s, timeout 1m0s, bytes 0
Note: Both troubleshooting commands referenced about will display TCP connections that are
terminated to a firewall interface and transiting through the firewall.
4-522
OL-25941-01
Chapter 4

Impact
Suggested Fix
Cisco ASA and Cisco PIX Software provide a method to expire stalled half-closed TCP connections that
helps mitigate against the TCP state manipulation vulnerabilities. This method protects against attacks
directed to a firewall and devices protected by a firewall. The timeout half-closed command will expire
TCP sessions that have remained in a half-closed state beyond a user-configured timeout.
FIREWALL(config)# timeout half-closed 0:5:0
This command will set the TCP half-closed timeout to the smallest permitted value of five minutes. For
more information on the TCP half-closed timeout, please consult the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/t.html#wp1500148.
PIX/ASA VPN Authentication Bypass Vulnerability - 109974 [PIX, ASA]

Description
VPN Authentication Bypass when Account Override Feature is Used vulnerability exist in the Cisco
ASA 5500 Series Adaptive Security Appliances and Cisco PIX Security Appliances

References
Rule 1
Rule
PSIRT -109974: Verfiy VPN Authentication Bypass Vulnerabiltiy [PIX, ASA]

Description
VPN Authentication Bypass Vulnerability
Cisco ASA or Cisco PIX security appliances that are configured for IPsec or SSL-based remote access
VPN and have the Override Account Disabled feature enabled are affected by this vulnerability.
Note: The Override Account Disabled feature was introduced in Cisco ASA software version 7.1(1).
Cisco ASA and PIX software versions 7.1, 7.2, 8.0, and 8.1 are affected by this vulnerability. This feature
is disabled by default.

OL-25941-01
4-523
Chapter 4
The Cisco ASA or Cisco PIX security appliance can be configured to override an account-disabled
indication from a AAA server and allow the user to log on anyway. However, the user must provide the
correct credentials in order to login to the VPN. A vulnerability exists in the Cisco ASA and Cisco PIX
security appliances where VPN users can bypass authentication when the override account feature is
enabled.
Note: The override account feature was introduced in Cisco ASA software version 7.1(1).
The override account feature is enabled with the override-account-disable command in tunnel-group
general-attributes configuration mode, as shown in the following example. The following example allows
overriding the "account-disabled" indicator from the AAA server for the WebVPN tunnel group
"testgroup":
hostname(config)#tunnel-group testgroup type webvpn
hostname(config)#tunnel-group testgroup general-attributes
hostname(config-tunnel-general)#override-account-disable
Note: The override account feature is disabled by default.

Impact
Successful exploitation of the VPN Authentication Bypass when Account Override Feature is Used
vulnerability may allow an attacker to successfully connect to the Cisco ASA via remote access IPSec
or SSL-based VPN.
Suggested Fix
VPN Authentication Bypass Vulnerability

The override account feature is enabled with the override-account-disable command in tunnel-group
general-attributes configuration mode. As a workaround, disable this feature using the no
override-account-disable command.
PIX/ASA Windows NT Domain Authentication Bypass Vulnerability - 108009

Description
Windows NT Domain Authentication Bypass Vulnerability exists in the Cisco ASA 5500 Series
Adaptive Security Appliances and Cisco PIX Security Appliances.

References
4-524
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT -108009: Verfiy Windows NT Domain Authentication Bypass Vulnerabiltiy [PIX, ASA]
Description
Windows NT Domain Authentication Bypass Vulnerability
Because of a Microsoft Windows NT Domain authentication issue the Cisco ASA and Cisco PIX devices
may be susceptible to a VPN authentication bypass vulnerability. Cisco ASA or Cisco PIX security
appliances configured for IPSec or SSL-based remote access VPN may be vulnerable.
Note: Cisco ASA or Cisco PIX security appliances that are configured for IPSec or SSL-based remote
access VPN using any other type of external authentication (that is, LDAP, RADIUS, TACACS+, SDI, or
local database) are not affected by this vulnerability.
The Cisco ASA security appliance supports Microsoft Windows server operating systems that support
NTLM version 1, collectively referred to as "NT servers". NT Domain authentication is supported only for
remote access VPNs.

Impact
Successful exploitation of the VPN Authentication Bypass Vulnerability may allow an attacker to
successfully connect to the Cisco ASA via remote access IPSec or SSL-based VPN.
Suggested Fix
LDAP authentication is not affected by this vulnerability. As a workaround, you can enable a different
type of external authentication for Remote Access VPN instead of Windows NT Domain authentication.
Note: For more information about support for a specific AAA server type, refer to the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wp1069492
PPTP - 13640 [IOS]

Description
Point-to-Point Tunneling Protocol (PPTP) allows users to tunnel to an Internet Protocol (IP) network
using a Point-to-Point Protocol (PPP). The protocol is described in RFC2637.
PPTP implementation using Cisco IOS software releases contains a vulnerability that will crash a router
if it receives a malformed or crafted PPTP packet. To expose this vulnerability, PPTP must be enabled
on the router. PPTP is disabled by default. No additional special conditions are required.
Cisco IOS Devices

OL-25941-01
4-525
Chapter 4
References
Rule 1
Rule
PSIRT -13640: Verfiy Malformed PPTP Packet Vulnerabiltiy [IOS]

Description
By sending a crafted PPTP packet to port 1723, a control PPTP port, it is possible to crash the router. This
vulnerability does not require special router configuration. Enabling PPTP is sufficient to expose the
vulnerability. The router will crash after it receives a single packet.
Cisco IOS Devices.

Impact
By repeatedly exploiting this vulnerability, it is possible to cause permanent Denial of Service (DoS).
This denial is not only of the PPTP functionality but the whole router will stop functioning.
Suggested Fix
Radius - 65328 [IOS]

Description
There is a vulnerability in AAA RADIUS authentication if none is used as a fallback method. Sending
a sufficiently long username will bypass the RADIUS authentication and succeed. "RADIUS
Authentication Bypass." at Cisco Security Advisories website.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT -65328: Verfiy RADIUS Authentication Bypass [IOS]
4-526
OL-25941-01
Chapter 4

Description
There is a vulnerability in AAA RADIUS authentication if none is used as a fallback method. Sending a
sufficiently long username will bypass the RADIUS authentication and succeed. "RADIUS Authentication
Bypass." at Cisco Security Advisories website
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in bypassing the RADIUS authentication.
Suggested Fix
Removing none as a fallback to RADIUS or putting an additional method other than local between
RADIUS and none will mitigate this vulnerability.
Reload After Scanning - 13632[IOS]

Description
Security Scanning software can cause a memory error in Cisco IOS Software that will cause a reload to
occur. This vulnerability affects only Cisco IOS software version 12.1(2)T and 12.1(3)T, and limited
deployment releases based on those versions.
. See "IOS Reload after Scanning Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT -13632: Verfiy IOS Reload after Scanning Vulnerability [IOS]

Description
p>An attempt to make a TCP connection to ports 3100-3999, 5100-5999, 7100-7999, and 10100-10999
will cause the router to unexpectedly reload at the next show running-config, or write memory, or any
command that causes the configuration file to be accessed. Cisco IOS software cannot be configured to
support any services that might listen at those port addresses, and cannot be configured to accept
connections on those ports, however, connection attempts to these ports in the affected version will cause
memory corruption, later leading to an unexpected reload.
Software packages are available from various commercial and free sites that perform automated remote
tests for computer security vulnerabilities by scanning computers on a network for known security flaws.
A common log message in environments that experienced security scan related crashes was the "attempt
to connect to RSHELL" error message.

OL-25941-01
4-527
Chapter 4
Cisco IOS Devices.

Impact
The described defect can be used to mount a denial of service (DoS) attack on any vulnerable Cisco
product, which may result in violations of the availability aspects of a customer's security policy. This
defect by itself does not cause the disclosure of confidential information nor allow unauthorized access.
Suggested Fix
This vulnerability can be mitigated by configuring access lists and applying access groups on all
interfaces or on external devices or firewalls to prevent connection attempts to affected routers, and to
eliminate router addresses in any planned security scanning exercises.
SAA Packets - 42744 [IOS]

Description
The router is vulnerable only if the RTR responder is enabled. When the router receives a malformed
RTR packet, it will crash. RTR is disabled by default. Although RTR was introduced in Cisco IOS
Software Release 11.2, only the following main releases are vulnerable:
. See "Cisco IOS Software Processing of SAA Packets." at Cisco Security Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT -42744: Verfiy SAA Packets Processing Vulnerability [IOS]

Description
The Service Assurance Agent (SAA) is the new name for the Response Time Reporter (RTR) feature.
The RTR feature allows you to monitor network performance, network resources, and applications by
measuring response times and availability. With this feature you can perform troubleshooting, problem
notifications, and problem analysis based on response time reporter statistics. A router is vulnerable only
if the RTR responder is enabled.
Cisco IOS Devices.

Impact
By sending malformed RTR packets, it is possible to crash the router.
4-528
OL-25941-01
Chapter 4

Suggested Fix
There is no workaround short of disabling the RTR responder. It is possible to mitigate the vulnerability
by applying the ACL on the router.
SGBP Packet - 68793 [IOS]

Description
The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software
is vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have
not enabled the SGBP protocol are not affected by this vulnerability..
(See "IOS Stack Group Bidding Protocol Crafted Packet DoS" at Cisco Security Advisories website for
more information.)
Cisco IOS Devices

References
Rule 1
Rule
PSIRT -68793: Verfiy Stack Group Bidding Protocol Crafted Packet DoS Vulnerability [IOS]
Description
The Cisco IOS Stack Group Bidding Protocol (SGBP) feature in certain versions of Cisco IOS software is
vulnerable to a remotely-exploitable denial of service condition. Devices that do not support or have not
enabled the SGBP protocol are not affected by this vulnerability.
This vulnerability affects any device that runs Cisco IOS and has enabled the SGBP protocol. SGBP is
enabled by defining a stack group, which is done using the global IOS command sgbp group . The presence
of this command will cause the device to begin listening on port 9900, even if the remaining SGBP
parameters are not fully configured.
(See "IOS Stack Group Bidding Protocol Crafted Packet DoS" at Cisco Security Advisories website for
more information.)
Cisco IOS Devices.

Impact
Successful exploitation of this vulnerability may cause the affected device to become unresponsive and
trigger a hardware reset, resulting in a denial of service condition.
Suggested Fix
Disable SGBP Protocol on the device. For sites that require the SGBP protocol to be enabled, it may be
possible to apply Access Control Lists (ACLs) to prevent untrusted hosts from exploiting this
vulnerability. The Control Plane Policy (CoPP) feature, if available, may also be used to mitigate this
vulnerability.

OL-25941-01
4-529
Chapter 4
SIP - 81825 [IOS]

Description
Cisco devices running an affected version of Internetwork Operating System (IOS) which supports
Session Initiation Protocol (SIP) are affected by a vulnerability that may lead to a reload of the device
when receiving a specific series of packets destined to port 5060. This issue is compounded by a related
bug which allows traffic to TCP 5060 and UDP port 5060 on devices not configured for SIP.
There are no known instances of intentional exploitation of this issue. However, Cisco has observed data
streams that appear to be unintentionally triggering the vulnerability.
Workarounds exist to mitigate the effects of this problem on devices which do not require SIP.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT -81825: Verfiy SIP Packet Reloads IOS Devices Not Configured for SIP [IOS]
Description
SIP is a protocol designed for use in IP voice networks and is widely used for Voice over Internet Protocol
(VoIP) communications worldwide.
Cisco devices running certain versions of IOS with support for SIP services may be affected by a
vulnerability that leads to a reload of the device with a crafted series of SIP packets to either TCP port 5060
or UDP port 5060. This vulnerability affects routers that contain any SIP configuration, including SIP
gateways. This issue is being tracked as Cisco Bug ID CSCsh58082 (registered customers only) .
In addition, certain versions of IOS with support for SIP services may process SIP messages even if they
are not configured for SIP operation. To process SIP messages IOS will open UDP port 5060 and TCP port
5060 for listening. The Cisco Bug ID that documents the issue of IOS processing SIP messages without
being configured for SIP operation is CSCsb25337 (registered customers only) . The fix for this bug turns
off the listening ports TCP 5060 and UDP 5060.
A device must have an open SIP port to be vulnerable to this issue. Devices which do not listen on TCP
5060 or UDP 5060 are not vulnerable. Because SIP utilizes UDP as a transport, it is possible to spoof the
addresses.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in a reload of the device. The issue may be
repeatedly exploited, leading to an extended Denial Of Service (DoS) condition.
4-530
OL-25941-01
Chapter 4

Suggested Fix
Disable SIP listening ports

For devices which do not require SIP to be enabled, the simplest and most effective workaround is to
disable SIP processing on the device with the following commands.
Warning: When applying this workaround to devices which are processing MGCP or H.323 calls, the
device will not allow you to stop SIP processing while active calls are being processed. Under these
circumstances, this workaround should be implemented during a maintenance window when active calls
can be briefly stopped.
Router(config)#sip-ua
Router(config-sip-ua)#no transport udp
Router(config-sip-ua)#no transport tcp
Router(config-sip-ua)#end
After applying this workaround the commands show ip sockets and show tcp brief all will not show the
device listening on UDP and TCP port 5060:
Router#show ip sockets
Proto
Remote
17 --listen--
Port
Local
9.13.32.18
Port In Out Stat TTY

2887 0 0 11 0
Router#show tcp brief all

TCB
Local Address
Foreign Address
(state)
6649A5A4 *.1720
*.*
LISTEN
66CDC764 *.1723
*.*
LISTEN

For devices which do not need to run SIP, you can use Control Plane Policing (CoPP) to block all SIP
access to the device. Cisco IOS software releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support
the CoPP feature. CoPP may be configured on a device to protect the management and control planes to
minimize the risk and effectiveness of direct infrastructure attacks by explicitly permitting only
authorized traffic sent to infrastructure devices in accordance with existing security policies and
configurations. The following example can be adapted to your network.
Warning: Because SIP utilizes UDP as a transport, it is possible to spoof the sender's IP address, which
may defeat ACLs that permit communication to these ports from trusted IP addresses.
!-- Permit all TCP and UDP SIP traffic sent to all IP addresses
!-- configured on all interfaces of the affected device so that it
!-- will be policed and dropped by the CoPP feature.

OL-25941-01
4-531
Chapter 4



drop
!-- device.
control-plane
In the above CoPP example, the access control list entries (ACEs) which match the potential exploit
function.
SIP DoS Vulnerabilities - 109322 [IOS]

Description
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that
can be exploited remotely to cause a reload of the Cisco IOS device.
Cisco has released free software updates that address this vulnerability. There are no workarounds
available to mitigate the vulnerability apart from disabling SIP, if the Cisco IOS device does not need to
run SIP for VoIP services. However, mitigation techniques are available to help limit exposure to the
vulnerability.
4-532
OL-25941-01
Chapter 4

Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 109322: Verfiy SIP DoS Vulnerabilities [IOS]

Description
SIP is a popular signaling protocol that is used to manage voice and video calls across IP networks such as
the Internet. SIP is responsible for handling all aspects of call setup and termination. Voice and video are
the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate
other applications that require call setup and termination. SIP call signaling can use UDP (port 5060), TCP
A denial of service (DoS) vulnerability exists in the SIP implementation in Cisco IOS Software. This
vulnerability is triggered by processing a specific and valid SIP message..
Cisco IOS Devices.

Impact
device. The issue could be repeatedly exploited to result in an extended Denial Of Service (DoS)
condition.
Suggested Fix
If If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and therefore,
no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure
to the vulnerability. Mitigation consists of allowing only legitimate devices to connect to the routers. To
increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge.
This action is required because SIP can use UDP as the transport protocol.
Cisco IOS SIP and Crafted UDP Vulnerabilities".
accomplish this with the following commands:
sip-ua
no transport udp
no transport tcp

OL-25941-01
4-533
Chapter 4
Warning: When applying this workaround to devices that are processing Media Gateway Control
Protocol (MGCP) or H.323 calls, the device will not stop SIP processing while active calls are being
processed. Under these circumstances, this workaround should be implemented during a maintenance
window when active calls can be briefly stopped.
After applying this workaround, administrators are advised to use the show commands, as discussed in
the Affected Products section of this advisory, to confirm that the Cisco IOS device is no longer
processing SIP messages.
policies and configurations. The following example can be adapted to the network:


4-534
OL-25941-01
Chapter 4


drop
!-- device.
control-plane
Warning: Because SIP can use UDP as a transport protocol, it is possible to easily spoof the IP address
of the sender, which may defeat access control lists that permit communication to these ports from
trusted IP addresses.

OL-25941-01
4-535
Chapter 4

Description
A vulnerability exists in the Session Initiation Protocol (SIP) implementation in Cisco IOS Software that
could allow an unauthenticated attacker to cause a denial of service (DoS) condition on an affected
device when the Cisco Unified Border Element feature is enabled.
Cisco has released free software updates that address this vulnerability. For devices that must run SIP
there are no workarounds; however, mitigations are available to limit exposure of the vulnerability.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 110395 Verfiy SIP DoS Vulnerability [IOS]

Description
the most popular types of sessions that SIP handles, but the protocol has the flexibility to accommodate
The Cisco Unified Border Element (previously known as the Cisco Multiservice IP-to-IP Gateway) is a
special Cisco IOS Software image that runs on Cisco multiservice gateway platforms. It provides a
network-to-network interface point for billing, security, call admission control, quality of service, and
signaling interworking.
For more information about Cisco Unified Border Element refer to the following link:
A DoS vulnerability exists in the SIP implementation in Cisco IOS Software when devices are running a
Cisco IOS image that contains the Cisco Unified Border Element feature. This vulnerability is triggered by
processing a series of crafted SIP messages.
Cisco IOS Devices.

Impact
device. The issue could be repeatedly exploited to cause an extended DoS condition.
4-536
OL-25941-01
Chapter 4

Suggested Fix
If the affected Cisco IOS device requires SIP for VoIP services, SIP cannot be disabled, and therefore,
no workarounds are available. Users are advised to apply mitigation techniques to help limit exposure
to the vulnerability. Mitigation consists of allowing only legitimate devices to connect to the routers. To
increase effectiveness, the mitigation must be coupled with anti-spoofing measures on the network edge.
This action is required because SIP can use UDP as the transport protocol.
Denial of Service Vulnerabilities in Cisco Unified Communications Manager and Cisco IOS Software".
accomplish this with the following commands:
sip-ua
no transport udp
no transport tcp
Depending on the Cisco IOS Software version in use, the output of "show ip sockets" still showed UDP
port 5060 open, but sending something to that port caused the SIP process to emit the following message:
*Feb 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is
DISABLED
policies and configurations. The following example can be adapted to the network

OL-25941-01
4-537
Chapter 4


drop
!-- device.
control-plane
4-538
OL-25941-01
Chapter 4


Description
Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device
when SIP operation is enabled.
Cisco has released free software updates that address these vulnerabilities. There are no workarounds
for devices that must run SIP; however, mitigations are available to limit exposure to the vulnerabilities.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 112022 Verfiy Cisco IOS Software SIP DoS Vulnerability [IOS]
Description
Cisco devices are affected when they are running affected Cisco IOS Software versions that are configured
to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by default. Creating a dial peer by
issuing the dial-peer voice command will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified Communications Manager Express, such
as ePhones, will also automatically start the SIP process when they are configured, causing the device to
start processing SIP messages. An example of an affected configuration follows:
dial-peer voice <Voice dial-peer tag> voip
...
!

OL-25941-01
4-539
Chapter 4
In addition to inspecting the Cisco IOS device configuration for a dial-peer command that causes the
device to process SIP messages, administrators can also use the show processes | include SIP command
to determine whether Cisco IOS Software is running the processes that handle SIP messages. In the
following example, the presence of the processes CCSIP_UDP_SOCKET or CCSIP_TCP_SOCKET
indicates that the Cisco IOS device will process SIP messages:
Router# show processes | include SIP
149 Mwe 40F48254
400023108/24000 0 CCSIP_UDP_SOCKET
150 Mwe 40F48034
400023388/24000 0 CCSIP_TCP_SOCKET
Note: Because there are several ways a device running Cisco IOS Software can start processing SIP
messages, it is recommended that the show processes | include SIP command be used to determine
whether the device is processing SIP messages instead of relying on the presence of specific configuration
commands.
Cisco Unified Border Element images are also affected by two of these vulnerabilities.
Note: The Cisco Unified Border Element feature (previously known as the Cisco Multiservice IP-to-IP
Gateway) is a special Cisco IOS Software image that runs on Cisco multiservice gateway platforms. It
provides a network-to-network interface point for billing, security, call admission control, quality of
service, and signaling interworking.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in
to the device and issue the show version command to display the system banner. The system banner
Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed
by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version
Copyright (c) 1986-2008 by cisco Systems, Inc.
with an installed image name of C1841-ADVENTERPRISEK9-M:
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T,
4-540
OL-25941-01
Chapter 4


Paper: Cisco IOS Reference Guide".
Note: CUCM is affected by the vulnerabilities described in this advisory. Two separate Cisco Security
Advisories have been published to disclose the vulnerabilities that affect the Cisco Unified
Communications Manager at the following locations.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device.
Repeated exploitation could result in a sustained denial of service condition.
Suggested Fix
companion document "Cisco Applied Mitigation Bulletin:Identifying and Mitigating Exploitation of the
Multiple Vulnerabilities in Cisco Voice Products".
Disabling SIP Listening Ports
sip-ua
no transport udp
no transport tcp
Depending on the Cisco IOS Software version in use, the output from the show ip sockets command
may still show the SIP ports open, but sending traffic to them will cause the SIP process to emit the
following message:
*Jun 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED
For devices that need to offer SIP services, it is possible to use Control Plane Policing (CoPP) to block

OL-25941-01
4-541
Chapter 4



drop
4-542
OL-25941-01
Chapter 4


!-- device.
control-plane
Note: Because SIP can use UDP as a transport protocol, it is possible to easily spoof the IP address of
the sender, which may defeat access control lists that permit communication to these ports from trusted
IP addresses.
SNMP Malformed Message Handling - 19294 [IOS]

Description
Protocol (SNMP) messages. The vulnerabilities can be repeatedly exploited to produce a denial of
service. In most cases, workarounds are available that may mitigate the impact. These vulnerabilities are
identified by various groups as VU#617947, VU#107186, OUSPG #0100, CAN-2002-0012, and
CAN-2002-0013.
. See "Malformed SNMP Message-Handling Vulnerabilities" at Cisco Security Advisories website for
more information
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 19294: Verfiy Malformed SNMPMessage-Handling Vulnerabilities [IOS]

Description
address spoofing. In any circumstance where ingress and egress source IP address filtering is lacking, it
is more likely that an attacker could spoof the source IP address and circumvent access control
mechanisms to cause a vulnerable system to fail.

OL-25941-01
4-543
Chapter 4
If an attacker is able to guess or otherwise obtain a read-only community string for an affected device, then
he or she could bypass SNMP access control that depends on the community string.
Cisco IOS Devices.

Impact
The vulnerability can be exploited to produce a Denial of Service (DoS) attack. When the vulnerability
is exploited, it can cause an affected Cisco product to crash and reload.
Suggested Fix
Turn SNMP off in the device. This is an effective workaround, but removes management capability to
the device.
SNMP Message Processing - 50980 [IOS]

Description
Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3,
12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could
cause the device to reload.
. See "Vulnerabilities in SNMP Message Processing." at Cisco Security Advisories website for more
information
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 50980: Verfiy Vulnerabilities in SNMPMessage Processing [IOS]
4-544
OL-25941-01
Chapter 4

Description
In this vulnerability, the IOS SNMP process is incorrectly attempting to process SNMP solicited operations
on UDP port 162 and the random UDP port. Upon attempting to process a solicited SNMP operation on
one of those ports, the device can experience memory corruption and may reload.
Cisco IOS Devices.

Impact
Suggested Fix
It is possible to disable SNMP processing on the device running IOS by issuing the following command:
no snmp-server
Removing the public community string with the configure command "no snmp-server community ro"
is not sufficient as the SNMP server will still be running and the device will be vulnerable. The command
"no snmp-server" must be used instead. Verify SNMP server status by using the enable command show
snmp. You should see a response of "%SNMP agent not enabled".
SNMP Multiple Community String Vulnerabilities - 13629 [IOS]

Description
. See "Cisco IOS Software Multiple SNMP Community String Vulnerabilities." at Cisco Security
Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 13629: Verfiy Multiple SNMP Community StringVulnerabilities [IOS]

OL-25941-01
4-545
Chapter 4
Description
. See "Cisco IOS Software Multiple SNMP Community String Vulnerabilities." at Cisco Security
Advisories website
Cisco IOS Devices.

Impact
These vulnerabilities could be exploited separately or in combination to gain access to or modify the
configuration and operation of any affected devices without authorization.
Suggested Fix
Disable SNMP access to the device.
SNMP Read-Write ILMI Community String - 13630 [IOS]

Description
Cisco IOS Software releases based on versions 11.x and 12.0 contain a defect that allows a limited
number of SNMP objects to be viewed and modified without authorization using a undocumented ILMI
community string. Some of the modifiable objects are confined to the MIB-II system group, such as
"sysContact", "sysLocation", and "sysName", that do not affect the device's normal operation but that
may cause confusion if modified unexpectedly. The remaining objects are contained in the
LAN-EMULATION-CLIENT and PNNI MIBs, and modification of those objects may affect ATM
configuration. An affected device might be vulnerable to a denial-of-service attack if it is not protected
against unauthorized use of the ILMI community string.
. See "Cisco IOS Software SNMP Read-Write ILMI Community String Vulnerability." at Cisco Security
Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 13630: Verfiy SNMP Read-Write ILMI Community StringVulnerability [IOS]
4-546
OL-25941-01
Chapter 4

Description
Numerous objects can be viewed in the LAN-EMULATION-CLIENT MIB and PNNI MIB, and
modification of some of the read-write objects can have an affect on ATM operation of the device. The
objects in the LAN-EMULATION-CLIENT MIB can only be viewed or modified if LANE has already
been configured on the device.
Cisco IOS Devices.

Impact
If SNMP requests can be received by an affected device, then certain MIB objects can be viewed without
proper authorization, causing a violation of confidentiality.
A subset of the readable MIB objects can be modified without authorization to cause a failure of
integrity. For example, the hostname can be modified so as to confuse network administrators, or the
contact and location information could be changed with a goal of disrupting operations or embarrassing
whoever is responsible for the device.
Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed and modified, thus resulting
in changes to the operation of ATM functions. If ATM is in use on the device, this may result in a failure
of availability.
Any affected device that is not otherwise protected against the receipt of SNMP packets is vulnerable to
a denial-of-service (DoS) attack by flooding the SNMP port with read or write requests.
Suggested Fix
None.
SNMP Trap Reveals WEP Key - 46468 [IOS]

Description
Cisco Aironet Access Points (AP) running Cisco IOS software will send any static Wired Equivalent
Privacy (WEP) key in the cleartext to the Simple Network Management Protocol (SNMP) server if the
snmp-server enable traps wlan-wep command is enabled. Affected hardware models are the Cisco
Aironet 1100, 1200, and 1400 series. This command is disabled by default. The workaround is to disable
this command. Any dynamically set WEP key will not be disclosed.
See "SNMP Trap Reveals WEP Key in Cisco Aironet Access Point" at Cisco Security Advisories
website for more information
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 46468: Verfiy SNMP Trap Reveals WEP Key Vulnerability [IOS]

OL-25941-01
4-547
Chapter 4
Description
If enabled, the snmp-server enable traps wlan-wep command will send static WEP keys in the cleartext to
the SNMP server every time a key is changed or the AP is rebooted. This vulnerability is opportunistic,
and the following conditions must be met for the vulnerability to be exploited.
The snmp-server enable traps wlan-wep command must be enabled. (It is disabled by default.)
An adversary must be able to intercept SNMP packets sent from the AP to the SNMP server.
The AP in question must be rebooted or the static WEP key must be changed.
Under these circumstances, an adversary will be able to intercept all static WEP keys.
Dynamically configured WEP keys are not affected by this vulnerability and will not be revealed. A WEP
key is dynamically configured if you are using one of the Extensible Authentication Protocol (EAP)
authentication protocols. The following EAP authentication protocols are currently supported in Cisco
APs: LEAP, EAP-TLS, PEAP, EAP-MD5, and EAP-SIM.
This vulnerability is assigned Cisco Bug ID CSCec55538 (registered customers only) .
Cisco IOS Devices.

Impact
If SNMP requests can be received by an affected device, then certain MIB objects can be viewed without
proper authorization, causing a violation of confidentiality.
A subset of the readable MIB objects can be modified without authorization to cause a failure of
integrity. For example, the hostname can be modified so as to confuse network administrators, or the
contact and location information could be changed with a goal of disrupting operations or embarrassing
whoever is responsible for the device.
Objects in the LAN-EMULATION-CLIENT and PNNI MIBs can be viewed and modified, thus resulting
in changes to the operation of ATM functions. If ATM is in use on the device, this may result in a failure
of availability.
Any affected device that is not otherwise protected against the receipt of SNMP packets is vulnerable to
a denial-of-service (DoS) attack by flooding the SNMP port with read or write requests.
Suggested Fix
None.
SNMP Version 3 Authentication Vulnerability -107408 [IOS]

Description
Multiple Cisco products contain either of two authentication vulnerabilities in the Simple Network
Management Protocol version 3 (SNMPv3) feature. These vulnerabilities can be exploited when
processing a malformed SNMPv3 message. These vulnerabilities could allow the disclosure of network
information or may enable an attacker to perform configuration changes to vulnerable devices. The
SNMP server is an optional service that is disabled by default in Cisco products. Only SNMPv3 is
impacted by these vulnerabilities. Workarounds are available for mitigating the impact of the
vulnerabilities described in this document.
The United States Computer Emergency Response Team (US-CERT) has assigned Vulnerability Note
VU#878044 to these vulnerabilities.
4-548
OL-25941-01
Chapter 4

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-0960 has also been assigned to
these vulnerabilities.
Cisco IOS Devices

References

Rule 1
Rule
PSIRT - 107408: Verfiy SNMP Version 3 AuthenticationVulnerability [IOS]

Description
There are three general types of SNMP operations: "get" requests to request information, "set" requests that
modify the configuration of a remote device, and "trap" messages that provide a monitoring function.
SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the
assigned destination port numbers 161 and 162, respectively.
SNMPv3 provides secure access to devices by authenticating and encrypting packets over the network.
RFC2574 defines the use of HMAC-MD5-96 and HMAC-SHA-96 as the possible authentication protocols
for SNMPv3.
Vulnerabilities have been identified in the authentication code of multiple SNMPv3 implementations. This
advisory identifies two vulnerabilities that are almost identical. Both are specifically related to malformed
SNMPv3 packets that manipulate the Hash Message Authentication Code (HMAC). The two
vulnerabilities may impact both Secure Hashing Algorithm-1 (SHA-1) and Message-Digest Algorithm 5
(MD5). The vulnerabilities described in this document can be successfully exploited using spoofed
SNMPv3 packets.
Cisco IOS Devices.

Impact
Successful exploitation of these vulnerabilities could result in the disclosure of sensitive information on
a device or allow an attacker to make configuration changes to a vulnerable device that is based on the
SNMP configuration.
Suggested Fix


OL-25941-01
4-549
Chapter 4
vulnerabilities. The iACL example below should be included as part of the deployed infrastructure
access-list which will protect all devices with IP addresses in the infrastructure IP address range:
Note: UDP port 161 is applicable for all versions of SNMP.
!--- Permit SNMP UDP 161 packets from
!--- trusted hosts destined to infrastructure addresses.
access-list 150 permit udp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq

161
!--- Deny SNMP UDP 161 packets from all
!--- other sources destined to infrastructure addresses.
access-list 150 deny udp any INFRASTRUCTURE_ADDRESSES MASK eq 161!--- Permit/deny all
other Layer 3 and Layer 4 traffic in accordance
!--- with existing security policies and configurations
access-list 150 permit ip any anyinterface serial 2/0ip access-group 150 in

Control Plane Policing (CoPP) can be used to block untrusted SNMP access to the device. Cisco IOS
configured on a device to protect the management and control planes and minimize the risk and
to infrastructure devices in accordance with existing security policies and configurations. The following
example, which uses 192.168.100.1 to represent a trusted host, can be adapted to your network.
!--- Deny SNMP UDP traffic from trusted hosts to all IP addresses
!--- configured on all interfaces of the affected device so that
!--- it will be allowed by the CoPP feature

!--- Permit all other SNMP UDP traffic sent to all IP addresses
!--- will be policed and dropped by the CoPP feature
4-550
OL-25941-01
Chapter 4


!--- Permit (Police or Drop)/Deny (Allow) all other Layer3 and Layer4
!--- traffic in accordance with existing security policies and
!--- configurations for traffic that is authorized to be sent

class-map match-all drop-snmpv3-class

policy-map drop-snmpv3-traffic
class drop-snmpv3-class
drop
control-plane
service-policy input drop-snmpv3-traffic
function.

OL-25941-01
4-551
Chapter 4
Please note that the policy-map syntax is different in the 12.2S and 12.0S Cisco IOS trains:
policy-map drop-snmpv3-traffic
class drop-snmpv3-class
Additional information on the configuration and use of the CoPP feature is available at the following
links:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900ae
cd804fa16a.html and http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html
Transit Access Control Lists
Filters that deny SNMP packets using UDP port 161 should be deployed throughout the network as part
of a Transit Access Control List (tACL) policy for protection of traffic that enters the network at ingress
access points. This policy should be configured to protect the network device where the filter is applied
and other devices behind it. Filters for SNMP packets that use UDP port 161 should also be deployed in
front of vulnerable network devices so that traffic is only allowed from trusted clients.
Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your
Edge:"
Hardening Guide Statement
Customers are advised to review the "Fortifying the Simple Network Management Protocol" section of
the "Cisco Guide to Harden Cisco IOS Devices" for information on configuring an IOS device for
SNMPv3 authentication and privacy:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml#fortif
y
Cisco IOS authPriv Configuration
Enabling the SNMPv3 privacy subsystem (if it is not already in use) is a short-term workaround for users
who are unable to upgrade in a timely fashion. This subsystem is used to encrypt SNMPv3 traffic using
a shared secret.
In Cisco IOS, administrators can enable this workaround by using the authPriv SNMPv3 feature. Only
Cisco IOS crypto images can run the authPriv feature.
Note: Ensure that the management application supports SNMPv3 authPriv before implementing this
feature.
SSH Can Cause a Crash -24862 [IOS]

Description
While fixing vulnerabilities mentioned in the Cisco Security Advisory: Multiple SSH Vulnerabilities we
inadvertently introduced an instability in some products. When an attacker tries to exploit the
enabled on the device.. See "Scanning for SSH Can Cause a Crash." at Cisco Security Advisories website
Cisco IOS Devices
4-552
OL-25941-01
Chapter 4

References
Rule 1
Rule
PSIRT - 24862: Verfiy Scanning for SSH Can Cause a Crash Vulnerability [IOS]
Description
While fixing the vulnerabilities (Cisco Security Advisory: Multiple SSH Vulnerabilities) an instability is
introduced in some products. When exposed to an overly large packet, the SSH process will consume a
large portion of the processor's instruction cycles, effectively causing a DoS. The capability to create such
a packet is available in publicly available exploit code. In some cases this availability attack may result in
a reboot of the device. In order to be exposed SSH must be enabled on the device.
The vulnerability in question is named CRC-32. It is also marked as VU#945216 and described in the
CERT/CC Vulnerability Note.
Cisco IOS Devices.

Impact
Suggested Fix
others.
Blocking all SSH connections, and all other protocols that are not supposed to come from the outside,
on the network edge should be an integral part of the network security best practice.
SSH Malformed Packet -29581 [IOS]

Description
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial
of Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the
affected device can cause a reload of the device. No authentication is necessary for the packet to be
received by the affected device. The SSH server in Cisco IOS is disabled by default.
See "SSH Malformed Packet Vulnerabilities" at Cisco Security Advisories website
Cisco IOS Devices

OL-25941-01
4-553
Chapter 4
References
Rule 1
Rule
PSIRT - 29581: Verfiy SSH Malformed Packet Vulnerabilities [IOS]

Description
Certain Cisco products containing support for the Secure Shell (SSH) server are vulnerable to a Denial of
Service (DoS) if the SSH server is enabled on the device. A malformed SSH packet directed at the affected
device can cause a reload of the device. No authentication is necessary for the packet to be received by the
affected device. The SSH server in Cisco IOS is disabled by default.
See "SSH Malformed Packet Vulnerabilities" at Cisco Security Advisories website
Cisco IOS Devices.

Impact
The vulnerability can be exploited to make an affected product unavailable for several minutes while the
device reloads. Once it has resumed normal processing, the device is still vulnerable and can be forced
to reload repeatedly.
Suggested Fix
Workarounds consist of disabling the SSH server, removing SSH as a remote access method, permitting
only trusted hosts to connect to the server, and blocking SSH traffic to the device completely via external
mechanisms.
SSH TACACS+ Authentication -64439 [IOS]

Description
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS
Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus
(TACACS+) as a means to perform remote management tasks on IOS devices, may contain two
vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated
exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with
other authentication methods like Remote Authentication Dial In User Service (RADIUS) and the local
user database may also be affected. "Vulnerabilities in SSH Server using TACACS+ authentication." at
Cisco Security Advisories website
Cisco IOS Devices

References
4-554
OL-25941-01
Chapter 4

Rule 1
Rule
PSIRT - 64439: Vulnerabilities in SSH Server using TACACS+ authentication [IOS]

Description
Certain release trains of Cisco Internetwork Operating System (IOS), when configured to use the IOS
Secure Shell (SSH) server in combination with Terminal Access Controller Access Control System Plus
(TACACS+) as a means to perform remote management tasks on IOS devices, may contain two
vulnerabilities that can potentially cause IOS devices to exhaust resources and reload. Repeated
exploitation of these vulnerabilities can result in a Denial of Service (DoS) condition. Use of SSH with
other authentication methods like Remote Authentication Dial In User Service (RADIUS) and the local
user database may also be affected. "Vulnerabilities in SSH Server using TACACS+ authentication." at
Cisco Security Advisories website
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in a reload of the device or resource depletion.
Repeated exploitation could result in a sustained denial of service condition.
Suggested Fix
It is possible to limit the exposure of the Cisco device by applying a VTY access class to permit only
known, trusted hosts to connect to the device via SSH.
SSL -91888 [IOS]

Description
Cisco IOS device may crash while processing malformed Secure Sockets Layer (SSL) packets. In order
to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol
exchange with the vulnerable device.
Cisco IOS Devices

OL-25941-01
4-555
Chapter 4
References
Rule 1
Rule
PSIRT - 91888: Verify For Vulnerabilities While Processing SSL Packets [IOS]
Description
SSL is a protocol designed to provide a secure connection between two hosts. The SSL Protocol is
described in RFC4346. While not necessary for the understanding of this advisory, users are encouraged
to consult the section "7.3 handshake Protocol Overview" in RFC4346 as well as Figure 1 in the same
section. The text of the RFC4346 is available at the following link:
http://tools.ietf.org/html/rfc4346#section-7.3.
An attacker can trigger these vulnerabilities after establishing a TCP connection, but prior to the exchange
of authentication credentials, such as username/password or certificate. The requirement of the complete
TCP 3-way handshake reduces the probability that these vulnerabilities will be exploited through the use
of spoofed IP addresses.
An attacker intercepting traffic between two affected devices cannot exploit these vulnerabilities if the SSL
session is already established because SSL protects against such injection. However, such an attack could
abnormally terminate an existing session, via a TCP RST, for example. The attacker could then wait for a
new SSL session to be established and inject malicious packets at the beginning of the new SSL session,
thus triggering the vulnerability.
Cisco IOS Devices.

Impact
Successful exploitation of any vulnerability listed in this advisory may result in the crash of the affected
device. Repeated exploitation can result in a sustained DoS condition.
Suggested Fix
The only way to prevent a device from being susceptible to the listed vulnerabilities is to disable the
affected service(s). However, if regular maintenance and operation of the device relies on these services,
It is possible to mitigate these vulnerabilities by preventing unauthorized hosts from accessing affected
in the Cisco Applied Intelligence companion document for this advisory.
4-556
OL-25941-01
Chapter 4

SSL Packet Processing Vulnerability - 107631 [IOS]

Description
A Cisco IOS device may crash while processing an SSL packet. This can happen during the termination
of an SSL-based session. The offending packet is not malformed and is normally received as part of the
packet exchange.
Cisco has released free software updates that address this vulnerability. Aside from disabling affected
services, there are no available workarounds to mitigate an exploit of this vulnerability.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 107631: Verify SSL Packet Processing Vulnerability[IOS]

Description
This vulnerability is triggered during the termination of an SSL session. Possession of valid credentials
such as a username, password or a certificate is not required. SSL protocol uses TCP as a transport protocol.
The requirement of the complete TCP 3-way handshake reduces the probability that this vulnerability will
be exploited through the use of spoofed IP addresses.
A device running vulnerable Cisco IOS Software with SSL-based service configured will crash while
terminating an SSL session.
Cisco IOS Devices.

Impact
A successful exploit of this vulnerability may cause a crash of the affected device. Repeated exploitation
may result in a sustained denial of service condition.
Suggested Fix
To prevent an exploit of a vulnerable device, SSL-based services need to be disabled. However, if regular
maintenance and operation of the device relies on this service, there is no workaround.
The following command will disable the vulnerable HTTPS service:
Router(config)#no ip http secure-server
The following command will disable the vulnerable SSL VPN service:
Router(config)#no webvpn enable
The following command will disable the vulnerable OSP service:
Router(config)#no settlement <n>

OL-25941-01
4-557
Chapter 4
Another option is to revert to HTTP protocol instead using HTTPS. The downside of this workaround is
that the settlement information will be sent over the network unprotected.
It is possible to mitigate this vulnerability by preventing unauthorized hosts from accessing affected
devices.
Control Plane Policing (CoPP)
Cisco IOS software versions that support Control Plane Policing (CoPP) can be configured to help
protect the device from attacks that target the management and control planes. CoPP is available in Cisco
IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
In the following CoPP example, the ACL entries that match the exploit packets with the permit action
will be discarded by the policy-map drop function, whereas packets that match a deny action (not
shown) are not affected by the policy-map drop function:
!-- Include deny statements up front for any protocols/ports/IP addresses that
!-- should not be impacted by CoPP
!-- Include permit statements for the protocols/ports that will be
!-- governed by CoPPaccess-list 100 permit tcp any any eq 443
!
!
class-map match-all drop-SSL-class match access-group 100

!
!
policy-map drop-SSL-policy class drop-SSL-class drop
!-- device.
!
control-plane service-policy input drop-SSL-policy

Note: In the preceding CoPP example, the ACL entries with the permit action that match the exploit
packets will result in the discarding of those packets by the policy-map drop function, whereas packets
that match the deny action are not affected by the policy-map drop function.
Access Control List (ACL)
4-558
OL-25941-01
Chapter 4

An Access Control List (ACL) can be used to help mitigate attacks that target this vulnerability. ACLs
can specify that only packets from legitimate sources are permitted to reach a device, and all others are
to be dropped. The following example shows how to allow legitimate SSL sessions from trusted sources
and deny all other SSL sessions:
access-list 101 permit tcp host <legitimate_host_IP_address> host
<router_IP_address> eq 443
SSL VPN Vulnerability - 112029 [IOS]

Description
Cisco IOS Software contains a vulnerability when the Cisco IOS SSL VPN feature is configured with
an HTTP redirect. Exploitation could allow a remote, unauthenticated user to cause a memory leak on
the affected devices, that could result in a memory exhaustion condition that may cause device reloads,
the inability to service new TCP connections, and other denial of service (DoS) conditions.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 112029: Verify Cisco IOS Software SSL VPN Vulnerability[IOS]

OL-25941-01
4-559
Chapter 4
Description
Devices running affected versions of Cisco IOS Software are vulnerable if configured with SSL VPN and
HTTP port redirection.
The following methods may be used to confirm if the device is configured for Cisco IOS SSL VPNs and
is vulnerable:
If the output from show running-config | include webvpn contains "webvpn gateway <word>" then the
device is supporting the Cisco IOS SSL VPN feature. A device is vulnerable if it has the inservice
command in at least one of the "webvpn gateway" sections and is configured for HTTP port redirection.
The following example shows a vulnerable device configured with Cisco IOS SSL VPN:
Router#show running | section webvpn
webvpn gateway Gateway
ip address 10.1.1.1 port 443
http-redirect port 80
ssl trustpoint Gateway-TP
inservice
!
Router#
A device that supports the Cisco IOS SSL VPN is not vulnerable if "webvpn gateway" is not configured.
To determine the Cisco IOS Software release that is running on a Cisco product, administrators can log in
to the device and issue the show version command to display the system banner. The system banner
Operating System Software" or "Cisco IOS Software." The image name displays in parentheses, followed
by "Version" and the Cisco IOS Software release name. Other Cisco devices do not have the show version
with an installed image name of C2800NM-ADVSECURITYK9-M:
Router#show version
Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(20)T, RELEASE
SOFTWARE (fc3)
! --- output truncated
Paper: Cisco IOS Reference Guide"
Cisco IOS Devices.
4-560
OL-25941-01
Chapter 4

Impact
Successful exploitation of the vulnerability may result in a lack of available memory resources on the
affected device, which could affect new connections to the device such as SSH and Telnet connections.
Depletion of memory resources may also result in failing of routing protocols and other services.
Suggested Fix
Disabling HTTP redirection for SSL VPN connections can be used as a workaround for this
vulnerability. HTTP redirection for SSL VPN connections is disabled by executing the command no
http-redirect port in webvpn gateway configuration mode.
In addition, manually clearing the hung TCBs with the command clear tcp tcb * will transition the TCBs
into a CLOSED state. After a time they will clear the CLOSED state and the memory will be released.
Note: Clearing the TCB will clear both legitimate and hung connections, including remote connections
to the device such as Telnet and SSH connections.
The Cisco Applied Mitigation Bulletin (AMB) "Identifying and Mitigating Exploitation of the TCP State
Manipulation Denial of Service Vulnerabilities in Multiple Cisco Products", contains two mitigations
(EEM scripts and SNMP) that can be used to detect and clear hung TCP connections.
Embedded Event Manager (EEM)
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl)
can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP
connection that is caused by this vulnerability. The policy allows administrators to monitor TCP
connections on a Cisco IOS device. When Cisco IOS EEM detects potential exploitation of this
vulnerability, the policy can trigger a response by sending a syslog message or a Simple Network
Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this
document is based on a Tcl script that monitors and parses the output from two commands at defined
intervals, produces a syslog message when the monitor threshold reaches its configured value, and can
reset the TCP connection.
The Tcl script is available for download at the "Cisco Beyond: Embedded Event Manager (EEM)
Scripting Community" at the following link:
https://supportforums.cisco.com/community/netpro/network-infrastructure/eem
A sample device configuration is provided below.
!
!-- Location where the Tcl script will be stored
!
event manager directory user policy disk0:/eem

!
!-- Define variable and set the monitoring interval
!-- as an integer (expressed in seconds)
!

OL-25941-01
4-561
Chapter 4
event manager environment EEM_MONITOR_INTERVAL 60

!
!-- Define variable and set the threshold value as
!-- an integer for the number of retransmissions
!-- that determine if the TCP connection is hung
!-- (a recommended value to use is 15)
!
event manager environment EEM_MONITOR_THRESHOLD 15

!
!-- Define variable and set the value to "yes" to
!-- enable the clearing of hung TCP connections
!
event manager environment EEM_MONITOR_CLEAR yes

!
!-- Define variable and set to the TCP connection
!-- state or states that script will monitor, which
!-- can be a single state or a space-separated list
!-- of states
!
event manager environment EEM_MONITOR_STATES CLOSEWAIT

!
!-- Register the script as a Cisco EEM policy
!
event manager policy monitor-sockets.tcl

!
4-562
OL-25941-01
Chapter 4

Secure Copy Authorization Bypass Vulnerability - 97261 [IOS]

Description
The server side of the Secure Copy (SCP) implementation in Cisco Internetwork Operating System
(IOS) contains a vulnerability that allows any valid user, regardless of privilege level, to transfer files to
and from an IOS device that is configured to be a Secure Copy server. This vulnerability could allow
valid users to retrieve or write to any file on the device's filesystem, including the device's saved
configuration. This configuration file may include passwords or other sensitive information.
The IOS Secure Copy Server is an optional service that is disabled by default. Devices that are not
specifically configured to enable the IOS Secure Copy Server service are not affected by this
vulnerability.
This vulnerability does not apply to the IOS Secure Copy Client feature.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 97261: Verify Secure Copy Authorization Bypassi Vulnerability[IOS]

OL-25941-01
4-563
Chapter 4
Description
Secure Copy (SCP) is a protocol similar to the Remote Copy (RCP) protocol, which allows for the transfer
of files between systems. The main difference between SCP and RCP is that in SCP, all aspects of the file
transfer session, including authentication, occur in encrypted form, which makes SCP a more secure
alternative than RCP. SCP relies on the Secure Shell (SSH) protocol, which uses TCP port 22 by default.
The server side of the Secure Copy implementation in Cisco IOS contains a vulnerability that allows any
valid user, regardless of privilege level, to transfer files to and from an IOS device that is configured to be
a Secure Copy server. This vulnerability could allow valid users to retrieve or write to any file on the
device's filesystem, including the device's saved configuration. This configuration file may include
passwords or other sensitive information.
This vulnerability does not allow for authentication bypass; login credentials are verified and access is only
granted if a valid username and password is provided. This vulnerability may cause authorization to be
bypassed.
A device with the Secure Copy server enabled is vulnerable regardless of whether Authentication,
Authorization, and Accounting (AAA) is enabled. If access control is enabled on the Virtual Terminal (vty)
via the login command, which allows logins via Virtual Terminals, then the device is affected.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability described in this advisory may allow valid but unauthorized
users to retrieve or write to any file on the device's filesystem, including the device's saved
configuration. This configuration file may include passwords or other sensitive information.
Suggested Fix
If the IOS Secure Copy Server functionality is not needed then the vulnerability described in this
document can be mitigated by disabling the Secure Copy server. The Secure Copy server can be disabled
by executing the following command in global configuration mode:
no ip scp server enable
If the Secure Copy server cannot be disabled due to operational concerns, then no workarounds exist.
Secure Copy Privilege Escalation Vulnerability - 109323 [IOS]

Description
The server side of the Secure Copy (SCP) implementation in Cisco IOS software contains a vulnerability
that could allow authenticated users with an attached command-line interface (CLI) view to transfer files
to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are
authorized to do, per the CLI view configuration. This vulnerability could allow valid users to retrieve
or write to any file on the device's file system, including the device's saved configuration and Cisco IOS
image files, even if the CLI view attached to the user does not allow it. This configuration file may
include passwords or other sensitive information.
4-564
OL-25941-01
Chapter 4

The Cisco IOS SCP server is an optional service that is disabled by default. CLI views are a fundamental
component of the Cisco IOS Role-Based CLI Access feature, which is also disabled by default. Devices
that are not specifically configured to enable the Cisco IOS SCP server, or that are configured to use it
but do not use role-based CLI access, are not affected by this vulnerability.
This vulnerability does not apply to the Cisco IOS SCP client feature.
There are no workarounds available for this vulnerability apart from disabling either the SCP server or
the CLI view feature if these services are not required by administrators.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 109323: Verify Secure Copy Privilege Escalation Vulnerability [IOS]

Description
SCP is a protocol similar to the Remote Copy (RCP) protocol, which allows the transfer of files between
systems. The main difference between SCP and RCP is that in SCP, all aspects of the file transfer session,
including authentication, occur in encrypted form, which makes SCP a more secure alternative than RCP.
SCP relies on the Secure Shell (SSH) protocol, which uses TCP port 22 by default.
The Role-Based CLI Access feature allows the network administrator to define "views". Views are sets of
operational commands and configuration capabilities that provide selective or partial access to Cisco IOS
software EXEC and configuration (Config) mode commands. Views restrict user access to Cisco IOS
command-line interface (CLI) and configuration information; that is, a view can define what commands
are accepted and what configuration information is visible. For more information about the Role-Based
CLI Access feature, reference
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html.
The server side of the SCP implementation in Cisco IOS software contains a vulnerability that allows
authenticated users with an attached command-line interface (CLI) view to transfer files to and from a
Cisco IOS device that is configured to be a SCP server, regardless of what users are authorized to do, per
the CLI view configuration. This vulnerability could allow authenticated users to retrieve or write to any
file on the device's file system, including the device's saved configuration and Cisco IOS image files. This
configuration file may include passwords or other sensitive information.
Users confined to a CLI view can elevate their privileges by using SCP to write to the device's
configuration. Note that a view can be attached to a user when defining the user in the local database (via
the username <user name> view ... command), or by passing the attribute cli-view-name from an AAA
server.
This vulnerability does not allow for authentication bypass; login credentials are verified and access is only
granted if a valid username and password is provided. This vulnerability may cause authorization to be
bypassed.

OL-25941-01
4-565
Chapter 4
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability described in this advisory may allow valid but unauthorized
users to retrieve or write to any file on the device's file system, including the device's saved
configuration and Cisco IOS image files. This configuration file may include passwords or other
sensitive information.
Suggested Fix
If the Cisco IOS SCP server functionality is not needed then the vulnerability described in this document
can be mitigated by disabling the SCP server or the CLI view feature. The SCP server can be disabled
by executing the following command in global configuration mode:
no ip scp server enable
If the SCP server cannot be disabled due to operational concerns, then no workarounds exist. The risk
posed by this vulnerability can be mitigated by following the best practices detailed in "Cisco Guide to
Harden Cisco IOS Devices" at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml.
Please refer to the Obtaining Fixed Software section of this advisory for appropriate solutions to resolve
this vulnerability.
Due to the nature of this vulnerability, networking best practices like access control lists (ACLs) and
Control Plane Policing (CoPP) that restrict access to a device to certain IP addresses or subnetworks may
not be effective. If access is already granted to a specific IP address or subnetwork, a user with low
privileges will be able to establish an SCP session with the device, which would allow the user to exploit
this vulnerability.
Secure Shell Denial of Services Vulnerabilities -99725 [IOS]

Description
The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow
unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload
the device. The IOS SSH server is an optional service that is disabled by default, but its use is highly
recommended as a security best practice for management of Cisco IOS devices. SSH can be configured
as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial
configuration, or manually. Devices that are not configured to accept SSH connections are not affected
by these vulnerabilities.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 99725: Verify Secure Shell Denial of Services Vulnerabilities [IOS]
4-566
OL-25941-01
Chapter 4

Description
Secure shell (SSH) was developed as a secure replacement for the telnet, ftp, rlogin, rsh, and rcp protocols,
which allow for the remote access of devices. The main difference between SSH and older protocols is that
SSH provides strong authentication, guarantees confidentiality, and uses encrypted transactions. The
server side of the SSH implementation in Cisco IOS contains multiple vulnerabilities that allow an
unauthenticated user to generate a spurious memory access or, in certain cases, reload the device. If the
attacker is able to reload the device, these vulnerabilities could be repeatedly exploited to cause an
extended Denial of Service (DoS) condition. A device with the SSH server enabled is vulnerable.
Cisco IOS Devices.

Impact
Successful exploitation of these vulnerabilities may result in a spurious memory access or, in certain
cases, reload the device potentially resulting in a DoS condition.
Suggested Fix
If disabling the IOS SSH Server is not feasible, the following workarounds may be useful to some
customers in their environments.
Telnet
Telnet is not vulnerable to the issue described in this advisory and may be used as an insecure alternative
to SSH. Telnet does not encrypt the authentication information or data; therefore, it should only be
enabled for trusted local networks.
VTY Access Class
It is possible to limit the exposure of the Cisco device by applying a VTY access class to allow only
known, trusted hosts to connect to the device via SSH.
The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP
address 172.16.1.2 while denying access from anywhere else:
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 1 permit host 172.16.1.2
Router(config)# line vty 0 4
Router(config-line)# access-class 1 in
Different Cisco platforms support different numbers of terminal lines. Check your device's configuration
to determine the correct number of terminal lines for your platform.

OL-25941-01
4-567
Chapter 4
Infrastructure ACLs (iACL)

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that
should never be allowed to target your infrastructure devices and block that traffic at the border of your
The ACL example shown below should be included as part of the deployed infrastructure access-list,
which will protect all devices with IP addresses in the infrastructure IP address range.
A sample access list for devices running Cisco IOS is below:
!--- Permit SSH services from trusted hosts destined
access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq

22
!--- Deny SSH packets from all other sources destined to infrastructure addresses.
access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22

access-list 150 permit IP any any
interface serial 2/0

The white paper titled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents
white paper can be obtained here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml.
The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the
following example, only SSH traffic from trusted hosts and with 'receive' destination IP addresses is
permitted to reach the route processor (RP).
Note: Dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically
assigned IP addresses from connecting to the Cisco IOS device.
access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22
!
class-map match-all COPP-KNOWN-UNDESIRABLE
4-568
OL-25941-01
Chapter 4


!
!
policy-map COPP-INPUT-POLICY
class COPP-KNOWN-UNDESIRABLE
drop
!
control-plane
service-policy input COPP-INPUT-POLICY
In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop" function, while packets that match the
"deny" action are not affected by the policy-map drop function.
CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.
Additional information on the configuration and use of the CoPP feature can be found at the following
URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900ae
cd804fa16a.html.
Session Initiation Protocol Denial of Services Vulnerability -111448 [IOS]

Description
Software that could allow an unauthenticated, remote attacker to cause a reload of an affected device
when SIP operation is enabled. Remote code execution may also be possible.
Cisco has released free software updates that address these vulnerabilities. For devices that must run SIP
there are no workarounds; however, mitigations are available to limit exposure of the vulnerabilities.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 111448: Verify Session Initiation Protocol Denial of Services Vulnerability [IOS]

OL-25941-01
4-569
Chapter 4
Description
the most popular types of sessions that SIP handles, but the protocol has theflexibility to accommodate
Three vulnerabilities exist in the SIP implementation in Cisco IOS Software that may allow a remote
attacker to cause a device reload, or execute arbitrary code. These vulnerabilities are triggered when the
device running Cisco IOS Software processes malformed SIP messages.
In cases where SIP is running over TCP transport, a TCP three-way handshake is necessary to exploit these
vulnerabilities.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerabilities in this advisory may result in a reload of the device.
Repeated exploitation could result in a sustained denial of service condition. There is a potential to
execute arbitrary code. In the event of successful remote code execution, device integrity could be
completely compromised.
Suggested Fix
Cisco UnifiedCommunications Manager Express and Cisco IOS Software H.323 and Session Initiation
Protocol Denial of Service Vulnerabilities".
sip-ua
no transport udp
no transport tcp
4-570
OL-25941-01
Chapter 4

Depending on the Cisco IOS Software version in use, the output from the show ip sockets command may
still show the SIP ports open, but sending traffic to them will cause the SIP process to emit the following
message:
*Feb 2 11:36:47.691: sip_udp_sock_process_read: SIP UDP Listener is DISABLED



OL-25941-01
4-571
Chapter 4



drop
!-- device.
control-plane

4-572
OL-25941-01
Chapter 4

Syslog Crash -13660 [IOS]

Description
Certain versions of Cisco IOS software may crash or hang when they receive invalid user datagram
protocol (UDP) packets sent to their "syslog" ports (port 514). At least one commonly-used Internet
scanning tool generates packets which can cause such crashes and hangs. This fact has been announced
on public Internet mailing lists which are widely read both by security professionals and by security
"crackers", and should be considered public information.
See "Cisco IOS Syslog Crash." at Cisco Security Advisories website.
Cisco IOS Devices

References
public forum, or recommendations to mitigate general problems affecting network stability. Rule 1
Rule
PSIRT - 111448: Verify Session Initiation Protocol Denial of Services Vulnerability [IOS]
Description
Certain versions of Cisco IOS software may crash or hang when they receive invalid user datagram
protocol (UDP) packets sent to their "syslog" ports (port 514). At least one commonly-used Internet
scanning tool generates packets which can cause such crashes and hangs. This fact has been announced on
public Internet mailing lists which are widely read both by security professionals and by security
"crackers", and should be considered public information. See "Cisco IOS Syslog Crash." at Cisco Security
Advisories website.
Cisco IOS Devices.

Impact
Attackers can cause Cisco IOS devices to crash and reload. Furthermore, an attacker can repeat the
process at will. By striking continuously, an attacker might be able to completely disable a Cisco IOS
device until that device was reconfigured by its administrator.
Some Cisco IOS devices have been observed to hang instead of crashing when attacked. These devices
do not recover until manually restarted by reset or power cycle. This means that it might be necessary
for an administrator to physically visit an attacked device in order to recover from the attack, even if the
attacker is no longer actively sending any traffic.
Some devices have crashed without providing stack traces; devices crashed using this vulnerability may
indicate that they were "restarted by power-on", even when that is not actually the case.
Suggested Fix
You can work around this vulnerability by preventing any affected Cisco IOS device from receiving or
processing UDP datagrams addressed to its port 514. This can be done either using packet filtering on
surrounding devices, or by using input access list filtering on the affected IOS device itself.

OL-25941-01
4-573
Chapter 4
TCP -72318 [IOS]

Description
The Cisco IOS Transmission Control Protocol (TCP) listener in certain versions of Cisco IOS software
is vulnerable to a remotely-exploitable memory leak that may lead to a denial of service condition.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the Cisco
IOS device will not trigger this vulnerability.
There are workarounds available to mitigate the effects of the vulnerability.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 72318: Verify Crafted TCP Packet Can Cause Denial of Service [IOS]
Description
TCP is the transport layer protocol designed to provide connection-oriented, reliable delivery of a data
stream. To accomplish this, TCP uses a mixture of flags to indicate state and sequence numbers to identify
the order in which the packets are to be reassembled. TCP also provides a number, called an
full specification of the TCP protocol can be found at http://www.ietf.org/rfc/rfc0793.txt.
Cisco IOS devices that are configured to receive TCP packets are exposed to this issue. This Advisory does
not apply to traffic that is transiting the device.
Certain crafted packets destined to an IPv4 address assigned to a physical or virtual interface on a Cisco
IOS device may cause the device to leak a small amount of memory. Over time, such a memory leak may
lead to memory exhaustion and potentially degraded service.
Although this is an issue with TCP, it is not required to complete the TCP 3-way handshake in order for
the memory leak to be triggered. Therefore, TCP packets with a spoofed source address may trigger the
leak.
The following document contains additional information on how to identify if your router is suffering from
a memory leak in Processor memory:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6f3a.shtml#
tshoot2.
Cisco IOS Devices.
4-574
OL-25941-01
Chapter 4

Impact
Successful exploitation of the vulnerability may result in a small amount of processor memory to leak,
which may lead to degraded service. This issue will not resolve over time, and will require a device reset
to recover the leaked memory.
This vulnerability only applies to traffic destined to the Cisco IOS device. Traffic transiting the device
will not trigger this issue.
Suggested Fix
ACLs can be used as an effective mitigation technique for the Crafted TCP transit enforcement points.
Anti-spoof protection in the form of unicast Reverse Path Forwarding (uRPF) can provide limited
mitigation if properly configured.
Anti-Spoofing and Embryonic Connection Limiting with TCP-Intercept can also be used mitigating this
vulnerability.
TCP Conn Reset -50960 [IOS]

Description
switch, or computer) and not to the sessions that are only passing through the device (for example, transit
traffic that is being routed by a router). In addition, this attack vector does not directly compromise data
integrity or confidentiality.
This attack vector is only applicable to the sessions which are terminating on a device (such as a router,
transit traffic that is being routed by a router).
See "TCP Vulnerabilities in Multiple IOS-Based Cisco Products" at Cisco Security Advisories website
.Applicable Platforms
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 50960: TCP connection reset vulnerabilities [IOS]

OL-25941-01
4-575
Chapter 4
Description
attack vector is only applicable to the sessions which are terminating on a device (such as a router, switch,
or computer) and not to the sessions that are only passing through the device (for example, transit traffic
that is being routed by a router). In addition, this attack vector does not directly compromise data integrity
or confidentiality.
This attack vector is only applicable to the sessions which are terminating on a device (such as a router,
switch, or computer), and not to the sessions that are only passing through the device (for example, transit
traffic that is being routed by a router).
See "TCP Vulnerabilities in Multiple IOS-Based Cisco Products" at Cisco Security Advisories website
Cisco IOS Devices.

Impact
The impact will be different for each specific protocol. While in the majority of cases a TCP connection
will be automatically re-established, in some specific protocols a second order of consequences may
have a larger impact than tearing down the connection itself.
Suggested Fix
The workaround for BGP is to configure MD5 secret for each session between peers. There are no
workarounds available to mitigate the effects of this vulnerability on Cisco IOS Firewall.
TCP Denial of Service Service Vulnerability -112099 [IOS]

Description
Cisco IOS Software Release, 15.1(2)T is affected by a denial of service (DoS) vulnerability during the
TCP establishment phase. The vulnerability could cause embryonic TCP connections to remain in a
SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these states could consume
system resources and prevent an affected device from accepting or initiating new TCP connections,
including any TCP-based remote management access to the device.
No authentication is required to exploit this vulnerability. An attacker does not need to complete a
three-way handshake to trigger this vulnerability; therefore, this vulnerability can be exploited using
spoofed packets. This vulnerability may be triggered by normal network traffic.
Cisco has released Cisco IOS Software Release 15.1(2)T0a to address this vulnerability.
Cisco IOS Devices
4-576
OL-25941-01
Chapter 4

References
Rule 1
Rule
PSIRT - 112099: Verify TCP DoS vulnerability [IOS]

Description
TCP provides reliable data transmission services in packet-switched network environments. TCP
corresponds to the transport layer (Layer 4) of the OSI reference model. Among the services TCP provides
are stream data transfer, reliability, efficient flow control, full-duplex operation, and multiplexing.
When TCP connections are terminated in Cisco IOS Software, they are allocated a transmission control
block (TCB). All allocated TCBs, associated TCP port numbers, and the TCP state are displayed in the
output of the show tcp brief all command-line interface (CLI) command.
Cisco IOS Software version 15.1(2)T contains a vulnerability that could cause an embryonic TCP
connection to remain in SYNRCVD or SYNSENT state without a further TCP state transition. Examining
the output of the show tcp brief all command multiple times will indicate if TCP sessions remain in one
of these states.
This vulnerability is triggered only by TCP traffic that is terminated by or originated from the device.
Transit traffic will not trigger this vulnerability.
Both connections to and from the router could trigger this vulnerability. An example of a connection to the
router is that you may still be able to ping the device, but fail to establish a TELNET or SSH connection
to the device. For example, an administrator may still be able to ping the device but fail to establish a Telnet
or SSH connection to the device. Administrators who attempt a Telnet or a SSH connection to a remote
device from the CLI prompt will encounter a hung session and the "Trying <ip address|hostname> ..."
prompt. The connection that is initiated or terminated by the router can be removed from the socket table
by clearing the associated TCB with the clear tcp tcb 0x<address> command.
Devices could be vulnerable if examining the output of the CLI command debug ip tcp transactions,
displays the error messages connection queue limit reached: port <port number> or No wild listener: port
<port number>.
Devices could also be vulnerable if output from repetitive show tcp brief all CLI commands indicates many
TCBs in the state SYNRCVD or SYNSENT.
The following example shows a device that has several HTTP, SSH, and Telnet sessions in the TCP
SYNRCVD state:
Example#show tcp brief all
TCB
Local Address
07C2D6C8 192.168.0.2.443
07C38128 192.168.0.2.23
Foreign Address
192.168.0.5.11660
192.168.0.5.35018
(state)
SYNRCVD
SYNRCVD
07C2DD60 192.168.0.2.443
192.168.0.5.19316
SYNRCVD
07C2A8A0 192.168.0.2.80
192.168.0.5.13818
SYNRCVD
<output truncated>

OL-25941-01
4-577
Chapter 4
Any TCP sessions can be cleared by clearing the associated TCB with clear tcp tcb 0x<address> .
Alternatively Administrators can clear all TCBs at once by issuing clear tcp tcb *.
Note: This will clear all active and hung TCP connections.
Some TCP application specific information is provided in the following sections:
Telnet and SSH
Telnet can not be explicitly disabled on a Cisco IOS device. Configuring transport input none on the vty
lines of a vulnerable device will prevent it from being exploited on TCP port 23. However, if the Cisco IOS
SSH server feature is configured on the device, transport input none will not prevent the device from being
exploited on TCP port 22.
Configuration of vty access control lists can partially mitigate this vulnerability because the vulnerability
can be exploited using spoofed IP source addresses.
Border Gateway Protocol
Routers that are configured with Border Gateway Protocol (BGP) can be protected further by using the
Generalized Time to Live (TTL) Security Mechanism (GTSM) feature. GTSM allows users to configure
the expected TTL of a packet between a source and destination address. Packets that fail the GTSM check
will be dropped before TCP processing occurs, which prevents an attacker from exploiting this
vulnerability through BGP. GTSM is implemented with the command ttl-security hops.
Further information on protecting BGP can be found in Protecting Border Gateway Protocol for the
Enterprise.
TCP MD5 Authentication for BGP does not prevent this vulnerability from being exploited.
Cisco IOS Devices.

Impact
Successful exploitation of this vulnerability may prevent some TCP applications on Cisco IOS Software
from accepting any new connections. Exploitation could also prevent remote access to the affected
system via the vtys. Remote access to the affected device via out-of-band connectivity to the console
port should still be available.
Suggested Fix
The only complete workaround to mitigate this vulnerability is to disable the specific features that make
a device vulnerable, if this action is feasible.
Allowing only legitimate devices to connect to affected devices will help limit exposure to this
vulnerability. Refer to the following Control Plane Policing and Configuring Infrastructure Access Lists
subsections for further details. Because a TCP three-way handshake is not required, the mitigation must
be combined with anti-spoofing measures on the network edge to increase effectiveness.
Cisco Guide to Harden Cisco IOS Devices
The Cisco Guide to Harden Cisco IOS Devices provides examples of many useful techniques to mitigate
TCP state manipulation vulnerabilities. These include:
Infrastructure Access Control Lists (iACL)
Receive Access Control Lists (rACL)
Transit Access Control Lists (tACL)
4-578
OL-25941-01
Chapter 4

vty Access Control Lists

Control Plane Protection (CPPr)
For more information on these topics, consult Cisco Guide to Harden Cisco IOS Devices.
CoPP
For devices that need to offer TCP services, administrators can use CoPP to block TCP traffic from
untrusted sources that is destined to the affected device. Cisco IOS Software Releases 12.0S, 12.2SX,
12.2S, 12.3T, 12.4, and 12.4T support the CoPP feature. CoPP may be configured on a device to protect
the management and control planes and minimize the risk and effectiveness of direct infrastructure
attacks by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with
existing security policies and configurations. The following example can be adapted to specific network
configurations:
!
!-- policy (the CoPP feature.) If the access list matches (permit),
!-- then traffic will be dropped. If the access list does not
!-- match (deny), then traffic will be processed by the router.
!-- Note that TCP ports 22 and 23 are examples; this
!-- configuration needs to be expanded to include all used
!-- TCP ports.
!
access-list 100 permit tcp any any
!
!-- Create a class map for traffic that will be policed by
!
class-map match-all drop-tcp-class
!

OL-25941-01
4-579
Chapter 4
!-- Create a policy map that will be applied to the

!-- Control Plane of the device, and add the "drop-tcp-traffic"
!-- class map.
!
class drop-tcp-class
drop
!
!-- Apply the policy map to the control plane of the
!-- device.
!
control-plane
Because a TCP three-way handshake is not required to exploit this vulnerability, it is possible to spoof
the IP address of the sender, which could defeat access control lists (ACLs) that permit communication
to these ports from trusted IP addresses.
In the preceding CoPP example, the access control entries (ACEs) that match the potential exploit
function. Additional information on the configuration and use of the CoPP feature can be found at
Control Plane Policing Implementation Best Practices and Control Plane Policing.
Configuring iACLs
should never be allowed to target infrastructure devices and block that traffic at the border of your
The white paper Protecting Your Core: Infrastructure Protection Access Control Lists presents
guidelines and recommended deployment techniques for infrastructure protection ACLs.
BGP Considerations
GTSM can help prevent exploitation of this vulnerability by means of the BGP port because packets that
originate from devices that do not pass the TTL check configured by GTSM are dropped before any TCP
processing occurs. For information on GTSM refer to BGP Support for TTL Security Check and BGP
Time To Live Security Check.
Embedded Event Manager (EEM)
A Cisco IOS Embedded Event Manager (EEM) policy that is based on Tool Command Language (Tcl)
can be used on vulnerable Cisco IOS devices to identify and detect a hung, extended, or indefinite TCP
connection that is caused by this vulnerability. The policy allows administrators to monitor TCP
connections on a Cisco IOS device. When Cisco IOS EEM detects potential exploitation of this
vulnerability, the policy can trigger a response by sending a syslog message or a Simple Network
Management Protocol (SNMP) trap to clear the TCP connection. The example policy provided in this
document is based on a Tcl script that monitors and parses the output from two commands at defined
intervals, produces a syslog message when the monitor threshold reaches its configured value, and can
reset the TCP connection.
4-580
OL-25941-01
Chapter 4

The Tcl script is available for download at the Embedded Event Manager (EEM) Scripting Community
at the following link
https://supportforums.cisco.com/community/netpro/network-infrastructure/eem, and the device sample
configuration is provided below.
!
!-- Location where the Tcl script will be stored
!
event manager directory user policy disk0:/eem
!
!-- Define variable and set the monitoring interval
!-- as an integer (expressed in seconds)
!
event manager environment EEM_MONITOR_INTERVAL 60

!
!-- Define variable and set the threshold value as
!-- an integer for the number of retransmissions
!-- that determine if the TCP connection is hung
!-- (a recommended value to use is 15)
!
event manager environment EEM_MONITOR_THRESHOLD 15

!
!-- Define variable and set the value to "yes" to
!-- enable the clearing of hung TCP connections
!
event manager environment EEM_MONITOR_CLEAR yes

!
!-- Define variable and set to the TCP connection
!-- state or states that script will monitor, which
!-- can be a single state or a space-separated list

OL-25941-01
4-581
Chapter 4
!-- of states
!
event manager environment EEM_MONITOR_STATES SYNRCVD SYNSENT

!
!-- Register the script as a Cisco EEM policy
!
event manager policy monitor-sockets.tcl
TCP ISN -13631 [IOS]

Description
Cisco IOS Software contains a flaw that permits the successful prediction of TCP Initial Sequence
Numbers.
This vulnerability is present in all released versions of Cisco IOS software running on Cisco routers and
switches. It only affects the security of TCP connections that originate or terminate on the affected Cisco
device itself; it does not apply to TCP traffic forwarded through the affected device in transit between
two other hosts.
. See "Cisco IOS Software TCP Initial Sequence Number Randomization Improvements." at Cisco
Security Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 13631: Verify TCP Initial Sequence Number Randomization Vulnerability [IOS]
Description
To provide reliable delivery in the Internet, the Transmission Control Protocol (TCP) makes use of a
sequence number in each packet to provide orderly reassembly of data after arrival, and to notify the
sending host of the successful arrival of the data in each packet.
TCP sequence numbers are 32-bit integers in the circular range of 0 to 4,294,967,295. The host devices at
both ends of a TCP connection exchange an Initial Sequence Number (ISN) selected at random from that
range as part of the setup of a new TCP connection. After the session is established and data transfer begins,
4-582
OL-25941-01
Chapter 4

the sequence number is regularly augmented by the number of octets transferred, and transmitted to the
other host. To prevent the receipt and reassembly of duplicate or late packets in a TCP stream, each host
maintains a "window", a range of values close to the expected sequence number, in which the sequence
number in an arriving packet must fall if it is to be accepted. Assuming a packet arrives with the correct
source and destination IP addresses, source and destination port numbers, and a sequence number within
the allowable window, the receiving host will accept the packet as genuine.
This method provides reasonably good protection against accidental receipt of unintended data. However,
to guard against malicious use, it should not be possible for an attacker to infer a particular number in the
sequence. If the initial sequence number is not chosen randomly or if it is incremented in a non-random
manner between the initialization of subsequent TCP sessions, then it is possible, with varying degrees of
success, to forge one half of a TCP connection with another host in order to gain access to that host, or
hijack an existing connection between two hosts in order to compromise the contents of the TCP
connection. To guard against such compromises, ISNs should be generated as randomly as possible.
Cisco IOS Devices.

Impact
Forged packets can be injected into a network from a location outside its boundary so that they are
trusted as authentic by the receiving host, thus resulting in a failure of integrity. Such packets could be
crafted to gain access or make some other modification to the receiving system in order to attain some
goal, such as gaining unauthorized interactive access to a system or compromising stored data.
From a position within the network where it is possible to receive the return traffic (but not necessarily
in a position that is directly in the traffic path), a greater range of violations is possible. For example,
the contents of a message could be diverted, modified, and then returned to the traffic flow again,
causing a failure of integrity and a possible failure of confidentiality.
Note: Any compromise using this vulnerability is only possible for TCP sessions that originate or
terminate on the affected Cisco device itself. It does not apply to TCP traffic that is merely
forwarded through the device.
Suggested Fix
There is no specific configurable workaround to directly address the possibility of predicting a TCP Initial
Sequence Number. To prevent malicious use of this vulnerability from inside the network, ensure that
transport that makes interception and modification detectable, if not altogether preventable, is in use as
appropriate. Examples include using IPSEC or SSH to the Cisco device for interactive session, MD5
authentication to protect BGP sessions, strong authentication for access control, and so on.
TCP State Manipulation DoS Vulnerability -109444 [IOS]

Description

OL-25941-01
4-583
Chapter 4
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 109444: Verify TCP State Manipulation DoS Vulnerability [IOS]

Description
Multiple Cisco products are affected by DoS vulnerabilities in the TCP protocol. By manipulating the state
of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for
long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the
attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new
TCP connections being denied access to a targeted port or an entire system. A system reboot may be
required to restore full system functionality. A full TCP three-way handshake is required to exploit these
vulnerabilities.
Network devices are not directly impacted by TCP state manipulation DoS attacks transiting a device;
however, network devices that maintain the state of TCP connections may be impacted. If the attacker can
establish enough TCP connections through a transit device that maintains TCP state, device resources may
be exhausted and prevent the device from processing new TCP connections, resulting in a DoS condition.
If an affected device that forwards traffic (that is, routes) in a network is the target of a TCP state
manipulation attack, the attacker could cause a network-impacting DoS condition.
Cisco IOS Software
All Cisco IOS Software versions are affected by this vulnerability. A device running Cisco IOS Software
that is under attack will have numerous hung TCP connections in the FINWAIT1 state. The show tcp brief
command can be used to display the hung TCP connections. The following is example output showing an
attack in progress.
Router#show tcp brief | include FIN
63D697C4 192.168.1.10.80
192.168.1.20.38479
FINWAIT1
63032A28 192.168.1.10.80
192.168.1.20.54154
FINWAIT1
645F8068 192.168.1.10.80
192.168.1.20.56287
FINWAIT1
630323F4 192.168.1.10.80
192.168.1.20.6372
FINWAIT1
63D69190 192.168.1.10.80
192.168.1.20.23489
FINWAIT1
This method provides reasonably good protection against accidental receipt of unintended data. However,
to guard against malicious use, it should not be possible for an attacker to infer a particular number in the
sequence. If the initial sequence number is not chosen randomly or if it is incremented in a non-random
manner between the initialization of subsequent TCP sessions, then it is possible, with varying degrees of
success, to forge one half of a TCP connection with another host in order to gain access to that host, or
hijack an existing connection between two hosts in order to compromise the contents of the TCP
connection. To guard against such compromises, ISNs should be generated as randomly as possible.
Cisco IOS Devices.
4-584
OL-25941-01
Chapter 4

Impact
Suggested Fix
The Cisco Guide to Harden Cisco IOS Devices provides examples of many useful techniques to mitigate
against the TCP state manipulation vulnerabilities. These include:
Infrastructure Access Control Lists (iACL)
Receive Access Control Lists (rACL)
Transit Access Control Lists (tACL)
VTY Access Control Lists
Control Plane Protection (CPPr)
Management Plane Policing (MPP)
For more information on the topics listed above, consult the Cisco Guide to Harden Cisco IOS Devices at the
following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml.
Telnet DoS -61671 [IOS]

Description
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port
of a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet,
Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP)
access to the Cisco device. Data Link Switching (DLSw) and protocol translation connections may also
be affected. Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior
to exploitation are not affected.
All other device services will operate normally. Services such as packet forwarding (excluding DLSw
and protocol translation per above), routing protocols and all other communication to and through the
device are not affected.
See "Cisco Telnet Denial of Service Vulnerability." at Cisco Security Advisories website.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 61671: Verify Telnet DoS Vulnerability [IOS]

OL-25941-01
4-585
Chapter 4
Description
A specifically crafted Transmission Control Protocol (TCP) connection to a telnet or reverse telnet port of
a Cisco device running Internetwork Operating System (IOS) may block further telnet, reverse telnet,
Remote Shell (RSH), Secure Shell (SSH), and in some cases Hypertext Transport Protocol (HTTP) access
to the Cisco device. Data Link Switching (DLSw) and protocol translation connections may also be
affected. Telnet, reverse telnet, RSH, SSH, DLSw and protocol translation sessions established prior to
exploitation are not affected.
All other device services will operate normally. Services such as packet forwarding (excluding DLSw and
protocol translation per above), routing protocols and all other communication to and through the device
are not affected.
See "Cisco Telnet Denial of Service Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices.

Impact
Exploitation of this vulnerability may result in the denial of new telnet, reverse telnet, RSH, SSH, SCP,
DLSw, protocol translation and HTTP connections to a device running IOS. Other access to the device
via the console or SNMP is not affected. The device will remain in this state until the problematic TCP
connection is cleared, or the device is reloaded (which will clear the problematic session). If no other
access methods are available, exploitation of this vulnerability could deny remote access to the device.
Suggested Fix
Enable SSH and disable Telnet access to the device.
Telnet Option-10939 [IOS]

Description
A defect in multiple Cisco IOS software versions will cause a Cisco router to reload unexpectedly when
the router is tested for security vulnerabilities by security scanning software programs. The defect can
be exploited repeatedly to produce a consistent denial of service (DoS) attack.. See "Cisco IOS Software
TELNET Option Handling Vulnerability." at Cisco Security Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 10939: Verify TELNET Option Handling Vulnerability [IOS]

Description
4-586
OL-25941-01
Chapter 4

Software packages are available from various commercial and free sites that perform automated remote
tests for computer security vulnerabilities by scanning computers on a network for known security flaws.
Two security vulnerabilities associated with several UNIX-based platforms are the subject of two specific
tests that have the same effect on vulnerable Cisco routers. The scanning program is asserting the Telnet
ENVIRON option, #36, before the router indicates that it is willing to accept it, and this causes the router
to reload unexpectedly.
Cisco IOS Devices.

Impact
Can be used to mount a consistent and repeatable denial of service (DoS) attack on any vulnerable Cisco
product, which may result in violations of the availability aspects of a customer's security policy. This
defect by itself does not cause the disclosure of confidential information nor allow unauthorized access.
Suggested Fix
Disable Telnet and use SSH to access the device.
Timers Heap Overflow -68064 [IOS]

Description
The Cisco Internetwork Operating System (IOS) may permit arbitrary code execution after exploitation
of a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its
software, as further described below, that are intended to reduce the likelihood of arbitrary code
execution.
(See "IOS Heap-based Overflow Vulnerability in System Timers" at Cisco Security Advisories website
for more information.)
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 68064: Verify IOS Heap-based Overflow Vulnerability in System Timers [IOS]
Description
The Cisco Internetwork Operating System (IOS) may permit arbitrary code execution after exploitation of
a heap-based buffer overflow vulnerability. Cisco has included additional integrity checks in its software,
as further described below, that are intended to reduce the likelihood of arbitrary code execution.
Cisco IOS Devices.

OL-25941-01
4-587
Chapter 4
Impact
Successful exploitations of heap-based buffer overflow vulnerabilities in Cisco IOS software often result
in a Denial of Service because the exploit causes the router to crash and reload due to inconsistencies in
running memory. In some cases it is possible to overwrite areas of system memory and execute arbitrary
code from those locations. In the event of successful remote code execution, device integrity will have
been completely compromised.
Suggested Fix
There are no workarounds or configuration changes that will implement counter-measures equivalent to
the increased integrity checks on system timers that have been introduced. In order to reduce the
potential for system timer-related arbitrary code execution, an IOS upgrade is necessary.
4-588
OL-25941-01
Chapter 4

Tunnels DoS Vulnerability -109482 [IOS]

Description
Cisco devices running affected versions of Cisco IOS Software are vulnerable to a denial of service
(DoS) attack if configured for IP tunnels and Cisco Express Forwarding.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 109482: Verify Tunnels DoS Vulnerability [IOS]

Description
A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual
point-to-point link between internetworking devices over an IP network.
Cisco Express Forwarding is a Layer 3 IP switching technology. It improves network performance and
scalability for networks with high and dynamic traffic patterns.
Devices that are running Cisco IOS Software and configured for GRE, IPinIP, Generic Packet Tunneling
in IPv6 or IPv6 over IP tunnels tunnels and Cisco Express Forwarding may reload upon switching a
specially crafted malformed packets. Please note that using PPTP creates GRE tunnels that are transparent
to the end user so devices configured for PPTP are vulnerable if they are configured on an affected software
version. Using MVPN also creates GRE tunnels that are transparent to the end user. However MVPN
configurations are not vulnerable.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in the reload of an affected system, causing a DoS
condition.
Suggested Fix
Disabling Cisco Express Forwarding will mitigate this vulnerability. It can be disabled in two ways:
Disabling Cisco Express Forwarding Globally
Cisco Express Forwarding can be globally disabled by using the no ip cef and no ipv6 cef global
configuration command.
Disabling Cisco Express Forwarding on Tunnel Interfaces
Cisco Express Forwarding can also be disabled on individual tunnel interfaces. To be effective, it must
be disabled on all tunnel interfaces configured on an affected device. Cisco Express Forwarding can be
disabled on individual interfaces as shown in the following example:

OL-25941-01
4-589
Chapter 4
interface Tunnel [interface-ID]

no ip route-cache cef
no ipv6 cef
Note: Disabling Cisco Express Forwarding may have significant performance impact and is not
recommended.
Applied Mitigation Bulletin companion document .
Unified Communications Manager Express Vulnerability -110451

Description
Cisco IOS devices that are configured for Cisco Unified Communications Manager Express (CME) and
the Extension Mobility feature are vulnerable to a buffer overflow vulnerability. Successful exploitation
of this vulnerability may result in the execution of arbitrary code or a Denial of Service (DoS) condition
on an affected device.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 110451: Verify Unified Comminications Manager Express Vulnerability [IOS]

Description
Cisco Unified CME is the call processing component of an enhanced IP telephony solution that is
integrated into Cisco IOS.
4-590
OL-25941-01
Chapter 4

The Extension Mobility feature in Cisco Unified CME provides the benefit of phone mobility for end users.
A user login service allows phone users to temporarily access a physical phone other than their own phone
and utilize their personal settings, such as directory number, speed-dial lists, and services, that is assigned
to their own desk phone. The phone user can make and receive calls on that phone using the same personal
directory number as is on their own desk phone. More information on Extension Mobility feature is
available at the following URL:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/admin/configuration/guide/cmemobl.html.
A vulnerability in the login section of the Extension Mobility feature may allow an unauthenticated
attacker to execute arbitrary code or cause a Denial of Service (DoS) condition. Such packets can only
come from registered phone IP addresses in the form of HTTP requests. If the auto-registration feature is
enabled, an attacker can register its IP address and subsequently send a crafted payload to exploit this
vulnerability. The auto-registration feature is enabled by default. More information on auto-registration
can be found at the following link:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_a1ht.html#wp10312
42.
Cisco IOS Devices.

Impact
Successful exploitation of this vulnerability may result in the execution of arbitrary code or a Denial of
Service (DoS) condition on an affected device.
Suggested Fix
There are no workarounds to mitigate this vulnerability, other than disabling Extension Mobility.
However, auto-registration can be disabled to make exploitation more difficult. Auto-registration can be
disabled by the following command:
telephony-service
no auto-reg-ephone
Before disabling auto-registration, all phone MAC addresses need to be explicitly defined on the Cisco
Unified CME. Otherwise phones will not be able to register. More information on auto-registration can
be found at the following link:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/command/reference/cme_a1ht.html#wp103
1242.
Applied Mitigation Bulletin companion document .
User Datagram protocol delivery issue -100638 [IOS]

Description
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject
to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has
to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To
exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed
throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface
from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP)
service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability
was exploited will be affected.

OL-25941-01
4-591
Chapter 4
(See "IOS User Datagram Protocol Delivery Issue For IPv4/IPv6 Dual-stack Routers" at Cisco Security
Advisories website for more information.)
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 100638: Verify IOS User Datagram Protocol Delivery Issue for IPv4/IPv6 Dual-stack Routers
[IOS]
Description
A device running Cisco IOS software that has Internet Protocol version 6 (IPv6) enabled may be subject
to a denial of service (DoS) attack. For the device to be affected by this vulnerability the device also has
to have certain Internet Protocol version 4 (IPv4) User Datagram Protocol (UDP) services enabled. To
exploit this vulnerability an offending IPv6 packet must be targeted to the device. Packets that are routed
throughout the router can not trigger this vulnerability. Successful exploitation will prevent the interface
from receiving any additional traffic. The only exception is Resource Reservation Protocol (RSVP)
service, which if exploited, will cause the device to crash. Only the interface on which the vulnerability
was exploited will be affected. Only Cisco IOS software releases that have IPv6 enabled are affected by
this vulnerability. In order to be vulnerable both support for IPv6 protocol and IPv4 UDP-based services
must be enabled on the device. The IPv6 is not enabled by default in Cisco IOS software.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability can result in one of the following two conditions:
1.
The device will crash if RSVP service is configured on the interface.
2.
Any other affected IPv4 UDP-based service will prevent the interface from receiving additional
traffic. Only the interface on which the vulnerability is exploited will be affected.
Suggested Fix
A blocked interface can be unblocked by disabling the UDP service whose packets are blocking the
interface. This procedure can restore normal operation of the interface without rebooting the device. The
procedure for disabling vulnerable services are described in the "If IPv4 UDP-based Services Are Not
Required" section.
The following workarounds are options that may be available depending on the Cisco IOS software
running on the device and the operating environment. The workarounds depend on whether IPv6 or any
of the affected UDP services are required for the normal operation.
If IPv6 Protocol Is Not Required
Disable IPv6. To disable IPv6 use the following commands:
4-592
OL-25941-01
Chapter 4

Router(config)#interface FastEthernet0/0
Router(config-if)#no ipv6 address
or
Router(config)#interface FastEthernet0/0
Router(config-if)#no ipv6 enable
If RSVP is the only affected service that is configured it is sufficient to disable IPv6 only on the interface
where RSVP is configured. If any other affected UDP service is present on the device then IPv6 would
have to be disabled from all interfaces.
If IPv4 UDP-based Services Are Not Required
Disable all affected IPv4 UDP-based services.
Virtual Private Dial-up Network DoS Vulnerability -97278 [IOS]

Description
Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point
Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the
supported tunneling protocols used to tunnel PPP frames within the VPDN solution.
The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second
vulnerability may consume all interface descriptor blocks on the affected device because those devices
will not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory
and/or interface resources of the attacked device may be depleted. (See for more information.)
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 97278: Verify Virtual Private Dial-up Network DoS Vulnerability [IOS]

OL-25941-01
4-593
Chapter 4
Description
Two vulnerabilities exist in the virtual private dial-up network (VPDN) solution when Point-to-Point
Tunneling Protocol (PPTP) is used in certain Cisco IOS releases prior to 12.3. PPTP is only one of the
supported tunneling protocols used to tunnel PPP frames within the VPDN solution.
The first vulnerability is a memory leak that occurs as a result of PPTP session termination. The second
vulnerability may consume all interface descriptor blocks on the affected device because those devices will
not reuse virtual access interfaces. If these vulnerabilities are repeatedly exploited, the memory and/or
interface resources of the attacked device may be depleted.
Cisco has made free software available to address these vulnerabilities for affected customers.
There are no workarounds available to mitigate the effects of these vulnerabilities.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in a memory leak of processor memory or
consumption of all available IDBs on the device. With continued exploitation, the device will deplete its
processor memory or reach an IDB limit. Both impacts would result in a denial of service condition for
the device.
Suggested Fix
There are no workarounds for these vulnerabilities. Cisco recommends upgrading to the fixed version of
Cisco IOS.
4-594
OL-25941-01
Chapter 4

Vulnerabilities Found by PROTOS IPSec Test Suite -68158 [IOS]

Description
Multiple Cisco products contain vulnerabilities in the processing of IPSec IKE (Internet Key Exchange)
messages. These vulnerabilities were identified by the University of Oulu Secure Programming Group
(OUSPG) "PROTOS" Test Suite for IPSec and can be repeatedly exploited to produce a denial of service.
See "Multiple Vulnerabilities Found by PROTOS IPSec Test Suite" at Cisco Security Advisories
website.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 68158: Verify Multiple Vulnerabilities Found by PROTOS IPSec Test Suite [IOS]
Description
IP Security, or IPSec, is a set of protocols standardized by the IETF to support encrypted and/or
authenticated transmission of IP packets. IPSec is a protocol commonly used in Virtual Private Networks
(VPNs).
The Internet Key Exchange (IKE) protocol is used to negotiate keying material for IPSec Security
Associations (SAs) and provides authentication of peers.
When IKE is used for establishing VPN connections, receiving certain malformed packets can cause Cisco
devices to reset.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerabilities may result in the restart of the device. The device will
return to normal operation without any intervention required.
Suggested Fix
For customers that use IPSec, but do not require IKE for connection establishment, IPSec connection
information may be entered manually, and IKE can be disabled, eliminating the exposure.
It is possible to mitigate the effects of this vulnerability by restricting the devices that can send IKE
traffic to your IPSec devices. Due to the potential for IKE traffic to come from a spoofed source address,
a combination of Access Control Lists (ACLs) and anti-spoofing mechanisms will be most effective.
The Unicast Reverse Path Forwarding (Unicast RPF) feature helps to mitigate problems that are caused
by spoofed IP source addresses.

OL-25941-01
4-595
Chapter 4
Vulnerability in IOS Firewall Feature Set -9360 [IOS]

Description
The IOS Firewall Feature set, also known as Cisco Secure Integrated Software, also known as Context
Based Access Control (CBAC), and introduced in IOS version 11.2P, has a vulnerability that permits
traffic normally expected to be denied by the dynamic access control lists. See "A Vulnerability in IOS
Firewall Feature Set." at Cisco Security Advisories website
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 9360: Verify IOS Firewall Feature Set Vulnerability [IOS]

Description
The IOS Firewall Feature set, also known as Cisco Secure Integrated Software, also known as Context
Based Access Control (CBAC), and introduced in IOS version 11.2P, has a vulnerability that permits traffic
normally expected to be denied by the dynamic access control lists.
Cisco IOS Devices.

Impact
The device will permit traffic normally expected to be denied by the dynamic access control lists.
Suggested Fix
There is no workaround
4-596
OL-25941-01
Chapter 4

WeBVPN and SSLVPN Vulnerabilities -107397 [IOS]

Description
Cisco IOS software contains two vulnerabilities within the Cisco IOS WebVPN or Cisco IOS SSLVPN
feature (SSLVPN) that can be remotely exploited without authentication to cause a denial of service
condition. Both vulnerabilities affect both Cisco IOS WebVPN and Cisco IOS SSLVPN features:
1.
Crafted HTTPS packet will crash device.
2.
SSLVPN sessions cause a memory leak in the device.
There are no workarounds that mitigate these vulnerabilities.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 107397: Verify WeBVPN and SSLVPN Vulnerabilities [IOS]

Description
The Cisco SSLVPN feature provides remote access to enterprise sites by users from anywhere on the
Internet. The SSLVPN provides users with secure access to specific enterprise applications, such as e-mail
and web browsing, without requiring them to have VPN client software installed on their end-user devices.
The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco IOS Release 12.4(6)T,
obsoletes the commands and configurations originally put forward in Cisco IOS WebVPN.
Further information about Cisco IOS WebVPN is available in the "Cisco IOS Software Release 12.3T
WebVPN feature guide" at the following link:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html.
Further information about Cisco IOS SSLVPN is available in the "Cisco IOS Software Release 12.4T
SSLVPN feature guide" at the following link:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html.
Details regarding these two vulnerabilities in Cisco IOS devices that are running affected versions of
system software are:
Crafted HTTPS packet will crash device
A device configured for SSLVPN may reload or hang when it receives a specially crafted HTTPS packet.
Completion of the 3-way handshake to the associated TCP port number of the SSLVPN feature is required
in order for the vulnerability to be successfully exploited, however authentication is "not" required. The
default TCP port number for SSLVPN is 443.
SSLVPN sessions cause a memory leak in the device

OL-25941-01
4-597
Chapter 4
A device configured for SSLVPN may leak transmission control blocks (TCBs) when processing an
abnormally disconnected SSL session. Continued exploitation may result in the device depleting its
memory resources and result in a crash of the device. Authentication is "not" required to exploit this
vulnerability.
The memory leak can be detected by running the command "show tcp brief", like in the following
example:
Router#show tcp brief
TCB
Local Address
Foreign Address
(state)
468BBDC0 192.168.0.22.443 192.168.0.33.19794 CLOSEWAIT

482D4730 192.168.0.22.443 192.168.0.33.22092 CLOSEWAIT
482779A4 192.168.0.22.443 192.168.0.33.16978 CLOSEWAIT
4693DEBC 192.168.0.22.443 192.168.0.33.21580 CLOSEWAIT
482D3418 192.168.0.22.443 192.168.0.33.17244 CLOSEWAIT
482B8ACC 192.168.0.22.443 192.168.0.33.16564 CLOSEWAIT
46954EB0 192.168.0.22.443 192.168.0.33.19532 CLOSEWAIT
468BA9B8 192.168.0.22.443 192.168.0.33.15781 CLOSEWAIT
482908C4 192.168.0.22.443 192.168.0.33.19275 CLOSEWAIT
4829D66C 192.168.0.22.443 192.168.0.33.19314 CLOSEWAIT
468A2D94 192.168.0.22.443 192.168.0.33.14736 CLOSEWAIT
4688F590 192.168.0.22.443 192.168.0.33.18786 CLOSEWAIT
4693CBA4 192.168.0.22.443 192.168.0.33.12176 CLOSEWAIT
4829ABC4 192.168.0.22.443 192.168.0.33.39629 CLOSEWAIT
4691206C 192.168.0.22.443 192.168.0.33.17818 CLOSEWAIT
46868224 192.168.0.22.443 192.168.0.33.16774 CLOSEWAIT
4832BFAC 192.168.0.22.443 192.168.0.33.39883 CLOSEWAIT
482D10CC 192.168.0.22.443 192.168.0.33.13677 CLOSEWAIT
4829B120 192.168.0.22.443 192.168.0.33.20870 CLOSEWAIT
482862FC 192.168.0.22.443 192.168.0.33.17035 CLOSEWAIT
482EC13C 192.168.0.22.443 192.168.0.33.16053 CLOSEWAIT
482901D8 192.168.0.22.443 192.168.0.33.16200 CLOSEWAIT
In the output above, those Transmission Control Blocks (TCBs) in the state CLOSEWAIT will not go away
and represent memory leaks. Please note that only TCP connections with a local TCP port of 443 (the
well-known port for HTTPS) are relevant.
Cisco IOS Devices.

Impact
Successful exploitation of any of the two vulnerabilities may result in the device crashing, not accepting
any new SSLVPN sessions or a memory leak. Repeated exploitation may result in an extended denial of
service (DoS) condition.
4-598
OL-25941-01
Chapter 4

Suggested Fix
There are no workarounds for the vulnerabilities described in this advisory.
Zone-Based Policy Firewall Vulnerability -110410 [IOS]

Description
Cisco IOS devices that are configured with Cisco IOS Zone-Based Policy Firewall Session Initiation
Protocol (SIP) inspection are vulnerable to denial of service (DoS) attacks when processing a specific
SIP transit packet. Exploitation of the vulnerability could result in a reload of the affected device.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 110410: Verify Zone-Based Policy Firewall Vulnerability [IOS]

OL-25941-01
4-599
Chapter 4
Description
Firewalls are networking devices that control access to the network assets of an organization. Firewalls are
often positioned at the entrance points into networks. Cisco IOS software provides a set of security features
that enable you to configure a simple or elaborate firewall policy, according to your particular
requirements.
SIP inspection in the Cisco IOS Firewall provides basic SIP inspect functionality (SIP packet inspection
and pinhole opening) as well as protocol conformance and application security.
Cisco IOS Software that is configured with Cisco IOS Zone-Based Policy Firewall SIP inspection are
vulnerable to a DoS attack when processing a specific SIP transit packet. Exploitation of this vulnerability
will result in a reload of the affected device.
Cisco IOS Zone-Based Policy Firewall SIP inspection was first introduced in Cisco IOS Software versions
12.4(15)XZ and 12.4(20)T.
Cisco IOS Firewall CBAC support for SIP inspection by way of the ip inspect name [inspection_name] sip
is not vulnerable. Additional information regarding Cisco IOS Firewall CBAC support for SIP inspection
is available in the document "Firewall Support for SIP" at the following link:
http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_fwall_sip_supp.html:
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may result in a reload of the affected device. Repeated
exploit attempts may result in a sustained DoS attack.
Suggested Fix
The only workaround for this vulnerability is to disable Cisco IOS zone-based policy firewall SIP
inspection in the affected device's configuration. Disabling SIP inspection will allow the rest of the
firewall features to continue to function until a software upgrade can be implemented. All other firewall
features will continue to perform normally. Disabling SIP Inspection will vary depending on the
implementation of the SIP inspection firewall.
cTCP Denial of Service Vulnerability -109314 [IOS]

Description
A series of TCP packets may cause a denial of service (DoS) condition on Cisco IOS devices that are
configured as Easy VPN servers with the Cisco Tunneling Control Protocol (cTCP) encapsulation
feature. Cisco has released free software updates that address this vulnerability. No workarounds are
available; however, the IPSec NAT traversal (NAT-T) feature can be used as an alternative.
Cisco IOS Devices
4-600
OL-25941-01
Chapter 4

References
Rule 1
Rule
PSIRT - 109314: Verify IOS cTCP Denial of Service Vulnerability [IOS]

Description
The Cisco Tunneling Control Protocol (cTCP) feature is used by Easy VPN remote device operating in an
environment in which standard IPSec does not function transparently without modification to existing
firewall rules. The cTCP traffic is actually TCP traffic. Cisco IOS cTCP packets are Internet Key Exchange
(IKE) or Encapsulating Security Payload (ESP) packets that are being transmitted over TCP.
A vulnerability exists where a series of TCP packets may cause a Cisco IOS device that is configured as
an Easy VPN server with the cTCP encapsulation feature to run out of memory.
Cisco IOS Devices.

Impact
Successful exploitation of this vulnerability may cause the affected device to run out of memory.
Repeated exploitation will result in a denial of service (DoS) condition.
Suggested Fix
No workarounds are available.

As an alternative, the IPSec NAT traversal (NAT-T) feature can be used. The IPSec NAT-T feature
introduces support for IP Security (IPSec) traffic to travel through Network Address Translation (NAT)
or Port Address Translation (PAT) points in the network by addressing many known incompatabilites
between NAT and IPSec.
Note: The NAT-T feature was introduced in Cisco IOS version 12.2(13)T.
NAT Traversal is a feature that is auto detected by VPN devices. There are no configuration steps for a
router running Cisco IOS Release 12.2(13)T and later. If both VPN devices are NAT-T capable, NAT
Traversal is auto-detected and auto-negotiated.
Note: When you enable NAT-T, the Cisco IOS device automatically opens UDP port 4500 on all IPSec
enabled interfaces.
Caution: Be aware that you may need to enable IPSec over UDP on Cisco VPN software clients to
support NAT-T. Additionally, you may need to change firewall rules to allow UDP port 500 for Internet
Key Exchange (IKE) and UDP port 4500 for NAT-T.
For more information about NAT-T, refer to the white paper at:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_nat_transp.html.

OL-25941-01
4-601
Chapter 4
uBR10012 Series Devices SNMP Vulnerability -107696 [IOS]

Description
Cisco uBR10012 series devices automatically enable Simple Network Management Protocol (SNMP)
read/write access to the device if configured for linecard redundancy. This can be exploited by an
attacker to gain complete control of the device. Only Cisco uBR10012 series devices that are configured
for linecard redundancy are affected.
Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this
vulnerability are available.
Cisco IOS Devices

References
Rule 1
Rule
PSIRT - 109314: Verify Cisco uBR10012 Series Devices SNMP Vulnerability [IOS]
Description
Cisco uBR10012 series devices need to communicate with an RF Switch when configured for linecard
redundancy. This communication is based on SNMP (Simple Network Management Protocol). When
linecard redundancy is enabled on a Cisco uBR10012 series device, SNMP is also automatically enabled
with a default community string of private that has read/write privileges. Since there are no access
restrictions on this community string, it may be exploited by an attacker to gain complete control of the
device.
Changing the default community string, adding access restrictions on SNMP or doing both will mitigate
this vulnerability. The recommended mitigation is to do both.
Cisco IOS Devices.

Impact
Successful exploitation of the vulnerability may allow an attacker to gain complete control of the device.
Suggested Fix
Changing SNMP community string and restricting access

By default, Cisco uBR10012 series devices that are configured for linecard redundancy use a community
string of private. This community string can be changed in Cisco IOS versions 12.3(13)BC and later. It
is recommended to change the community string and apply access control restrictions that only permit
authorized devices SNMP access to the device.
The following configuration example provides operators with information on changing the community
string and adding SNMP access control restrictions using an access control list (ACL).
access-list 90 permit host <RF-Switch-IP-1>
4-602
OL-25941-01
Chapter 4


access-list 90 permit host <up-converter-IP-if-exists>
redundancy
linecard-group 1 cable
rf-switch snmp-community <RF-Switch-SNMP-community>
snmp-server community <RF-Switch-SNMP-community> rw 90
When the SNMP community is changed on a Cisco uBR10012 device, is must also be changed on the
RF Switch. It can be changed by the following command:
set SNMP COMMUNITY <RF-Switch-SNMP-community>
If there is an up-converter in the network, the SNMP community used by the up-converter must also be
changed after changing the community string on the Cisco uBR10012 device. Information on changing
the community string used by the up-converter can be found at the following link:
http://www.cisco.com/en/US/tech/tk86/tk804/technologies_tech_note09186a00801f7622.shtml#comm
unication.
If the Cisco IOS version does not support changing the community string, access control restrictions can
be applied to the default community string. The following configuration example provides operators
with information on applying access control restrictions to the default community string.
access-list 90 permit host <up-converter-IP-if-exists>
snmp-server community private rw 90
Land Attack
Description
This policy checks to make sure that the network can not be used by a malicious attacker to install
Distributed Denial Of Service (DDOS) scripts on any of the machines inside the network. DDOS attacks
use a number of compromised sites to flood a target site with sufficient traffic or service requests to
render it useless to legitimate users.
Cisco IOS Devices

References
1.1c)

OL-25941-01
4-603
Chapter 4
Rule 1
Rule
Check for Land attack vulnerability [IOS, PIX, ASA]

Description
This check will make sure that given interfaces are protected against a possible Land attack. It will check
that the interfaces have access lists installed to prevent IP traffic that has both source and destination
address same AND is one of the router's IP addresses. This makes sure that ALL given interfaces have
ACLs installed that would block incoming traffic with source IP and destination IP fields same AND is
one of the router's active IP addresses. The Land Attack involves sending a packet to the router with the
same IP address in the source and destination address fields and with the same port number in the source
port and destination port fields. This attack may cause denial of service or degrade the performance of
the router.
Cisco IOS Devices

Impact
This device may be vulnerable for Land attack.

Suggested Fix
Add the following ACL entries to the interface access list, one entry for each of the router's IP address
and apply it to all the required interfaces using the commands:
deny ip host <router interface's IP address > host <router interface's IP address >
Rule
Description
Constraints
Interfaces to Check
Group of interfaces to make sure it is protected

against Land attack. Example valid Values: 'Any',
'AnyEthernet', 'FastEthernet', 'GigabitEthernet',
'FastEthernet0/1', 'FastEthernet0/.*' etc.
Required: true
Default: [Firewall
External]
Using Interfaces to Check Editor option, you can add,

or remove Interface details. You can also change the
order of the Interface details.
Risky Traffic
Description
Risky traffic (protocols and services) that needs to be blocked at the routers. It is not always possible to
follow the strict security guidelines. In that case, fall back to prohibiting services that are commonly not
needed, or are known to be popular vehicles for security compromise. These policies check for common
services to restrict because they can be used to gather information about the protected network or they
have weaknesses that can be exploited against the protected network. Some these services should be
completely blocked by a typical border router. Unless there is a specific operational need to support,
these services and protocols should not be allowed across the router in either direction.
4-604
OL-25941-01
Chapter 4

Cisco IOS Devices

References
National Security Agency (NSA) Cisco Router Configuration Guide (Section 3.2.2 page 38 of Version
1.1c)
Payment Card Industry Data Security Standard (PCI) (1.2 of Version 1.1, September, 2006)
cardholder data.
Rule 1
Rule
List of interfaces to check the rules [IOS, PIX, ASA].

Description
This check makes sure configuration on given ports is not allowing any risky traffic.
Cisco IOS Devices

Impact
None
Suggested Fix
None
Rule
Description
Constraints
Interfaces To Check

Required: true
Default: [Firewall
External]

OL-25941-01
4-605
Chapter 4
Note
Using the Interfaces To Check Editor option, you can add, or remove the interface details. You can also
change the order of the interface details.
Rule 2
Rule
Check if TCPMUX traffic is allowed [IOS, PIX, ASA].

Description
Make sure TCPMUX traffic (Port 1 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
TCPMUX (Port 1 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix
Add the following ACL entries to the interface access list.

deny tcp any eq 1 any
deny udp any eq 1 any
Rule 3
Rule
Check if ECHO traffic is allowed [IOS, PIX, ASA].

Description
Make sure ECHO traffic (Port 7 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
ECHO (Port 7 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

4-606
OL-25941-01
Chapter 4

Rule 4
Rule
Check if DISCARD traffic is allowed [IOS, PIX, ASA].

Description
Make sure DISCARD traffic (Port 9 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
DISCARD (Port 9 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 5
Rule
Check if SYSTAT traffic is allowed [IOS, PIX, ASA].

Description
Make sure SYSTAT traffic (Port 11 in TCP) is blocked if it is not required.

Cisco IOS Devices

Impact
SYSTAT (Port 11 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 6
Rule
Check if DAYTIME traffic is allowed [IOS, PIX, ASA].

Description
Make sure DAYTIME traffic (Port 13 in TCP and UDP) is blocked if it is not required.

OL-25941-01
4-607
Chapter 4
Cisco IOS Devices

Impact
DAYTIME (Port 13 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 7
Rule
Check if NETSTAT traffic is allowed [IOS, PIX, ASA].

Description
Make sure NETSTAT traffic (Port 15 in TCP) is blocked if it is not required.

Cisco IOS Devices

Impact
NETSTAT (Port 15 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 8
Rule
Check if CHARGEN traffic is allowed [IOS, PIX, ASA].

Description
Make sure CHARGEN traffic (Port 19 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
CHARGEN (Port 19 in TCP and UDP) traffic can enter the router through given interface.
4-608
OL-25941-01
Chapter 4

Suggested Fix

Rule 9
Rule
Check if TIME traffic is allowed [IOS, PIX, ASA].

Description
Make sure TIME traffic (Port 37 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
TIME (Port 37 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 10
Rule
Check if WHOIS traffic is allowed [IOS, PIX, ASA].

Description
Make sure WHOIS traffic (Port 43 in TCP) is blocked if it is not required.

Cisco IOS Devices

Impact
WHOIS (Port 43 in TCP) traffic can enter the router through given interface.
Suggested Fix


OL-25941-01
4-609
Chapter 4
Rule 11
Rule
Check if BOOTP traffic is allowed [IOS, PIX, ASA].

Description
Make sure BOOTP traffic (Port 67 in UDP) is blocked if it is not required.

Cisco IOS Devices

Impact
BOOTP (Port 67 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 12
Rule
Check if TFTP traffic is allowed [IOS, PIX, ASA].

Description
Make sure TFTP traffic (Port 69 in UDP) is blocked if it is not required.

Cisco IOS Devices

Impact
TFTP (Port 69 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 13
Rule
Check if SUPDUP traffic is allowed [IOS, PIX, ASA].

Description
Make sure SUPDUP traffic (Port 95 in TCP and UDP) is blocked if it is not required.
4-610
OL-25941-01
Chapter 4

Cisco IOS Devices

Impact
SUPDUP (Port 95 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 14
Rule
Check if SUNRPC traffic is allowed [IOS, PIX, ASA].

Description
Make sure SUNRPC traffic (Port 111 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
SUNRPC (Port 111 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 15
Rule
Check if LOCSRV traffic is allowed [IOS, PIX, ASA].

Description
Make sure LOCSRV traffic (Port 135 in TCP and UDP) is blocked if it is not required.

OL-25941-01
4-611
Chapter 4
Cisco IOS Devices

Impact
LOCSRV (Port 135 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 16
Rule
Check if NETBIOS_NS traffic is allowed [IOS, PIX, ASA].

Description
Make sure NETBIOS_NS traffic (Port 137 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NETBIOS_NS (Port 137 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 17
Rule
Check if NETBIOS_DGM traffic is allowed [IOS, PIX, ASA].

Description
Make sure NETBIOS_DGM traffic (Port 138 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NETBIOS_DGM (Port 138 in TCP and UDP) traffic can enter the router through given interface.
4-612
OL-25941-01
Chapter 4

Suggested Fix

Rule 18
Rule
Check if NETBIOS_SSN traffic is allowed [IOS, PIX, ASA].

Description
Make sure NETBIOS_SSN traffic (Port 139 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NETBIOS_SSN (Port 139 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 19
Rule
Check if XDMCP traffic is allowed [IOS, PIX, ASA].

Description
Make sure XDMCP traffic (Port 177 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
XDMCP (Port 177 in UDP) traffic can enter the router through given interface.
Suggested Fix


OL-25941-01
4-613
Chapter 4
Rule 20
Rule
Check if NETBIOS_DS traffic is allowed [IOS, PIX, ASA].

Description
Make sure NETBIOS_DS traffic (Port 445 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
NETBIOS_DS (Port 445 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 21
Rule
Check if REXEC traffic is allowed [IOS, PIX, ASA].

Description
Make sure REXEC (Remote Exec) traffic (Port 512 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
REXEC (Remote Exec) (Port 512 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 22
Rule
Check if LPR traffic is allowed [IOS, PIX, ASA].

Description
Make sure LPR traffic (Port 515 in TCP) is blocked if it is not required.
4-614
OL-25941-01
Chapter 4

Cisco IOS Devices

Impact
LPR (Port 515 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 23
Rule
Check if TALK traffic is allowed [IOS, PIX, ASA].

Description
Make sure TALK traffic (Port 517 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
TALK (Port 517 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 24
Rule
Check if NTALK traffic is allowed [IOS, PIX, ASA].

Description
Make sure NTALK traffic (Port 518 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NTALK (Port 518 in UDP) traffic can enter the router through given interface.

OL-25941-01
4-615
Chapter 4
Suggested Fix

Rule 25
Rule
Check if UUCP traffic is allowed [IOS, PIX, ASA].

Description
Make sure UUCP traffic (Port 540 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
UUCP (Port 540 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 26
Rule
Check if Microsoft SQL Server traffic is allowed [IOS, PIX, ASA].

Description
Make sure Microsoft SQL SERVER traffic (Port 1434 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
Microsoft SQL SERVER (Port 1434 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 27
Rule
Check if Microsoft UPnP SSDP traffic is allowed [IOS, PIX, ASA].
4-616
OL-25941-01
Chapter 4

Description
Make sure Microsoft UPnP SSDP traffic (Port 1900, 5000 in TCP and UDP) is blocked if it is not
required.
Cisco IOS Devices

Impact
Microsoft UPnP SSDP (Port 1900, 5000 in TCP and UDP) traffic can enter the router through given
interface.
Suggested Fix

Rule 28
Rule
Check if NFS traffic is allowed [IOS, PIX, ASA].

Description
Make sure NFS traffic (Port 2049 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NFS (Port 2049 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 29
Rule
Check if X WINDOW System traffic is allowed [IOS, PIX, ASA].

Description
Make sure X WINDOW System traffic (Port 6000-6063 in TCP) is blocked if it is not required.

OL-25941-01
4-617
Chapter 4
Cisco IOS Devices

Impact
X WINDOW System (Port 6000-6063 in TCP) traffic can enter the router through given interface.
Suggested Fix

deny tcp any range 6000 6063 any
Rule 30
Rule
Check if IRC traffic is allowed [IOS, PIX, ASA].

Description
Make sure IRC traffic (Port 6667 in TCP) is blocked if it is not required.
Cisco IOS Devices Cisco PIX Devices Running >= 7.x and ASA devices
Impact
IRC (Port 6667 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 31
Rule
Check if NetBus traffic is allowed [IOS, PIX, ASA].

Description
Make sure NetBus traffic (Port 12345-12346 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
NetBus (Port 12345-12346 in TCP) traffic can enter the router through given interface.
Suggested Fix

deny tcp any range 12345 12346 any
4-618
OL-25941-01
Chapter 4

Rule 32
Rule
Check if BackOrifice traffic is allowed [IOS, PIX, ASA].

Description
Make sure Back Orifice traffic (Port 31337 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
Back Orifice (Port 31337 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 33
Rule
Check if FINGER traffic is allowed [IOS, PIX, ASA].

Description
Make sure FINGER traffic (Port 79 in TCP) is blocked if it is not required.

Cisco IOS Devices

Impact
FINGER (Port 79 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 34
Rule
Check if SNMP traffic is allowed [IOS, PIX, ASA].

Description
Make sure SNMP traffic (Port 161 in TCP and UDP) is blocked if it is not required.

OL-25941-01
4-619
Chapter 4
Cisco IOS Devices

Impact
SNMP (Port 161 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 35
Rule
Check if SNMP_TRAP traffic is allowed [IOS, PIX, ASA].

Description
Make sure SNMP TRAP traffic (Port 162 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
SNMP TRAP (Port 162 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 36
Rule
Check if RLOGIN traffic is allowed [IOS, PIX, ASA].

Description
Make sure RLOGIN traffic (Port 513 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
RLOGIN (Port 513 in TCP) traffic can enter the router through given interface.
4-620
OL-25941-01
Chapter 4

Suggested Fix

Rule 37
Rule
Check if WHO traffic is allowed [IOS, PIX, ASA].

Description
Make sure WHO traffic (Port 513 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
WHO (Port 513 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 38
Rule
Check if RSH_RCP traffic is allowed [IOS, PIX, ASA].

Description
Make sure RSH, RCP, RDIST and RDUMP traffic (Port 514 in TCP) is blocked if it is not required.
Cisco IOS Devices

Impact
RSH, RCP, RDIST and RDUMP (Port 514 in TCP) traffic can enter the router through given interface.
Suggested Fix

Rule 39
Rule
Check if SYSLOG traffic is allowed [IOS, PIX, ASA].

OL-25941-01
4-621
Chapter 4
Description
Make sure SYSLOG traffic (Port 514 in UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
SYSLOG (Port 514 in UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 40
Rule
Check if NEW_WHO traffic is allowed [IOS, PIX, ASA].

Description
Make sure NEW WHO traffic (Port 550 in TCP and UDP) is blocked if it is not required.
Cisco IOS Devices

Impact
NEW WHO (Port 550 in TCP and UDP) traffic can enter the router through given interface.
Suggested Fix

Rule 41
Rule
Check if T0rn rootkit traffic is allowed [IOS, PIX, ASA].

Description
Make sure T0rn rootkit traffic (Port 47017 in TCP) is blocked if it is not required.
Cisco IOS Devices

4-622
OL-25941-01
Chapter 4

Impact
T0rn rootkit traffic (Port 47017 in TCP) traffic can enter the router through given interface.
Suggested Fix

deny tcp any eq 47017 an
Loopback Interfaces
Description
Policies to enforce different protocols to use loopback interface as their source interface.
Cisco IOS Devices

Cisco IOS Devices With NetFlow Capability
References
4.1.6 Page 66, Section 4.1.8, Page 68, Section 4.5.2 Page 145, Section 4.6.4 Page 193 of Version 1.1c)
Center for Internet Security, Benchmark for Cisco IOS.(Section 2.2.1, Page: 39 of Version 2.2, Nov
2007)
Rule 1
Rule
At least one loopback interface should be configured [IOS]

Description
Check that at least one loopback interface is configured

OL-25941-01
4-623
Chapter 4
Cisco IOS Devices

Impact
It is considered best practice, in configuring Cisco routers, to define one loopback interface, and
designate it as the source interface for most traffic generated by the router itself. Adopting this practice
yields several benefits for the overall stability and security management of a network, because the
address of the loopback interface is fixed. When a router is configured to use the loopback interface for
services, it is possible to configure the security of other devices in the network more tightly. (When a
service is configured to use the loopback interface as its source, we say that the service is bound to that
interface. It means that IP packets generated by the router will have the loopback interface's address as
their source address. Also, the loopback interface's address does not appear in any route-based network
maps; hiding administrative aspects of your network from potential attackers is usually good practice.
Suggested Fix
Create a loopback interface and assign it an IP address. For a border router, the loopback's address should
be in the range of the internal or DMZ network, not the external network. Note that the loopback address
cannot be the same as the address of any other interface, nor can it be part of the same network as any
other interface. Configure loopback interface using the command:
interface <loopback interface name> loopback
Rule 2
Rule
Check FTP uses Loopback interface [IOS]

Description
If FTP service is configured on the device, check that it uses loopback interface as its source interface
Cisco IOS Devices

Impact
4-624
OL-25941-01
Chapter 4

Suggested Fix
Configure a loopback interface name as the source interface for FTP service using the command:
ip ftp source-interface loopback
Rule 3
Rule
Check Remote Command uses Loopback interface [IOS]

Description
Check if Remote Commands use loopback interface as their source interface. If RCP or RSH is not
enabled, no check will be done.
Cisco IOS Devices

Impact
Suggested Fix
Configure a loopback interface name as the source interface for Remote Command service using the
command:
ip rcmd source-interface loopback
Rule 4
Rule
Check Syslog uses Loopback interface [IOS]

Description
Check if syslog protocol use loopback interface as their source interface. No check will be done if Syslog
logging is disabled on the device.

OL-25941-01
4-625
Chapter 4
Cisco IOS Devices

Impact
Suggested Fix
Configure a loopback interface name as the source interface for Syslog service using the command:
logging source-interface loopback
Rule 5
Rule
Check NTP uses Loopback interface [IOS]

Description
Check if NTP protocol use loopback interface as their source interface. No check is done if NTP is not
configured on the device.

Impact
Suggested Fix
Configure a loopback interface name as the source interface for NTP services using the command:
ntp source loopback
4-626
OL-25941-01
Chapter 4

Rule 6
Rule
Check RADIUS uses Loopback interface [IOS]

Description
Check if RADIUS protocol use loopback interface as their source interface

Cisco IOS Devices

Impact
Suggested Fix
Configure a loopback interface name as the source interface for RADIUS service using the command:
ip radius source-interface loopback
Rule 7
Rule
Check TACACS uses Loopback interface [IOS]

Description
Check if TACACS protocol use loopback interface as their source interface

Cisco IOS Devices


OL-25941-01
4-627
Chapter 4
Impact
Suggested Fix
Configure a loopback interface name as the source interface for TACACS service using the command:
ip tacacs source-interface loopback
Rule 8
Rule
Check SNMP Trap service uses Loopback interface [IOS]

Description
Check if SNMP Trap service uses loopback interface as its source interface. No check is done if SNMP
Traps are not configured.
Cisco IOS Devices Cisco IOS Devices With NTP_CLIENT Capability Cisco IOS Devices With
NTP_SERVER Capability Cisco IOS Devices With NetFlow Capability
Impact
Suggested Fix
Configure a loopback interface name as the source interface for SNMP service using the command:
snmp-server trap-source loopback
Rule 9
Rule
Check Telnet service uses Loopback interface [IOS]
4-628
OL-25941-01
Chapter 4

Description
Check if Telnet service uses loopback interface as its source interface

Cisco IOS Devices

Impact
Suggested Fix
Configure a loopback interface name as the source interface for Telnet service using the command:
ip telnet source-interface loopback
Rule 10
Rule
Check TFTP service uses Loopback interface [IOS]

Description
Check if TFTP service uses loopback interface as its source interface

Cisco IOS Devices

Impact

OL-25941-01
4-629
Chapter 4
Suggested Fix
Configure a loopback interface name as the source interface for TFTP service using the command:
ip tftp source-interface loopback
Rule 11
Rule
Check if NetFlow service uses loopback interface

Description
Check if NetFlow service uses loopback interface as its source interface


Impact
Suggested Fix
Configure a loopback interface name as the source interface for NetFlow service using the command:
ip flow-export source loopback
Distributed DoS Attacks

Description
This policy checks to make sure that the network can not be used by a malicious attacker to install
Distributed Denial Of Service (DDOS) scripts on any of the machines inside the network. DDOS attacks
use a number of compromised sites to flood a target site with sufficient traffic or service requests to
render it useless to legitimate users.
Cisco IOS Devices

References
1.1c)
4-630
OL-25941-01
Chapter 4

Rule 1
Rule
List of interfaces to check the rules [IOS, PIX, ASA]

Description
This check makes sure configuration on given ports is not allowing any DDoS traffic patterns.
Cisco IOS Devices
Impact
none
Suggested Fix
none
Rule
Description
Constraints
Interfaces to Check

Required: true
Default: [Firewall
External]
Using Interfaces to Check Editor option, you can add,

or remove Interface details. You can also change the
order of the Interface details.
Rule 2
Rule
Check for TRINOO DDoS attack vulnerability [IOS, PIX, ASA]

Description
This check will make sure that a malicious attacker can not install TRIN00 DDOS scripts on any of the
machines inside the network. TRIN00 DDOS scripts that are installed on the devices will cause a DDOS
attack to be generated from this network.
Cisco IOS Devices
Impact

OL-25941-01
4-631
Chapter 4
Network is vulnerable to be installed with DDOS scripts, which can be used by an attacker to launch an
attack originating from this network. This check will make sure the network does not allow any traffic
with destination ports 27665(tcp), 31335(udp), 27444(udp) to enter and leave this network
Suggested Fix
deny tcp any any eq 27665
deny udp any any eq 31335
deny udp any any eq 27444
Rule 3
Rule
Check for Stacheldraht DDoS attack vulnerability [IOS, PIX, ASA]

Description
This check will make sure that a malicious attacker can not install Stacheldraht DDOS scripts on any of
the machines inside the network. Stacheldraht DDOS scripts that are installed on the devices will cause
a DDOS attack to be generated from this network. This check will make sure the network does not allow
any traffic with destination ports (16660(tcp), 65500(tcp)) to enter and leave this network.
Cisco IOS Devices
Impact
attack originating from this network.
Suggested Fix
Rule 4
Rule
Check for TriniyV3 DDoS attack vulnerability [IOS, PIX, ASA]

Description
This check will make sure that a malicious attacker can not install TrinityV3 DDOS scripts on any of the
machines inside the network. TrinityV3 DDOS scripts that are installed on the devices will cause a
DDOS attack to be generated from this network. This check will make sure the network does not allow
any traffic with destination ports (33260(tcp). 39168(tcp)) to enter and leave this network.
Cisco IOS Devices
Impact
4-632
OL-25941-01
Chapter 4

Suggested Fix
Rule 5
Rule
Check for Subseven DDoS attack vulnerability [IOS, PIX, ASA]

Description
This check will make sure that a malicious attacker can not install Subseven DDOS scripts on any of the
machines inside the network. Subseven DDOS scripts that are installed on the devices will cause a
DDOS attack to be generated from this network. This check will make sure the network does not allow
any traffic with destination ports (6711, 6712,6776, 6669, 2222 and 7000) to enter and leave this
network.
Cisco IOS Devices
Impact
Suggested Fix
deny tcp any any range 6711 6712
Web Mode Status

Description
intervening device prevent use of Telnet for that purpose. However, it is important to note that both
Telnet and web-based remote administration reveal critical passwords in clear text. Further, web-based
administration imposes the requirement that users log in at full (level 15) privilege. Therefore,
web-based remote administration should be avoided

OL-25941-01
4-633
Chapter 4
References
Payment Card Industry Data Security Standard(PCI).

cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide Section 4.2.1 Page 71
Rule
Rule
Web mode should be disabled.

Description
intervening device prevent use of Telnet for that purpose. However, it is important to note that both
Telnet and web-based remote administration reveal critical passwords in clear text. Further, web-based
administration imposes the requirement that users log in at full (level 15) privilege. Therefore,
web-based remote administration should be avoided
Impact
Can be exploited to access the device

Suggested Fix
HTTP can be disable using config network webmode disable.
SNMP Status
Description
into a network.
4-634
OL-25941-01
Chapter 4

References

cardholder data.
Rule
Rule
SNMPV1 Should be disabled

Description
SNMP V1 Should be disabled

Impact
into a network
Suggested Fix
[SNMP trap] and [system shutdown features and finally disabling SNMP Server on the device using the
command:
config snmp version v1 Disable
Rule 2
Rule
SNMP V2 Status should be disabled

Description
SNMPv2 should be disabled

OL-25941-01
4-635
Chapter 4
Impact
into a network
Suggested Fix
command:
config snmp version v2c Disable.
Rule 3
Rule
SNMP V3 Should be disabled

Description
SNMP V3 should be disabled

Impact
into a network
Suggested Fix
command:
config snmp version v3 Disable
Rule 4
Rule
Check write community should not configured.

Description
Configuring SNMP community strings with write access allows users to change the system state. Care
should be taken while doing so
4-636
OL-25941-01
Chapter 4

Impact
While SNMP is helpful because it allows an administrator to remotely configure the router, it also offers
a potentially dangerous conduit into a network. Care should be taken while configuring SNMP
community strings with write access since an attacker can change the system state
Suggested Fix
config snmp community accessmode ro [community string name]
Rule 5
Rule
Traps should be disabled

Description
SNMP Trap messages are generated by the device for configuration event notifications or security alerts.
Impact
SNMP traps carry information in clear text. This information can be easily captured to retrieve sensitive
information
Suggested Fix
config snmp trapreceiver mode disable [snmp community name]
WLAN Security Status

Description
Default ssid,ssid broadcast and pre shareked keys should be disabled

References

cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide Section 2.1
Rule 1
Rule
Check statis WEP key should be disabled

OL-25941-01
4-637
Chapter 4
Description
static wep keys should be Disabled

Impact
Enable wepkeys may vulnerable device

Suggested Fix
wepkey can disabled useing command config wlan security static-wep-key disable [wlan id]
Rule 2
Rule
Check SSID broadcast on WLAN should be disabled

Description
Broadcast SSID should be Disabled

Impact
enable ssid broadcast may cause device vulanerable

Suggested Fix
ssid broad cast can be disabled using command:

config wlan broadcast-ssid disable [wlan id]
Rule 3
Rule
Default SSID Should not be configured

Description
Default ssid should not be configured

Impact
Device may vulnerable

Suggested Fix
SSID can be configured using config wlan create [wlan id] [profilename]
CDP Status
Description
Cisco Discovery Protocol (CDP) is primarily used to obtain protocol addresses of neighboring devices
and discover the platform of those devices. CDP can also be used to show information about the
interfaces your router uses. CDP is media and protocol-independent, and runs on all Cisco-manufactured
equipment including routers, bridges, access servers, and switches
4-638
OL-25941-01
Chapter 4

References
Rule 1
Rule
CDP Status
Description
routers, bridges, access servers, and switches
Impact

Suggested Fix
To turn off CDP entirely, use the global configuration command config cdp disable.
Syslog Status
Description
device should be configured to send log messages to a designated host on the protected network
References

cardholder data.

OL-25941-01
4-639
Chapter 4
Rule 1
Rule
Check Syslog host should configured

Description
device should be configured to send log messages to a designated host on the protected network
Impact
troubleshoot problems
Suggested Fix
Logging host can configure using command:

config logging syslog host [ip address]/config syslog [ip address]
Telnet Status
Description
protocols
References

cardholder data.
Rule 1
Rule
Telnet should be disabled

Description
protocols
4-640
OL-25941-01
Chapter 4

Impact
An unauthorized user may connect to the device using any undesired protocols violating the set policy
Suggested Fix
Telnet should be disable using command config network telnet disable
Rule 2
Rule
line time out should not be more than 5 min

Description
Make sure that all the lines should configured less than 5 min timeout
Impact
An unauthorized user may connect to the device using any undesired protocols violating the set policy
Suggested Fix
Line time can configure using command config sessions timeout [in minutes]
NTP Server should be Configured

Description
The Network Time Protocol (NTP) is a protocol designed to time-synchronize a network of machines.
NTP is designed to make time synchronization automatic and efficient across all devices in the network.
Having accurate time is important for security, especially for intrusion and forensic analysis
References

cardholder data.
Rule 1
Rule
Check NTP client should configured

OL-25941-01
4-641
Chapter 4
Description
border router
Impact
of intrusion detection and forensics
Suggested Fix
Configure ntp client using the commands:

config time ntp server 1 1.5.2.6
Check IDS Status

Description
Cisco IDS introduces the ability to configure deny actions when policy violations (signatures) are
detected. Based on user configuration at the IDS/IPS system, a shun request can be sent to a WLC in
order to block the packets from a particular IP address.
References

cardholder data.
National Security Agency (NSA) Cisco Router Configuration Guide Section 3.3
Rule 1
Rule
IDS Should be configured on WLC

Description
Cisco IDS introduces the ability to configure deny actions when policy violations (signatures) are
detected. Based on user configuration at the IDS/IPS system, a shun request can be sent to a WLC in
order to block the packets from a particular IP address.
Impact
Device may be vulnerable
4-642
OL-25941-01
Chapter 4

Suggested Fix
IDS can be configured using command:

config wps cids-sensor add [index] [server ip address] [username] [password]
Check Authentication Servers

Description
By using AAA along with security server, you can control access to Device and other network services
References
Payment Card Industry Data Security Standard(PCI)

cardholder data.
Rule 1
Rule
Check at least one TACACS server should configured

Description
By using AAA along with security server, you can control access to device and other network services
Impact
No known impact
Suggested Fix
Configure required TACACS servers using the command:

config tacacs auth add [index] [IP addr] [port] [ascii/hex] [secret]
Rule 2
Rule
Local authentication should configured last

OL-25941-01
4-643
Chapter 4
Description
Local authentication should configured at the end

Impact
Not Known Impact

Suggested Fix
Local authentication at the end configured using command:

config aaa auth mgmt radius or tacacs local
Rule 3
Rule
Check atleast one Radius server should configured for authentication

Description
By using AAA along with security server, you can control access to Device and other network services
Impact
Not Known Impact
Suggested Fix
Configure RADIUS servers using the command:

config radius auth add [index] [IP addr] [port] [ascii/hex] [secret]

CAAM database should always be in sync with LMS database. When a new device is added to LMS or
an unmanaged device is managed, and if the CAAMServer process is down, the device will not be added
to CAAM database. When the CAAMServer process comes up, the device will be added to CAAM
database but the device details such as Inventory, Config and Show Commands will not be updated in
CAAM database. You have to manually perform Inventory, Config and Show Commands collection to
update the CAAM database.
To perform Inventory collection, select Inventory > Job Browsers > Inventory Collection
To perform Config collection, select Configuration > Configuration Archive > Synchronization
To perform Show Commands collection, select Admin > Collection Settings > Compliance Data
Collection

From LMS 4.2.1, LMS-COMP Evaluation Management License will be renamed as Compliance
Management License (PI CM), which is a 60-day evaluation license.
4-644
OL-25941-01
Chapter 4

The following Compliance and Audit Reports require Compliance Management License from LMS
4.2.1:
HIPAA Compliance Reports
SOX (COBIT) Compliance Reports
ISO/IEC 27002 Compliance Reports
NSA Compliance Reports
PCI DSS Compliance Reports
DHS Checklist Reports
DISA Checklists Report
CIS Benchmarks

OL-25941-01
4-645
CH A P T E R
Making and Deploying Configuration Changes

Using NetConfig
Netconfig is one of the Configuration Management applications that provides you with easy access to
the configuration files of all supported devices. It allows you to change the configuration of network
devices, provided the configurations are archived. Netconfig automatically updates the archive when it
changes the configuration.
The advantages of using Netconfig instead of CLI configuration commands include but are not limited
to:
Scheduling jobs
Using jobs to run multiple commands on multiple devices
Using tasks to carry out easy and reliable configuration changes
Mandating approval before running a job
Rolling back configuration changes when a job fails
This chapter contains:
NetConfig Tasks
Preparing to Use NetConfig
Rolling Back Configuration Changes
Using NetConfig
Starting a New NetConfig Job
Using System-defined Tasks
Creating and Editing User-defined Tasks
Handling Interactive Commands
cwcli netconfig

OL-25941-01
5-1
Chapter 5
NetConfig Tasks
NetConfig Tasks
As a NetConfig user, you can:
Define and schedule NetConfig jobs

Use the configuration tasks (system-defined or user-defined) to create the configuration commands
that you want to apply to devices.
Browse and edit NetConfig jobs

Browse all NetConfig jobs on your system and edit, copy, stop, retry or delete them. For information
about a particular job, click the hyperlink of the Job ID in the NetConfig Job Browser.
Use the command line interface for NetConfig jobs

Use the cwcli command line interface to create and schedule NetConfig jobs from the command line.
As a NetConfig administrator, you can:
Create User-defined tasks

Create your own user-defined tasks containing configuration or rollback commands, and download
them to a set of selected devices. You can enter the configuration commands by typing them or by
importing them from a file.
User-defined tasks can be parameterized, that is, they can contain variables that take values from a
specified file that resides on the LMS server.
Assign tasks
Provide selected network operators the rights to execute configuration tasks. You can assign more
than one task to one or more users. By default, only network administrators can use configuration
tasks.
Specify the order of the protocol to deploy the configuration and fetch operations
Specify the protocol order separately for configuration download and update operations of
NetConfig jobs. This enables you to use preferred protocols for downloading and fetching
configurations.
For example, you can use Telnet to download configuration to the device, and TFTP to fetch the
configuration, thus improving the overall performance of NetConfig.
Set default NetConfig job policies

Each NetConfig job has job properties (including enabling job password) that defines how the job
will be executed. You can configure defaults for these properties that will be applied to all future
jobs. For each property, you can specify if users can change the default when creating a job.
See Understanding NetConfig User Permissions.
Note
You can select the log level settings for the NetConfig application at Admin > System > Debug
Settings > Log Level Settings.
5-2
OL-25941-01
Chapter 5


This section details the following pre-requisites for using NetConfig:
Verifying Device Credentials.
Modifying Device Security
Verifying Device Prompts
Configuring Default Job Policies (Optional)
Enabling Job Approval (Optional)
Verifying Device Credentials

NetConfig needs access to device credentials to make device configuration changes. The device
credentials are available in the Device and Credential repository. Use Inventory > Device
Administration > Add / Import / Manage Devices to verify if the devices that you want to configure
are having the correct credentials.
Modifying Device Security

To configure devices, you must disable security that prohibits NetConfig job from running the
commands on the devices. For the list of commands, see Administration of Cisco Prime LAN
Management Solution 4.2.

OL-25941-01
5-3
Chapter 5
Verifying Device Prompts

Table 5-1 describes the CLI prompt formats for NetConfig.
Table 5-1
Transport
Mechanism
Telnet
NetConfig CLI Prompt Formats
Format
For IOS-based devices, Content Engine devices, and Content Service Switch devices
The login prompt must end with a greater-than symbol (>).
The enable prompt must end with a pound sign (#).
For Catalyst devices

The login prompt must end with a greater-than symbol (>).
The enable prompt must end with the text (enable).
SSH
For IOS-based devices, Content Engine devices, and Content Service Switch devices
The login prompt may end with (>), (#), (:), (%).
The enable prompt must end with a pound sign (#).
For Catalyst devices

The login prompt may end with (>), (#), (:), (%).
The enable prompt must end with the text (enable).
Default prompts use these formats. If the defaults formats have been changed, ensure that the prompts
meet these requirements.
Configuring Default Job Policies (Optional)

NetConfig jobs have properties that determine how they run. You can configure the default job policies
(Admin > Network > Configuration Job Settings > Config Job Policies) that apply to all NetConfig jobs.

You can assign task access privileges that determine the configuration tasks each user can use to create
NetConfig jobs. See Understanding NetConfig User Permissions.
Enabling Job Approval (Optional)

Netconfig jobs require approval before they can run. See the section Setting Up Job Approval in
Administration of Cisco Prime LAN Management Solution 4.2.
5-4
OL-25941-01
Chapter 5


NetConfig lets you roll back (undo) the configuration changes made to network devices if a job does not
gets completed. Rollback commands (the configuration commands that are used to roll back the
configuration changes) are created based on how the job was created.
You must configure a NetConfig job to automatically roll back configuration changes, if the job fails to
complete.
NetConfig can roll back configurations only if the device configurations are archived in Configuration
Archive. See Archiving Configurations and Managing them using Configuration Archive.
This section contains:
Creating Rollback Commands
Creating Rollback Commands

For system-defined tasks, the rollback commands are automatically created by the task. For user-defined
tasks, you can enter the rollback commands while creating the task.

You can define a job failure policy so that it automatically rolls back configuration changes, if the job
fails to run. You can select one of the three rollback options:
Rollback device and stopRolls back the changes on the failed device and stops the job.
Rollback device and continueRolls back the changes on the failed device and continues the job.
Rollback job on failureRolls back the changes on all devices and stops the job.

Access to NetConfig functionality is controlled by permissions. Users having only Help Desk
permissions cannot access NetConfig. Other users can access NetConfig, but their access to functionality
is controlled.
In the Permission Report (Reports > System > Users > Permission) check if you have the required
privileges to perform the required NetConfig task.
Job Approval Permissions
User-defined Tasks Permissions
Administrator Task Permissions
Job Editing Permissions

OL-25941-01
5-5
Chapter 5
Using NetConfig
Job Approval Permissions

Users with Approver permissions can approve NetConfig jobs. Jobs must be approved before they are
scheduled to run if Job Approval is enabled on the system. See the section Setting Up Job Approval
in Administration of Cisco Prime LAN Management Solution 4.2.
User-defined Tasks Permissions

By default, only users with Network Administrator permissions can create user-defined configuration
tasks. For more information, see Creating and Editing User-defined Tasks. A Network Administrator can
give other users the required permissions on a task-by-task basis.
Administrator Task Permissions

Network Administrators can perform the tasks listed in the Admin menu.
Administrator tasks are:
Assigning tasks to users
Configuring default job properties
Creating and editing user-defined tasks
For user permissions, see Understanding NetConfig User Permissions.
Job Editing Permissions

After a NetConfig job is created, the owner, or a user with the owner privileges, or a network
administrator can:
Copy a job
Edit a job
Retry a job
Delete a job
Stop a job while it is running
Using NetConfig
NetConfig allows you to do the following tasks:
Create and manage NetConfig jobs using the NetConfig job browser. See:
Create your own NetConfig tasks and run them on a selected set of devices. See Creating and Editing
User-defined Tasks.
Assign tasks to users. You can assign one or more tasks to one or more users. See Assigning Tasks
to Users.
5-6
OL-25941-01
Chapter 5


You can create and schedule:
Device-based jobs
Module-based jobs
Port-based jobs
This section tells you how to:
Create a NetConfig Job based on Device
To manage Netconfig jobs using NetConfig job browser, see Browsing and Editing Jobs Using the
NetConfig Job Browser.
Ensure that you have set the:
Note
Transport protocol order for your job using Admin > Collection Settings > Config > Config
Transport Settings. See Administration of Cisco Prime LAN Management Solution 4.2.
Job and password policy for your job using Admin > Network > Configuration Job Settings
before starting a new NetConfig job. See Administration of Cisco Prime LAN Management Solution
4.2.
View the Permission Report (Reports > System > Users > Permission) to check if you have the required
privileges to perform this task.
Create a NetConfig Job based on Device

To create a new NetConfig job based on Device:
Step 1
Select either:
Configuration > Tools > NetConfig > Deploy
Or
Configuration > Job Browsers > NetConfig
The NetConfig Job Browser appears.

Step 2
Click Create.
The Netconfig Job Type page appears, displaying the following job types:
Step 3
Device Based
Module Based
Port Based
Select Device Based and click Go.

OL-25941-01
5-7
Chapter 5
The Devices and Tasks dialog box appears, with these panes:
Pane
Description
Device Selector Select devices on which the NetConfig job has to run. You can select multiple device categories. For cable
devices, you should select only one device for which you are creating the job.
Task Selector
Select the System-defined tasks or User-defined tasks that you want to run on the selected devices.
All System-defined and User-defined tasks are categorized into various task groups. To select the tasks,
expand the corresponding Task Group node.
You can also search for a task or a group of tasks in the Task Selector by entering the Search expressions
in the Search field.
You can use the wildcard character * along with the Search expression. When you click the Search icon,
the results are displayed in the Search Results tab.
For descriptions of System-defined tasks and the device categories they support, see Using
System-defined Tasks.
For creating and using User-defined tasks, see Creating and Editing User-defined Tasks.
Step 4
Select the devices from the Device Selector pane. See Inventory Management with Cisco Prime LAN
Management Solution 4.2 for information on how to use the Device Selector.
Step 5
Select the tasks from the Task Selector.

You can select one or more tasks at a time. Your selection will appear in the Selection pane.
Step 6
Click Next.
The Add Tasks dialog box appears with these panes:
Pane
Applicable
Tasks
Description
Allows you to add a task. The tasks that you had selected using the Task Selector appear here.
Note
Of the tasks selected, only tasks that apply to the devices selected appear here.
Select a task and click Add to create an instance for the task (see Step 7).
Added Instances Allows you to edit the task instance you have added, view its CLI, or delete it. Select the instance of the
task and click the required button (see Table 5-2).
The buttons available in this page are:
Table 5-2
Tasks Performed by Buttons in the Added Instances Pane
Buttons
Description
Edit
Task pop-up opens with previously assigned values. You can modify these
values and click Save.
5-8
OL-25941-01
Chapter 5

Table 5-2
Tasks Performed by Buttons in the Added Instances Pane (continued)
Buttons
Description
View CLI
Opens the Device Commands pop-up with the list of applicable devices and
the corresponding CLI commands. Devices in your selection for which the
commands are not applicable, are also displayed as Non-Applicable
Devices.
You can modify an instance of a configuration task (and its configuration
commands) any time before the job is run.
Delete
Deletes the selected task instance.

Step 7
Select an applicable task and click Add.

The pop-up for the selected task appears.
Step 8
Set the parameters in the task dialog box and click Save.
(To reset the values that you have selected click Reset. Click Cancel to return to the previous dialog
box, without saving your changes.)
You will see the instance of the task in the Added Tasks pane. The instance appears in the format:
Taskname_n, where Taskname is the name of the task you have added, and n is the number of the
instance. For example, the first instance of a Banner task is Banner_1.
You can add as many instances as required, for a task.
Step 9
Click Next.
The Job Schedule and Options dialog box appears.
Step 10
Field
Set the schedule for the job, in the Scheduling pane:

Description
Scheduling
Run Type
Select the run type or frequency of the jobImmediate, Once, Daily, Weekly, Monthly,
or Last Day of Month.
If Job Approval is enabled, the Immediate option is not available.
Date
At

OL-25941-01
5-9
Chapter 5
Field
Description
Job Info
Job Description
Enter the Job Description.

This is mandatory.
Make each description unique so you can easily identify jobs.
E-mail
Enter the e-mail addresses to which the status notices of the job will be sent. Separate
multiple addresses with commas or semicolons.
You must configure the SMTP server to send e-mails (Admin > System > System
Preferences).
Notification e-mails include a URL that displays the job details (see Viewing Job Details
for more information on the details displayed). You need to be logged in to view the job
details.
Comments
Enter your comments for the job. Comments appear in the job work order and are stored
in the configuration archive.
Approver Comments
Enter comments for the job approver. This field is displayed only if you have enabled job
approval for NetConfig. See Administration of Cisco Prime LAN Management Solution
4.2 for more information.
Maker E-mail
Enter the E-mail ID of the job creator. This field is displayed only if you have enabled
job approval for NetConfig. This is a mandatory field. See Administration of Cisco Prime
LAN Management Solution 4.2 for more information.
Step 11
Set the job options, in the Job Options pane.
Field
Description
Fail on Mismatch of Config

Versions
Select to consider the job to be a failure when the most recent configuration version in
the configuration archive is not identical to the most recent configuration version that
was in the configuration archive when you created the job.
Sync Archive before Job

Execution
Directs LMS archive running configuration before applying configuration changes.
Copy Running Config to Startup
Directs LMS to write the running configuration to the startup configuration on each
device after configuration changes are made successfully.
Does not apply to Catalyst OS devices.
Enable Job Password
Login Username
Enter the Login Username.

This option is available to you if you have set the appropriate job password policy in the
Configuration Management module.
This option overrides the credentials that you have entered at the time of adding the
device in the Device and Credentials Administration module of LMS.
Login Password
Enter the job password.

This option is available to you if you have set the appropriate job password policy in the
Configuration Management module.
5-10
OL-25941-01
Chapter 5

Field
Description
Enable Password
Enter the Enable password. This option is available to you if you have set the appropriate
job password policy in the Configuration Management module.
Failure Policy
Select one of these options to specify what the job should do if it fails to run on a device.
Execution
Stop on failureIf the job fails to execute on a device, the job is stopped. The
database is updated only for the devices on which the job was executed successfully.
Ignore failure and continueIf the job fails on a device, the job skips the device and
continues with the remaining devices. The database is updated only for the devices
on which the job was executed successfully.
Rollback device and stopRolls back the changes on the failed device and stops the
job.
Rollback device and continueRolls back the changes on the failed device and
continues the job.
Rollback job on failureRolls back the changes on all devices and stops the job. See
Configuring a Job to Roll Back on Failure.
Specify the order in which the job should run on the devices.
ParallelAllows the job to run on multiple devices at the same time. By default, the
job runs on five devices at a time.
SequentialAllows the job to run on only one device at a time. If you select
sequential execution, you can click Set Device Order to set the order of the devices.
In the Device Ordering dialog box:
a. Select a device name
b. Click Move Up or Move Down to change its place in the order.
c. Click OK to save the current order and close the dialog box
or
Click Cancel to close the dialog box without making any changes.
Step 12
Click Device Order to view the order of the device.

The Set Device Order pop-up appears. You can reset the order in which the job should be executed on
the devices using the Up and Down arrows.
When you are done, click Done. The pop-up closes.
Step 13
Click Next.
The Job Work Order dialog box appears with the general information about the job, the job policies, the
job approval details (if you have enabled job approval), the device details, the task, and the CLI
commands that will be executed on the selected devices as part of this job.
Step 14
Click Finish after you review the details of your job in the Job Work Order dialog box.
A notification message appears along with the Job ID. The newly created job appears in the NetConfig
Job Browser.

OL-25941-01
5-11
Chapter 5

You can create a NetConfig job for ports or modules by selecting a port or module group from the Group
Selector page in the NetConfig job flow.
You can create a NetConfig job for all devices in the port or module group, which is the default, or for
a few devices in the port or module group. If devices are not available in the port or module groups, then
Netconfig job will not be created and displays the following message No devices in selected group
To run the job for a few select devices, you need to select the devices from the Devices and Groups page
and the port or module from the Group Selector page. The job will run for the selected devices provided
the devices are available in the port or module selected. If there are no devices in Devices and Groups
page, then the Netconfig job will be created only for the devices that are part of port or module groups.
To start a new NetConfig job based on Modules or Ports:
Step 1
Select either:
Or
The NetConfig Job Browser appears.

Step 2
Click Create.
The Netconfig Job Type page appears, displaying the following job flows:
Step 3
Device Based
Module Based
Port Based
Either select:
Module BasedTo create a NetConfig job based on modules.
Or
Step 4
Port BasedTo create a Netconfig job based on ports.
Click Go.
The Device and Group Selector dialog box appears, with these options:
Options
Description
Device Selector Allows you to select the devices on which the NetConfig job has to run. You can select multiple devices.
Group Selector
Step 5
Allows you to select the device groups on which the NetConfig job has to run. You can select multiple
device groups.
Either:
Select the devices using the Device Selector option.
Or
Select the device groups using the Group Selector option.
You can also skip this page by clicking Next and directly go to Group Selector page.
5-12
OL-25941-01
Chapter 5

Click Next.
Step 6
The Group Selector page appears displaying the Port or Module Groups dialog box with these options:
Options
Field/Button
Select Custom
Group
Select the group on which the NetConfig job has to run. You can select multiple groups.
Define an
Adhoc Rule
Descriptions
Module groups are displayed for a Module based NetConfig job.
Port groups are displayed for a Port based NetConfig job.
Allows you to define Adhoc rules for a specific NetConfig job.

Object Type
Select the Object Type to form a group.
ModuleThis Object Type is listed only if you are creating a NetConfig job for
modules.
PortThis Object Type is listed only if you are creating a NetConfig job for
ports.
Variable
Object type attributes, based on which you can define the group.
Operator
Operator to be used in the rule. The list of possible operators changes based on the
Variable selected.
When using the equals operator the rule is case-sensitive.
Value
Value of the rule expression. The possible values depend upon the variable and
operator that you have selected. The value may be free-form text or a list of values.
Wildcard characters are not supported.
Add Rule
Expression
Used to add the rule expression to the group rules.
(Button)
Rule Text
Displays the rule.
Check Syntax
Verifies that the rule syntax is correct.
(Button)
Include
(Button)
Lists all the modules or ports from the selected devices that are not matching the rule.
You can later choose to include the modules or ports for group creation.
Click Include to launch the Include List window.
Exclude
(Button)
Lists all the modules or ports from the selected devices that are matching the rule.
You can later choose to exclude those modules or ports for group creation.
Click Exclude to launch the Exclude List window.
Step 7
Click Next.
The Port or Module Tasks page appears.
Step 8
Select the following task using the Task Selector:

OL-25941-01
5-13
Chapter 5
Port/Module Tasks
Description
GOLD Health Monitoring Test Task
Configure GOLD Health Monitoring tests on modules.
Adhoc Task
Configures user-defined commands on selected interfaces

within a port group.
Manage Auto Smartports
Enables or disables Auto Smartports macros at port level.
Smartports
Applies Smartports macros at port level.
Catalyst Integrated Security Features
Configures port security features.
PoE Task
Configures power policies in ports.
EnergyWise Parameters Task
Configures EnergyWise in ports.
EnergyWise Events Task
Configures EnergyWise events in ports.
SRE Operation Task
Configures the following operations on Services Ready

Engine (SRE) supported devices at port level:
InstallInstall application in service modules.
UninstallUninstall application from service modules.
StatusDisplays the following:

Status of the service module
The applicable running on the module
Status of the installation and uninstallation being
performed in the service module
AbortStop installation on a set of service modules in a

SRE device.
ShutdownShutdown the set of service modules in a

SRE device.
ResetReset service modules in a SRE device.
Your selection appears in the Selection pane.

Step 9
Click Next.
The Add Tasks dialog box appears with these panes:
Pane
Applicable
Tasks
Description
Allows you to add a task. The task that you selected using the Task Selector, appears here.
From your selection, only the tasks that are applicable to at least one device that you have selected, appear
here.
Select a task and click Add Instance to create an instance for the task (see Step 10).
Added Instances Allows you to edit the task instance you have added, view its CLI, or delete it. Select the instance of the
task, and click the required button (see Table 5-3).
5-14
OL-25941-01
Chapter 5

The buttons available in this page are:

Table 5-3
Tasks Performed by Buttons in the Added Instances Pane
Buttons
Description
Edit
Task pop-up opens with previously assigned values. You can modify the
values.
View CLI
Device Commands pop-up opens with the list of applicable devices and
their corresponding CLI commands. Devices in your selection for which
the commands are not applicable, are also displayed as Non-Applicable
Devices.
View Ports
Port Details pop-up opens showing the list of devices, their corresponding
ports and the port group rule.
For example,
Port Group: 100 Mbps Ethernet Ports
Port Group Rule: Port.Speed = "100000000" AND Port.Type = "6"
IN Port.GROUP_ID = "/RME@rme-ch-dev-sf4/All Devices"
Ports matching the port group rule:
4/1
4/2
4/3
4/4
4/5
4/6
4/7
Delete
Deletes the selected task instance.

Step 10
Select the applicable task and click Add.

The pop-up for the selected task appears.
Step 11
Set the parameters in the Task dialog box and click Save.
You will see the instance of the task in the Added Tasks pane of the Add Tasks dialog box. The instance
appears in the format:
Taskname_n, where Taskname is the name of the task you have added, and n is the number of the
instance. For example, the first instance of a Banner task is Banner_1.
You can add as many instances as required, for a task.
Step 12
Click Next.

OL-25941-01
5-15
Chapter 5
Step 13
Set the schedule for the job, in the Scheduling pane:
Field
Description
Scheduling
Run Type
Select the run type or frequency for the jobImmediate, Once, Daily, Weekly, Monthly,
or Last Day of Month.
Date
at
Job Info
Job Description
Enter the Job Description. Make each description unique so you can easily identify jobs.
This is mandatory.
E-mail
Enter e-mail addresses to which the job will send status notices. Separate multiple
addresses with commas or semicolons.
You must configure the SMTP server to send e-mails (Admin > System > System
Preferences).
Notification e-mails include a URL that displays the job details. See Viewing Job Details.
If you are not logged in, you must log in using the provided login panel to view the job
details.
Comments
Enter your comments for the job. Comments appear in job work order and are stored in
configuration archive.
Approver Comments
Enter comments for the job approver. This field is displayed only if you have enabled job
approval for NetConfig. See Administration of Cisco Prime LAN Management Solution
4.2 for more information.
Maker E-mail
Enter the e-mail-ID of the job creator. This field is displayed only if you have enabled
job approval for NetConfig. This is a mandatory field. See Administration of Cisco Prime
LAN Management Solution 4.2 for more information.
Step 14
Set the job options, in the Job Options pane.
Field
Description
Fail on Mismatch of Config

Versions
Select to cause job to be considered a failure when the most recent configuration version
in the archive is not identical to the most recent configuration version that was in the
archive when you created the job.
Sync Archive before Job

Execution
Select to cause job to archive running configuration before making configuration

changes.
Select to cause job to write the running configuration to the startup configuration on each
Enable Job Password
Login Username
Enter the Login Username. This option is available if you have set the appropriate job
password policy in the Configuration Management module.
5-16
OL-25941-01
Chapter 5

Field
Description
Login Password
Enter the job password. This option is available if you have set the appropriate job
This option overrides the credentials that you entered at the time of adding the device in
the Device and Credentials Administration module of LMS.
Enable Password
Enter the Enable password. This option is available if you have set the appropriate job
This option overrides the credentials that you entered at the time of adding the device in
the Device and Credentials Administration module of LMS.
Failure Policy
Select one of these options to specify what the job should do if it fails to run on a device.
Execution
Stop on failureIf the job fails to execute on a device, the job is stopped. The
database is updated only for the devices on which the job was executed successfully.
Ignore failure and continueIf the job fails on a device, the job skips the device and
continues with the remaining devices. The database is updated only for the devices
on which the job was executed successfully.
Rollback device and stopRolls back the changes on the failed device and stops the
job.
Rollback device and continueRolls back the changes on the failed device and
continues the job.
Rollback job on failureRolls back the changes on all devices and stops the job. See
Specify the order in which the job should run on the devices.
ParallelAllows the job to run on multiple devices at the same time. By default, the
job runs on five devices at a time.
SequentialAllows the job to run on only one device at a time. If you select
sequential execution, you can click Set Device Order to set the order of the devices.
In the Device Ordering dialog box:
a. Select a device name
b. Click Move Up or Move Down to change its place in the order.
c. Click OK to save the current order and close the dialog box
or
Click Cancel to close the dialog box without making any changes.
Step 15
Click Device Order to view the device order. The Set Device Order pop-up appears.
You can reset the order in which the job should be executed on the devices using the up and down arrows.
Step 16
Click Next.
The Job Work Order dialog box appears with:
General information about the job
Job policies
Job approval details (if you have enabled job approval)
Device details

OL-25941-01
5-17
Chapter 5
Step 17
Task
CLI commands that will be executed on the selected devices as part of this job
Rule Expression (applicable for Adhoc groups).
Click Finish after you review the details of your job in the Job Work Order dialog box.
A notification message appears along with the Job ID. The newly created job appears in the NetConfig
Job Browser.

You can browse the NetConfig jobs that are registered on the system. Using the NetConfig Job Browser,
you can also manage NetConfig jobs (create, edit, copy, retry, stop, or delete).
To create and start a new NetConfig job, see Starting a New NetConfig Job.
Note
To invoke the NetConfig Job browser that lists all the scheduled report jobs, select either:
Or
The columns in the NetConfig job browser displays the following information:
Column
Description
Job ID
Unique number assigned to a job when it is created.

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format. The x represents
the number of instances of the job. For example, 1001.3 indicates that this is the third instance
of the job ID 1001.
Click on the hyperlink to view the Job details. See Viewing Job Details.
Status
Status of the job:

The number, within brackets, next to Failed status indicates the count of the devices that had
failed for that job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed
amounts to 5.
CancelledWhen the job has been stopped.
WaitingWhen the job is waiting for approval (if job approval has been enabled).
RejectedWhen the job has been rejected (if job approval has been enabled).
5-18
OL-25941-01
Chapter 5

Column
Description
Description
Owner
Username of the job creator.
Scheduled at
Completed at
Flow Type
Type of the job flowPort, Module, Device.
Schedule Type
Type of job scheduleImmediate, Once, Daily, Weekly, Monthly, Last day of the month.
You can specify when you want to run the NetConfig job.
To do this, select one of these options from the drop-down menu:
WeeklyRuns weekly on the day of the week and at the specified time.
MonthlyRuns monthly on the day of the month and at the specified time.
Last Day of the MonthRuns the job on the last day of the month, beginning with the month
that you specify.
For periodic jobs, the subsequent instances will run only after the earlier instance of the job is
complete.
For example: If you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the November 1 job has completed. If
the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, then the next
job will start only at 10:00 a.m. on November 3.
You can filter the jobs using the Filter by field in the NetConfig Job Browser using any of the following
criteria:
Filter Criteria
Description
All
Select All to display all jobs in the job browser
Job ID
Select Job ID and enter the Job ID that you want to display. For non-periodic jobs, the specified Job ID
appears in the browser. For periodic jobs, all the instances of the selected Job ID will also be displayed
in the browser.
Status
Select Status and then select any one of these:
Successful
Failed
Cancelled
Running
Scheduled
Approved
Waiting
Rejected

OL-25941-01
5-19
Chapter 5
Filter Criteria
Description
Description
Select Description and enter the first few letters or the complete description.
Owner
Select Owner and enter the user ID or the beginning of the user ID.
Schedule Type
Select the schedule type and select any one of these:
Flow Type
Refresh
Immediate
Once
Daily
Weekly
Monthly
Last day of the month
Select Flow Type and then select any one of these:
Device
Port
Module
Click this icon to refresh the NetConfig job browser.
(Icon)
You can schedule a default purge job to purge the records of NetConfig jobs.
5-20
OL-25941-01
Chapter 5

You can perform the following operations using the NetConfig job browser. (See Table 5-4):
Table 5-4
Operations Using the NetConfig Job Browser
Button
Description
Usage Notes
Edit
Edits the selected pending job.
Unless you own a job, your login

ID determines whether you can use
this option.
For Device based jobs, the Job definition opens at the Devices and
Tasks dialog box, with current information about the job.
If the job start time occurs during

For Module based jobs, the Job definition opens at the Devices and
editing, it runs without edits. You
Groups dialog box, with current information about the job.
can complete the edits and
For Port based jobs, the Job definition opens at the Devices and
schedule the job to run again, but
Groups dialog box, with current information about the job.
you cannot re-edit the job.
You can edit a job the same way you define and schedule a new job. See To prevent the job from running
Starting a New NetConfig Job.
without edits, either:
The Job ID of an edited job remains unchanged.
Complete your edits before the

job start time.
Or
Cancel the job and create a

new one.

OL-25941-01
5-21
Chapter 5
Table 5-4
Operations Using the NetConfig Job Browser (continued)
Button
Description
Usage Notes
Copy
Copies selected job.
You can copy a job and give it a new schedule.
Tasks dialog box, with all the selections for the job that you are
copying.
For Module based jobs, the Job definition opens at the Devices and
Groups dialog box, with all the selections for the job that you are
copying.
For Port based jobs, the Job definition opens at the Devices and
Groups dialog box, with all the selections for the job that you are
copying.
You can copy a job in the same way you define and schedule a new job.
See Starting a New NetConfig Job.
A new Job ID with the copied job details is created.
Retry
Retry a failed job.
Tasks dialog box.
Unless you own the job, your login

determines whether you can use
this option.
There may be some devices whose

You can edit the job the same way as you would define and schedule
configuration has been
a new job. However, you cannot add new devices or change the tasks
downloaded. However, their
for the job that you are retrying.
running configuration has not been
You can select a few of the failed devices to retry the job.
written to the Startup
For Module based jobs, the Job definition opens at the Devices and configuration.
Groups dialog box.
You can perform Retry Job on
You can edit the job the same way as you would define and schedule these devices just as you can on a
failed job.
a new job. However, you cannot add new devices, modules or
change the tasks for the job that you are retrying.
Groups dialog box.
You can edit the job the same way as you would define and schedule
a new job. However, you cannot add new devices, ports or change
the tasks for the job that you are retrying.
5-22
OL-25941-01
Chapter 5

Table 5-4
Operations Using the NetConfig Job Browser (continued)
Button
Description
Usage Notes
Stop
Stops or cancels a running job.
Unless you own the job, your login

this option.
You will be asked to confirm the cancellation of the job. However, the
job will be stopped only after the devices currently being processed are
successfully completed. This is to ensure that no device is left in an
You cannot restart the stopped job.
inconsistent state.
You can however copy the stopped
If the job that you want to stop is a periodic job, you will also be asked job and Job ID.
whether you want to cancel all the instances of the job.
Click OK to cancel all instances.
If you click Cancel, only the selected instance of the job is cancelled.
The next instance of the job will appear in the Job browser with the
status Scheduled.
Delete
Deletes the selected job from the job browser. You can select more than Unless you own the job, your login
one job to delete.
this option.
You will be asked to confirm the deletion. If the job that you have
selected for deletion is a periodic job, this message appears:
If you delete periodic jobs, or instances of a periodic job,
that are yet to be run, the jobs will no longer run, nor will
they be scheduled to be run again. You must then recreate the
deleted jobs. Do you want to continue?
You must stop a running job before

you can delete it.
Click OK to confirm the deletion. The selected job will be deleted.

You can delete a job that has been successful, failed, or stopped, but you
cannot delete a running job.
Viewing Job Details

You can learn more about any job by viewing its details.
Step 1
Go to the NetConfig Job Browser and click the Job ID hyperlink. See Starting a New NetConfig Job to
invoke the NetConfig Job Browser.
The Job Details pop-up appears, displaying the day, date and time details in the header at the top of the
report. The Job ID and the Status appear in the header of the report.
The Job Details dialog box has two panes. The left pane contains a table of contents for the job results.
The results appear in the right pane.
Step 2
Click a content in the left pane to view its corresponding report in the right pane.
Step 3
Click expand and collapse icons to open and close the folder tree in the left pane.
If a folder has subfolders, the next level of subfolders appears under it. Otherwise, its corresponding
report appears in the right pane.
The contents of the left pane depends on the state of the job. The left pane can contain:
Job Summary (in the Job Details folder).
Downloaded Devices (in the Device Details folder).
Work Order

OL-25941-01
5-23
Chapter 5
Page/Folder
Description
Job Details
Job Summary
Click to display summary of completed job:
Job Summary:
Status
Start Time
End Time
Job Messages:
Pre-job Execution
Post-job Execution
Device Update:
Successful
Failed
Not attempted
Pending
Devices Pending Registration for Smart Call Home (SCH)
The URL https://tools.cisco.com/sch/pendingDevices.do is displayed

only for SCH NetConfig jobs. Click the URL to register the devices that
are pending to process SCH messages at Cisco.com.
For more information on Devices Pending Registration for SCH, see the
Smart Call Home User Guide at:
http://www.cisco.com/en/US/services/ps2827/ps2978/ps7334/networkin
g_solutions_products_genericcontent0900aecd806f52c2.pdf
Device Details
Downloaded Devices Contains detailed job results for each device in a table:
DeviceList of devices on which the job ran.
StatusStatus of job (success, failure, etc.)
MessageA message about the status of a job.

If the job failed on the device, the reason for failure is displayed.
If the job was successful on the device, the message Deploy Successful
is displayed.
You can filter the devices by selecting a status and clicking Filter.
This page displays the number of rows you have set for display in the Rows per
Page field. You can increase the rows up to 500 in each page.
You can navigate among the pages of the report using the navigation icons at the
right bottom of this table.
Click on a device to view the details such as protocol, status and reason when
applicable, task used and the CLI output for that device. These details appear in a
pop-up window.
Double-click to display status folders that correspond to possible device status.
5-24
OL-25941-01
Chapter 5

Page/Folder
Description
StatusFolder
Update
Successful
Devices that were successfully updated.
Update Failed
Devices that were not updated.

Includes devices on which rollback was attempted, regardless of whether the rollback was successful.
Not Attempted
Job did not try to update devices, even though they were selected.
Usually occurs when a previous device failed and failure property was set to Stop on Failure.
Work Order
Click to display Job Work Order, which contains the same information as the workorder that was displayed
when the job was created. (For the workorder details, see Step 16 in Starting a New NetConfig Job).
For retried jobs, the job definitions are not updated. For such jobs, the original job definitions are retained.
ViewPorts
Port Details pop-up opens showing the list of devices, their corresponding ports and the group rule.
(button)
The View Ports button is available only for jobs that are either in Scheduled, Waiting for Approval, or in
Rejected states.
To perform actions, click one of the following (For detailed descriptions of these operations see
Operations Using the NetConfig Job Browser in Table 5-4):
Edit
Copy
Retry
Stop
Delete

You can create User-defined Tasks and add one or more templates to each task.
The template, in turn, is associated with the Meta-Data Framework (MDF) categories of devices, for
which these templates will be applicable.
The templates contain configuration commands and rollback commands (see Creating Rollback
Commands). You can enter the configuration commands either by typing them or by importing them
from a file.
You can create a new task and add one or more templates to it. You can also add templates to an existing
task. Name a task when you create it and as it is saved for future use. You can copy, edit, and reuse your
tasks. You can assign access privileges to tasks while or after you create them (see Assigning Tasks to
Users).
You cannot add User Defined Templates to System Defined Tasks.
After you have successfully created a User-defined Task, this task will appear under the User-defined
Tasks group in the Task Selector of the NetConfig Job creation wizard. You can create a NetConfig job
using the User-defined task. For details on the Task Selector and job creation, see Step 2 in Starting a
New NetConfig Job.

OL-25941-01
5-25
Chapter 5
For each template, you should specify all the information including the configuration commands,
rollback commands (see Rolling Back Configuration Changes), mode (Config or Enable), and the device
category for which these commands will be applicable.
At the time of job creation, you should ensure that the User-defined task that you have selected is
applicable to the MDF categories of the devices that you have selected.
If the task that you have selected does not apply to the categories of any of the devices that you have
selected, it will not be displayed in the Applicable Tasks pane of the NetConfig job wizard, during job
creation.
For example, if you have selected an CatalystOS category of device, but selected a user-defined task that
is applicable to a Cable device, then the task will not appear in the Applicable Tasks pane of the job
wizard and you will not be able to proceed further with the job creation. For details on the Applicable
Tasks pane and job creation, see Step 6 in Starting a New NetConfig Job.
Caution
NetConfig does not validate the commands you enter in a user-defined template within a task. If you
enter incorrect commands you might misconfigure or disable the devices on which the job using the
template runs.
Step 1
Select Configuration > Tools > NetConfig > User Defined Tasks.
The User-defined Tasks dialog box appears. If you are creating a task for the first time, the system
displays a message that there are no user-defined tasks.
The User-defined Tasks dialog box has a Tasks browser in its left pane. After you create a task, the task
is displayed in the Tasks browser along with its templates.
Step 2
Define or edit a User-defined task by entering the following information in the dialog box.
Area/Field/Button
Description
Usage Notes
Name
Enter name for the new task. This is a mandatory field. To create new task from a copy of an existing
task:
1.
Select the name from Templates list,
2.
Enter the new name.
3.
Save the task.
To modify a task, select it from the tasks list

but do not modify its name.
You can modify a task by adding or deleting
templates, modifying existing templates and
changing other details.
Template Name
Enter the template name. This is a mandatory field.
Template Name is provided for User Defined

Tasks when you create a template for more
than one device category which has different
commands to execute.
5-26
OL-25941-01
Chapter 5

Area/Field/Button
Description
Usage Notes
Command Mode
Select mode (config or enable) in which commands will Each user-defined template can run
run.
commands in one mode only.
If you select Enable, enter Rollback
Commands area is disabled because only
config commands can be rolled back.
Parameterized
Select Parameterized if you want to create a

parameterized template.
The template parameters will be picked up

from a file that you specify, at the time of
scheduling a job using this task. See
Parameterized Templates.
Device Type
Select device category template will configure.
You can associate any number of MDF

categories with a template, if the command is
applicable to them.
CLI Commands
Enter configuration commands or select the

configuration commands file.
To enter configuration commands, do any of

the following:
The configuration commands file should reside in the

default location:
On Solaris and Soft Appliance:

/var/adm/CSCOpx/files/rme/netconfig/cmdFiles/
Or
Enter the default file location of the

configuration command files in the
Import from File field.
Click Browse.
On Windows:
NMSROOT\files\rme\netconfig\cmdFiles
Where, NMSROOT is the LMS install directory.
If you want to import the configuration commands from
an existing file, enter the default file location in the
Import from File field.
Alternatively, when you click on the Browse button, a
file browser opens with the default location of the
configuration commands file. You cannot change this
default import directory.
Type in larger text box, one command in

each line.
A file browser opens with the default

location of the configuration commands
file. You cannot change this default
import directory.
You can also enter interactive commands and
multi-line commands. See Handling
Interactive Commands.

OL-25941-01
5-27
Chapter 5
Area/Field/Button
Description
Usage Notes
Rollback
Commands
Enter configuration commands for the template to run

when the job fails and the failure policy is set to the
rollback option.
To enter rollback commands, do any of the

following:
If you want to import the rollback commands from an

existing file, enter the file location in the Import from
File field.
The rollback commands file should reside in the default
location:
Type in larger text box, one command in

each line.
Enter the default file location of the

rollback command files in the Import
from File field.
Click Browse.

/var/adm/CSCOpx/files/rme/netconfig/cmdFiles/
On Windows:
A file browser opens with the default

location of the configuration commands
file. You cannot change this default
import directory.
NMSROOT\files\rme\netconfig\cmdFiles
Alternatively, when you click on the Browse button, a
file browser opens with the default location of the
rollback commands file. You cannot change this default
import directory.
Click Save to save the task with the current information.

Or
Click Delete to delete the current task from the system.
To cancel the user-defined task you are creating, select a command from the Jobs or Admin menu (or a
corresponding button) and click Yes in the resulting dialog box.
To add a user-defined task, select Configuration > Tools > NetConfig > User Defined Tasks. The
User-defined Tasks dialog box appears with no values.
To copy a user-defined task:
Step 1
Select the task from the Tasks browser.

The details appear in the right pane of the User-defined Tasks dialog box.
Step 2
Change the name of the Task and click Save.
5-28
OL-25941-01
Chapter 5

To modify a user-defined task:

Step 1
Select the task from the Tasks browser.

The details appear in the right pane of the User-defined Tasks dialog box.
Step 2
Select templates associated with the task from the Task browser, and modify them
You can change details such as the command mode, parameterization option, the device type, the CLI
commands or the rollback commands.
You can add a template or delete an existing one. When you click Save, a message appears that the task
is modified.
Parameterized Templates
Creating a Parameters File (XML file)
Parameters File: More Examples
Parameterized Templates
You can include parameterized templates within User-defined tasks. A parameterized template allows
the configuration commands in the templates to contain user-defined variables.
Multiline feature of parameterized templates is not supported. However, interactive command deploy is
supported.
You can select the Parameterized option when you create a User-defined task (see Creating and Editing
User-defined Tasks).
If you select the Parameterized option, you should enter the actual values for the parameters in the
template in a separate Parameters file (see Creating a Parameters File (XML file)) when you create a
NetConfig job (see Creating and Editing User-defined Tasks). The Parameters file is the XML file that
contains the parameter values.
The Parameters file should reside on the server at this location:
NMSROOT\files\rme\netconfig\cmdFiles (On Windows)
/var/adm/CSCOpx/files/rme/netconfig/cmdFiles/ (On Solaris and Soft Appliance)
where NMSROOT is the LMS install directory.

For details See Parameters File: More Examples.
To create a Parameterized User-defined task and apply this in a NetConfig job:
Step 1
Create a User defined Task with variables embedded in the command body. For details see Creating and
Editing User-defined Tasks.
For example:
You can enter the command ntp server $ntpServer in the CLI Commands text box in the User-defined
Tasks dialog box.
Step 2
Select the Parameterized check box in the User-defined Tasks dialog box.
Step 3
Click Save to save your User-defined Parameterized task.

OL-25941-01
5-29
Chapter 5
Step 4
Create the Parameters file (XML file) containing the values for $ntpServer task. For details, see
Creating a Parameters File (XML file).
For example:
<DEVICE NAME = 10.76.38.54>
<CMDPARAM NAME = ntpServer>
<value>mytimeserver</value>
</CMDPARAM>
</DEVICE>
Step 5
Repeat the above step in the Parameters file, for all the devices that you plan to include in the job, if each
device refers to a different ntpServer.
Alternatively, you can have a global section if that variable does not change for each device. For details,
see Creating a Parameters File (XML file).
Step 6
Store the Parameters file in:
NMSROOT\files\rme\netconfig\cmdFiles directory (On Windows)

where NMSROOT is the LMS install directory.
Step 7
Create a NetConfig job and select your User-defined Parameterized task. For details see Starting a New
NetConfig Job.
You are prompted to enter the filename while adding the task to the NetConfig job.
You can check the syntax of the text file that contains the parameters. To do this, select Check Syntax.
Step 8
Complete the job creation. For details, see Creating and Editing User-defined Tasks.
Creating a Parameters File (XML file)

A specific format is defined for embedding variables in User-defined tasks and the corresponding
Parameters file that contains the values for the parameters.
The variables in the User-defined tasks, which you enter in the CLI Commands text area of the
User-defined Tasks dialog box (see Creating and Editing User-defined Tasks), should be preceded by $.
For example, for an NTP server parameter, it should be: $ntpServer
Similarly, the Parameters file also follows a specified format.
5-30
OL-25941-01
Chapter 5

Here is the sample format and example of the Parameters file (the XML command file that contains the
values for the parameters) for a parameterized template:
<GLOBAL>
<CMDPARAM NAME = password>
<value>abc</value>
</CMDPARAM>
<CMDPARAM NAME = message>
<value>test all</value>
</CMDPARAM>
</GLOBAL>
<DEVICE NAME = 10.76.38.54>

<CMDPARAM NAME =
ntpServer>
<value>ServerName</value>
</CMDPARAM>
</DEVICE>
You can assign the device-specific values to variables in the <DEVICE> area. If there are no
device-specific values, the default values in the <GLOBAL> area are considered as actual values for these
variables. You do not need to add a <GLOBAL> area in the Parameters file if you are referencing each
device explicitly (using the <DEVICE> area for each device).
Parameters File: More Examples

This section gives more examples of the format of the text to be entered in the CLI Commands body at
the time of creating a User-defined Task, and the commands to be entered in the corresponding
Parameters file.
For example, you can enter these parameters while creating a User-defined task, in the CLI Commands
text box:
ntp server
ntpServer
ip http port
ip address
portValue
ipAddress
In the corresponding Parameters file, which is stored under:
NMSROOT\files\rme\netconfig\cmdFiles directory (On Windows)
where NMSROOT is the LMS install directory, enter:

<GLOBAL>
<value>10.10.10.10</value>
</CMDPARAM>
<CMDPARAM NAME = portValue>
<value>90</value>
</CMDPARAM>
<CMDPARAM NAME = ipAddress>

OL-25941-01
5-31
Chapter 5
<value>1.1.1.1</value>
</CMDPARAM>
</GLOBAL>
<DEVICE NAME = 10.76.38.54>

<value>20.20.20.20</value>
</CMDPARAM>
<CMDPARAM NAME =
portValue>
<value>55</value>
</CMDPARAM>
</DEVICE>
<DEVICE NAME = 10.77.202.229>

<value>30.30.30.30</value>
</CMDPARAM>
</DEVICE>
In such a case, when the NetConfig job contains the device 10.76.38.54, the following commands are
generated:
ntp server 20.20.20.20
ip http port 55
(taken from the device-specific section of the Parameters file)
ip address 1.1.1.1
(taken from the global section of the Parameters file)
When the job contains the device 10.77.202.229, the following commands are generated:
ip http port 90
ip address 1.1.1.1
When the job contains other devices, all the values are taken from the global section of the XML file,
and the following commands are generated:
ip http port 90
ip address 1.1.1.1
If the value for a parameter is not found in the command file, the syntax check (in the job creation flow)
displays an error.
You can enter any special character, except <, >, and $, that is accepted by the device as the value for a
parameter in the command file. This is because NetConfig does not process the parameter values.
NetConfig only reads the value given between <value> and </value> tags and generates the command.
5-32
OL-25941-01
Chapter 5


You can assign access privileges to NetConfig tasks, to users with Network Operator privileges or lesser.
All other users with privileges higher than Network Operator are assigned all tasks by default.
A network administrator must assign task access privileges to other users. See Understanding NetConfig
User Permissions section for details.
Note
To assign tasks to users:
Step 1
Select Configuration > Tools > NetConfig > Assigning Tasks.

The Assign Tasks dialog box appears.
Step 2
Enter the username of the user to whom you want to assign the tasks.
This should be a valid LMS user.
Step 3
Select the task that you want to allocate to the user from the Available tasks list box and click Add.
You can select more than one task, by holding down the Shift key while selecting the task.
The selected tasks appear in the Selected Tasks list box.
To remove assigned tasks, select the tasks from the Selected Tasks list box and click Remove.
Step 4
Add all the required tasks to the Selected Tasks list box.
Step 5
Click Assign to assign the task access privileges to the specified user.
For a specified user, to see the assigned tasks, enter the username in the Username field and click Show
Assigned.
The tasks assigned to the user appear in the Selected Tasks list box.
Step 6
Click Report to generate the User Task Report.

The User Task Report shows the list of users and the tasks assigned for each user.
Note
By default, all the tasks are assigned to admin users. Therefore, the User Task Report will not list the
users with Admin privileges.
Handling Interactive Commands

An interactive command is the input you will have to enter, following the execution of a command.
For example, on a Catalyst device, a clear counters command on a Cat 5000 will give the following
output:
c5000# (enable) clear counters. This command will reset all MAC and port counters reported
in CLI and SNMP. Do you want to continue (y/n) [n]?

OL-25941-01
5-33
Chapter 5
In LMS, such commands can be included in config jobs executed via NetConfig or ConfigEditor. For
more details also see Editing and Deploying Configurations Using Config Editor.
You can handle interactive commands using NetConfig user-defined templates, and by using Adhoc
tasks. See Using NetConfig User-defined Templates and Adhoc Tasks.
You cannot run interactive commands through NetConfig CLI.
Using NetConfig User-defined Templates and Adhoc Tasks

You can enter an interactive command in the Enter CLI Commands area, using the following syntax:
CLI Command<R>command response 1 <R>command response 2
<R>
tag is case-sensitive and this must be entered in uppercase only.
Example
For a Catalyst device, a clear counters command will give the following output
c5000# (enable) clear counters This command will reset all MAC and port counters reported
in CLI and SNMP. Do you want to continue (y/n) [n]?
To clear the counter, the syntax is:
clear counters <R>y
To accept the default, the syntaxes are:
clear counters <R>n
or
clear counters <R>
To accept the default value, you do not need to enter any values after the tag <R>.

You can enter multi-line commands as a part of User-defined and Adhoc tasks. The multi-line commands
must be within the tag <MLTCMD> and </MLTCMD>.
These tags are case-sensitive and you must enter them only in uppercase. You cannot start this tag with
a space.
Example
<MLTCMD> banner login "Welcome to
Cisco Prime LMS
Essentials - you are using
You can have a blank line within a multi-line command. The commands within the MLTCMD tags are
considered as a single command and will be downloaded as a single command onto the device.
5-34
OL-25941-01
Chapter 5


NetConfig provides System-defined configuration tasks. You can create configuration commands by
using these tasks (see Understanding the System-defined Task User Interface (Dialog Box)).
Each task supports one or more device categories (see Table 5-5). Table 5-5 displays a comprehensive
list of all templates available and a brief description of each.
For Device-based jobs, the System-defined tasks are available in the Devices and Tasks dialog box
of the NetConfig job wizard.
For Port-based jobs, the System-defined tasks are available in the Port Tasks page of the NetConfig
job wizard.
For Module-based jobs, the System-defined tasks are available in the Module Tasks page of the
NetConfig job wizard.
All System-defined tasks are categorized into various task groups in the Tasks Selector. To select the
tasks, you must expand the corresponding Task Group node.
After you select the devices and the tasks and click Next (see Starting a New NetConfig Job), the
selected tasks appear in the Applicable Tasks pane of the Add Tasks dialog box (in the Job wizard).
When you select an applicable task and click Add Instance, a dialog box appears for the selected
System-defined configuration task.
This is a dynamic user interface. The task dialog box displays parameters, based on the devices that you
selected in Device Selector.
For example, if you have selected IOS devices, you can specify IOS parameters in this dialog box. If not,
this section will not be available to you.
When you enter information in the fields of the task and click Save, the task appears as a numbered
instance in the Added Instances pane of the Add Tasks dialog box.
For the detailed procedure and for information on how to edit the task instances, view CLI, or delete the
instances, see Starting a New NetConfig Job.
You can add multiple instances of a configuration task to a job by selecting an applicable task, adding
information, and saving this information. You need to do this whenever you add instances. However, you
can include only one instance of a task in a job.
Each System-defined task also creates Rollback commands that you can use to roll back the changes to
devices if the job fails.
View the Permission Report (Reports > System > Users > Permission) to check whether you have
the required privileges to perform this task.
If you use TFTP protocol to deploy NetConfig templates to devices, the DCR does not reflect the
updates.

OL-25941-01
5-35
Chapter 5
Table 5-5
NetConfig System-Defined Tasks Supported by LMS Device Categories
Task Group
Task
Description
IOS
CatOS
CSS
CE
NAM
PIX
Cable
General
Adhoc Task
Enter any configuration

commands as required.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Authentication Proxy
Task
Configure Authentication
Proxy.
Yes
Yes
Banner Task
Add, remove, or edit banners.
Yes
Yes
Yes
CDP Task
Configure Cisco Discovery

Protocol (CDP).
Yes
Yes
Yes
Yes
DNS Task
Configure DNS.
Yes
Yes
Yes
Yes
Yes
Yes
HTTP Server Task
Configure HTTP access on

VPN devices.
Yes
Yes
IGMP Configuration
Task1
Configure IGMP of selected

cable interfaces.
Yes
Internet Key Exchange

(IKE) Configuration
Task2
Configure IP security (IPSec).
Yes
Yes
Yes
Interface IP Address
Configuration Task
Configure IP interface address

of selected interface.
Yes
NTP Server
Configuration Task
Configure Network Time

Protocol (NTP).
Yes
Yes
Yes
Yes
Yes
RCP Configuration Task Configure rcp
Yes
Yes
Reload Task
Reload devices
Yes
Yes
Yes
Yes
Smart Call Home Task
Register devices with Cisco

Smart Call Home
Yes
Syslog Task
Configure Syslog message

logging.
Yes
Yes
Yes
Yes
Yes
Yes
Transform
System-Defined Task
Configure IPSec.
Yes
Yes
Yes
User-defined Protocol
Task
Configure the User-defined

protocol on NAM devices.
Yes
Web User Task
Configure the web user for

NAM devices
Yes
Yes
5-36
OL-25941-01
Chapter 5

Table 5-5
Task Group
Task
Description
IOS
CatOS
CSS
CE
NAM
PIX
Cable
Cable
Cable BPI/BPI+ Task
Assign self-signed certificate,

configure cable interface, and
set BPI/BPI+ options.
Yes
Cable DHCP-GiAddr
and Helper Task1
Configure DCHP-GiAddr and

Helper Address of the selected
cable interface.
Yes
Cable Downstream Task1 Activate/Deactivate DS Ports,

Interleave Depth, MPEG
Framing Format, Modulations,
Channel ID and Frequency of
the selected cable interfaces.
Yes
Cable Interface Bundling Configure Interface Bundling

Task1
on selected cable interface.
Yes
Cable Spectrum
Management Task
Assign Spectrum Groups and

Interfaces on a selected cable
interface.
Yes
Cable Trap Source Task
Configure SNMP Traps hosts,

notification, message and
notification of SNMP Traps on
a cable interface.
Yes
Cable Upstream Task1
Activate and configure

upstream on selected cable
interfaces.
Yes
Enable Password Task
Configure, or change enable or

secret password to enter in
enable mode on devices.
Yes
Yes
Yes
Yes
Local Username Task
Configure local username and

password authentication on
devices.
Yes
Yes
Yes
SSH Configuration Task Configure SSH.
Yes
Yes
Yes
Yes
Telnet Password
Configuration Task
Add, remove, and edit Telnet

passwords.
Yes
Yes
Yes
Yes
Certification Authority
Task2
Create, or modify Certification

Authority. Provides
manageability and scalability
for IP security (IPSec)
standards on VPN devices.
Yes
Yes
Crypto Map Task2
Configure IPSec.
Yes
Yes
Yes
Embedded Event
Manager Task
Configure EEM Scripts or

Applets on the devices
Yes
EEM Environmental
Variables Task
Configure EEM Environmental Yes

Variables on the devices
EnergyWise
Configuration Task
Configure EnergyWise in
Devices
Credential
Encryption
EEM
EnergyWise
Yes
Yes

OL-25941-01
5-37
Chapter 5
Table 5-5
Task Group
Task
Description
IOS
CatOS
CSS
CE
NAM
PIX
Cable
GOLD
GOLD Boot Level Task
Configure Boot Level

Diagnositc tests on the devices
Yes
GOLD Monitoring Test

Task
Configure GOLD Monitoring

tests on devices
Yes
SNMP Community
Configuration Task
Add, remove, and edit SNMP

community strings
Yes
Yes
Yes
Yes
Yes
Yes
Yes
SNMP Security
Configuration Task
Configure SNMP Security

feature on devices.
Yes
Yes
Yes
SNMP Traps
Configuration Task
Configure SNMP traps.
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Port Macros Auto Smartports
Configure Auto Smartport

macros on devices.
Yes
TACACS
TACACS Configuration
Task
Configure TACACS
authentication.
Yes
Yes
TACACS+
Configuration Task
Configure TACACS+
authentication
Yes
Yes
Yes
Yes
Yes
RADIUS Server
Configuration Task
Configure RADIUS server and

task.
Yes
Yes
Yes
Yes
SNMP
User-defined Tasks
Lists all user-defined tasks
1. You can apply this task only to a single device, at a time because cable templates configure interfaces on devices.
2. You must follow this sequence to complete the configuration of the IPSec on devices:
a. IKE configuration System-defined task.
b. Transform System-defined task.
c. Crypto Map System-defined task.
5-38
OL-25941-01
Chapter 5

Understanding the System-defined Task User Interface (Dialog Box)

NetConfig tasks support devices in the following device categories:
IOS
Catalyst OS
Content Engine
CSS
NAM
PIX OS
Cable
Each of the system-defined tasks have their own dynamic user interface, or dialog box, that displays
fields for a specified category of devices only if you have selected that category of device.
The dialog boxes for system-defined tasks may have these groups, links, and buttons:
Common ParametersThis group of fields appears at the top of the task dialog box. In the fields
under this group, you can enter the parameters that are common to all the categories of devices that
you have selected.
Device Category-specific ParametersThis group of fields is specific to a device category. If, for
a specified device category, only the common parameters are applicable, this message appears in the
user interface:
No Category-specific Commands
Applicable DevicesThis link is available in the device category-specific group of fields and
enables you to view the devices in your selection, to which the device-specific parameters apply.
Buttons in the system-defined tasks interface:
Button
Action
Save
Saves the information that you have entered in the fields in the task dialog box.
Reset
Clears all the fields.
Cancel
Cancels your changes, and closes the task dialog box.
For the cable devices, you can apply a task only to a single device at a time, because cable templates
configure interfaces on devices.
Also, for the cable tasks to work correctly, you must have valid SNMP credentials in Device and
Credential Repository (DCR). See Administration of Cisco Prime LAN Management Solution 4.2 for
more information on setting valid SNMP credentials.
Therefore, if you have selected more than one cable device and selected tasks for them, the task may not
appear in the Applicable Tasks pane of the Add Tasks dialog box. For the tasks that are applicable to
cable devices, see Table 5-5.

OL-25941-01
5-39
Chapter 5
Understanding the NetConfig Credentials Configuration Tasks
NetConfig provides for tasks to configure credentials on devices. These tasks are:
Enable Password (See Enable Password Task.)
Local Username (See Local Username Task.)
Radius Server (See RADIUS Server Configuration Task.)
TACACS TACACS Configuration Task
TACACS+ (See TACACS+ Configuration Task.)
SNMP Community (See SNMP Community Configuration Task.)
SNMP Security (See SNMP Security Configuration Task.)
The credential store allows only one set of login credentials per device - Primary username and primary
password, irrespective of the authentication type.
Hence, this imposes certain limitations on the NetConfig templates, especially, when you are
configuring/modifying the authentication method on the device.
To overcome this, an option to specifically update the credential store is provided in the credential tasks.
The credential store is updated only when this option is chosen with the values specified.
The usage of NetConfig credentials tasks to configure the credentials on a device should be based on the
active credentials (e.g. Telnet, TACACS, etc.) in the device. For example if the device is configured with
TACACS+, you should use only TACACS+ template to configure the credentials.
Example
When you remove the TACACS+ authentication for the device, the device reverts to the authentication
method that was earlier configured on it. For example, the local username.
However, LMS is unaware of the fallback authentication method, and the respective credentials. If
Device and Credential Repository is not updated with the right credentials, the subsequent device
operations from LMS will fail.
In this case, you should select the option to update the local credential store and specify the local
username credentials. When the job runs, NetConfig updates Device and Credential Repository with this
set of credentials, so that for subsequent devices, access from LMS will be successful.
Adhoc Task
You can use the Adhoc system-defined task to add configuration commands to a job, during job
definition.
You cannot save an instance of an Adhoc task, for future use. If you need to reuse a template that
provides capabilities unavailable from the system-defined tasks, you can create a user-defined tasks (see
Creating and Editing User-defined Tasks).
Caution
NetConfig does not validate commands you enter in the Adhoc task. If you enter incorrect commands,
you might misconfigure or disable devices on which jobs that use the task run.
Groups for each of the device categories that you have selected, appear in the Adhoc Configuration
dialog box. To invoke the Adhoc Configuration dialog box, see Starting a New NetConfig Job.
5-40
OL-25941-01
Chapter 5

You can enter configuration and rollback commands for these device categories:
IOS (including Cable devices)
Catalyst OS
Content Engine
CSS
NAM
PIX OS
For more details, see Table 5-5.
Note
As Cable devices fall under the IOS category, you can enter adhoc commands in the IOS group of fields
in the Adhoc Configuration dialog box.
For the features of system-defined tasks and a description of the features of a system-defined task dialog
box, see Understanding the System-defined Task User Interface (Dialog Box).
The fields in the Adhoc Configuration dialog box are:
Group
Field
Description
Commands
CLI
Command
Enter configuration commands.
Rollback
Command
Command Mode Config or
Enable
You can also enter interactive commands (see Handling Interactive Commands) and
multi-line commands see Handling Multi-line Commands).
Enter rollback commands.
Select the mode (config or enable) in which the task configuration commands will run.
If you have selected Catalyst OS, or NAM devices, then the enable mode is preselected,
and you do not have the option to select the config mode.
The Command Mode group is not available for the Adhoc Task selected in the Port Based
flow of the NetConfig job.
If you enter any credential command in the CLI Commands or Rollback Commands fields, then those
credentials will be masked in the job work order and the job results page.
For example, the command, snmp-server community public ro will be displayed as snmp-server
community ***** ro.
For each device category, click on Applicable Devices to view the devices in your selection, to which
this task applies.
Authentication Proxy Task

The Authentication Proxy feature helps users to log into the network or access the Internet using HTTP.
Their specific profiles are automatically retrieved and applied from a CiscoSecure ACS, or other
RADIUS, or TACACS+ authentication server.

OL-25941-01
5-41
Chapter 5
The Cisco Secure Integrated Software authentication proxy feature allows network administrators to
apply specific security policies on a user to user basis. You can use the Authentication Proxy
system-defined configuration Task on IOS devices, which have been configured for VPN functionality.
The IOS category of devices (including Cable devices) are supported by this task.
You can enter the details of this task in the Authentication Proxy Configuration dialog box. (To invoke
this dialog box, see Starting a New NetConfig Job.)
The fields in the Authentication Proxy Configuration dialog box are:
Group
Sub-Group
Field
Description
IOS
Parameters
Authorization
(AAA)
Action
Select the required option to enable, disable or make no

change to the authorization configuration.
Method 1
Select either TACACS+ or RADIUS as your first method of

authorization.
Method 2
Select either TACACS+ or RADIUS as your second method

of authorization, based on your selection in the first method
Minutes
(1-2147483647)
Timeout value. The default timeout value can be in the range

of 1 and 2,147,483,647.
Set to default
Select this to set the default cache timeout value of 60

seconds.
Action
Select Enable or Disable to set or reset Banner display in the

login page.
Cache Timeout
Banner
If you select Enable, the router name is displayed in the

login page.
If you select Disable, then the router name is not

displayed.
If you do not want to make any changes to the banner, select

No Change.
Banner Text (Optional)
Enter the text that you want displayed in the banner. If you
enter the banner text, then this text is displayed instead of the
router name in the login page.
This is an optional field.
Authentication
Proxy Rule
Action
Select Enable or Disable an authentication proxy rule.
If you select Enable, a named authentication proxy rule

is created and associated with access list.
If you select Disable, the associated proxy rule is

removed.
Select No Change if you do not want to make changes to the

Authentication Proxy Rule group of fields.
5-42
OL-25941-01
Chapter 5

Group
Sub-Group
Field
Description
Name
Enter a name for the authentication proxy rule.

The name can be up to 16 alphanumeric characters.
Overriding Timeout
Enter a timeout value to override the default cache timeout.
[optional(1-2147483647
This is an optional field. The overriding timeout value should
)]:
be in the range of 1 and 2,147,483,647.
ACL Number/Name
[optional]:
Enter a Standard Access list to be used with the

Authentication proxy.
This is an optional field.
New Model
Action
Select to enable, disable, or make no change to new model

state.
Click on Applicable Devices to view the devices in your selection, to which this task applies.
IOS Devices with VPN Images
You can determine VPN images from the naming convention used for IOS images. The naming
convention follows the xxxx-yyyy-ww format.
Where, xxxx represents platform, yyyy represents features and ww represents format. If the middle value
(yyyy) contains, the number 56 or Kn, where n is a number between 1 and 9, then this is a VPN image.
For example, C7100-IS56I-M is a VPN image, since it contains the number 56.
Banner Task
You can use the Banner system-defined, configuration task to change banners on devices.
The following device categories are supported by this task:
Catalyst OS

You can enter the details of this task in the Banner Configuration dialog box. (To invoke this dialog box,
see Starting a New NetConfig Job.)
The fields in the Banner Configuration dialog box are:
Group
Sub Group
Field
Description
Common
Parameters
Motd Banner
Action
Select the appropriate option to add or remove a message of

the day banner. Select No Change, if you are modifying an
existing task, and you do not want to change the value in this
field.
Message
Enter message, if you selected Add in Action field.

OL-25941-01
5-43
Chapter 5
Group
Sub Group
IOS Parameters Exec Banner
Incoming Banner
Login Banner
Slip-PPP Banner
CatOS
Parameters
No category-specific
commands.
Field
Description
Action
Select the appropriate option to add or remove an Exec

banner. Select No Change, if you are modifying an existing
task, and you do not want to change the value in this field.
Message
Action
Select the appropriate option to add or remove an Incoming

Message
Action
Select the appropriate option to add or remove a Login

Message
Action
Select the appropriate option to add or remove a Slip/PPP

Message
This device category does not have any

device-category-specific commands. Use the Common
Parameters group to assign the values.
this task applies.
CDP Task
You can use the CDP system-defined task to configure Cisco Discovery Protocol (CDP) on devices.
Catalyst OS
Content Engine

You can enter the details of this task in the CDP Configuration dialog box. (To invoke this dialog box,
The fields in the CDP Configuration dialog box are:
5-44
OL-25941-01
Chapter 5

Group
Sub Group
Field
Description
Common
Parameters
Run
Action
Select to enable, disable, or make no change to the

CDP state.
Hold Time
Seconds (10-255)
Enter holdtime in seconds.

The CDP holdtime specifies how much time can
pass between CDP messages from neighboring
devices before the device is no longer considered
connected and the neighboring entry is aged out.
Value must be greater than value in Update Time
field.
Update Time
Set to Default
Select this for the default hold time of 60 seconds
Seconds (5-254)
Enter time between CDP updates, in seconds.

Value must be less than value in Hold Time field.
CDP Version
Set to Default
Select this for the default update time of 60

seconds
Run
Select the CDP Version (CDPv1 or CDPv2. CDP

version 2 is the default value.
If you are modifying the CDP Task and you do not
want to change this field, select No Change.
IOS Parameters No category-specific

commands.

device-category-specific commands. Use the
Common Parameters group to assign the values.
CatOS
Parameters
Mod/Ports
(Ex:2/1-12,3/5)
Enter modules and ports on which to enable or

disable CDP.
Mod/Ports
You can enter a single module and port or a range

of ports, for example, 2/1-12,3/5-12.
CDP Format
All mod/ports
Select to enable or disable CDP in all ports in all

modules.
Format
The options are:
No Change (Does not allow you to make any

modifications to the specified CDP format.)
MAC
Other
Select the required option.

CE Parameters
No category-specific
commands.

device-category-specific commands. Use the
Common Parameters group to assign the values.
this task applies.

OL-25941-01
5-45
Chapter 5
Certification Authority Task

You can use the Certification Authority (CA) system-defined configuration task to provide
manageability and scalability for IP Security (IPSec) standards. The Certification Authority task can be
used only on IOS devices configured for VPN functionality.
This task is applicable to IOS devices (including Cable devices).
You can enter the details of this task in the Certification Authority Configuration dialog box. (To invoke
For this task to work correctly, you must use a CLI-based protocol (Telnet or SSH) as the download
protocol.
The fields in the Certification Authority Configuration dialog box are:
Group
Sub-Group
Field
Description
IOS Parameters
Declare CA
Action
Select Enable or Disable to activate/deactivate

Certification Authority (CA).
If you select Enable you can create or modify CA.
If you select Disable, you can delete the CA.
Select No Change, to leave the CA Name unchanged.

CA Name
Enter the CA name. This name is used to identify the

certification authority to be configured.
This name is the CA domain name.
Enrollment URL
Action
Value
Select Enable to allow router to connect to the CA,

using the URL specified in the Value field.
Select Disable, if you do not want to connect to the CA.
Select No Change to leave the Enrollment URL field

unchanged.
Enter the URL of the CA.

The URL should include any available non-standard cgi-bin
script location.
Enrollment Mode
Action
LDAP Server
Select Enable if the CA provides a Registration

Authority (RA).
Select Disable to disable the specified LDAP Server.
Select No Change to leave the Enrollment Mode field

unchanged.
Enter the LDAP server of the CA, if your CA system

provides an RA.
LDAP server contains the location of CRLs (certification
revocation lists) and certificates.
5-46
OL-25941-01
Chapter 5

Group
Sub-Group
Field
Description
Enrollment Retry
Period
Minutes [1- 60]
Enter the wait period between certification request retries.
Enrollment Retry
Count
CRL Optional
The wait period is between 1 to 60.

Set to Default
Select this option to set the default wait period to 1 minute.
Number [1- 100]
Enter the certification request retry number.

The retry number must be between 1 and 100.
Set to Default
Select this option to set the default retry period to 1 minute.
Action
Select Enable to bypass the Certificate Revocation List.

If you select Disable, Certificate Revocation list is checked.
Certificate Query
RSA Key pairs
Action
Action
Select an option to enable, disable or make no change to

certificate query.
If you select Enable, certificate query will be added to

all trust points on the router.
If you select Disable, the certificate will not be queried.
Select an option to generate, delete or make no change to the

RSA key pairs. This feature allows you to configure a Cisco
IOS router to have multiple key pairs.
Thus, the Cisco IOS software can maintain a different key
pair for each identity certificate.
Key Type
Specify the key type:
General PurposeTo generate a general purpose key

pair that is used for both encryption and signature.
UsageTo generate separate usage key pairs for

encrypting and signing documents.
this task applies.
convention follows the xxxx-yyyy-ww format.
For example, C7100-IS56I-M is a VPN image, since it contains the number 56.
Crypto Map Task

You can use the Crypto Map Server system-defined task to configure IPSec on devices.
Note
You must configure the IKE configuration system-defined task (see Internet Key Exchange (IKE)
Configuration Task) and Transform system-defined task (see Transform System-Defined Task) before
configuring the Crypto Map system-defined task.

OL-25941-01
5-47
Chapter 5
PIX OS

You can enter the details of this task in the Crypto Map Configuration dialog box. (To invoke this dialog
box, see Starting a New NetConfig Job.)
The fields in the Crypto Map Configuration dialog box are:
Group
Sub-Group
Field
Descriptions
IOS
Parameters
Configuration
Action
Select an option to add, remove, or make no change to the IOS

configuration.
Map Name
Enter the name for the Crypto Map.
Map Number
Enter the number for the Crypto Map.

The value must be between 1 and 65535.
PIX
Parameters
Configuration
Map Type
Select the map type (manual or isakmp) for the Crypto Map.
Map Description
Enter the description for the Crypto Map.
Crypto ACL
Enter the extended access list for Crypto Map.
IPSec Peer
Enter the IPSec peer to be associated with the Crypto Map.
Transform Set
name
Enter the transform set name to be used with the Crypto Map.
Action
Select an option to add, remove, or make no change to the PIX

configuration.
Map Name
Enter the name for the Crypto Map.
Map Number
Enter the number for the Crypto Map.

Value must be between 1 and 65535.
Map Type
Select the type (manual or isakmp) for the Crypto Map.
Crypto ACL
Enter the extended access list for Crypto Map.
IPSec Peer
Enter the IPSec peer to be associated with the Crypto Map.
Transform Set
name
Enter the transform set name to be used with the Crypto Map.
this task applies.
5-48
OL-25941-01
Chapter 5

DNS Task
You can use the DNS system-defined task to configure DNS (Domain Name Server) on devices.
Catalyst OS
Content Engine
CSS
NAM
PIX OS

You can enter the details of this task in the DNS Configuration dialog box. (To invoke this dialog box,
The fields in the DNS Configuration dialog box are:
Group
Sub-Group
Field
Description
Common
Parameters
DNS Server
Add
Enter the IP addresses of DNS name server(s) that you want to add.
Separate multiple addresses with commas.
If the device accepts only one DNS server, then the first address will
be considered.
Remove
Enter the IP addresses of DNS name server(s) that you want to

remove.
Domain Name
Name
Enter the domain names to complete unqualified hostnames.

If a device has a domain list enabled, it will be used to complete
unqualified hostnames instead of the domain name.
Separate multiple addresses with commas. If the device accepts only
one domain name, then the first entry will be considered.
IOS
Parameters
Domain List
Remove
Select this option to remove the domain names.
Domain Lookup
Select to enable or disable IP DNS-based hostname-to-address

translation.
CLNS NSAP
Select to enable or disable or make no change to the CLNS NSAP

option. If this option is enabled, any packet with the specified CLNS
NSAP prefix causes CLNS (Connectionless Network Service)
protocol to behave as if no route were found.
OSPF
Select to enable or disable or make no change to the OSPF (Open

Shortest Path First) protocol option.
Action
Select an option to add, remove, or make no change to the domain list.

OL-25941-01
5-49
Chapter 5
Group
Sub-Group
Field
Description
Domain List
Enter domain names to complete unqualified hostnames, or add to the

existing list.
Separate multiple domain names with commas.
Do not include an initial period before domain names.
CatOS
Parameters
Content
Engine
Parameters
CSS
Parameters
Secondary
DNS Server
1st Server Primary
Select to have a DNS name server entered in Add field, as the default
or the primary name server.
Domain Lookup
Select an option to enable, disable, or make no change to the domain

lookup.
Serial Lookup
Select an option to enable, disable, or make no change to the serial

lookup.
Add (Hostname or IP Enter the hostname or an IP address of a secondary server, that you
Address)
want to add.
A maximum of two IP addresses are allowed. The order in which you
enter them is the order in which they are used if the primary DNS
server fails.
Separate multiple addresses with a comma.
Remove (Hostname
or IP Address)
Enter a hostname or an IP address of a secondary server, that you want

to remove.
A maximum of two IP addresses are allowed.
Separate multiple addresses with a comma
NAM
Parameters
Disable
Nameservers
Select to disable domain name servers.
this task applies.
Enable Password Task

You can use the Enable Password system-defined, configuration task to change the enable and secret
passwords, which allow users to enter the enable mode on devices.
When you enable or disable an enable password, the change is made on the device and in Device and
Credential Repository.
Note
If you disable the enable password on a device, you cannot enter the enable mode on that device unless
you previously enabled an alternative type of enable mode authentication.
Catalyst OS
PIX OS
5-50
OL-25941-01
Chapter 5

You can enter the details of this task in the Enable Password Configuration dialog box. (To invoke this
dialog box, see Starting a New NetConfig Job.)
Note
If you change the enable password on a Catalyst device with an RSM module using this task, the RSM
enable password is also changed.

OL-25941-01
5-51
Chapter 5
The fields in the Enable Password Configuration dialog box are:

Group
Sub-group
Field
Description
Common
Parameters
Setup
Action
Select an option to enable, disable or make no

change to the enable password.
Password
Enter the enable password.
Verify
Re-enter the password.
Level (1-15)
Set the Enable Password level. The level can

be between 1 and 15. 15 is the default level.
IOS Parameters
Password
For an IOS device, it is advisable not to

disable both Enable Password and Enable
Secret password.
This is because the IOS device will not allow
you to go into the Enable mode of the device.
You can do this only if you have the console
password for the device.
If you have selected Enable Password as No
Change in the Common Parameters pane, and
selected Disable for Enable Secret in the IOS
Parameters pane, then Enable Secret Password
is updated in the Device and Credentials
database.
If you have selected Enable Password as
Disable in the Common Parameters pane, and
selected No Change for Enable Secret in the
IOS Parameters pane, then Enable Password is
updated in the Device and Credentials
database.
Secret
CatOS Parameters
Password
Encrypted
Select this option to encrypt the password.
Update Credentials
Select this to update credentials. For details

see Understanding the NetConfig Credentials
Configuration Tasks
Action
Select an option to enable, disable or make no

change to the secret password.
Secret
Enter the secret password.
Verify
Level (1-15)
Set the password level. The level can be

between 1 and 15. 15 is the default level.
Encrypted
Select this option to encrypt the password.
Apply Command on Modules
Select to apply the command on the modules.

If you have selected Disable as the action in
the Common Parameters group, then the
password will be removed.
5-52
OL-25941-01
Chapter 5

Group
Sub-group
PIX Parameters
Field
Description
Level(0-15)
Set the password level. The level can be

between 0 and 15. 15 is the default level.
Encrypted (Password should

be 16 characters)
Select this option if the password you are

entering is already encrypted. If you select this
option ensure that your password is 16
characters.
this task applies.
HTTP Server Task

You can use HTTP Sever to configure HTTP access on IOS devices, which have been configured for
VPN functionality.
Catalyst OS

You can enter the details of this task in the HTTP Server Configuration dialog box. (To invoke this dialog
The fields in the HTTP Server Configuration dialog box are:
Group
Sub-group
Field
Description
Common
Parameters
Server
Action
Select an option to enable, disable or make no change to the

HTTP access on the device.
Port
Number [0-65535]
Specify the HTTP server port number.
Set to Default
Select this option to set the default port (80).
Action

authentication method.
Method
Select an authentication method:
IOS
Parameters
Authentication
Access List
Action
AAA
enable
local
TACACS

access list.

OL-25941-01
5-53
Chapter 5
Group
Sub-group
Field
Description
ACL Number/Name
Enter the Access Control List number or name to be used. The

access list number must be between 1 to 99.
CatOS
Parameters
No category-specific commands.
this task applies.
You will lose Telnet access to the device if you configure HTTP Server. The Device may require
TACACS/RADIUS/Local username and password after configuring HTTP Server. You should make
sure that the device has the appropriate login configured. The username and password has to be stored
in the LMS Database.
convention follows xxxx-yyyy-ww format.
For example, C7100-IS56I-M is a VPN image, since it contains the number 56
Local Username Task

You can use the Local Username system-defined task configure local username and password
authentication on devices.
CSS

You can enter the details of this task in the Local Username Task Configuration dialog box. (To invoke
The fields in the Local Username Task Configuration dialog box are:
Group
Sub-Group
Field
Description
Common
Parameters
Local User Setup
Action
Select an option to add, remove or make no change to the local

username setup.
Username
Enter the local username.
Password
Enter local username password.
Verify
5-54
OL-25941-01
Chapter 5

Group
Sub-Group
Field
Description
IOS Parameters
Local User Setup
Privilege Level
[0-15]
Set the required privilege level.
Privilege Level
[0-15]
Set the required privilege level.
No HangUp
Select this option to enable No Hang Up mode.
No Escape
Select this option to enable No Escape mode.
Action
Select to enable, disable or make no change to the local user

authentication group of fields.
Username
Values are entered in Device and Credential Repository only.

They do not affect device configuration. For details see
Understanding the NetConfig Credentials Configuration
Tasks.
Password

Tasks.
Verify

Tasks.
Local User Setup
Local User Login

Authentication
Local Username
Credentials
CSS Parameters
For CSS devices:
Local User Setup
Directory Access
The username length should be between 1 and 16

characters.
The local password length should be between 6 and 16

characters.
The DES-Encrypted password length should be between 6

and 64 characters.
SuperUser
Select this option to designate the local user as superuser.
Password Type
Select the password type from these options:
Local
Encrypted
DES_Encrypted
Configure
Select this option if you want to configure directory access.
Directory Access Defines the CSS directory access levels.
By default, CSS assigns users with read and write access to the
directories. Changing the access level also affects the use of
the CLI commands associated with the directories.
Directories
Script
Select the required access option to the Script directory:
No Access
Read And Write
Read
Write

OL-25941-01
5-55
Chapter 5
Group
Sub-Group
Field
Description
Log
Select the required access option to the Log directory:
Root
Archive
Release Root
Core
MIB
No Access
Read And Write
Read
Write
Select the required access option to the Root directory:
No Access
Read And Write
Read
Write
Select the required access option to the Archive directory:
No Access
Read And Write
Read
Write
Select the required access option to the Release Root

directory:
No Access
Read And Write
Read
Write
Select the required access option to the Core directory:
No Access
Read And Write
Read
Write
Select the required access option to the MIB directory:
No Access
Read And Write
Read
Write
this task applies.
5-56
OL-25941-01
Chapter 5

IGMP Configuration Task

You can use this task to configure the Internet Group Management Protocol (IGMP) on a cable interface.
Note
You can apply this task only on a single IOS device at a time. For details, see Table 5-5.
You can enter the details of this task in the IGMP Configuration dialog box. (To invoke this dialog box,
The fields in the IGMP Configuration dialog box are:
Group
Sub-group
Field
Description
Interface
Interfaces
Select the required option to specify the interface to be configured

for IGMP, or to make no change to the existing interface selection:
IOS Parameters
IGMP
Configuration
IGMP
Parameters
Not Selected
FastEthernet0/0
FastEthernet0/
Cable1/0
Action
Select the required option to enable, disable, or make no change to

the Interface sub-group of fields.
PIM Mode
Select the required PIM mode option. Select No Change to retain

any previous mode selection:
No Change
dense-mode
sparse-mode
sparse-dense-mode
Action
Select the required option to replace the values in, or to make no

change to the IGMP Parameters group of fields.
IGMP Version
Select the required IGMP version from the supported versions:
Last Memory
Query Interval
[100-25500 in
msec]
Enter the time interval between the IGMP specific messages sent by
the router.
Enter the last memory query interval in seconds. You can enter an
interval between 100 and 25500 milliseconds. The default is 1000
milliseconds.

OL-25941-01
5-57
Chapter 5
Group
Sub-group
Field
Description
Query Maximum
Response
Time[1-25 in sec]
Enter the maximum response time advertised in the IGMP queries.

This option is enabled when IGMP version 2 is configured.
Query Interval
[1-65535 in sec]
Indicates a time interval when the Cisco IOS software sends IGMP
host queries. Enter a query interval between 1 and 65535 seconds.
The default is 60 seconds.
Query Timeout
[60-300 in sec]
Indicates the timeout period when the router takes the query of an
interface after the previous query has stopped querying.
You can enter a response time between 1 and 25 seconds. The default
is 10 seconds.
You can enter a value between 60 and 300 seconds. The default is 2*
Query Interval second.
Helper Address
(Should be in IP
address format)
Indicates the IP address that will receive all IGMP host reports, and
also where you can leave messages. This option is enabled when
IGMP version 2 is configured.
Enter the Helper Address in the IP Address format.
Group
Configuration
Action
Select the required option to add values to, or to make no change to

the Group Configuration group of fields.
Allows you to control the multicast groups. You can enter either the
ACL to control
joining of Multicast IP access list name or number. The valid range is between 1 and 99.
Group
Adds Join Group Multicast Address to the Multicast Address table.
Join Group
Multicast Address Enter the addresses, separated by commas.
(multiple addresses
should be separated
by commas)
Adds Static Group Multicast Address to the Multicast Address table.
Static Group
Multicast Address Enter the addresses, separated by commas.
(multiple addresses
should be separated
by comma)
Populate for all
Groups
Allows you to apply the configuration to all groups.
Interface IP Address Configuration Task

You can use this task to configure the IP address of a cable interface.
Note
You can apply this task only on a single IOS device at a time. For details, see Table 5-5.
You can enter the details of this task in the Interface IP Address Configuration dialog box. (To invoke
5-58
OL-25941-01
Chapter 5

The fields in the Interface IP Address Configuration dialog box are:
Group
Sub-group
Field
Description
Cable Interface
Select the required cable interface for configuring the IP

address, or select Not Selected to make no change to the
previous selection:
Cable
Parameters
Interface IP
Configuratio
n
Action
IPAddress
Subnet Mask
Note
Not Selected
FastEthernet0/0
FastEthernet0/1
Cable1/0
Select the following action:
No ChangeMakes no change to the IP Addresses
ReplaceReplaces the IP Addresses
Remove PrimaryRemoves the primary IP Address.
Remove SecondaryRemoves the secondary IP Address.
Remove AllRemoves both primary and secondary IP

Addresses.
Primary
Enter the primary IP address.
Secondary
Enter the secondary IP address.
Primary
Enter the primary subnet mask.
Secondary
Enter the secondary subnet mask.
The values for interfaces are as returned by device.

Internet Key Exchange (IKE) Configuration Task

Use the Internet Key Exchange (IKE) Configuration System task to configure IPSec on devices.
PIX OS

You can enter the details of this task in the IKE Configuration dialog box. (To invoke this dialog box,

OL-25941-01
5-59
Chapter 5
Group
Sub-group
Field
Description
Action
Select to enable, disable, or make no change to ISAKMP.
Action
Select to add, remove, or make no change to ISAKMP policy priority.
Priority
[1-10000]
Enter the policy priority number
Action
Select to enable, disable, or make no change to encryption type.
Type
Select the type of encryption for the policy:
IOS
Parameters
ISAKMP
ISAKMP
Policy
ISAKMP
Policy Priority
Encryption
Hash
Authentication
Group
3des
des
Action
Select to enable, disable, or make no change to the hash algorithm.
Algorithm
Select the type of hash algorithm:
sha
md5
Action
Select to enable, disable, or make no change to the authentication method.
Method
Select the type of authentication method:
rsa-sig
rsa-encr
pre-share
Action
Select to enable, disable, or make no change to the Diffie-Hellman group

identifier.
Value
Enter the Diffie-Hellman group identifier.

Value must be 1 or 2.
Lifetime
Action
Select to enable, disable, or make no change to the lifetime value.
Seconds
[60-86400]
Enter the lifetime value in seconds.
Action
Select to enable, disable, or make no change to ISAKMP.
Interface
Select the interface:
Value must be between 60 and 86400 seconds.
PIX
Parameters
ISAKMP
ISAKMP
Policy
ISAKMP
Policy Priority
Action
Inside
Outside
Select to add, remove, or make no change to ISAKMP policy priority.
5-60
OL-25941-01
Chapter 5

Group
Sub-group
Encryption
Hash
Authentication
Group
Field
Description
Priority
[1-65534]
Enter the policy priority number
Action
Select to enable, disable, or make no change to encryption type.
Type:
Select the type of encryption:
aes
aes-192
aes-256
des
3des
Action
Select to enable, disable, or make no change to the hash algorithm.
Algorithm
Select type of hash algorithm:
sha
md5
Action
Select to enable, disable, or make no change to the authentication method.
Method
Select the type of authentication method:
rsa-sig
pre-share
Action
Select to enable, disable, or make no change to the Diffie-Hellman group

identifier.
Value
Enter the Diffie-Hellman group identifier.

Value must be 1, 2 or 5.
Lifetime
Action
Select to enable, disable, or make no change to the lifetime value.
Seconds
[120-86400]
Enter the lifetime in seconds.

Value must be between 120 and 86400 seconds.
this task applies.
NTP Server Configuration Task

You can use the NTP Server system-defined task to configure Network Time Protocol (NTP) on devices.
Catalyst OS
CSS
CE

OL-25941-01
5-61
Chapter 5
You can enter the details of this task in the NTP Server Configuration dialog box. (To invoke this dialog
Group
Sub-group
Field
Description
Common
Parameters
NTP Server
Action
Select to add, remove, or make no change to Network Time

Protocol.
Host Name/IP Address
Enter the IP address of the NTP server to which devices will

send time-of day requests.
Server Type
Select the required server type.
Version
Select the server version.
Server Key
(0-4294967295)
Enter the NTP server Key. The value must be between 0 and
4294967295.
Verify Server Key
Re-enter the Key to confirm.
IOS Parameters
NTP Server
Source Interface (Interface Enter the source interface name.

Name)
NTP
Authentication
Key
Preferred
Select an option to specify whether the interface is a

preferred interface.
Action
Select to add, remove, or make no change to the NTP

authentication Key.
Number [1 to 4294967295] Enter the number of Key bits. The value must be between 1
and 4294967295 Key bits.
Verify Number
Re-enter the number to confirm.
MD5 Number (Max 8

chars)
Enter the MD5 number which can contain a maximum of 8

characters.
NTP
Authentication
NTP Authentication
Select to enable, disable, or make no change to NTP

authentication.
NTP Calendar
Action

calendar.
NTP Access
Group
Action
Select to add, remove, or make no change to the NTP access

group.
Access Type
Select the required action type:
NTP Trusted
Key
QueryOnly
ServeOnly
Serve
Peer
ACL Number [1-99]
Enter the ACL number which should be a value between 1

and 99.
Action

trusted Key.
5-62
OL-25941-01
Chapter 5

Group
CatOS
Parameters
CE Parameters
Sub-group
Field
Description
Key Number
[1-4294967295]
Enter the Key number whcih must be a value between 1 and

4294967295.
Verify Key Number
Re-enter the Key number to verify.
Server Key [Range:1 to

4292945295]
Enter the NTP server Key which must be between 1 to

4292945295.
Verify Server Key
NTP Client
Client Action
Select to enable, disable, or make no change to NTP client.
NTP
Authentication
NTP Authentication
Select to enable, disable, or make no change to NTP

authentication.
NTP Key
Action
Select to add, remove, or make no change to the NTP Key.
Key Number [1 to
4292945295]
Enter the NTP server Key and the value must be between 1
to 4292945295.
Verify Key Number
Type
Select the required Key type.
MD5 Number [Max 32

chars]
Enter the MD5 number which should be a maximum of 32

characters.
Action
Select to enable, disable, or make no change to the NTP

server.
Server Type
Select the required server type.
NTP Server Version
Select the required NTP server version.
Action
Select to add, remove, or make no change to the NTP poll

interval.
Poll Interval [16-16284

seconds]
Specify the poll interval. The value must be between 16 and

16284 seconds.
NTP Server
NTP Server
CSS Parameters
NTP Server
Poll Interval
RADIUS Server Configuration Task

You can you use the RADIUS system-defined task to configure RADIUS on devices.
CSS
CE

You can enter the details of this task in the RADIUS Server Configuration dialog box. (To invoke this

OL-25941-01
5-63
Chapter 5
Group
Sub-group
Field
Description
Action
Select to enable, disable, or make no change to the server

configuration.
Server Name
Enter the server name.
Auth Port
(0-65536)
Enter port used for authentication by RADIUS server.
Action
Select to enable, disable, or make no change to the key

configuration.
Key
Enter RADIUS authentication and encryption key string used by

server specified in Host area.
Verify
Re-enter RADIUS key.
Action
Select to enable, disable, or make no change to the login

authentication.
Common
Parameters
Host
Configuration
Key
Configuration
Login
Authentication
The Login Authentication is not applicable for CSS

RADIUS
Credentials
Username
Enter the username. For details see Understanding the

NetConfig Credentials Configuration Tasks.
In case of CSS devices, this value will be used to update the
Primary login details.
Password
Enter the password. For details see Understanding the

Verify
Re-enter the password to verify. For details see Understanding

the NetConfig Credentials Configuration Tasks.
IOS Parameters
Login
Authentication
List
Type
Name
Enter default or named list.
Set to Default
Select to set the default list.
Options
Select the required option:
(Drop-down list
1)
No Choice
radius
tacacs+
line
enable
local
none
Similarly, select the type from the other three drop-down lists.
5-64
OL-25941-01
Chapter 5

Group
Sub-group
Field
Description
New Model
Action
Select to enable, disable, or make no change to new model state.
Enable mode
Authentication
Action
Select to add, remove, or make no change to the enable mode

authentication.
Username
Enter the enable username.
Password
Verify
Re-enter the enable password.
Options
Credentials
Type
(Drop-down list
1)
No Choice
radius
tacacs+
line
enable
local
none
Content Engine
Parameters
CSS Parameters
No category-specific commands.
Host Configuration Action
Select to enable, disable, or make no change to the host

configuration.
Secondary Server Enter the secondary server hostname or IP address.

Name (Host
Name or IP
Address)
Secondary Server Enter the key for the secondary server. Defines the secret string
Key
for authentication transactions between the RADIUS server and
the CSS. Enter a case-sensitive string with a maximum of 16
characters.
Verify
Re-enter the key to verify.
Authentication
Port (1-65535)
Enter custom authentication port of the RADIUS server. Value

must be between 0 and 65535.
Optional field. Defines the UDP port on the secondary RADIUS
server that receives authentication packets from clients. Enter a
number from 0 to 65535. The default is 1645.
Other Parameters
Dead Time in
seconds (1-255)
Enter the dead time in seconds. The value must be between 0 and
255.
Enter a number from 0 to 255. The default is 5.
If you enter 0, the dead time is disabled and the CSS does not
send probe access-request packets to the non-responsive server.
This command applies to primary and secondary servers.
Remove
Select to remove the dead time specification. Use the no form of

this command to reset the dead-time period to its default of 5
seconds.

OL-25941-01
5-65
Chapter 5
Group
Sub-group
Field
Description
Retransmit
(1-30)
Enter the retransmit value (between 1 and 30) number of times

that the CSS retransmits an authentication request. Enter a
number from 1 to 30. The default number is 3.
Remove
Use the no form of this command to reset the retransmission of

authentication request to its default of 3.
Source Interface Enter the source interface hostname or IP address.

Host (Host Name Source Interface Host configuration is required to accept
or IP Address)
authentication from the RADIUS client. Note that this IP
interface address is used for the NAS-IP-Address RADIUS
attribute in the RADIUS Authentication Request.
Remove
Select to remove the source interface specification.
Timeout (1-255): Enter the timeout value (between 1 and 2555). Timeout specifies
the period of which the CSS waits for a reply to a RADIUS
request before retransmitting requests to the RADIUS server.
Remove
Select the remove option to reset the interval to its default of 10

seconds.
this task applies.
RCP Configuration Task

You can use the RCP system-defined configuration task to configure RCP on devices.
This task supports the IOS category of devices including Cable devices.
You can enter the details of this task in the RCP Configuration dialog box. (To invoke this dialog box,
box, see Understanding the System-defined Task User Interface (Dialog Box)
The fields in the RCP Configuration dialog box are:
Group
Sub-group
Field
Description
IOS Parameters
Enable
Action
Select to enable or disable rcp state.

To make rcp setup changes without enabling or disabling rcp,
select No Change.
RCP User Setup
Action
Select the required option to add to, or to remove current user

from rcp authentication list.
To make rcp setup changes without enabling or disabling rcp,
select No Change.
Local Username
Enter local name of user whose rcp access you are modifying.
Remote Host
Enter IP address of remote host from which local device will

accept remotely executed commands.
5-66
OL-25941-01
Chapter 5

Remote
Username
Enter username on remote host from which device will accept

remote commands.
Enable Mode
Commands
Click to allow remote user to run enable commands using rsh or

to copy files to device using rcp.
add/remove
Click Add to add current user to rcp authentication list.

Click Remove to remove current user from rcp authentication list.
this task applies.
Reload Task
You can use the Reload task to schedule reload of devices. This task supports the IOS, Cat OS, SFS,
NAM, CE, FastSwitch, PIX, CSS and Cable categories of devices. For more details, see Table 5-5.
You can enter the details of this task in the Reload Configuration dialog box. (To invoke this dialog box,
box, see Understanding the System-defined Task User Interface (Dialog Box)
The fields in the Reload Configuration dialog box are:
Group
Sub-group
Field
Description
Common
Parameters
Reload
Action
Select either:
Reload to enable reloading selected devices.
or
IOS Parameters
Do not Save
config before
reload
Action
No Change if you do not want to schedule a reload for the

selected devices.
You can:
Check this option if you do not want to save the

configurations before reloading.
or
CatOS
Parameters
CE Parameters
Uncheck this option if you want to save the configurations

before reloading.
No category-specific parameters.
Do not Save
config before
reload
Action
You can:

or

before reloading.

OL-25941-01
5-67
Chapter 5
NAM Parameters Do not Save

config before
reload
Action
You can:

or

before reloading.
SFS Parameters
Fast Switch
parameters
PIX Parameters
Do not Save
config before
reload
Action
You can:

or
CSS Parameters

before reloading.
Cable Parameters Do not Save

config before
reload
Action
You can:

or

before reloading.
the reload task applies.
SNMP Community Configuration Task

You can use the SNMP Community Configuration system-defined task to replace, add, and remove
device SNMP community strings.
Catalyst OS
Content Engine
CSS
NAM
PIX OS

You can enter the details of this task in the SNMP Community Configuration dialog box. (To invoke this
5-68
OL-25941-01
Chapter 5

The fields in the SNMP Community Configuration dialog box are:
Group
Sub-group
Common
Read-only
Parameters
Field
Description
Action
Select an option to replace, add, remove, or make no change to a read-only

SNMP community string.
If you select Replace, the new community string replaces the

corresponding community string in the Device and Credential
Repository (DCR). This action also deletes the current SNMP
credentials on the device.
If you select the Add or Remove option, the new SNMP community
strings are configured in the device alone and DCR is untouched.
However if you select Replace, then the new SNMP community strings
replace the community strings in the device as well as in DCR.
If you select No Change, no change will be made to the Read-only
Community string.
Read-write
Community
String
Enter the community string.
Verify
Re-enter the community string.
Action
Select an option to replace, add, remove, or make no change to a read-write

SNMP community string.
If you select Replace, the new community string replaces the

corresponding community string in the Device and Credential
Repository.
If you select Add or Remove, the new SNMP community strings are
configured in the device alone and DCR is untouched.
However if you select Replace, then the new SNMP community strings
replace the community strings in the device as well as in DCR.
If you select No Change, no change will be made to the Read-write
Community string.
IOS
Setup View
Parameters (Optional)
Community
String
Verify
Re-enter the community string.
MIB View
(Optional)
Enter name of a previously defined view that defines objects available to

community.
Optional field.
OID -Tree
Indicates the Object Identifier of ASN.1 subtree that is to be included or

excluded from the view.
To identify an Object Identifier ASN.1 subtree, enter a numerical string
such as 1.3.6.2.4 or a word such as system.
To identify a subtree family, enter a wildcard, for example an asterisk (*),
where the string will read 1.3.*.4.
Enter the MIB OID-Tree name.

OL-25941-01
5-69
Chapter 5
Group
Sub-group
Access List
(Optional)
Field
Description
Type
Include or exclude all the objects specified in the MIB OID subtree you
identified in the previous field. Select Included or Excluded from the drop
down list.
Access List
(Optional)
Enter an integer from 1 to 99 to specify a named or numbered access list of

IP addresses that are allowed to use the community string to access SNMP
agent.
Optional field.
CatOS
Parameters
CE
Parameters
PIX
Parameters
CSS
Parameters
NAM
Parameters
this task applies.
SNMP Security Configuration Task

You can use this task to configure the SNMP Security feature on the following device categories:
Content Engine

You can enter the details of this task in the SNMP Security Configuration dialog box. (To invoke this
5-70
OL-25941-01
Chapter 5

The fields in the SNMP Security Configuration dialog box are:

Group
Sub-group
Common
Parameters
Field
Description
Action
Select an option, to add, remove, or make no change to the

common parameters.
(Drop-down list)
Select the required option for SNMP Groups/Users:
Group & Users
Group
Users
When you select the Group option while adding task instances
for this task, the user fields will not be disabled. This is because
NetConfig needs the user information for configuring SNMP
group commands in Catalyst OS devices.
Group Name
Enter the group name. Indicates the SNMP Group in the SNMP
protocol context.
SNMP Versions
Select the SNMP version.

SNMP version 1 and version 2 have No Auth and No Privacy.
Version 3 has all levels of security.
Users *
User Names
- The entries in
the first row will
be updated in
Device and
Credential
Repository
Authen Pswds
Authen Algorithm
UsernameIndicates the name of the user in the SNMPv3

protocol.
Authenticating PasswordsIndicates that the user is part of

the group that is assigned Auth No Privacy or Auth Privacy
security level.
Authenticating AlgorithmIndicates the authenticating

algorithm is assigned to a group with Auth No Privacy or
Auth Privacy security levels.
Privacy passwordsIndicates user is part of a group

assigned Auth Privacy level of security.
Privacy Paswds
You can specify up to five usernames, for which you can enter
authentication passwords, select the authentication algorithm,
and specify the privacy passwords.
Config Access
Control
[optional]
IOS Parameters
Access Control
(optional)
This section allows you to configure access options for an SNMP

group.
Read View
Specify the read view. This view is for users assigned to a

specified group. Indicates an alphanumeric label, not exceeding
64 characters, for the SNMP view entry you are creating or
updating.
Write View
Specify the write view. Allows all users in the specified group to
add, modify, or create a configuration.
Notify View
Specify the notify view. This view notifies all the users in the
specified group.
Access List [1-99]
Enter the number of an Access List (1 and 99).

OL-25941-01
5-71
Chapter 5
Group
Sub-group
Field
Description
Engine ID
[optional]
Action
Select to add, remove, or make no change to the engine

configuration. SNMP Engine ID is an identification name for the
local or remote SNMP engine.
Type
Select the type of engine:
Content Engine
Parameters
LocalLocal SNMP server engine.
RemoteRemote SNMP server engine.
ID
Enter the Engine ID (identification name for the local or remote

SNMP engine).
Remote host
Enter the hostname or IP address of the remote SNMP entity to

which the user belongs.
Remote Engine ID
[Optional]
Enter the remote engine ID. This is an optional field.
The SNMP Security template enables you to configure Groups as well as Users with certain privileges.
These Groups can be rolled back but the Users cannot be rolled back.
This is because the User details will not be available in the running configuration. Since NetConfig uses
the running config to do roll back, rolling back Users is not possible.You should run a separate job to
remove or add Users as required.
For each device category, click on Applicable Devices to view the devices in your selection.
SNMP Traps Configuration Task

You can use this task to configure the host, trap notification, and trap/inform parameters. You can specify
security parameters to communicate securely with the SNMP host. See SNMP Security Configuration
Task to configure the SNMP security.
Catalyst OS
Content Engine
CSS
NAM

You can enter the details of this task in the SNMP Traps Configuration dialog box. (To invoke this dialog
5-72
OL-25941-01
Chapter 5

The fields in the SNMP Traps Configuration dialog box are:

Group
Sub-group
Field
Description
Common Parameters
Traps Notification
Action
Select to enable, disable, or make no change to the traps

notification configuration.
If you select Enable, the server will receive SNMP traps.
If you select Disable the server will not receive any SNMP
traps.
IOS Parameters
Traps Notification
Options
Type
Host Configuration
Environmental
Select to send only environmental traps to the host.
SNMP
Select to send the SNMP traps to the host.
Action
Select to add, remove, or make no change to the host

configuration.
Username
Specifies the user name that is used for authentication. This

field is available when No Authentication, Authentication
or Privacy are selected.
Host
Enter the hostname or IP address.
SNMP Security
Select the SNMP security method:
SecureV2c
NoAuthenticationV3
AuthenticationV3
PrivacyV3
None
Notification Type Select the notification type:
Community String
Direct Traps To
Host
Trap/Inform
Configuration
Traps Message
Trap
Inform
UDP Port
[0-65535]
Indicates the port that will receive the SNMP requests.
String
Verify
Re-enter the community string to confirm.
Environmental
Select to send only environmental traps to the host.
SNMP
Select to send the SNMP traps to the host.
Action
Select to change, replace, disable or make no change to the

trap configuration.
Trap Timeout
[1-1000 s]:
Specify the trap timeout value. This value must be between

1 and 1000 seconds.
The range for a valid port number between 0 and 65535. The
default is 162.

OL-25941-01
5-73
Chapter 5
Group
Sub-group
Inform Request
CatOS Parameters
ContentEngine
Parameters
PIX Parameters
Field
Description
Trap Queue
Length [1-1000
events]:
Specify the trap queue length. The number of events that

you specify must be between 1 and 1000.
Action
Select to replace, disable, or make no change to the inform

request.
Inform Retries
[0-100]
Enter the inform retires. The value should be between 0 and

100.
Inform Timeout
[0-4294967295]
Specify the inform timeout value. This value must be

between 0 and 4294967295.
Inform Pending
[0-4294967295]
Specify the inform pending value. This value must be

between 0 and 4294967295.

configuration.
Host
Community
String
Verify

configuration.
Host
Community
String
Verify
SNMP Security
Select the SNMP security method.

configuration.
Host
Specify an IP address of the SNMP management station to

which traps should be sent and/or from which the SNMP
requests come. You can specify up to five SNMP
management stations.
Interface
Select the interface:
Inside [default]
Outside
Notification Type Select the notification type:
Trap & Poll [default]Allows both traps and polls to

be acted upon.
TrapOnly traps will be sent. This host will not be

allowed to poll.
PollTraps will not be sent. This host will be allowed

to poll.
5-74
OL-25941-01
Chapter 5

Group
CSS Parameters
Sub-group
Field
Description
Action
Select to add, remove, or make no change to the parameters

such as host name or IP address, trap community, source IP
address in traps, specific host, trap type, and event.
Host Name or IP
Address
Enter the hostname or IP address of an SNMP host that has

been configured to receive traps. A maximum of 5 hosts can
be configured.
Trap Community Enter the trap community string/name to be used when

sending traps to the specified SNMP host. Enter an
unquoted text string with no spaces and with maximum
length of 12 characters.
Verify
Re-enter the trap community string to confirm.
Source IP
Address in Traps
Select the source IP address in traps. To set the source IP

address in the traps generated by CSS select one of these
options:
Egress PortObtains the source IP address for the

SNMP traps from the VLAN circuit IP address
configured on the egress port used to send the trap.
You do not need to enter an IP address because the
address is determined dynamically by the CSS.
ManagementPlaces the management port IP address

in the source IP field of the trap. This is the default
setting.
Specific HostAllows the user to enter the IP address

to be used in the, source IP field of the traps.
Enter the IP address in dotted-decimal notation (for
example, 192.168.11.1) in the Specific Host field (the
next field).
No Change (No change will be made to the source IP

address if you select this option.)
Specific Host
In the previous field, that is, Source IP Address in Traps, if

you have selected the Specific Host option, then specify the
IP Address of the specific host in this field.
Trap Type
Select the trap type:
No Change (No change will be made to the trap type if

you select this option).
EnterpriseWhen you use this keyword alone, it

enables enterprise traps. You must enable enterprise
traps before you configure an enterprise trap option.
GenericThe generic SNMP traps consist of cold start,

warm start, link down, and link up.

OL-25941-01
5-75
Chapter 5
Group
Sub-group
NAM Syslog Host

Configuration
Parameters
Field
Description
Event
Select the event:
None
Module Transition
Power Supply Transition
Illegal Packet DOS attack
LAND DOS attack
Smurf DOS attack
SYN DOS attack
Lifetick message failure
Login Failure
System reload
Reporter state transitions
Service transition
Action
Select to add, remove, or make no change to the syslog host

configuration.
Index[1-65535]
Enter the syslog host index. The value should be between 1

and 65535.
Host IP Address
Enter the host name or IP address.
Community
String
Verify
Verify the community string.
UDP
Port[1-65535]
Enter the UDP port. The value should be between 1 and

65535.
this task applies.
Smart Call Home Task

You can use the Smart Call Home task to configure the LMS managed Cisco Catalyst 6500 devices with
the Call Home feature.
You can enter the details for this task in the Smart Call Home Configuration dialog box. To invoke this
dialog box, see Starting a New NetConfig Job.
5-76
OL-25941-01
Chapter 5

The fields in the Smart Call Home Configuration dialog box are:
Field/Button
Description
General Configuration
Call Home Service
Select any of these:
Enable Enables Smart Call Home service.
Disable Disables Smart Call Home service.
No Change No change is made to Smart Call Home Service.
Contact E-mail Addresses
Action
Contact E-mail
Address
Add Adds the contact e-mail addresses
Remove Removes the contact e-mail addresses
No Change The contact e-mail addresses is not changed. This is the default option.
Enter contact email address. You can enter one or more e-mail IDs. Each e-mail ID to be entered on a
separate line.
E-mail Server
Action
Add Adds one or more e-mail servers.

You can add a maximum of five e-mail servers.
E-mail Servers
Replace Adds new e-mail servers after removing all earlier e-mail servers.
Remove Removes one or more e-mail servers
No Change The e-mail servers are not changed. This is the default option.
Enter one or more e-mail servers. Enter each e-mail server on a separate line and specify priority for
each of them. The priority can be between 1 and 100.
Sender From Email Address
Action
Sender E-mail
Address (from)
Add Adds a sender e-mail address
Remove Removes the sender e-mail address
No Change The sender e-mail address is not changed. This is the default option.
Enter the e-mail address from which the mail is sent.
Sender Reply-to Address
Action
Sender Reply-to
Address
Add Adds a sender reply-to e-mail address
Remove Removes the sender reply-to e-mail address
No Change Not to change the sender reply-to e-mail address. This is the default option.
Enter a sender reply to e-mail ID.

OL-25941-01
5-77
Chapter 5
Field/Button
Description
Install Cisco Security Certificate
Install Cisco
Security Certificate
Check to install the HTTP certificate.
Profile Configuration
Profile
Select either:
CiscoTAC-1 Profile
Or
Profile Name
Other Profiles
Enter a profile name.

This option is activated only if you have selected Other Profiles option in the Profile field.
Activate Profile
Enable Activates the selected profile.
Disable Deactivates the selected profile.
No Change Not to add or remove a profile. This is the default option
Transport Options
Connect To
Select:
Cisco.com if you want to connect to Smart Call Home using Cisco.com
Transport Gateway, if you want to connect to Smart Call Home using a transport gateway.
Other, if you want to connect to Smart Call Home using transport option other than Cisco.com or
Transport Gateway.
CiscoTAC-1 profile does not support the Transport Gateway and Other option. So this option is not
activated when you select CiscoTAC-1 profile.
Transport Details
Transport Method
Select:
No Change To make no change to the transport settings
E-mail To use e-mail as the transport method. This option is selected if Transport Gateway is
selected as the Connect to option and the HTTPS option is not activated.
HTTPS To use HTTPS as the transport method.
E-mail Address
Enter the e-mail address, if you have selected E-mail as the transport method.
HTTPS URLs
Enter the HTTPS URL, if you have selected HTTPS as the transport method.
Alert Groups
Inventory
Select any of the following:
Enable if you want to subscribe to the Inventory Alert Group.
Disable if you do not want to subscribe to the Inventory Alert Group.
No Change if you do not want to subscribe to or unsubscribe from Inventory Alert Groups. This
is the default option.
If you have selected CiscoTAC-1 Profile, you cannot change the Alert groups or Alert group settings.
If you have selected Other Profiles, you can change the Alert groups and Alert group settings.
5-78
OL-25941-01
Chapter 5

Field/Button
Description
Periodicity
Specify the periodicity for receiving these Inventory alerts. You can select:
DOW
Asynchronous To receive the Inventory alerts on a specified day or time. In other words, not
in a periodic manner.
Daily To receive the Inventory alerts every day
Weekly To receive the weekly consolidated Inventory alerts.
Monthly To receive the monthly consolidated Inventory alerts
DOW refers to Date of Week.

This list box is activated only if you select Weekly as the periodicity for receiving the Inventory alerts.
Select any of the following days of the week:
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sun is the default value.

For example:
Select Tue if you want to receive Inventory alerts every Tuesday.
DOM
DOM refers to Date of Month.

This list box is activated only if you select Monthly as the periodicity for receiving the Inventory
alerts.
Select any value from 1 and 31 to receive Inventory alerts every month on the specified date.
Day 1 is the default value.
For example:
Select 5, if you want to receive Inventory alerts on the 5th day of every month.
Begin Time
Specify the date and time at which you want to receive the Inventory alerts.
The format supported is hh:mm, where hh refers to hours and mm refers to minutes.
Configuration
Enable if you want to subscribe to the Configuration Alert Group.
Disable if you do not want to subscribe to the Configuration Alert Group.
No Change if you do not want to subscribe to or unsubscribe from Configuration Alert Groups.
This is the default option.

OL-25941-01
5-79
Chapter 5
Field/Button
Description
Periodicity
Specify the periodicity for receiving these Configuration alerts. You can select:
DOW
Asynchronous To receive the Configuration alerts on a specified day or time. In other words,
not in a periodic manner.
Daily To receive the Configuration alerts every day.
Weekly To receive the weekly consolidated Configuration alerts.
Monthly To receive the monthly consolidated Configuration alerts
DOW refers to Date of Week.

This list box is activated only if you select Weekly as the periodicity for receiving the Configuration
alerts.
Select any of the following days of the week:
Sun
Mon
Tue
Wed
Thu
Fri
Sat
Sun is the default value.

For example:
Select Tue if you want to receive Configuration alerts every Tuesday.
DOM
DOM refers to Date of Month.

This list box is activated only if you select Monthly as the periodicity for receiving the Configuration
alerts.
Select any value from 1 and 31 to receive Configuration alerts every month on the specified date.
Day 1 is the default value.
For example:
Select 5, if you want to receive Inventory alerts on the 5th day of every month.
Begin Time
Specify the date and time at which you want to receive the Configuration alerts.
The format supported is hh:mm, where hh refers to hours and hh refers to minutes.
Syslog
Enable if you want to subscribe to the Syslog Alert Group.
Disable if you do not want to subscribe to the Syslog Alert Group.
No Change if you do not want to subscribe to or unsubscribe from Syslog Alert Groups. This is
the default option.
5-80
OL-25941-01
Chapter 5

Field/Button
Description
Severity
Select from any of these severities:
catastrophic
disaster
fatal
critical
major
minor
warning
notification
normal
debugging
You will be notified when a syslog of the selected severity occurs.

Patterns
Specify a pattern of Syslogs for which you want to receive alerts.
Environment
Enable if you want to subscribe to the Environmental Alert Group.
Disable if you do not want to subscribe to the Environmental Alert Group.
No Change if you do not want to subscribe to or unsubscribe from Environment Alert Groups. This
is the default option.
Severity
catastrophic
disaster
fatal
critical
major
minor
warning
notification
normal
debugging
You will be notified when an environment event of the selected severity occurs.

OL-25941-01
5-81
Chapter 5
Field/Button
Description
Diagnostics
Enable if you want to subscribe to the Diagnostics Alert Group.
Disable if you do not want to subscribe to the Diagnostics Alert Group.
No Change if you do not want to subscribe to or unsubscribe from the Diagnostics Alert Groups.
This is the default option.
Severity
catastrophic
disaster
fatal
critical
major
minor
warning
notification
normal
debugging
You will be notified when a diagnostics alert of the selected severity occurs.
Applicable Devices
Allows you to view the IOS devices in your selection.
Save
Saves the information you have specified.
Reset
Clears all fields and reverts to the default settings.
Cancel
Ignores your changes.
5-82
OL-25941-01
Chapter 5

Syslog Task
You can use the Syslog system-defined task to configure the collection of syslog messages from devices.
Content Engine
CSS
NAM
PIX OS

You can enter the details of this task in the Syslog Configuration dialog box. (To invoke this dialog box,
The fields in the Syslog Configuration dialog box are:
Group
Sub-group
Field
Description
Common
Parameters
Logging Host
Action
Select the required option to enable, disable, or make no change to list

of hosts that receive syslog messages.
Ex:
Enter the IP addresses of hosts to be added to or removed from the list
host1.domain,hos of hosts that receive syslog messages.
t2,1.2.3.4:
IOS
Parameters
Logging On
Action

syslog state.
Select No Change to make syslog setup changes without enabling or
disabling syslog logging.
Logging
Facility
Logging Level
Buffered
Action

syslog logging facility.
Parameter
Select the logging facility to which the syslog messages are logged.
Action
Select the required option to enable, disable, or make no change to the

buffered logging level.

OL-25941-01
5-83
Chapter 5
Group
Sub-group
Console
Field
Description
Conditions
Select the required logging level from the drop-down list:
Default
alerts
critical
debugging
emergencies
errors
informational
notifications
warnings
Action

console logging level.
Conditions
Select the required logging level from the drop-down list.
Action

monitor logging level.
Conditions
Action

trap logging level.
Conditions
Console
Logging On
Action

console logging.
Server Logging
On
Action

server logging.
Logging Level
Action

logging level.
Facility
Select the logging facility to which the syslog messages are logged.
Level
Logging On
Action

logging.
Destination
Console
Select this option to specify the console as the logging destination.
Disk
Select this option to specify the disk as the logging destination.
Action

Parameter
Select the logging facility to which the syslog messages are to be

logged.
Monitor
Trap
CatOS
Parameters
Content Engine
Parameters
Logging
Facility
5-84
OL-25941-01
Chapter 5

Group
Sub-group
Field
Description
Logging
Priority
Console
Action

console logging priority.
Conditions
Select the required logging priority from the drop-down list.
Action

disk logging priority.
Conditions
Action

host logging priority.
Conditions
Time Stamp

time stamp specification.
Disk
Host
PIX
Parameters
Logging On
Logging
Facility
Message
Logging Level
Buffered
Console
Monitor
Trap
CSS
Parameters
Logging to
Disk
Action

Parameter
Select the logging facility to which the syslog messages are to be

logged.
Action

syslog message configuration.
Syslog Message
ID
Enter the syslog message ID.
Conditions
Clear Buffer
Select to clear the buffer.
Action

buffered logging level.
Conditions
Action

console logging level.
Conditions
Action

monitor logging level.
Conditions
Action

trap logging level.
Conditions
Facility
Select the logging facility to which to log syslog messages.
Logging Level
CLI Command
Select the required option to add, remove, or make no change to the

CLI commands.
Disk

option of logging to disk.

OL-25941-01
5-85
Chapter 5
Group
Sub-group
Logging to
Line
Logging to
Mail
NAM
Parameters
Field
Description
Logfile Name
Enter the log file name.
Buffer

buffer configuration.
Size [0-64000]
Enter the size of the buffer. Enter a value between 0 and 64000 bytes.
To sys.log

option of logging to a file called sys.log.
Line
Choose this option to send the log activity of a subsystem to an active

CSS session.
Active Session
Name
Enter the name of the active session. Enter a case-sensitive unquoted

text string with a maximum length of 32 characters.
Send Mail

e-mail option.
Mail Address
Enter the e-mail IDs (comma separated).
SMTP Host
(Name or IP
Address)
Enter the SMTP hostname or the IP address.
Logging Level
Domain Name
(Optional)
Enter the domain name of the SMTP host. This is an optional field.
MIB Threshold Local
Voice
System
Debug

local MIB threshold.
Remote

remote MIB threshold.
Local

voice (local).
Remote

voice (remote).
Local

system (local).
Remote

system (remote).
System

Debug (system).
this task applies.
5-86
OL-25941-01
Chapter 5

SSH Configuration Task

You can use the SSH system-defined task to configure SSH on devices.
Content Engine
CSS
NAM

You can enter the details of this task in the SSH Configuration dialog box. (To invoke this dialog box,
For this task to work correctly, you must use a CLI-based protocol (Telnet or SSH) as the download
protocol.
this task applies.
Group
Sub-group
Common
Key
Parameters Configuration
Field
Description
Action
Select the required option to enable, disable, or make no change to the key
configuration.
IOS
Prerequisites
Parameters
The Hostname and Domain name need to be configured for the devices.
Key
Configuration
Number of Key
Bits [360-2048]
Enter the number of Key bits to be used for Key generation. The value must
be between 360 and 2048 Key bits.
Timeout
Action
Select the required option to add, remove, or make no change to the timeout
value.
Timeout Value
[1-120):]
Enter timeout value for SSH sessions. The value should be between 1 and
120.
Action
Select the required option to add, remove, or make no change to the number
of retries.
Number of
Retries [1-5]
Enter the number of retries allowed. The number must be between 1 and 5.
SSH Daemon
Select the required option to enable, disable, or make no change to the SSH
daemon.
Number of Key
Bits [512-2048]
SSH Timeout
Enter login grace time for SSH sessions, in seconds. Value must be between
1 and 99999.
Retries
CE
SSH
Parameters Prerequisites
Password-guesse Specify the number of password retries allowed. The value must be
s [1-99]
between 1 and 99.

OL-25941-01
5-87
Chapter 5
Group
Sub-group
CSS
Parameters
Port
Field
Description
Number of
Server Key Bits
[512-32768]
Action
Select the required option to enable, disable, or make no change to the port
configuration.
Port Number
[22-65535]
Enter the port number. This value can be between 22 and 65535.
KeepAlive
Select the required option to add, remove, or make no change to keepalive.
this task applies.
TACACS Configuration Task

You can use the TACACS system-defined task to configure TACACS authentication.
This task supports the IOS device category including Cable devices.
You can enter the details of this task in the TACACS Configuration dialog box. (To invoke this dialog
Group
Sub-group
Field
Description
Action
Select to enable, disable, or make no change to the TACACS Server

configuration.
Hostname or IP
Address
Enter the hostname or the IP address of the TACACS server.
Action
Select to enable, disable, or make no change to the login authentication

details.
Username
Enter the username. These values are entered only in the Device and
Credential Repository. They do not affect device configuration. For
details see Understanding the NetConfig Credentials Configuration
Tasks.
Password
Enter the enable password. For details see Understanding the

Verify
Re-enter the enable password. For details see Understanding the

Action
Select to enable, disable, or make no change to the server retransmit

configuration.
Common
Parameters
Server
Configuration
Login
Authentication
Credentials
IOS Parameters
Server
Retransmit
5-88
OL-25941-01
Chapter 5

Group
Sub-group
Server Timeout
Field
Description
Retries [0-100]
Enter the number of re-tries.
Action
Select to enable, disable, or make no change to the server timeout

value.
Timeout [1-1000] Enter the timeout value.

Enable mode
Authentication
Credentials
Action
Select to enable, disable, or make no change to the enable mode

authentication.
Username
Enter the username
Password
Verify
TACACS+ Configuration Task

You can use the TACACS+ system-defined template to configure TACACS+ on devices.
This task supports the following device categories:
Catalyst OS
Content Engine
NAM

You can enter the details of this task in the TACACS+ Configuration dialog box. (To invoke this dialog
Group
Sub-group
Field
Description
Server
Action
Select to enable, disable, or make no change to the TACACS Server

configuration.
Hostname or IP
Address
Enter the hostname or the IP address of the TACACS server.
Action
Select to add, remove, or make no change to the TACACS

encryption Key.
Key
Enter the TACACS encryption key. The key is used to set

authentication and encryption. This key must match the key used on
the TACACS+ daemon. The key can be of any size.
Verify Key
Common
Parameters
TACACS Server
Configuration
Key

OL-25941-01
5-89
Chapter 5
Group
Sub-group
Login
Authentication
Credentials
Field
Description
Action
Select to enable, disable, or make no change to the TACACS+

authentication.
If login authentication is enabled, then when you try to login to

the device, you are authenticated by the TACACS server.
If login authentication is disabled, then you are not

authenticated by the TACACS server when you log in to the
device.
Username
Enter TACACS+ username. These values are entered only in the

Device and Credential Repository. They do not affect device
configuration. For details see Understanding the NetConfig
Credentials Configuration Tasks.
Password
Enter TACACS+ password. For details see Understanding the

Verify
Re-enter the password to confirm. For details see Understanding the

Action
Select to enable, disable, or make no change to the enable mode

authentication.
Password
Verify
Name
Enter default or named list.
Set to Default
Select to set the default list.
(Drop-down list
1)
IOS Parameters
Enable mode
Authentication
Credentials
List
Type
No Choice
radius
tacacs+
line
enable
local
none
New Model
Action
Select to enable, disable, or make no change to the new model state.
Action
Select to add, remove, or make no change to the enable mode

authentication.
Password
Verify
CatOS
Parameters
Enable mode
Authentication
Credentials
Server Options Primary
Click to designate specified server as primary TACACS server.
5-90
OL-25941-01
Chapter 5

Group
ContentEngine
Parameters
Sub-group
Field
Description
All
Click to clear all hosts from the list of TACACS servers, if you
selected remove in Action field.
Server Option
Primary
Select to specify the server as primary.
Password
Option
ASCII Password
Select for an ACSII password.
Connection
Options
Timeout
Enter the timeout value.
Retries
Enter the number of retries.
NAM Parameters
No category-specific commands
The TACACS Server Key should be DES encrypted for NAM
devices.
At the time of enabling login authentication or enable mode authentication, it is mandatory for you to
enter the username and password.
At the time of disabling login authentication or enable mode authentication, these fields are optional.
While disabling login authentication or enable mode authentication, if username and password are not
provided, then the corresponding fields in DCR are cleared and left blank. This may make the device
unreachable. Therefore we recommend that you provide the username and password at the time of
disabling login authentication.
Telnet Password Configuration Task

You can use the Telnet Password system-defined configuration task to change the Telnet password on
devices.
Catalyst OS
PIX OS

You can enter the details of this task in the Telnet Password Configuration dialog box. (To invoke this
For details on the NetConfig credentials configuration tasks, see Understanding the NetConfig
Credentials Configuration Tasks.
If you change the Telnet password on a Catalyst device with an RSM module using this template, the
RSM Telnet password is also changed.

OL-25941-01
5-91
Chapter 5
The fields in the Telnet Password Configuration dialog box are:

Group
Sub-group
IOS
Vty Lines
Parameters
Console Line
Aux Line
CatOS
Telnet
Parameters Password
Field
Description
Action
Select an option to enable, disable, or make no change to the Vty Line

password.
Password
Enter the Vty Line password. If you select vty, the change affects all device
vty lines, and the Device and Credential Repository is updated with the new
password.
Verify
Re-enter the Vty Line password to confirm.
Action
Select an option to enable, disable, or make no change to the Console Line

password.
Password
Enter the Console Line password.
Verify
Re-enter the Console Line password to confirm.
Action
Select an option to enable, disable, or make no change to the Auxiliary

(AUX) Line password.
Password
Enter the Aux Line password.
Verify
Re-enter the Aux Line password to confirm.
Action
Select an option to enable, disable, or make no change to the Telnet

password.
The Device and Credential Repository is updated with the new password.
Password
Enter the Telnet password.
Verify
Re-enter the Telnet password to confirm.
Apply command
on modules
Select this option to update only the non IP addressable modules.

If you select the Action as Disable, the password will be removed.
Disable will set

an empty
password
PIX
Parameters
Action
Select the required option to replace, reset, or make no change to the

password.
Password
Enter the password.
Verify
Re-enter the password to confirm.
Encrypted
Password
Select this option, if the password you are entering is already encrypted.
Transform System-Defined Task

You can use the Transform system-defined task to configure IPSec on devices. You must configure the
IKE configuration system-defined task before configuring the Transform system-defined task.
PIX OS
5-92
OL-25941-01
Chapter 5

You can enter the details of this task in the Transform Set Configuration dialog box. (To invoke this
The fields in the Transform Set Configuration dialog box are:
Group
Sub-Group
Field
Description
Seconds
Configuration
Seconds
[120-86400]
Enter the number of seconds that will be used for

negotiating IPSec security association (SA).
Remove
Select this option to remove previously specified seconds

value, if any.
Kilo Bytes
[2560-536870912]
Enter the amount of traffic in kilobytes that will be used for

negotiating IPSec SA.
IOS Parameters
Security
Association
Configuration
Kilo Bytes
Configuration
IPSec Transform
Set Configuration
Remove
Select this option to remove previously specified value, if

any.
Action
Select the required option to add, remove or make no

change to transform set configuration.
This sub-group of fields is applicable only to IOS version
12.1 and above.
Note: Only for IOS

12.1 and higher.
Transform Set
Name
Enter a name for the transform set.
Auth Header
Select the type of authentication algorithm.
ESP Encryption
Select the type of encryption algorithm with ESP.
ESP Authentication Choose the type of authentication algorithm with ESP.

IP Compression
Select to use IP compression with LZS algorithm.
Transport Mode
Select the mode of transport.
Seconds
[120-86400]
Enter the number of seconds that will be used for

PIX Parameters
Security
Association
Configuration
The value must be between 120 and 86400 seconds.

Kilo Bytes
Enter the amount of traffic in kilobytes that will be used for

The value must be between 2560 and 536870912 kilo
bytes.
IPSec Transform
Set Configuration
Action
Select the required option to add, remove or make no

change to transform set configuration.
Transform Set
Name
Enter the name for the transform set.
Auth Header
Select the type of authentication algorithm.

OL-25941-01
5-93
Chapter 5
Group
Sub-Group
Field
Description
ESP Encryption
Select the type of encryption algorithm with ESP.
ESP Authentication Select the type of authentication algorithm with ESP.

IP Compression
Select to use IP compression with LZS algorithm.
Transport
Select the mode of transport.
Web User Task

You can use the Web User configuration task to configure the web user for NAM devices. This is a
System-defined task. For more details, see Table 5-5. You can enter the details of this task in the Web
User Configuration dialog box.
To invoke this dialog box, see Starting a New NetConfig Job.
box, see Understanding the System-defined Task User Interface (Dialog Box).. The fields in the in the
Web User Configuration dialog box are:
Group
Sub-group
Field
Description
NAM Parameters
Web User
Action
Select an option to add, remove, or make no change

to the web user group of fields.
Username
Enter the username of the web user.
Password
Enter the password for the username.
Verify
Re-enter the password to confirm.
Account Management
Select the required option to enable, disable or

make no change to account management.
System Config

make no change to system configuration.
Capture

make no change to the capture configuration.
Alarm Config

make no change to the alarm configuration.
Collection Config

make no change to the collection configuration.
Privileges
Click Applicable Devices to view the devices in your selection to which this task applies.
User-defined Protocol Task

You can use the User-defined Protocol task to configure the user-defined protocol on NAM devices. This
is a system-defined task.
You can enter the details of this task in the User-defined Protocol Configuration dialog box. (To invoke
5-94
OL-25941-01
Chapter 5

The fields in the in the User-defined Protocol Configuration dialog box are:
Group
Sub-group
Field
Description
NAM Parameters
User Defined
Protocol
Action
Select an option to add, remove or replace the

user-defined protocol.
Protocol
Select the protocol:
Affected Stats
TCP
UDP
Port [0 - 65535]
Enter the port number. You can enter any port

number in the range of 065535.
Name
Enter the name of the user-defined protocol.
Host
Select this option to enable hostExamines a

stream of packets; produces a table of all network
addresses observed in those packets (also known
as the collection data).
Each entry records the total number of packets and
bytes sent and received by that host and the
number of non-unicast packets sent by that host.
Conversations
Select this option to enable host conversations.
ART
Select this option to enable Application Response

Time.
Cable BPI/BPI+ Task

You can use the Cable BPI/BPI+ Task to assign BPI/BPI+ options.
This task is applicable to the Cable device category. For more details, see Table 5-5.
You can enter the details of this task in the Cable BPI/BPI+ Configuration dialog box. (To invoke this

OL-25941-01
5-95
Chapter 5
The fields in the Cable BPI/BPI+ Configuration dialog box are:

Group
Sub-Group
Field
Description
BPI/BPI+
Interface
Configuration
Cable Interface Allows you to select an interface to modify the other fields. You must select
at least one interface.
Select the cable interface that you want to change.
BPI
Key Lifetime
Action
Select the appropriate option:
No ChangeDoes not change the existing configuration.
EnableEnables this option.
DisableDisables this option.
Select the appropriate option:
No ChangeDoes not modify this option.
ReplaceModifies this option to your specification.
DefaultResets this option to the system default.
KEK Lifetime Replaces the time (in seconds) using the specified values or resets the time
[300 - 604800] using the system default.
Enter time in seconds to reset the time.
Enter a value from 300604800 seconds. The default is 604800 seconds.
Select the check box to reset the field to system default.
TEK Lifetime Replaces the time (in seconds) using your values or resets the time using
[180 - 604800] the system default.
Enter time in seconds to reset the time using your values.
The range is 180 - 604,800 seconds and the default is 43,200 seconds.
Select the check box to reset the field to system default.
BPI/BPI+
Options
Action
Select the required options:
Mandatory
Select to force all modems to use BPI.
Authenticate
Modem
Select to turn the BPI modem authentication on or off.
Authorize
Multicast
Select to turn BPI Multicast option on or off.
OAEP Support Select to enable or disable Optimal Asymmetric Encryption Padding

(OAEP) BPI+ encryption.
DSX Support
Select to enable or disable encryption for dynamic services SIDs.
40 Bit Des
Select to indicate that you have chosen the 40 bit DES encryption.
The system default is 56 DES encryption. This is the Cisco recommended
encryption.
5-96
OL-25941-01
Chapter 5

Click Applicable Devices to see the devices in your selection, to which this task applies.
Cable DHCP-GiAddr and Helper Task

You can use this task to configure the GiAddr field of DHCPDISCOVER and DHCPREQUEST packets
with a relay IP address before they are forwarded to the DHCP server. You can apply this task only for
a single Cable-CMTS device at a time.
You can enter the details of this task in the Cable DHCP-GiAddr and Helper Configuration dialog box.
(To invoke this dialog box, see Starting a New NetConfig Job.)
Note
You can apply this task only to a single device at a time because cable templates configure interfaces on
devices.
The fields in the Cable DHCP-GiAddr and Helper Configuration dialog box are:
Group
Config Setup
Sub-Group
Field
Description
Cable Interface
Select a cable interface to make the configuration changes

to the selected interface, from the drop-down list.
If there are no interfaces available, you will see the option
No Interfaces Found in the drop-down list. You should make
sure that the device is reachable and then select a valid
interface.
Action
Select an option from the drop-down list.

The options are:
No ChangeDoes not change the current

configuration.
Add/ModifyAdds a new GiAddr or Helper Address

or both, or modifies an existing GiAddr or Helper
Address or both.
RemoveRemoves the GiAddr or Helper Address or

both.
Select an option to Add or Modify, from the drop-down list:
DHCP-Giaddr & Helper-AddressEnables you to set

the DHCP GiAddr to Policy or Primary. You can also
specify values for the fields in the Cable Helper
Addresses group.
DHCP-GiaddrEnables you to set the DHCP GiAddr

to Policy or Primary.
Helper-AddressEnables you to specify values for the

fields in the Cable Helper Addresses group.

OL-25941-01
5-97
Chapter 5
Group
Sub-Group
Field
Description
Cable DHCP Giaddr
Policy
Allows you to set the DHCP GiAddr to Policy or Primary:
Primary
PolicySelects the control policy, so the primary

address is used for cable modems and secondary
addresses are used for hosts.
PrimaryAlways selects the primary address for

GiAddr field.
Enable this field by selecting Helper Address.

Cable Helper
Addresses
Helper Address
Cable-Modem
Host
Host &
Cable-Modem
Allows you to enter the Helper Address to Cable Modem,

Host or Host & Cable Modem.
Cable-ModemSpecifies that only Cable Modem UDP

broadcasts are forwarded.
HostSpecifies that only host UDP broadcasts are

forwarded.
Host & Cable ModemSpecifies that both host and

cable modem broadcasts are forwarded.
Enable this field by selecting Action as DHCP GiAddr &

Helper Address or by selecting Action as Helper Address.
Cable Downstream Task

You can use this task to configure the Annex, Channel-ID, Frequency, Modulation, Interleave depth, and
Set rate limit of a downstream cable interface. You can also configure the Radio Frequency (RF) output
of a downstream cable interface on a Cisco uBR7100 router.
This task is applicable only to Cable devices.
You can enter the details of this task in the Downstream Configuration dialog box. (To invoke this dialog
Note
You can apply this task to a maximum of one Cable-CMTS device at a time.
5-98
OL-25941-01
Chapter 5

The fields in the Downstream Configuration dialog box are:

Group
Sub-Group
Cable
Parameters
Activate/
Shutdown
Field
Description
Cable Interface
Select the required option from the drop-down list. Select a

cable interface to make the required configuration changes.
If you do not want to select any cable interface, choose the
Not Selected option.
Action
Allows you to shutdown or activate the selected interface.
Configure
The options are:
Interleave Depth
Interleave Depth
No ChangeDoes not allow modification of any fields

in this sub-group of fields.
ShutdownDeactivates the DS port.
No ShutdownActivates the DS port.
Allows you to select the interleave depth of a channel. The

depth can be between 8 and 128. The default is 32.
Specify the interleave depth by selecting the appropriate
option from the drop-down list.
Framing Format
Modulation
Remove
Select to remove the interleave depth configuration.
MPEG Framing Format
Select the MPEG framing format from the drop-down list.

The options are:

Annex AFor Cisco uBR-MC16E cable interface card

and Cisco uBR7111E and Cisco uBR7114E Universal
Broadband Routers.
Annex BFor all other Cisco cable interface cards.
Remove
Select to remove a previously-specified MPEG framing

format configuration.
Modulation
Sets the modulation for a downstream port on a cable

interface.
Select the required option. The options are:
Channel
Frequency

64 qam
256 qam
Remove
Select to remove a previously-specified modulation

configuration.
Channel ID (0-255):
Channel-ID can be from 0 and 255. Specify the channel-ID.
Remove
Select to remove the Channel ID.
Frequency (54-858 MHz)
Frequency range can be from

54MHz -1,000MHz. Enter the frequency.
Remove
Select to remove a previously-specified frequency range.

OL-25941-01
5-99
Chapter 5
Group
Sub-Group
Traffic Shaping
Field
Description
Rate Limit
Select the required option from the drop-down list. The

options are:
Rate Limit Algorithm

(Optional):
Token Bucket
(Optional)
Granularity in Milli
seconds (Optional):

in this group of fields.
NoneDoes not modify the rest of the fields.
Token-bucket with DS Traffic ShapingModifies the

Token Bucket Algorithm option.
Token-bucket without DS Traffic ShapingModifies

the Token Bucket without DS Traffic Shaping
Algorithm option
Weighted-discardModifies the Weighted Discard

option.
Specifies traffic shaping granularity in milliseconds.

This field is enabled only if you have selected the Rate Limit
Algorithm as Token-bucket with DS Traffice Shaping.
Select the required value from the drop-down list. You can
choose a value between 1 and 16 msec.
Max Delay in Milli

seconds (Optional):
Sets the maximum buffering delay in milliseconds.

Algorithm as Token-bucket with DS Traffice Shaping.
Select the required value from the drop-down list. You can
choose a value between 128 and 1024.
Weighted
Discard (1-4)
(Optional)
Weight for the exponential Sets the weighted discard algorithm.

moving average of loss
rate
Algorithm as Weighted Discard.
Enter a weight between 1 and 4.
Click Available Devices to view the list of devices from your selection, to which this task applies.
Cable Upstream Task

Use this task to configure the frequency, minislot size, power level and admission control on upstream
cable interfaces. You can apply this task to a maximum of one Cable-CMTS device at a time.
This task is applicable only to Cable devices.
You can enter the details of this task in the Upstream Configuration dialog box. To invoke this dialog
box, see Starting a New NetConfig Job.
5-100
OL-25941-01
Chapter 5

Note
You can apply this task to a maximum of one cable device at a time.
The fields in the Upstream Configuration dialog box are:
Group
Sub-Group
Config Setup
Field
Description
Cable Interface
Allows you to select cable interfaces for configuration.

Select the cable interfaces from the drop-down list.
Activate/
Activate/Deactiv
Deactivate US Port ate
Frequency
Value [5-42
MHz]
Select one of these options from the drop-down list.

The options are:
ShutdownDeactivates this port.
No ShutdownActivates this port.
Enter the required frequency value in the range 542 MHz.

The range for the frequency is:
Set to Default
565 MHz for Cisco uBR-MC16E cable interface line card
542 MHz for all other cable interface line cards.
Select this option to set the default frequency. A negation

command is generated to remove the frequency value and set the
default.
This is because the default frequency value is dynamic and varies
from device to device.
Power
Configuration
Power Level
Power Adjustment
Value [-10-+25
dBmV]:
Enter the power level.
Set to Default
Select this option to set the default power level. The default is
0dBmV.
Continue [2-15
dB]
Enter the power adjustment value.
Set to Default
Select this option to set the default power adjustment value. The
default is 2dB.
Noise
Enter the power adjustment noise level.
The valid range for the power level is between -10dBmV and
+25dBmV.
The valid range for power adjustment value is between 2dB and
15dB.
The valid range for the power adjustment noise value between 10
and 100%.
Set to Default
Select this option to set the default noise value. The default is 30%.
Threshold [0-10
dB]
Enter the power adjustment threshold value.
Set to Default
Select this option to set the default power adjustment threshold

value. The default is 1dB.
The valid range for the power adjustment threshold value is

between 1dB and 10dB.

OL-25941-01
5-101
Chapter 5
Group
Sub-Group
Admission
Control
Field
Description
Value [0 1000%]
Indicates the maximum cumulative bandwidth reservation allowed

before new CMs are rejected.
The valid range is between 10% and 1000%.
Minislot Size
Set to Default
Select this option to set the default admission control value. The
default value is 100%.
Size
Select the required options. The options are:
No Change
16
32
64
128
[default]
Select No Change to make no changes in this field.

Channel
Width(Hz)
Size
Select the required channel width option. The options are:
No ChangeDoes not modify the existing configuration.
200000
400000
800000
1600000 (default)
3200000
Select No Change to make no changes in this field.

Concatenation
FEC
Concatenation
FEC
Fragmentation
Fragmentation
Select one of these options:
No ChangeDoes not modify the existing configuration
Select one of the following options for Enable Forward Error

Correction (FEC):
No Change - Does not modify the existing configuration.
Enable - Enables this option.
Disable - Disables this option.
Select the required fragmentation option. The options are:
5-102
OL-25941-01
Chapter 5

Group
Rate Limit
Data Backoff
Sub-Group
Field
Description
Rate Limit
Select the required rate limit option. The options are:
Apply Token
Bucket
Algorithm
Click the check box to apply this option.
Enable Traffic
Shaping
Click the check box to apply this option.
Data Backoff
Select the required data backoff option. The options are:
If you choose Enable, you can perform data back off

automatically, or manually by entering the start and end values.
Automatic
Choose this to apply a default value for data automatically.
Start Value [0-15] Enter the start value.

The valid range for the start value is 0 and 15. There is no default
value.
End Value [0-15] Enter the end value.
The valid range for the end value is 0 and 15. There is no default
value.
Range Backoff
Range Backoff
Automatic
EnableAllows you to perform data back off automatically,

or manually by entering the start and end values.
Select this, to apply a range back-off value automatically.
Start Value (0-15) Enter the start value.

The valid range for the start value is 0-15. There is no default
value.
End Value (0-15) Enter the end value.
The valid range for the end value is 0-15. There is no default value.
Click Available Devices to view the list of devices from your selection, to which this task applies

OL-25941-01
5-103
Chapter 5
Cable Interface Bundling Task

You can use this task to configure the interface bundling. You can apply this task only to a single
Cable-CMTS device at a time.
You can enter the details of this task in husbanded Configuration dialog box. (To invoke this dialog box,
Note
At a time, you can apply this task only to a single device, because cable templates configure interfaces
on devices.
The fields in the Bundle Configuration dialog box are:
Group
Field
Description
Cable
Parameters
Action
No ChangeDoes not modify the existing parameters.
AddEnables you to configure an interface as a master interface or a slave interface.
RemoveEnables you to change the previous configuration of the interface (master to slave
or vice versa).
Choose the option from the drop down list.

Bundle ID
(1-255)
Indicates the bundle identifier.
Master
Interface
Allows you to configure the primary interfaces.
Enter a bundle ID between 1 and 255.

Select the cable interface from the list of primary interfaces.
Select Not Selected if you do not want to select a primary interface.
Slave
Interface
Allows you to configure the secondary interfaces.

Select the cable interface from the list of secondary interfaces.
Select Not Selected if you do not want to select a secondary interface.
Cable Spectrum Management Task

You can use this task to create and assign spectrum groups to cable interfaces and upstream interfaces.
This task supports cable devices.
You can enter the details of this task in the Cable Spectrum Management Configuration dialog box. To
invoke this dialog box, see Starting a New NetConfig Job.
5-104
OL-25941-01
Chapter 5

The fields in the Cable Spectrum Management Configuration dialog box are:
Group
Sub-Group
Spectrum
Spectrum
Management Group
Field
Description
Action
No ChangeDoes not allow you to make any changes in

the Spectrum group of fields.
AddAllows you to add options.
RemoveAllows you to remove options.
Spectrum Group ID [1 - 32] Enter the Spectrum Group ID. The range for Spectrum Group
ID is 132.
Frequency Setting
Select one of these frequency settings:
Start Frequency [5 - 42
MHz]
BandEnter a range of frequencies.
FixEnter a fixed frequency.
Enter the start frequency.

The range of frequencies is:
uBR-MC16E cable interface card
5MHz65MHz for Cisco
5MHz42MHz for all other cable interface cards
End Frequency [5 - 42 MHz] Enter the end frequency.

The range of frequencies is:
uBR-MC16E cable interface card
5MHz65MHz for Cisco
5MHz42MHz for all other cable interface cards.
This field is enabled only if you choose Fix as the value in the
Frequency Setting filed, in the Spectrum Group.
Optional
Configuration
Power Level [-10 - 25

dBmV]
Enter the Power Level.
Hop Period [5 - 300 Sec]
Enter the Hop period.
The valid power levels are between -10dBmV and +25dBmV.

The default is 0dBmV.
The valid range for a Hop Period (in seconds) is between 1 and
3600. The default for Advanced Spectrum Management is 25
seconds. For all others, the default is 300 seconds.
This field is enabled only if you choose Add as the value in
the Action field, in the Spectrum Group.
Hop Threshold [0 - 100%]
Enter the Hop Threshold.

The valid range for Hop Threshold is between 1 and 100%.
The default is 20%.
This field is enabled only if you select Add as the value in the
Action field, in the Spectrum Group.

OL-25941-01
5-105
Chapter 5
Group
Sub-Group
Schedule
Interface
Assignment
Field
Description
Shared RF Spectrum Group

Configuration
Indicates that the upstream ports in a spectrum group can share

the same upstream frequency.
Schedule
Select one of these options from the drop down list:
No ChangeDoes not allow you to enter the scheduling

information.
AddAllows you to add a scheduled task.
DeleteAllows you to delete a scheduled task.
Schedule Day
Select the schedule day from the drop-down list.
Schedule Time (hh:mm:ss)
Enter the schedule time in the hh:mm:ss format.
Action
Select one of these option from the drop-down list:
No ChangeDoes not allow changes to the existing

assignment.
AssignAllows you to assign an interface.
UnassignAllows you to unassign an interface.
Cable Interface
Select a cable interface from the drop-down list.
Spectrum ID [1 - 32]:
Enter the Spectrum ID. The range for Spectrum ID is between

1 and 32.
This field is disabled if you chose Unassign as the value in the
Action field, in the Interface Assignment sub-group.
Cable Trap Source Task

You can use this task to configure SNMP Traps hosts, notification, message and notification of SNMP
Traps on a cable interface.
This task supports cable devices.
You can enter the details of this task in the Trap Source Configuration dialog box. (To invoke this dialog
The fields in the Trap Source Configuration dialog box are:
Group
Sub-Group
Field
Description
Trap Source
Configuration
Trap Source
Interface
Action
Select the required option to add, remove or make no change to a

Trap Source interface.
Trap Source
Interface
Select the required trap source interface from the drop-down list.
5-106
OL-25941-01
Chapter 5

Group
Sub-Group
Field
Description
CM On/Off Trap
Interval
Cable Interface Select the cable interface on which to specify the trap interval.
Interval [0 86400]
Specify a value for the trap interval in the range 0 and 86400
seconds.
Set to Default
Select this to set the trap interval to the default value of 600
seconds.
Support for Auto Smartports and Smartports

Smartport macros provide an easy way to save and share common configurations. Each Smartport macro
is a group of CLI commands. When you apply a Smartport macro on a port, the CLI commands within
the macro will be deployed on the port. If the command fails when applying a macro, either due to a
syntax error or a configuration error, the macro continues to apply the remaining commands on the port.
Auto Smartports macros apply the configuration commands on a port automatically based on the policy
definitions configured in the device.
As part of provisioning Smartports and Auto Smartports, LMS provides the following Netconfig tasks:
Auto SmartportsTask applicable for Device based Netconfig flow
Manage Auto SmartportsTask applicable for Port based Netconfig flow
SmartportsTask applicable for Port based Netconfig flow
Auto Smartports
LMS allows you to configure Auto Smartports macro policies on a device.
If Auto Smartports macro is enabled at device level, all the available ports in the device will be enabled
for auto smartports, except for the ports that are in disabled state.
You can use the Auto Smartports task to:
Enable or disable auto smartports functionality at device level
Apply or remove auto smartports policy definitions
You can enter the details of this task in the Auto Smartports Configuration dialog box.
To invoke this dialog box, see Starting a New NetConfig Job.
Note
The Auto Smartports task is available only in the Device based flow of a NetConfig job. For applying
Auto Smartports task, the minimum supported version of the IOS image should be 12.2(50) SE.

OL-25941-01
5-107
Chapter 5
The fields in the Auto Smartports Configuration dialog box are:

Group
Field
Description
Action
You can select the following actions to enable or disable auto smartports
functionality at device level:
IOS Parameters
Enable/Disable Auto
Smartports
Enable CDP fallback

Built-in Auto
Smartports macro
EnableSelect this action to enable auto smartports
DisableSelect this action to disable auto smartports
Check to enable CDP fallback.
Event trigger identifier Select the following event trigger identifier from the drop-down list:
Associated macro
CISCO_PHONE_EVENT
CISCO_ROUTER_EVENT
CISCO_SWITCH_EVENT
CISCO_WIRELESS_AP_EVENT
CISCO_WIRELESS_LIGHTWEIGHT_AP_EVENT
The macro associated with the event trigger identifier.

The field is automatically populated based on the event trigger identifier
selected.
The following are the macros associated with the event trigger identifier:
Access VLAN
CISCO_PHONE_AUTO_SMARTPORTMacro associated with the

event trigger identifier CISCO_PHONE_EVENT
CISCO_SWITCH_AUTO_SMARTPORTMacro associated with the

event trigger identifier CISCO_SWITCH_EVENT
CISCO_ROUTER_AUTO_SMARTPORTMacro associated with

the event trigger identifier CISCO_ROUTER_EVENT
CISCO_AP_AUTO_SMARTPORTMacro associated with the event

trigger identifier CISCO_WIRELESS_AP_EVENT
CISCO_LWAP_AUTO_SMARTPORTMacro associated with the

event trigger identifier
Enter the Access VLAN value.

The value entered must be greater than zero. For example, 2.
By default, the value for Access VLAN will be 1.
This field is enabled only if you have selected the following event trigger
identifier:
CISCO_PHONE_EVENT
5-108
OL-25941-01
Chapter 5

Group
Field
Description
Voice VLAN
Enter the Voice VLAN value.

By default, the value for Voice VLAN will be 2.
This field is enabled only if you have selected the event trigger identifier
CISCO_PHONE_EVENT
Native VLAN
Enter the Native VLAN value.

By default, the value for Native VLAN will be 1.
This field is enabled only if you have selected the following event trigger
identifier:
User-defined Auto
Smartports macro
Action
Event trigger type
CISCO_ROUTER_EVENT
CISCO_SWITCH_EVENT
You can select the following actions to apply or remove auto smartports
policy:
ApplySelect this action to define auto smartports policy
RemoveSelect this action to remove the existing auto smartports

policy
Select the following event trigger type:
Pre-defined triggerTo associate the auto smartports macro with a

pre-defined event trigger.
User-defined triggerTo associate the auto smartports macro with a

user-defined event trigger.
Event trigger identifier Select the following event trigger identifier from the drop-down list:
CISCO_PHONE_EVENT
CISCO_ROUTER_EVENT
CISCO_SWITCH_EVENT
This drop-down list is enabled only if you have selected the Event trigger
type as Pre-defined trigger.
User-defined event
trigger identifier
Enter the name of the event trigger identifier.

This field is enabled only if you have selected the Event trigger type as
User-defined trigger.

OL-25941-01
5-109
Chapter 5
Group
Field
Description
User defined macro

input mode
Enter the auto smartports CLI commands either through CLI command
interface or import from a file (.txt) that has CLI commands. You can select
the following options:
Macro command(s)
CLI command
Import CLI command from the file
Enter the CLI commands.

For example,
if [[ $LINKUP -eq YES ]]; then
conf t
interface
$INTERFACE
macro description $TRIGGER

switchport access vlan 1
exit
end
fi
if [[ $LINKUP -eq NO ]]; then
conf t
interface
$INTERFACE
no macro description
no switchport access vlan 1
exit
end
fi
This field is enabled only if you have selected the User-defined macro input
mode as CLI command.
Select macro
command input file
from the server
Files
Click Browse and select the file (.txt) that has the CLI commands.
The CLI command file (.txt) should reside in the default location:

/var/adm/CSCOpx/files/rme/netconfig/
On Windows:
NMSROOT\files\rme\netconfig\

Applicable Devices
(Button)
Save
Allows you to view the IOS devices in your selection on which you want
to configure Auto Smartports macros.
(Button)
Reset
Clears all fields and reverts to the default setting.
(Button)
Cancel
(Button)
5-110
OL-25941-01
Chapter 5

Manage Auto Smartports

You can use the Manage Auto Smartports task to enable or disable auto smartports functionality on a
port.
You can enter the details of this task in the Manage Auto Smartports Configuration dialog box. To invoke
this dialog box, see Starting a New NetConfig Job.
Note
The Manage Auto Smartports task is available only in the Port based flow of a NetConfig job.
The fields in the Manage Auto Smartports Configuration dialog box are:
Group
Field
Description
Action
Select the following actions:
IOS Parameters
EnableEnables auto smartports functionality on the port.
DisableDisables auto smartports functionality on the port.
Enable Auto Smartports at

device level
Check the checkbox to enable auto smartports at a device level.
Enable CDP fallback
Check to enable CDP fallback.
Applicable Devices
Allows you to view the IOS devices in your selection on which

you want to configure auto smartports macros.
(Button)
Save
(Button)
Reset
(Button)
Cancel
(Button)
When you schedule a NetConfig job for Manage Auto Smartports task and if you have selected any of
the following Failure Policies, in the Job Schedule and Options dialog box, the rollback functionality
will happen only if the archived configuration contains the command macro auto global processing
[cdp-fallback].
Rollback device and stop
Rollback device and continue
Rollback job on failure

OL-25941-01
5-111
Chapter 5
Smartports
You can use the Smartports task to apply Smartports to a port by selecting the predefined smartports
macros.
You can enter the details of this task in the Smartports Configuration dialog box. To invoke this dialog
box, see Starting a New NetConfig Job.
Note
The Smartports task is available only in the Port based flow of a NetConfig job.
The fields in the Smartports Configuration dialog box are:
Group
Field
Description
Smartport Macro
Select the following predefined smartport macros from the

drop-down list:
IOS Parameters
Built-in Smartport
Macro
Access VLAN
cisco-desktop
cisco-phone
cisco-switch
cisco-router
cisco-wireless
Enter the Access VLAN value.

This field is enabled only if you have selected the following
smartports macros:
Voice VLAN
cisco-desktop
cisco-phone
Enter the Voice VLAN value.

This field is enabled only if you have selected cisco-phone as the
smartports macro.
Native VLAN
Enter the Native VLAN value.

This field is enabled only if you have selected the following
smartports macro:
Applicable Devices
(Button)
cisco-switch
cisco-router
cisco-wireless
Allows you to view the IOS devices in your selection on which

you want to configure auto smartports macros.
5-112
OL-25941-01
Chapter 5

Group
Field
Description
Save
(Button)
Reset
(Button)
Cancel
(Button)
When you schedule a NetConfig job for Smartports task and if you have selected any of the following
Failure Policies, in the Job Schedule and Options dialog box, the rollback functionality will not happen.
Rollback device and stop
Rollback device and continue
Rollback job on failure
PoE Task
You can use the PoE task to configure Power and Power Policing in ports. Power Policing allows you to
turn off power while generating syslogs. This is needed if the real-time power consumption exceeds the
maximum power allocation on the port.
Power policing and ePoE are supported only on Catalyst 3750-E and Catalyst 3560-E switches with PoE
ports.
You can enter the details of this task in the PoE Configuration dialog box. To invoke this dialog box, see
Note
The PoE task is available only in the Port based flow of a NetConfig job.
The fields in the PoE Configuration dialog box are:
Field
Description
Power Management
Power Mode
Select the following power modes:
Auto
Static
Disable
If you select Disable as the power mode, the detection and power for the inline power
capable interface will be disabled.
Max Power
Enter the maximum power for the selected mode.

Maximum power can be upto 20,000 milliwatts.
Power Policing

OL-25941-01
5-113
Chapter 5
Field
Description
Policing
Select the following options for power policing:
On Violation
Enable
Disable
Select the following to either generate a Syslog or to turn off power to the device.
Generate Syslog
Turn-Off Power
Applicable Devices
Allows you to view the IOS devices in your selection on which you want to configure PoE
policies.
Save
(Button)
Reset
(Button)
Cancel
(Button)
You can generate PoE MAX Power Violation syslog report for this task. See Reports Management with
Cisco Prime LAN Management Solution 4.2 for more information.
Catalyst Integrated Security Features

You can use the Catalyst Integrated Security Features task to configure Port Security, DHCP Snooping,
Dynamic ARP Inspection, IP Source Guard and Security Violation on ports.
The Catalyst Integrated Security Feature is supported only on Catalyst 2960, 3560, 3560E, 3750, 3750E
switches.
You can enter the details of this task in the Catalyst Integrated Security Features Configuration dialog
box. To invoke this dialog box, see Starting a New NetConfig Job.
Note
The Catalyst Integrated Security Features task is available only in the Port based flow of a NetConfig
job.
The fields in the Catalyst Integrated Security Features Configuration dialog box are:
Field
Description
IOS Parameters
Port Security
Action
Select the following actions to limit the number of MAC addresses that can be learned
through a port:
Change
Disable
5-114
OL-25941-01
Chapter 5

Field
Description
Maximum Number of MAC

Addresses
Enter the number of MAC addresses.
Security Violation
Select the following security violation modes for a port:
This field is enabled only if the action Change is selected.
ProtectPackets with unknown source addresses are dropped until the sufficient
number of secure MAC addresses drops below the maximum value.
RestrictPackets with unknown source addresses are dropped until the sufficient
number of secure MAC addresses drops below the maximum value, and the Security
Violation counter is incremented.
ShutdownInterface immediately goes into an error-disabled state and sends an SNMP

trap notification.
DisableDisables security violations
DHCP Snooping
Global DHCP Snooping
Enables or disables DHCP Snooping globally.
VLAN DHCP Snooping
Enables or disables DHCP Snooping only on VLAN.
VLAN ID or VLAN Range
Enter the VLAN ID or VLAN range or both.

For example,
Port Trusting
DHCP Messages Per Second
You can enter the VLAN ID as 10.
You can enter the VLAN range separated by a space or a hypen as 1 4,4-8.
You can enter both VLAN ID and VLAN range as 10, 4-8.
Configure port trusting by selecting the following options:
Trust
UnTrust
Configure the DHCP messages rate limit for the ports and enter the number of DHCP
messages that can be received per second.
Dynamic ARP Inspection
VLAN Dynamic ARP Inspection Enables or disables Dynamic ARP Inspection only on VLAN.
VLAN ID or VLAN Range
Enter the VLAN ID or VLAN range or both.

For example,
You can enter the VLAN ID as 10.
You can enter the VLAN range separated by a space or a hypen as 1 4,4-8.
You can enter both VLAN ID and VLAN range as 10, 4-8.
Port Trusting
ARP Messages Per Second
Configure port trusting by selecting the following options:
Trust
UnTrust
Configure the ARP messages rate limit for the ports and enter the number of ARP request
messages that can be received per second.
IP Source Guard

OL-25941-01
5-115
Chapter 5
Field
Description
Action
Configure the IP souce guard by selecting the following actions:
Enable Filter By Source IP
Enable Filter By Source IP and MAC Address
Disable Filter By Source IP
Disable Filter By Source IP and MAC Address
Applicable Devices
Allows you to view the IOS devices in your selection on which you want to configure
Catalyst Integrated Security Features on the ports.
Save
(Button)
Reset
(Button)
Cancel
(Button)
You can generate a Syslog Analyzer report for this task, which lists only the Syslogs that are specific to
Catalyst Integrated Security Features. See Reports Management with Cisco Prime LAN Management
Solution 4.2 for more information.
EEM Environmental Variables Task

You can use this task to configure EEM Environmental Variables (that are used by the TCL script) on
Cisco Catalyst 6500, 2900XL, 2970, 2960, 3550, 3560, 3750, and 3750E switches.
You can enter the details for this task in the Environmental Variables Configuration dialog box. To
invoke this dialog box, see Starting a New NetConfig Job.
The fields in the EEM Environmental Variables Configuration dialog box are:
Field/Button
Description
IOS Parameters
EEM Environmental Variables
Action
Select either:
Add - to add one or more variables.

Or
Variable Name
Remove - to remove one or more variables.
Enter the name for the variable.

Example:
my_counter
You can create a maximum of five variables at a time. If you want to create more variables, create
another instance by clicking Add Instance Button.
5-116
OL-25941-01
Chapter 5

Field/Button
Description
Value
Enter the value for the variable.

Example:
15
Now the variable my_counter will have the value 15.

Applicable Devices
Allows you to view the IOS devices in your selection, to which these variables would be applied to.
Save
Reset
Cancel
Embedded Event Manager Task

You can use this task to configure EEM Scripts or Applets on Cisco Catalyst 6500, 2900XL, 2970, 2960,
3550, 3560, 3750, and 3750E switches.
You can enter the details for this task in the Embedded Event Manager Configuration dialog box. (To
invoke this dialog box, see Starting a New NetConfig Job.)
The fields in the Embedded Event Manager Configuration dialog box are:
Field/Button
Description
IOS Parameters
EEM Configuration
Policy Type
Select either Script or Applet as the policy.
Action
Select Register or Unregister to register or unregister a script or applet.

OL-25941-01
5-117
Chapter 5
Field/Button
Description
Device Directory Options
Create New
Directory
Check this option if you want to create a new directory on the device to copy the applet or script.
If you select this checkbox, the input given in the Directory Name textbox is used to create a new
directory.
This option is activated only when the Script Policy and Register Action options are selected.
Directory Name
Enter the absolute path of the directory where the file needs to be placed on the device.
Example:
disk0:/Testing
Here a new directory Testing is created in the device under disk0 Partition.
Ensure that the selected directory has enough space before the script files are copied.
This option is activated only when the Script Policy and Register Action options are selected.
Upload Script/Applet files from Server
Files
Use this option to either:
Enter the file location to upload the scripts to deploy on the device.
Ensure that you enter the absolute path along with the filename.
You can specify multiple filenames separated by commas.
Or
Browse to the directory and select one or more scripts to deploy on the device.
Use CTRL to select more than one file.
Use Browse to browse to the directory.
You cannot combine tcl files and applet files in a single NetConfig task.
Applicable Devices
Allows you to view the IOS devices in your selection, to which the scripts or applets apply.
Save
Reset
Cancel

For more information, see Monitoring and Troubleshooting with Cisco Prime LAN Management Solution
4.2.
EnergyWise Configuration Task

You can use the EnergyWise Configuration Task to configure EnergyWise on devices.
You can enter the details of this task in the EnergyWise dialog box. To invoke this dialog box, see
Note
The EnergyWise Configuration task is available only in the Device based flow of a NetConfig job.
5-118
OL-25941-01
Chapter 5

The fields in the EnergyWise Configuration dialog box are:

Field
Description
IOS Parameters
Enable/Disable EnergyWise
Configure EnergyWise
Select the following options to enable or disable EnergyWise configuration on the

devices:
EnableTo enable EnergyWise configuration on the devices
DisableTo disable EnergyWise configuration on the devices
No ChangeTo make no change to the EnergyWise configuration on the device.
Domain Configuration
EnergyWise Entity Domain
Enter an EnergyWise domain name. For example, myDomain

This field is disabled if you have selected Disable as the Configure EnergyWise
option.
EnergyWise Entity Secret
Enter the EnergyWise Entity secret name.

option.
Advanced Configuration
Entity Importance (1-100)
Enter the value for EnergyWise Importance.

Importance allows you to differentiate among devices in the domain. The value for
Importance ranges from 1 to 100, where a value of 1 is the lowest and a value of 100
is the highest.
option.
Entity Keywords (comma separated) Enter the keyword. For example, myLobbyphones.
You can set Keyword to identify a specific device or group of devices. You can use
these keywords to query the devices for specific data.
option.
Entity Role
Enter the role for a specific device or device group access.

option.

OL-25941-01
5-119
Chapter 5
Field
Description
EnergyWise Level
Select the following EnergyWise level to be configured on the devices:
0 - Shut
1 - Hibernate
2 - Sleep
3 Standby
4 Ready
5 Low
6 Frugal
7 Medium
8 Reduced
9 High
10 - Full
This drop-down list is disabled if you have selected Disable as the Configure
EnergyWise option.
Management Configuration
EnergyWise Port Number
Enter the EnergyWise port number that sends and receives queries.
The range is from 1 to 65000. The default is 43440.
After entering the EnergyWise port number, you must select either:
InterfaceSelect Interface and specify the EnergyWise Interface ID.
Or
IP AddressSelect IP Address and specify the EnergyWise IP Address.
Or
Use Mgmt IP Address of DevicesSelect to use the management IP Address of

devices added in the DCR.
EnergyWise Interface
Specify the EnergyWise Interface ID from which the EnergyWise messages are sent.
For example, FastEthernet0/2.
EnergyWise IP Address
Specify the EnergyWise IP Address from which the EnergyWise messages are sent.
Applicable Devices
EnergyWise.
(Button)
Save
(Button)
Reset
(Button)
Cancel
(Button)
4.2.
5-120
OL-25941-01
Chapter 5

EnergyWise Parameters Task

You can use the EnergyWise Parameters task to configure EnergyWise on ports. You can enter the details
of this task in the EnergyWise Parameters Configuration dialog box. To invoke this dialog box, see
Note
The EnergyWise Parameters task is available only in the Port based flow of a NetConfig job.
The fields in the EnergyWise Parameters Configuration dialog box are:
Field
Description
Configure EnergyWise Parameters
Entity Keywords (comma

separated)
Enter the keyword name.

Keywords can be set to identify a specific interface or group of interfaces. For example,
lab1
Entity Role
Enter the role for a specific device or device group access. For example, lobbyaccess
Entity Importance (1-100)
Enter the value for Importance.

Allows you to differentiate among devices in the domain. The value for Importance ranges
from 1 to 100, where a value of 1 is the lowest and a value of 100 is the highest.
Applicable Devices
(Button)
Save
EnergyWise.
Saves the information that you have specified.
(Button)
Reset
(Button)
Cancel
(Button)
EnergyWise Events Task

You can use the EnergyWise Events task to configure EnergyWise events on ports of EnergyWise
supported devices.
You can enter the details of this task in the EnergyWise Events Configuration dialog box. To invoke this
dialog box, see Starting a New NetConfig Job.
Note
The EnergyWise Events task is available only in the Port-based flow of a NetConfig job.

OL-25941-01
5-121
Chapter 5
The fields in the EnergyWise Events Configuration dialog box are:

Field
Description
IOS Parameters
Action
Select the following actions to enable or disable EnergyWise events on ports:
EnergyWise Level
EnableTo enable EnergyWise events configurations on ports
DisableTo disable EnergyWise events configurations on ports
Select the following EnergyWise event levels:
0 - Shut
1 - Hibernate
2 - Sleep
3 Standby
4 Ready
5 Low
6 Frugal
7 Medium
8 Reduced
9 High
10 - Full
This drop-down list is disabled if you have selected Disable as the Action.
Recurrence
Configure Recurrence level
Check the checkbox to configure event recurrence level.
Importance (1-100)
Enter the value for Importance.

Allows you to differentiate among devices in the domain. The value for Importance
ranges from 1 to 100, where a value of 1 is the lowest and a value of 100 is the highest.
Hour [00 - 23]
Select the hour interval to configure the event recurrence interval.

You can select the hourly time between 00 and 23 hours.
Minute [00 - 59]
Select the minute interval to configure event recurrence interval.

You can select the minute interval between 00 and 59 minutes
Month [1 - 12]
Enter the month in number format, separated by comma.

You can enter the value for one month [3], or for a range of months [7-9], or both [3, 7-9].
If this field is left blank, the Netconfig job considers the value as applied for all the
months [1-12].
Day of the Month [1 - 31]
Enter the day of the month in number format, separated by comma.

You can enter the value for one day [20], or for range of days [15-19], or both [10, 15-20].
If this field is left blank, the Netconfig job considers the value applied for all the days of
a month [1-31].
5-122
OL-25941-01
Chapter 5

Field
Description
Day of the Week
Select the day of the week by checking the checkbox.

If all the days of the week are left unchecked, the Netconfig job considers the value being
checked for all the days of a week [Sunday, Monday, Tuesday, Wednesday, Thursday,
Friday, Saturday].
Time Range
Enter the EnergyWise IOS time-range configured in the Global Config mode.
For example, if you have configured the time range Periodic Friday 07:00 to 20:00 to a
time-range name Friday in the Global Config mode in the EnergyWise IOS, you must
enter Friday in this Time Range field.
This option is applicable for EnergyWise enabled devices running EnergyWise 2.0
software image.
Applicable Devices
Allows you to view the IOS devices in your selection.
(Button)
Save
Saves the information that you have specified.
(Button)
Reset
(Button)
Cancel
(Button)
GOLD Boot Level Task

You can use this task to configure Boot Level Diagnositc tests on the following device category:
Cisco Catalyst 6500 devices
You can enter the details for this task in the GOLD Boot Level Configuration dialog box. (To invoke this
The fields in the GOLD Bootup Level Configuration dialog box are:
Field/Button
Description
Action
Select either Enable to enable the actions or Disable to disable the actions
Level
Select either Complete to set the boot level to Complete or Minimal to set the boot level to Minimal
This option is activated only if the Action option is enabled. This option is not activated, if you have
selected Disable in the Action field.
Save
Reset
Cancel

4.2.

OL-25941-01
5-123
Chapter 5
GOLD Monitoring Test Task

You can use this task to configure GOLD Monitoring tests on the following device categories:
Cisco Catalyst 6500 IOS switches
Cisco Catalyst 2900XL, 2970, 2960, 3550, 3560, 3750, and 3750E Switches
You can enter the details of this task in the GOLD Monitoring Tests Configuration dialog box. To invoke
this dialog box, see Starting a New NetConfig Job.
The fields in the GOLD Monitoring Test Configuration dialog box are:
Pane
Description
GOLD Monitoring Test Configuration

Configuring Health Monitoring Diagnostics
Action
Enter Vendor
Type or Name
Add Interval - To add an interval
No Interval. - To not add an interval
No Change - To make no change
Enter the Vendor type or Module Name. You can enter one or more comma separated module names.
Example:
cevCat6kVsS72010G
This is a mandatory field and is available only if you select Cisco Catalyst 6500 devices.
Enter Switch ID Enter the Switch ID.

You can enter a single switch ID or a number of switch IDs separated by comma.
Example 1:
Enter 2 if you want to include switch with ID 2.
Example 2:
Enter 3, 6 if you want to include switches with IDs 3 and 6.
This is a mandatory field and is available only if you select Cisco Catalyst 2900XL, 2970, 2960, 3550,
3560, 3750, or 3750E stack switches.
Enable/Disable Health Monitoring Diagnostics Test
Action
Enable - To start the Health Monitoring tests
Disable - To stop the running Health Monitoring tests.

The tests once stopped, will not start again until the Action is enabled.
No Change - No change to Action
Test Details
All
Allows you to configure all diagnostic tests.
Enter Testnames Allows you to manually enter the test names.

Enter one or more test names separated by comma.
This option is activated only if the Enable Action is selected.
5-124
OL-25941-01
Chapter 5

Pane
Description
Range
Allows you to enter a range for tests to be run.

This option is activated only if the Enable Action is selected.
Example:
Enter 2-8 if you want to run tests with IDs from 2 to 8.
Configure Health Monitoring Interval
No. of Days
Enter the number of days till which you require the tests to be run on the devices.
The number of days can be any value between 0 - 20.
The default value is 1 day.
Hours
Select the hour frequency at which the tests should be run. You can enter any value between 00 and 23 for
hour.
This is a mandatory field and is enabled only if you have selected Add Interval.
Minutes
Select the minute frequency at which the tests should be run. You can enter any value between 00 and 59
for the minute.
Seconds
Enter the seconds frequency at which the tests should be run. You can enter any value between 00 and 59
for the second.
Milliseconds
Enter the millisecond frequency at which the tests should be run. You can enter any value between 0 and
999 for the second.
Applicable
Devices
Allows you to view the IOS devices in your selection that you want to monitor with GOLD Monitoring
Tests.
Save
Reset
Cancel

4.2.
GOLD Health Monitoring Test Task

You can use this task to configure GOLD Health Monitoring tests on Cisco Catalyst 6500 IOS switches
device categories.
This task is available only for the Module-based netconfig job wizard.
You can enter the details of this task in the Gold Health Monitoring Test Configuration dialog box. To
invoke this dialog box, see Create a NetConfig Job based on Module or Port.

OL-25941-01
5-125
Chapter 5
The fields in the GOLD Health Monitoring Test Configuration dialog box are:
Pane
Description
GOLD Health Monitoring Test Configuration

Configuring Health-Monitoring Diagnostics for Cat6k Devices
Action
Run Test - To run a test
Add Test - To add a test
Remove Test - To remove a test
Test Details
All
Allows you to configure all diagnostic tests.
Pre-defined
Allows you to select the following pre-defined tests:
TestLoopback
TestNetflowInlineRewrite
TestEobcStressPing
TestFirmwareDiagStatus
TestAsicSync
Enter Testnames Allows you to manually enter the test names.

Enter one or more test names separated by comma.
Range
Allows you to enter a range for tests to be run.

Example:
Enter 2-8 if you want to run tests with IDs from 2 to 8.
Configure Health Monitoring Interval
No. of Days
Enter the number of days till which you require the tests to be run on the devices.
The number of days can be any value between 0 - 20.
The default value is one day.
This field is enabled only if you have selected Add Test.
Hours
Select the hour frequency at which the tests should be run. You can enter any value between 00 and 23 for
the hour.
Minutes
Select the minute frequency at which the tests should be run. You can enter any value between between 00
and 59 for the minute.
Seconds
Enter the seconds frequency at which the tests should be run. You can enter any value between 00 and 59
for the second.
Milliseconds
Enter the millisecond frequency at which the tests should be run. You can enter any value between 0 and
999 for the millisecond.
5-126
OL-25941-01
Chapter 5

Pane
Description
Apply the Monitoring Test
Run the above

monitoring test
case
Check the checkbox to run the above monitoring test case.
Configure
Syslog
Check the checkbox and select the following options to enable or disable Syslog:
Applicable
Devices
Enable
Disable
Allows you to view the IOS devices in your selection that you want to monitor with GOLD Health
Monitoring Tests.
(Button)
Save
(Button)
Reset
(Button)
Cancel
(Button)
4.2.
SRE Operation Task

You can use the SRE Operation task to perform the following operations in the service modules of SRE
supported devices:
Install application in service modules
Uninstall application from service modules
Understand:
Application that is running on the module
Status of the current installation in the service module
Status of uninstallation in the service module
Stop the installation on a set of service modules in a SRE device
Reset service modules in a SRE device
Shutdown the set of service modules in a SRE device
You can enter the details of the SRE Operation task in the SRE Operation Configuration dialog box. To
invoke this dialog box, see Create a NetConfig Job based on Module or Port.

OL-25941-01
5-127
Chapter 5
cwcli netconfig
The fields in the SRE Operation Configuration dialog box are:

Field
Description
Action
Select the following actions:
InstallInstall application in service modules.
UninstallUninstall application from service modules.
StatusDisplays the following:

The applicable running on the module
Status of the installation and uninstallation being performed in the service module
Script Name [Optional]
AbortStop installation on a set of service modules in a SRE device.
ShutdownShutdown the set of service modules in a SRE device
ResetReset service modules in a SRE device.
Name of the script file that should be picked up during installation.

This field is optional and is enabled only if the Install action is selected.
Argument to the Script

[Optional]
String argument passed to the script.

The string argument must be entered within quotes. For example, argument.
This field is optional and enabled only if Install action is selected.
URL of the installation source

directory
URL path of the package from where the device needs to download the image for
installation.
For example, ftp://180.180.180.80/nibbler/012609/pkg1/foundation.sme.1.4.40.18.pkg
This is a mandatory field. If this field is blank, an error message appears.
Applicable Devices
Allows you to view the devices in your selection that you want to configure SRE operation.
Save
(Button)
Reset
(Button)
Cancel
(Button)
cwcli netconfig
This command is described in the cwcli framework chapter. For details see Running the cwcli netconfig
Command.
5-128
OL-25941-01
Chapter 5

cwcli netconfig
Use Case: Using NetConfig Templates to change Configurations for many

Devices
Case
As a Network Administrator, you would want to change configuration for a set of devices in few simple
steps.
Solution
You can use NetConfig to change the configurations of many devices in one step. You can select the
devices and the corresponding system-defined or user-defined tasks and schedule a NetConfig job.
Let us say, you want to change the Local Username and Telnet password for a few devices. To perform
this:
Step 1
Go to Configuration > Configuration > NetConfig.

The Devices And Tasks dialog box appears.
Step 2
Select the required devices from the Device Selector.
Step 3
Select the Local Username and Telnet Password tasks from the Task Selector.
NetConfig Tasks are also referred to as NetConfig templates.
Step 4
Click Next.
From your selection, only the tasks that are applicable to at least one device that you have selected,
appear here. If the task that you have selected do not apply to the categories of any of the devices that
you have selected, it will not be displayed in the Applicable Tasks pane.
Step 5
Select a task and click Add to create an instance for the task.
Step 6
After creating the instances, select the Local Username_1 instance and click View CLI button to view
the CLI commands that will be deployed onto the applicable and non applicable devices.
Alternatively, you can click Edit to edit the selected instance or click Delete to delete an instance. You
can only delete one instance at a time.
Step 7
Click Next.
The Job Schedule and Options page appears.
For more information on how to schedule a NetConfig job, see Starting a New NetConfig Job.
Step 8
Provide the required information in the Job Schedule and Options dialog box and click Finish.
The Job Work Order screen appears.
Step 9
Click Finish.
A notification indicating the successful creation of a job appears.
Example
Job 1007 was created successfully.
The NetConfig job will be executed at the scheduled date and time. The Local Username Configuration
and Telnet Password Configuration changes effected will be deployed on the selected applicable devices.
To know the status of the job scheduled, go to Configuration > Configuration > NetConfig >
NetConfig Jobs.

OL-25941-01
5-129
Chapter 5
cwcli netconfig
5-130
OL-25941-01
CH A P T E R
Archiving Configurations and Managing them

using Configuration Archive
Configuration Archive maintains an active archive of the configuration of devices managed by LMS. It
enables you to perform the following tasks:
Fetch, archive, and deploy device configurations
Search and generate reports on archived data
Compare and label configurations, compare configurations with a baseline, and check for
compliance.
You can also perform some of the Configuration Archive tasks using command line utility cwcli
config.
You can also export the configuration data using the cwcli export config command.
Note
Device configuration archive file size should be less than or equal to 2.5 MB.
See CLI Utilities for further details on cwcli config and cwcli export config commands.
This chapter gives information on performing Configuration Archive tasks (see Performing
Configuration Archive Tasks for details).
Checking Configuration Archival Status

OL-25941-01
6-1
Chapter 6
Configuration Quick Deploy
Configuring Labels
Using Search Archive
Comparing Configurations
Using Configuration Archive Job Browser

Configuration Archive allows you to:
Check archival status

You can check the overall status of the configuration archive (For example, Successful, Partially
Successful, etc.).
See Checking Configuration Archival Status for further details.
Update the archive

In addition to scheduling configuration archive update, you can also update the archive manually.
This ensures that you have the latest configurations.
See Scheduling Sync Archive Job for more details. To define the Configuration Collection Settings,
see Administration of Cisco Prime LAN Management Solution 4.2.
Determine Configuration Protocol usage details

You can view the protocol usage details for successful configuration fetches for devices. You can
also change the transport protocol order after analyzing the protocol usage trends.
See Using the Config Fetch Protocol Usage Report for more details.
Determine out-of-sync configuration files

You can list the devices for which running configurations are out-of-sync- with the startup
configuration.
See Generating an Out-of-Sync Report and Scheduling Sync on Device Job for further details.
View Version Tree

You can view all configuration versions of selected devices in the form of a graphical display.
See Using the Configuration Version Tree for further details.
View Version Summary

You can view the latest three archived configurations for selected devices. It also has a link to view
a particular configuration running on the device and to generate differences between versions in the
archive.
See Viewing the Configuration Version Summary for further details.
Search for device configuration files

You can search the archive for configuration containing text patterns for selected devices.
See Using Search Archive for further details.
6-2
OL-25941-01
Chapter 6

Create custom configuration queries (See Creating a Custom Query.)

You can create and run custom queries that generate reports. These reports display device
configuration files from the archive for the devices you specify. You can use custom queries while
searching archives.
Compare configurations
You can compare the following:
Startup and running configurations
Running and latest archived configurations
Two configuration versions of the same device
Two configuration versions of different devices
Base configuration and latest version of different devices
See Comparing Configurations for further details.

You can create an immediate job to deploy the version of configuration that you are viewing on the
device. You can deploy the configuration either in the Overwrite or Merge mode. You can also use
job-based password.
See Configuration Quick Deploy for further details.
Configuration Archive Job Browser

You can see the status of your Configuration Archive jobs.
See Using Configuration Archive Job Browser for further details.
Label Configuration
You can select configuration files from different managed devices and then group and label them.
See Configuring Labels for further details.
Set the debug mode for Configuration Archive

You can set the debug mode for Configuration Archive feature in the Log Level Settings dialog box
(Admin > System > Debug Settings).
See Administration of Cisco Prime LAN Management Solution 4.2 for more details.

After you add devices, their configurations are gathered and stored in the configuration archive. You can
check the overall status of the configuration archive (Successful, Partially Successful, and Failed). It
provides the status of the last archival attempt.
Refresh
Click on this icon to refresh the configuration archive status window.
(Icon)
Note
View Permission Report (Reports > System > Users > Permission) to check if you have the required

OL-25941-01
6-3
Chapter 6
To check the configuration archive status:

Step 1
Select Configuration > Configuration Archive > Summary.

The Configuration Archival Summary dialog window appears with the following information.
Archival Status
Description
Successful
Number of devices for which all supported configurations have been fetched successfully.
Click No.of Devices to see the Successful Devices Report.
Failed
Number of devices for which fetch of all supported configurations has failed.
Click No.of Devices to see the Failed Devices Report.
Partial Successful
Number of devices for which fetch of any one of the supported configurations has failed.
Number of Catalyst 5000 devices for which sub-modules were not pulled into archive. Only the main
configuration of supervisor engine module is archived for Catalyst 5000 devices.
Click No.of Devices to see the Partially Successful Devices Report.
Configuration Never Number of devices for which the supported configurations has never been collected.
Collected
Click No.of Devices to see the Configuration Never Collected Devices Report.
Step 2
Select one or all of the Config Archival Status and click Sync Archive to schedule an immediate job to
update the archive status.
You can check the status of your scheduled Sync Archive job by selecting Configuration > Job
Browsers > Configuration Archive.
Configuration Archival Reports

The following are the Config Archival reports:
Successful Devices Report
Failed Devices Report
Partially Successful Devices Report
6-4
OL-25941-01
Chapter 6

Successful Devices Report

A device appears in this report if all supported configurations have been fetched successfully.
Note
These dates do not necessarily reflect when the archive was last updated.
This report contains the following information:
Column Names
Description
Device Name
Device Name as entered in Device and Credential Repository.

Click on the device name to launch the Troubleshooting page.
Config Type
Defines the type of configuration PRIMARY, SECONDARY, or VLAN.
PRIMARY/SECONDARYContains the Running and Startup configuration files information.
VLANContains running vlan.dat configuration file information. This config type does not
contain Startup configuration file information.
For ONS devices, the PRIMARY configuration type displays the configuration information from
the active CPU, at that instance.
File Type
Defines the configuration file type as either Running or Startup configuration.
Accessed At
Date and time at which LMS pulled running configuration from device in an attempt to archive. The
configuration is archived only if there has been a change.
Description
Displays the archival status.
Failed Devices Report

A device appears in this report if fetch for all of the supported configurations has failed. This report also
contains the reasons configuration could not be pulled.
Column Names
Description
Device Name

Config Type
Defines the type of configuration as PRIMARY, SECONDARY, or VLAN.
PRIMARY/SECONDARYContains information about the Running and Startup configuration

files.
VLANContains running vlan.dat configuration file information. This configuration type does not
For ONS devices, the PRIMARY configuration type displays the configuration information from the
active CPU, at that instance.
File Type
Accessed At
Date and time that LMS pulled running configuration from device in an attempt to archive. The
Description
Reason why LMS could not pull running and startup configuration from device.

OL-25941-01
6-5
Chapter 6
If you have enabled TACACS for a device and configured custom TACACS login and passwords
prompts, you may experience Telnet problems, since LMS may not recognize the prompts.
To make your prompts recognizable, you must edit the TacacsPrompts.ini file in:
NMSROOT\objects\cmf\data\TacacsPrompts.ini (On Windows)
NMSROOT/objects/cmf/data/TacacsPrompts.ini (On Solaris and Soft Appliance)
Partially Successful Devices Report

A device shows up in this report if fetch for any one of the supported configurations has failed.
The Partially Successful Devices report lists the Catalyst 5000 family devices for which sub-module
information could not be pulled from the device. Only the main configuration of the supervisory module
is archived for Catalyst 5000 devices.
Column Names
Description
Device Name

Config Type
File Type
Accessed At
Description
Reason why LMS could not pull running or startup configuration from device.

A device appears in this report if fetch for the supported configuration has never been collected.
6-6
OL-25941-01
Chapter 6


Column Names
Description
Device Name

Config Type
File Type
Accessed At
Description
Reason why LMS could not pull running or startup configuration from device.

You can schedule a job to update the configuration archive for a selected group of devices.
You have an option to poll device configuration before updating the archive and to fetch Startup
configuration.
Note
Note
When config collection is fetched via TFTP protocol, ensure Read-Write Community String is
configured in DCR under SNMP credential section.
To schedule a job to update the device configuration:
Step 1
Select Configuration > Configuration Archive > Synchronization.

The Sync Archive dialog box appears.
Step 2
Select either:
Device Selector To schedule a job for a static set of devices.

The sync archive job fails if devices are removed from the DCR. For example, a sync archive job is
scheduled to run for all the devices that are part of the selected group in Device Selector. If a device,
part of the selected group in Device Selector, is deleted from DCR while the job is running then the
job fails for that particular device. However, the job succeeds for the remaining devices in the group,
but the status of the job still remains failed.
Or
Group Selector To schedule a job for a dynamic group of devices.

OL-25941-01
6-7
Chapter 6
The job is scheduled only for the devices that are present in the selected group at the time when the
job is run. The customizable group selector for jobs evaluates static groups also as dynamic during
run time.
Step 3
Field
Enter the following information:

Description
Scheduling
Run Type
You can specify when you want to run the Sync Archive job.
6 - hourlyRuns this task every 6 hours, starting from the specified time.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance of this
job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1 job has
completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m. November 2, the next job will
start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) to schedule the job.
The Date field is enabled only if you have selected an option other than Immediate in the Run Type
field.
Job Information
Job Description
Enter a description for the job. This is mandatory. You can enter only alphanumeric characters.
E-mail
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the job.
You can enter multiple e-mail addresses separated by commas.
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box (Admin
> System > System Preferences).
We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences dialog
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent with
the LMS E-mail ID as the sender's address.
Job Options
Poll device before

configuration
collection
Configuration Archive polls the device and compares the time of change currently on the device with
the time of last archival of configuration to determine if configuration has changed on a device.
If the polling is not supported on the device, then configuration fetch will be initiated without
checking for the changes.
See Understanding Configuration Retrieval and Archival section in Administration Guide for Cisco
Prime LMS 4.2 for further details on configuration polling.
Fetch startup config
Configuration Archive fetches the startup configuration.
6-8
OL-25941-01
Chapter 6

Click Submit.
Step 4
A message appears, Job ID is created successfully.

Where ID is a unique Job number.
Click OK.
Step 5
You can check the status of your scheduled Sync Archive job by selecting Configuration > Job

You can view the configuration protocol usage details for successful configuration fetches using the
Config Fetch Protocol Usage Report.
Note
Select Configuration > Configuration Archive > Protocol Usage Summary to generate a Config
Fetch Protocol Usage Report.
The Config Fetch Protocol Usage Report window displays the following information:
Column Name
Description
Protocol
Protocols used by LMS for configuration fetches.
Config Type
The Configuration types for the various protocols. The available types are:
Running Count of the successful running configuration fetches for each protocol
Startup Count of the successful startup configuration fetches for each protocol
VLAN Count of the successful VLAN configuration fetches for each protocol. This configuration
fetch is supported by only Telnet and SSH protocols.
Click on the Count link to view a detailed report for a protocol and corresponding Config Type. The
detailed report shows the list of devices which are accessed using a particular protocol and for which
successful Config Fetch has happened.
Example:
If you click on a Count link, 20, for Telnet protocol and Running config type, a detailed report is generated
with the following fields:
Device Name Name of each device.
Accessed At Date and time at which each device was accessed for Config Fetch purpose.
Config Type Configuration type for each device.
File Type - Configuration file type for each device.
This detailed report shows only the devices for which Telnet has successfully fetched configurations.
You can use the export icon to export the list of devices from this detailed report to the device selector.

OL-25941-01
6-9
Chapter 6
Column Name
Description
Edit Settings
Click this button, if you want to change the transport protocol order.
(Button)
For more information, see Administration of Cisco Prime LAN Management Solution 4.2 for further
details.
Refresh
Refreshes the Config Fetch Protocol Usage Report.
(Icon)

You can generate an Out-of-Sync report for the group of devices for which running configurations are
not synchronized with the startup configuration.
Note
Select Configuration > Compliance > Out-of-Sync Summary to generate an Out-of-sync report. The
Startup and Running Out-Of-Sync Summary window displays the following information:
Column Name
Description
Device Name
Startup
Startup configuration of the device. This configuration is fetched from the configuration
archive.
Click on the displayed date to view the configuration.
Diff
Difference between the archived Startup and archived Running configurations.

Click on the icon to see the difference between the archived Startup and archived Running
configurations.
Running
Running configuration of the device. This configuration is fetched from the configuration
archive.
Click on the displayed date to see detailed information on the Running configuration.
Sync on Device
Use this button to schedule a Sync on device job.
(Button)
You can schedule a Sync on device job to copy the running configuration of a device to the
startup configuration.
For more information see, Scheduling Sync on Device Job.

You can schedule a Sync on device job using the Sync on Device button on Startup and Running
Out-Of-Sync Summary window.
Note
6-10
OL-25941-01
Chapter 6

To schedule a Sync on device job:

Step 1
Select Configuration > Compliance > Out-of-Sync Summary.

The Startup and Running Out-Of-Sync Summary dialog box appears.
Step 2
Select a device.
Step 3
Click Sync on Device.

Step 4
Field

Description
Scheduling
Run Type
You can specify when you want to run the Startup and Running Out-Of-Sync Summary report.
completed.
Date
field.
Job Information
Job Description
E-mail
Approver Comments Enter comments for the job approver.

This field appears only if you have enabled Job Approval for Configuration Archive.
Maker E-Mail
Enter the e-mail-ID of the job creator. This is a mandatory field.

This field appears only if you have enabled Job Approval for Configuration Archive.

OL-25941-01
6-11
Chapter 6
Field
Description
Job Options
Job Password
If you have enabled the Enable Job Password option and disabled the User Configurable option
in the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job
Policies) enter the device login user name and password and device Enable password.
If you have enabled the Enable Job Password option and enabled the User Configurable option in
the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies)
either:
Enter the device login user name and password and device Enable password
or
Disable the Job Password option in the Job Schedule and Options dialog box.
Step 5
Click Submit.
Step 6
Click OK.
You can check the status of your scheduled Copy Running Config to Startup job by selecting
Configuration > Job Browsers > Configuration Archive.

You can view all configuration versions of the selected devices in the form of a graphical display. You
can also perform a configuration quick deploy for a selected device.
Note
To view the configuration Version Tree:
Step 1
Select Configuration > Configuration Archive > Views > Version Tree
The Device Selection dialog box appears.
Step 2
Select a device. See Inventory Management with Cisco Prime LAN Management Solution 4.2 for
information on how to use the Device Selector.
6-12
OL-25941-01
Chapter 6

Click OK.
Step 3
The Config Version Tree dialog box appears.

Click either the configuration version which is a hyper link or select the radio button for the
configuration version.
Step 4
To expand the configuration version folder, click on the plus icon and select the configuration version
to view the configuration.
The Config Viewer dialog box appears. See Understanding the Config Viewer Window for further
information.
If you want to perform a configuration quick deploy (Configuration Quick Deploy), click the Deploy
button.

The Config Viewer is a HTML-based window that displays the configurations of specified devices.
You can specify how you want to view the contents of the configurations by selecting one of the options
under Show:
Click Raw to view data exactly as it appears in the configuration file.
Click Processed to view data with the commands ordered and grouped.
The Config Viewer window contains two columns.

Column
Description
Configlets
Click on any configlets to display the corresponding information. The available configlets vary from
device to device; the following are examples:
Configuration file
name
AllEntire contents of the configuration files.
SNMPSNMP configuration commands. For example, snmp-server community public RO.
IP RoutingIP routing configuration commands. For example, router abcd 100.
Interface folderThe different interface configuration commands. For example,

Interface Ethernet0 and Interface TokenRing.
GlobalGlobal configuration commands. For example no ip address.
Line con 0configuration commands for line console 0.
IPIP configuration commands. For example, ip http server.
View the contents of the configuration file.

OL-25941-01
6-13
Chapter 6
The buttons on the Config Viewer are:

Button
Description
Download Config
Downloads the configuration file to the client machine.
(Icon)
This option to download the configuration file is available only in the Raw mode. The configuration file
will be downloaded through the Web browser with the file name convention as
DeviceName-Version_Number.txt.
You can download the configuration file only if you have the privileges of a Network Administrator.
Note
Export
(Icon)
The Credentials in the configuration file will be exposed and shown as clear text.
Export the configuration file.
If you are using the Raw mode then the exported file format is cfg. The file name convention is
DeviceName-VersionNumber.cfg.
If you are using the Processed mode then the exported file format is XML. The file name convention
is DeviceName-VersionNumber.xml.
Where DeviceName is the device name as entered in Device and Credential Repository and
VersionNumber is the device configuration version.
The default directory to which Configuration Archive file is exported is:
On Solaris and Soft Appliance server,
/var/adm/CSCOpx/files/rme/dcma/configexport
On Windows server,
NMSROOT\files\rme\dcma\configexport
6-14
OL-25941-01
Chapter 6

Button
Description
Export (continue)
To export a file:
1.
Click on the icon.

The Export Config File dialog box appears.
2.
Enter the folder name on the LMS server.

You must enter the default export directory. You cannot enter any other directory.
or
Browse to select a folder on the LMSserver.
The Server Side File Browser dialog box appears.
a. Select a folder on the LMS server.
b. Click OK.
The Browse button takes you to the default directory. It does not allow you to change this default
export directory.
3.
Click OK.
If you have exported configuration in the Raw mode, the notification message displays, Config file
ExportedFolder\DeviceName-VersionNumber.cfg
exported as
If you have exported configuration in the Processed mode, the notification message displays, Config
file exported as ExportedFolder\DeviceName-VersionNumber.XML
Where ExportedFolder is the location where configuration file is exported.
4.
Print
Click OK.
Generates a format that can be printed.
(Icon)
Compare with
previous version
Compares configuration with previous version. When you click on this button, a new window Config
Diff Viewer opens to show configurations side by side.
See Understanding the Config Diff Viewer Window for further details.
This button gets activated only if you have a previous version of the configuration.
Compare with next Compares configuration with next version. When you click on this button, a new window Config Diff
version
Viewer opens to show configurations side by side.
This button gets activated only if you have a next version of configuration.
Edit
Launches Config Editor window.

This button is active only if you are viewing the configuration version from the archive.
See Editing and Deploying Configurations Using Config Editor for further details.
Deploy
Perform a quick configuration deploy.

See Configuration Quick Deploy.

OL-25941-01
6-15
Chapter 6

You can view all archived configurations for selected devices. It also provides a link to view a particular
configuration running on the device and to generate differences between versions in the archive.
You can view the last three configuration versions for each device regardless of the number of versions
stored in the archive.
Note
To view the Config Summary, follow this workflow:
Step 1
Select Configuration > Configuration Archive > Views > Version Summary.
Step 2
Step 3
Click OK.
The Summary of Archived Versions window appears with the information in Table 6-1.
Table 6-1
Fields in the Summary of Archived Versions Window
Column
Description
Device Name

Config Type
VLANContains running vlan.dat configuration file information. This configuration type does
not contain Startup configuration file information.
Startup
Configuration running when device was started. This configuration is fetched from the device.
Click on the Startup icon to view the Startup configuration.
Diff
Differences between Startup and Running configurations.

To view the difference between Startup and Running configurations, click on the Diff icon.
Running
Configuration currently running on device.

Click on the Running icon to view the Running configuration.
The configuration that appears, is fetched from the device. This happens if the fetched configuration
is different from the latest configuration that is in the archive. Otherwise, the latest configuration from
the archive appears.
Diff
Differences between the Running Configuration on the device and the most recent archived
configuration.
To view the difference between the two running configurations, click on the Diff icon.
6-16
OL-25941-01
Chapter 6

Table 6-1
Fields in the Summary of Archived Versions Window (continued)
Column
Description
Latest
Displays date and time of most recent configuration archive. The time shown here is the time when
the file was actually archived. If the file was archived on 03/07/2004 5.00 PM PST, that's the time that
will appear in this report. Time will be shown based on the client's time zone.
To view the device configuration, click on Date and Time.
The Archived At fields that appear in other configuration reports shows the last time the configuration
was taken from the device in an attempt to archive. The system archives the configuration only if there
is a change in the newly obtained configuration when compared with the archived one. So there could
be different time values.
Diff
Differences between the most recent and the second most recent archived configurations.
Latest-1
Date and time the second most recent configuration was archived.
Diff
Differences between the second most recent and third most recent configurations in archive.
Latest-2
Date and time the third most recent configuration was archived.

You can create an immediate job to deploy the version of configuration being viewed on the device. You
can deploy the configuration either in overwrite or merge mode.
Features of Configuration Quick Deploy
The following are the features of Configuration Quick Deploy:
It can be performed for both running and startup configurations of all categories of devices.
The job is executed immediately. Therefore Job approval should not be enabled at the time of
Configuration Quick Deploy.
The jobs cannot be rolled back.
The jobs use TFTP, Telnet, SSH, SCP, RCP, HTTPs transport protocols.
It provides an option to select either merge or overwrite mode when you deploy configuration on a
device.
It cannot be performed for VLAN configurations. However, you can deploy VLAN configurations
using the CLI command, cwcli config put. See Overview: cwcli config Command for more
information.
It is supported for configuration versions in the archive only. That is, you cannot deploy for
configuration version available on a device.
The jobs use the same protocol order that you have specified in the Config Transport Settings
(Admin > Collection Settings > Config > Config Transport Settings).

OL-25941-01
6-17
Chapter 6
Performing a Configuration Quick Deploy

You can perform a configuration quick deploy using the Config Viewer window.
For example, you can launch Config Viewer window by clicking on Startup configuration or Running
Configuration links while performing tasks such as generating Out-Of-Sync Summary report, viewing
the Version Summary report etc.
Note
Step 1
Click Deploy on the Config Viewer (Understanding the Config Viewer Window) window.
The Job Option Details dialog box appears.
Step 2
Field

Description
Job Information
E-mail
Configure the SMTP server to send e-mails in the View / Edit System Preferences dialog box
(Admin > System > System Preferences).
We recommend that you configure the LMS E-mail ID in the View / Edit System Preferences
dialog box (Admin > System > System Preferences). When the job starts or completes, an e-mail
is sent with the LMS E-mail ID as the sender's address.
Job Options
Job Password
If you have enabled the Enable Job Password option and disabled the User Configurable
option in the Job Policy dialog box (Admin > Network > Configuration Job Settings >
Config Job Policies) enter the device login user name and password and device Enable
password.
If you have enabled the Enable Job Password option and enabled the User Configurable
Config Job Policies) either:
or
6-18
OL-25941-01
Chapter 6

Field
Description
Deploy Mode
Overwrite
Select the Overwrite option, if you want to replace the existing running configuration on the
device, with the selected configuration.
This is the default option for the configuration deployment.
The configuration that you have selected is compared with the latest running configuration in the
Configuration Archive. (LMS assumes that the latest running configuration in the archive is the
same as the configuration currently running on the device.)
The Overwrite mode ensures that the running configuration on the device is overwritten with the
selected configuration. This means, after the configuration is successfully deployed, the selected
configuration and the running configuration on the device are the same.
Merge
Select the Merge option, if you want to add incremental configuration to the device.
The configuration that you have selected is deployed on to the device as is. This means, the
existing running configuration of the device is updated incrementally with the commands in the
selected configuration.
The selected running configuration is not compared with the running configuration in the
We recommend that you use this option on newly deployed devices. This is because, the Merge
option effectively deploys the entire configuration from the archive, on to the device.
Step 3
Click Submit.
An immediate Quick Deploy of Configuration on Device job will be scheduled.
Step 4
Click OK.
You can check the status of your scheduled Config Quick Deploy job by selecting Configuration > Job
What Happens During Configuration Quick Deploy
Before Configuration Management deploys the configuration on the device, it verifies whether the
device is locked.
The deploy process follows the configured transport protocol order and the fallback option is active.
At end of this task, Configuration Management will:
Unlock the device
Check in the new version of configuration if the deploy completes successfully.
After uploading the configuration on the device, Configuration Management writes to the Change Audit
log.

OL-25941-01
6-19
Chapter 6
Configuring Labels
Configuring Labels
A label is a name given to a group of customized selection of configuration files. You can select
configuration files from different devices, group and label them.
These labeled files are not purged along with the other configuration files. You have to explicitly select
the Purge labeled files option to purge the labeled files. These labeled files are not purged if this option
is not enabled.
You can purge the label config files using Admin > Network > Purge Settings.
See Inventory Management with Cisco Prime LAN Management Solution 4.2 for further details.
The Label Config window displays the following information:
Column
Description
Label Name
Displays the label name.
Description
Displays the label description.
Created by
Displays the user who created this label.
Created on
Displays the label creation time.
You can click on any column heading to sort the information by that column. If you double-click a
heading, the order is reversed.
The Label Configs window contains the following buttons:
Button
Description
Create
Create a label. See Creating a Label for further details.
Edit
Edit a labeled configuration. See Editing a Labeled Configuration for further details.
This button is active only after you select a Label.
View
View a labeled configuration. See Viewing the Labeled Configuration for further
details.
Delete
Delete labeled configuration. See Deleting the Labeled Configuration for further
details.
6-20
OL-25941-01
Chapter 6

Configuring Labels
Creating a Label
You can use Label Configuration to create a group of configuration files from selected devices.
Note
You can create a label file using the following workflow:
Step 1
Select Configuration > Configuration Archive > Label Configs.

The Label Configs dialog box appears.
Step 2
Click Create.
Step 3
In Device Selector pane, select the devices. See Inventory Management with Cisco Prime LAN
Step 4
Go to the Label selection pane and:
Step 5
Step 6
Step 7
Enter the Label Name. You can enter up to 64 characters.
Enter the Label Description. You can enter up to 128 characters.
Go to the Config Type pane and select Primary or VLAN.

Option
Description
Primary
Contains the Running and Startup configuration

files information.
VLAN
Contains running vlan.dat configuration file

information. This configuration type does not
Go to the Version pane and select Latest to include the most recent configuration only, or All to view
all configuration versions.
If you have selected Latest, you can click Finish button in the Select Devices page and complete the
Label creation.
If you have selected All, go to Step 7.
Click Next.
The Select Configs to be Labelled dialog box appears.
To view the configuration, select a configuration version file from the left pane and click View. The
Config Viewer (Understanding the Config Viewer Window) window appears.
To add the selected configuration, select a configuration version file from the left pane and click
Add.
To remove the selected configuration, select a configuration version file from the right pane and
click Remove.

OL-25941-01
6-21
Chapter 6
Configuring Labels
Step 8
Click Finish.
A message appears, Label LabelName created successfully.
Where LabelName is the name of the label that you entered.
Step 9
Click OK.
Editing a Labeled Configuration

You can make the following changes to a label:
Note
Modify the Label Description.
Remove configuration files from the Selected Versions list.
Add new configuration files from the Devices list.
You can edit a label file using the following workflow:
Step 1

Step 2
Select a label and click Edit.

The Device Selection dialog box appears. The devices that are already part of the labeled file are
selected.
Step 3
Go to the Device Selector pane and select a new device or deselect a device. See Inventory Management
with Cisco Prime LAN Management Solution 4.2 for information on how to use the Device Selector.
Step 4
Go to the Version pane and select Latest to include the most recent configuration only, or All to view
all configuration versions.
Step 5
Click Next.
The Label Details dialog box appears with the current details of the label.
Step 6
Do either of the following:
Change the Label Description. You can enter up to 128 characters.
Select a configuration version file from the left pane, click Add to add the selected configuration
file.
If you selected Latest in the previous dialog box, the left pane will show devices and the latest
archived configuration file. The right pane contains labeled configuration.

If you selected All in the previous dialog box, the left pane will show devices and all available
archived configuration files. The right pane contains labeled configuration.
Note
You can select only one configuration file for a device.
6-22
OL-25941-01
Chapter 6

Configuring Labels
Step 7
To remove the selected configuration, select a configuration version file from the right pane and
click Remove.
To view the configuration, select a configuration version file from the left pane and click View. The
Config Viewer (Understanding the Config Viewer Window) window appears.
Click Finish.
A message appears, Label LabelName updated.
Where LabelName is the name of the label as entered by you.
Step 8
Click OK.
Viewing the Labeled Configuration

You can view configurations of a label from the label listing.
Note
Step 1
Step 2
Select a label and click View.

The Label Config Viewer window appears with the following information:
Column Name
Description
Device Name
Config Type
VLANContains running vlan.dat configuration file information. This configuration type does
not contain Startup configuration file information.
Version
Version of configuration file.

Click on the version to display Config Viewer (see Understanding the Config Viewer Window), which
shows contents of corresponding configuration file.
In the Config Viewer window, you can click the Deploy button if you want to perform a Configuration
Quick Deploy (Configuration Quick Deploy)
Created On
Date and time at which configuration file was created.
Change Description
Description of the configuration change.

OL-25941-01
6-23
Chapter 6
Deleting the Labeled Configuration

You can delete a label from the list of labels in the label configuration dialog box:
Note
Step 1
Step 2
Select the labels and click Delete.

A message appears, Are you sure you want to delete the label(s)?
Step 3
Click OK to delete the labels.

You can search the archive for configuration containing text patterns for selected devices. You can
specify ten different combinations of patterns or strings as part of search criteria.
For example:
Search all devices for configurations having pattern set banner motd and set banner exec.
Search all devices for configurations having pattern set banner motd and set banner exec and
set password.
You can also specify an option to ignore or consider the case sensitive property.
You can create a custom configuration query that searches information about the specified configuration
files.
If you monitor devices X, Y, and Z every morning, you can create a custom query on them. When you
run the query, LMS quickly gathers all the archived configuration files for these devices and displays
them in a report.
The Custom Queries window displays the following information:
Column
Description
Query Name
Custom Query name.
Description
Custom Query description.
Created By
User who created this Custom Query.
Created On
Custom Query creation time.
You can click on any column heading to sort the information by that column. If you double-click a
6-24
OL-25941-01
Chapter 6

The Custom Queries window contains the following buttons:

Button
Description
Create
Create a custom query. See Creating a Custom Query for further details.
Edit
Edit a custom query. See Editing a Custom Query for further details.
This button is active only after you select a custom query.
Run
Run a custom query. See Running a Custom Query for further details.
Delete
Delete custom queries. See Deleting the Custom Queries for further details.
The user who creates the custom query has full permission to perform tasks such as edit and run on the
Custom Queries.
See Searching Archive for the procedure to search the configuration with and without a search pattern.
Creating a Custom Query

To create a custom query:
Note
Step 1
Select Configuration > Configuration Archive > Views > Custom Queries.
The Custom Queries dialog box appears
Step 2
Click Create.
Step 3
Do any of the following:
Enter the Custom Query name. You can enter up to 64 characters.
Enter the Custom Query description. You can enter up to 128 characters.
Enter patterns to search for, for example, http server. You can enter text patterns up to 64 characters.
To search for more than one pattern, enter the second and third patterns in the Pattern 2 and Pattern
3 fields. You can specify ten different combinations of patterns as part of search criteria.
You cannot search for special characters or regular expressions, for example, Control-C, boot*, etc.
Select the search criteria Contains/Does Not Contain.
If you have entered string as a search pattern, you can select Match Any to search for any given
pattern string or Match All to search for all pattern strings.
Click Match Case to perform a case-sensitive search, which is more efficient when you know the
exact pattern you want to match. By default, Match Case is disabled.

OL-25941-01
6-25
Chapter 6
Step 4
Click OK.
A message appears, Custom Query CustomQueryName created successfully.
Where CustomQueryName is the name of the custom query as entered by you.
Step 5
Click OK.
Running a Custom Query

To run a custom query:
Note
Step 1
The Custom Queries dialog box appears.
Step 2
Select a Custom Query and click Run.

Step 3
Select the devices. See Inventory Management with Cisco Prime LAN Management Solution 4.2 for
Step 4
Click OK.
The Custom Query Search Result window appears with the following information:
Column Name
Description
Device Name

Version
Versions of configuration file.

Click on the version to display Config Viewer (see Understanding the Config Viewer Window),
which shows contents of corresponding configuration file.
In the Config Viewer window, you can click on the Deploy button if you want to perform a
configuration quick deploy (Configuration Quick Deploy)
Created On
Date and time at which the configuration file was created.

You can perform the following tasks from this window:
Select the devices and click NetConfig to make any changes to the device configuration using
NetConfig templates.
Select a device and click Edit to edit the device configuration using the Config Editor application.
6-26
OL-25941-01
Chapter 6

Editing a Custom Query

You can edit the Custom Query description and modify the search patterns and their criteria. To edit a
custom query:
Note
Step 1
Step 2
Select a Custom Query and click Edit.

The Custom Query Window appears.
Step 3
Step 4
Update the Custom Query description. You can enter up to 128 characters.
Either add a new search pattern or delete or update an existing search pattern and its criteria. You
can enter up to 64 characters.
Modify the string search option Match Any to Match All or vice versa.
Enable or Disable the case-sensitive search.
Click OK.
A message appears, Custom Query CustomQueryName updated successfully.
Where CustomQueryName is the name of the Custom Query.
Step 5
Click OK.
Deleting the Custom Queries

To delete the custom queries:
Note
Step 1
Step 2
Select a Custom Query and click Delete.

A message appears, The query will be deleted.
Step 3
Click OK.

OL-25941-01
6-27
Chapter 6
Searching Archive
You can search the device configuration file with or without the search pattern. You can also narrow
down your search using Label Configuration files and Custom Queries.
You can view the search report in two ways:
Note
Search Archive Result
To search the configuration archive:
Step 1
Select Configuration > Configuration Archive > Views > Search Archive.
The Search Archive dialog box appears.
Step 2
Field
Enter the following:

Description
Left Pane
Label Config
Enable this option and select a label name.

The configuration version options Latest and All are disabled.
Device Selector
Select the devices. See Inventory Management with Cisco Prime LAN Management Solution 4.2 for
If you have selected Label Config, you need not select devices. If you have selected any devices,
only the devices that are specified in the label configuration are searched. Other devices are ignored.
Select Latest to search the most recent configuration only or All to search all configuration versions.
Version
If you have selected Label Config, then you cannot specify the versions.
View Type
Select one of these view types:
Version to view the Device Configuration Version Report. This displays all versions of the
configuration, the time and date the configurations were archived, and reason for archival.
Quick View to view the Device Configuration Quick View Report. This displays the contents
of the configuration files.
Right Pane
Custom Query
Select a Custom Query.

The search patterns that are defined in the Custom Query appear in the Pattern Details text boxes.
In addition to Custom Query search patterns, you can also add additional search patterns.
6-28
OL-25941-01
Chapter 6

Field
Description
Pattern Details
Perform the following tasks:
Enter patterns to search for, for example, http server. You can enter text patterns up to 64
characters.
To search for more than one pattern, enter the second and third patterns in the Pattern 2 and
Pattern 3 fields. You can specify ten different combinations of patterns as part of search criteria.
You cannot search for special characters, for example, Control-C, boot*.
You can also search the device configuration file without the search pattern. The search will list
all archived configuration for all selected devices.
If you have selected the version as Latest, the search will list latest archived configuration
for all selected devices.

If you have selected the version as All, the search will list all archived configurations for
all selected devices
Date Range
pattern string or Match All to search for all pattern strings
Click Match Case to perform a case-sensitive search, which is more efficient when you know
the exact pattern you want to match. By default, Match Case is disabled.
Select any of the following Date Range types:
As onSearch config archives on or before the specified date and time.
FromSearch config archives for the specified period.
LastSearch config archives for the last N number of days, weeks, months or years; where N
is the value entered for the number of days, weeks, months or years.
The following maximum values for N can be specified:
DaysThe maximum number of days that can be specified is 999.
WeeksThe maximum number of weeks that can be specified is 999.
MonthsThe maximum number of months that can be specified is 99.
YearsThe maximum number of years that can be specified is 9.
If you have selected Latest as the version, the Date Range option searches for the most recent config
archives.
Step 3
Click Search.
Based on your View type selection, either Search Archive Result or Device Configuration Quick View
Report appears.

OL-25941-01
6-29
Chapter 6

The Search Archive Result displays information about the device configurations. The Search Archive
Result contains the following details of the selected configurations:
Column Name
Description
Device Name

Config Type
PRIMARY/SECONDARYContains the Running and Startup configuration files

information.
VLANContains running vlan.dat configuration file information. This config type does not
For ONS devices, the PRIMARY config type displays the configuration information from the
Version

Click on the version to display Config Viewer (see Understanding the Config Viewer Window),
which shows contents of the corresponding configuration file.
Created On
Change Description
Cause of configuration change.

You can perform the following tasks from this window:
Select the devices and click NetConfig to make changes to the device configuration using
NetConfig templates.
Select a device and click Edit to edit the device configuration using the Config Editor application.

The Device Configuration Quick View report lists the devices, configuration version numbers, and
configuration details of the device configuration version you specified.
You can specify how you want to view the contents of the configurations by selecting one of the options
under Show:
Click Raw to view data exactly as it appears in the configuration file. There are two panes, one lists
all devices and the other displays the configuration.
Click Processed to view data with the commands ordered and grouped. There are three panes, one
lists all devices, the second pane lists all configlets, and the third pane displays the configuration.
6-30
OL-25941-01
Chapter 6

Column
Description
Devices

Configlets
You can click on any configlets to display the corresponding information. The available configlets vary
from device to device. The following are examples:
AllThe entire contents of the configuration files.
Interface folderThe different interface configuration commands. For example,

GlobalGlobal configuration commands. For example no ip address.
Line con 0Configuration commands for line console 0.
IPIP configuration commands. For example, ip http server.
Configuration file You can view the contents of configuration file.

name
The following buttons are available on the Config Viewer:
Button
Description
Export
Exports the configuration file.
(Icon)
If you are using the Raw mode then the exported file format is cfg. The file name convention
is DeviceName-VersionNumber.cfg.
If you are using the Processed mode then the exported file format is XML and the file name
convention is DeviceName-VersionNumber.xml.
Where DeviceName is the Device Name as entered in Device and Credential Repository and
The default directory where Configuration Archive file is exported is:
On Windows server,

OL-25941-01
6-31
Chapter 6
Button
Description
Export (continue)
To export a file:
1.
Click on the icon.

2.

or
Browse to select a folder on the LMS server.
b. Click OK.
The Browse button takes you to the default directory. The Server Side File Browser does not
allow you to change this default export directory.
3.
Click OK.
If you have exported configuration in the Raw mode, the notification message displays, Config
file exported as
If you have exported configuration in the Processed mode, the notification message displays,
Config file exported as ExportedFolder\DeviceName-VersionNumber.XML
Where ExportedFolder is the location to which the configuration file is exported.
4.
Print
Click OK.
(Icon)
Compare with previous Compares configuration with the previous version. When you click on this button, a new window
version
Config Diff Viewer opens to show configurations side by side.
This button is active only if you have a previous version of configuration.
Compare with next
version
Compares configuration with the next version. When you click this button, a new window Config
Diff Viewer opens to show configurations side by side.
This button is active only if you have a next version of configuration.
Edit
Launches Config Editor window.

See Editing and Deploying Configurations Using Config Editor for further details.
Deploy
You can perform a configuration quick deploy.

See Configuration Quick Deploy.
6-32
OL-25941-01
Chapter 6

You can compare two device configuration files from version to version or from device to device. You
can also compare the configuration when a device was started with the current configuration, and the
current configuration with the most recently archived configuration.
You can list the commands that have to be excluded while comparing configurations.
To do this select Admin > Collection Settings > Config > Config Compare Exclude Commands
Configuration.
You can compare the configurations in these ways:
Startup vs. RunningCompares the configuration when the device was started with the current
configuration. These configurations are fetched from the device.
See Comparing Startup vs. Running Configurations.
Running vs. Latest ArchivedCompares the running configuration with the most recently archived
configuration. The Running configuration is fetched from the device.
See Comparing Running vs. Latest Archived Configurations.
Two Versions of the Same DeviceCompares two archived configuration versions.

See Comparing Two Configuration Versions of the Same Device.
Two Versions of Different DevicesCompares any two configurations in the configuration archive.
See Compare Two Configuration Versions of Different Devices.
Base Config vs. Latest Version of Different DevicesCompares the base configuration of a device
with the latest configuration of other devices.. These configurations are fetched from the device.
See Compare Base Config vs. Latest Configuration Version of Multiple Devices.
Comparing Startup vs. Running Configurations

You can compare the configuration when a device was started with the current configuration. These
configurations are fetched from the device.
Note

OL-25941-01
6-33
Chapter 6
To compare Startup vs. Running configurations:

Step 1
Select Configuration > Configuration Archive > Compare Configs.

The Compare Configurations dialog box appears.
Step 2
Select Startup vs. Running and click Compare.

Step 3
Step 4
Click OK.
The Understanding the Config Diff Viewer Window window appears.
Comparing Running vs. Latest Archived Configurations

You can compare the configuration currently running on a device with the most recent configuration
stored in the configuration archive. The Running configuration is fetched from the device.
Note
To compare Running vs. latest archived configurations:
Step 1

Step 2
Select Running vs. Latest Archived and click Compare.

Step 3
Step 4
Click OK.
6-34
OL-25941-01
Chapter 6

Comparing Two Configuration Versions of the Same Device

You can compare two different archived configurations of the same device.
Note
To compare two versions of the same device:
Step 1

Step 2
Select Two Versions of the Same Device and click Compare.

Step 3
Step 4
Click Next.
The Select First Configuration dialog box appears with the following information:
Column Name
Description
Config Version
File Type
Config Type

information.
VLANContains running vlan.dat configuration file information. This configuration type

does not contain Startup configuration file information.
Created On

Step 5
Click on the first configuration to compare and click Next.

The Select Second Configuration dialog box appears with the same information as the Select First
Configuration window.
Step 6
Click on the second configuration to compare it with first configuration and click Finish.
The Understanding the Config Diff Viewer Window appears.

OL-25941-01
6-35
Chapter 6
Compare Two Configuration Versions of Different Devices

You can compare two archived versions of a configuration of the same or different devices.
Note
To compare two versions of different devices:
Step 1

Step 2
Select Two Versions of Different Devices and click Compare.

The Select Device and Pattern dialog box appears.
Step 3
Field
Perform the following and click Next:

Description
Left Pane
Device Selector
Select the devices.

See Inventory Management with Cisco Prime LAN Management Solution 4.2 for information on how
to use the Device Selector.
Select Latest to view the most recent configuration or All to view all configuration versions.
Version
Right Pane
Pattern Details

1.
Enter patterns to search for, for example, http server. You can enter text patterns up to 64
characters.
To search for more than one pattern, enter the second and third patterns in the Pattern 2 and
Pattern 3 fields. You can specify ten different combinations of patterns as part of search criteria.
You cannot search for special characters or regular expressions, for example, Control-C, boot*.
You can search the device configuration file without the search pattern.
2.

pattern string or Match All to search for all pattern strings.
3.
Click Match Case to perform a case-sensitive search, which is more efficient when you know
the exact pattern you want to match. By default, Match Case is disabled.
6-36
OL-25941-01
Chapter 6

The Select First Configuration dialog box appears with the following information:
Column Name
Description
Device Name
Config Version
File Type
Config Type

information.
VLANContains running vlan.dat configuration file information. This configuration type

does not contain Startup configuration file information.
Created On

Step 4
Click on the first configuration to compare and click Next.

The Select Second Configuration dialog box appears with the same information as the Select First
Configuration window.
Step 5
Click on the second configuration to compare with first configuration and click Finish.

OL-25941-01
6-37
Chapter 6
Compare Base Config vs. Latest Configuration Version of Multiple Devices

You can compare and sync the base configuration of a device with the latest configuration version of
multiple devices. The base configuration can be Running, Startup, or User archives.
Note
To compare the base configuration with the latest configuration version of different devices:
Step 1

Step 2
Select Base Config vs. Latest Version of Multiple Devices and click Compare.
The Select a Base Device dialog box appears.
Step 3
Select a base device. See Inventory Management with Cisco Prime LAN Management Solution 4.2 for
Step 4
Click Next.
The Select Config Version of the Base Device to Compare dialog box appears.
Step 5
Step 6
Select the configuration version of the base device from the Config Version tree.
If you check Filter Same Device Category Devices, it displays devices that belong to the base
device category. These devices are displayed in the Select Other Devices to Compare page.
If you uncheck Filter Same Device Category Devices, it displays all devices that belong to other
device categories that are managed by LMS. These devices are displayed in the Select Other Devices
to Compare page.
Click Next.
The Select Other Devices to Compare dialog box appears.
Step 7
Select the devices to compare with the configuration of the base device.
You can select devices using the Device Selector. See Inventory Management with Cisco Prime LAN
Step 8
Click Next.
The Add Exclude Commands dialog box appears
Step 9
Do the following in the Add Exclude Commands dialog box:
6-38
OL-25941-01
Chapter 6

Field/Button
Description
Exclude Commands
Enter the exclude commands one in each line.

For example,
ip address.*,
end.*,
exec-timeout.*,
length.*,
ntp clock-period.*
The commands will be excluded while comparing configuration.

You can enter multiple commands separated by commas.
For more information, see Examples for Exclude Commands.
View Base Config
Click View Base Config to launch the Config Viewer window.
(Button)
See Understanding the Config Viewer Window for further information.

Step 10
Click Finish.
The Compare Config window appears, displaying the following details:
Field Name/Buttons
Description
Summary
Total No.of Device(s)

selected for comparison
Number of devices selected for comparision.
Number of Compliant
devices
Number of devices that comply with the base configuration.
Number of
Non-Compliant devices
Number of devices that do not comply with the base configuration.
Number of Excluded
devices
Number of devices excluded from comparision.
Base Device
Name of the base device.
Base Config Type
Configuration type of the base device.
Base Config Branch
Configuration branch version of the base device. For example, DeviceArchive.
Non-Compliant Devices
Device Name
Latest Version
Version of configuration file against which the compliance was checked.

Click on the version to display Config Viewer (see Understanding the Config Viewer Window).
This shows the contents of corresponding configuration file against which the compliance was
checked.
Diff
Differences between base configuration and the lastest configuration version of mutiple devices.
To view the difference between the base configuration and the latest configuration version of other
devices, click on the Diff icon. The Config Diff Viewer window appears. For more information,
see Understanding the Config Diff Viewer Window.

OL-25941-01
6-39
Chapter 6
Field Name/Buttons
Description
Excluded Devices
Device Name
Reason for Exclusion
Displays the cause for exclusion.
Buttons
Export
Exports the data to a file of PDF or CSV format.
(Icon)
Print
(Icon)
Step 11
Click Diff to view the differences between base configuration and the lastest configuration version of
multiple devices.
The Config Diff Viewer window appears. For more information, see Understanding the Config Diff
Viewer Window.
Step 12
Click Deploy to sync the base configuration with the latest configuration.
The Job Options Details pop-up window appears, displaying the following details:
Field
Description
Job Information
E-mail
Enter the e-mail address.
Retain new config additions in

<<config version>>
Check to retain new config additions in the configuration file.
Job Options
Job Password
Check to enable Job Password option
Login username
Enter the login username.
Password
Enter the login password.
Enable password
Submit
Click Submit to run the job.
(button)
Step 13
Enter the Job Information and Job Option details.
Step 14
Click Submit to run the job.
Examples for Exclude Commands
This section contains examples for exclude commands:
6-40
OL-25941-01
Chapter 6

Scenario
Command Type (Examples)
To exclude anything after IP Address
ip address .*
To exclude IP address range from 172.20.115.1 to ip address

255
172\\.20\\.115\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0
-9]?) 255.255.255.128
To exclude SNMP host that contain either inside
or outside characters
snmp host \\b(inside|outside) 10.77.203.176

community public
For more information, see the regex API guide for Java 1.4.2 from Oracle
http://download.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html for other patterns.
Understanding the Config Diff Viewer Window

The Configuration Version Compare report shows the differences between the two selected
configurations. You can access the Configuration Version Compare report by comparing device
configurations.
You can specify how you want to view the differences between the configurations by selecting one of
the options under Show:
Click Raw to view the differences between the two raw configurations.
Click Processed to view the differences with the commands ordered and grouped.
The color conventions that are used on Config Diff Viewer are:
BlackAll unchanged text.
RedLines that have changed from one version to another.
BlueLines that have been added or deleted from one of the versions.

OL-25941-01
6-41
Chapter 6
The Configuration Versions Compare report has three columns:

Column
Description
Configlets
You can click on any configlet to display the corresponding information. The available configlets
vary from device to device. The following are examples:
DiffsDisplays the differences between the two configuration files (if you selected more than
one).
AllThe entire contents of the configuration files.
Interface folderThe different interface configuration commands. For example, Interface

and Interface TokenRing.
Ethernet0
GlobalDisplays global configuration commands. For example no ip address.
Line con 0Displays configuration commands for line console 0.
IPDisplays IP configuration commands. For example, ip http server.
First configuration file
Contains the contents of the first configuration file.
Second configuration
file
Contains the contents of the second configuration file.
The buttons on the Config Diff Viewer are:

Button
Description
Export
Export the configuration file.
(Icon)
If you are using the Raw mode then the exported file format is cfg. The file name convention
is DeviceName-VersionNumber.cfg.
If you are using the Processed mode then the exported file format is XML. The file name
convention is DeviceName-VersionNumber.xml.
The default directory where Configuration Archive file is exported is:
On Windows server,
6-42
OL-25941-01
Chapter 6

Button
Description
Export (continue)
To export a file:
1.
Click on the icon.

2.

or
Browse to select a folder on the LMS server.
b. Click OK.
The Browse button takes you to the default directory. It does not allow you to change this
default export directory.
3.
Click OK.
If you have exported configuration in the Raw mode, the notification message displays, Config
file exported as
If you have exported configuration in the Processed mode, the notification message displays,
Config file exported as ExportedFolder\DeviceName-VersionNumber.XML
Where ExportedFolder is the location where configuration file is exported.
4.
Click OK.
This option is not available in the Config Diff Viewer page when you compare Base Config vs.
Latest Version of Different Devices.
Print
(Icon)
This option is not available in the Config Diff Viewer page when you compare Base Config vs.
Latest Version of Different Devices.

OL-25941-01
6-43
Chapter 6

You can browse the Configuration Archive jobs that are registered on the system. From the Archive
Management Jobs dialog box you can also retry, delete, stop jobs and view a job's details.
Retrying a Config Job
Stopping a Config Job
Deleting the Config Jobs
The Archive Management Jobs window displays the following information:

Column Name
Description
Job ID
Unique number assigned to the job when it is created.

For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x represents
the number of instances of the job. For example, 1001.3 indicates that this is the third instance of the
job ID 1001.
Click on the Job ID to view the Configuration Archive job details (see Viewing the Configuration
Archive Job Details).
Job Type
Type of the configuration job.
Sync ArchiveAppears if you had scheduled a Sync Archive job (Configuration >
Configuration Archive > Synchronization).
Get ConfigAppears if you had scheduled a configuration fetch job using the CLI command,
cwcli config get.
Put ConfigAppears if you had scheduled a configuration retrieve job using the CLI command,
cwcli config put.
Import ConfigAppears if you had scheduled a job that retrieved the configuration from a file
and if you had transferred it to the device using the CLI command, cwcli config import.
Write to Running ConfigAppears if you had scheduled a job that downloaded the differences
between the specified configuration file and the latest configuration version in the archive for the
specified device, using the CLI command, cwcli config write2run.
6-44
OL-25941-01
Chapter 6

Column Name
Job Type
Description
Write to Startup ConfigAppears if you had scheduled a job that erased the contents of the
device Startup configuration and if you wrote contents of a specified file as new Startup
configuration, using the CLI command, cwcli config write2start.
Copy Running Config to StartupAppears if you had scheduled a job that overwrote with the
Startup configuration of the device with the Running configuration, using the CLI command,
cwcli config run2start.
Copy Startup Config to RunningAppears if you had scheduled a job that merged the Startup
configuration with the Running configuration, using the CLI command, cwcli config
start2run.
Reload DeviceAppears if you had scheduled a job that rebooted the devices, using the CLI
command cwcli config reload.
Config Quick DeployAppears if you had created an immediate Configuration Quick Deploy
job, using the Config Viewer window.
Compliance CheckAppears if you had scheduled a Compliance Check job (Configuration >
Compliance > Compliance Templates > Compliance Check and click the Compliance Check
button).
Check Compliance and DeployAppears if you had scheduled a Compliance Check job with the
job option, Check compliance and deploy enabled (Configuration > Compliance > Compliance
Templates > Compliance Check and click the Compliance Check button).
Deploy Baseline templateAppears if you had scheduled a Baseline Template deploy job
(Configuration > Compliance > Compliance Templates > Direct Deploy and click the Deploy
button).
Deploy Compliance ResultsAppears if you had scheduled a Deploy job on the non-complaint
devices (Configuration > Compliance > Compliance Templates > Jobs and click the Deploy
button).
(Continue)
Status
Job states:
CancelledRunning job stopped by you.
FailedFailed job. Click on the Job ID to view the job details.

The number, within brackets, next to Failed status indicates the count of the devices that had failed
for that job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
RunningJob still running.
ScheduledJob scheduled to run.
RejectedJob rejected by an approver. Click on the Job ID to view the rejection details.
SuccessfulJob completed successfully
Waiting for ApprovalJob waiting for approval.
Description
Job description entered during job definition
Owner
User who created this job.
Scheduled at
Date and time at which the job is scheduled to run.
Completed at
Date and time at which job was completed.
Schedule Type
Run type of the job: Immediate, Once, 6 - hourly, 12 - hourly, Daily, Weekly, and Monthly.

OL-25941-01
6-45
Chapter 6
You can click on any column heading to sort information by that column. If you double-click on a
You can use the Filter button to do a quick search on the Configuration Archive jobs. You can perform
filters by using these options:
Filter Options
Description
Job ID

For periodic jobs such as Daily, Weekly, etc., the job IDs are in the number.x format. The x
represents the number of instances of the job.
For example, 1001.3 indicates that this is the third instance of the job ID 1001.
Job Type
Types of Configuration Archive jobs.

For example: Sync Archive, Write to Running Config.
Status
Status of the job.

For example: Successful, Failed.
Description
Job description.
Owner
Owner of the job.
Schedule Type
Job schedule Type.

For example: Immediate, Weekly.
Refresh
Click on this icon to refresh the Configuration Archive Job Browser.
(Icon)
You can perform the following tasks on this window:

You can retry only a failed job. You cannot retry a job that is scheduled to run periodically (Daily,
Weekly, and Monthly).
Note
To retry a job:
Step 1
Select Configuration > Job Browsers > Configuration Archive.

The Archive Management Jobs dialog box appears.
Step 2
Select a failed job and click Retry.

6-46
OL-25941-01
Chapter 6

Step 3

Based on your retry job selection, some of the options may not be visible.
For example, 6 - hourly and 12 -hourly Run Type options are visible only if you are retrying a Sync
Archive job. This is not visible for other types of Configuration Archive jobs.
Field
Description
Scheduling
Run Type
You can specify when you want to run the selected Retry job.
The subsequent instances of periodic jobs will run only after the earlier instance of the job is
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November 1
job has completed.
If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the
next job will start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) at which to schedule a job.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.

OL-25941-01
6-47
Chapter 6
Field
Description
Job Information
Approver Comments
Enter comments for the job approver.

This field appears only if you have enabled job approval for Configuration Archive.
Maker E-Mail

Job Password
password.
Or
E-mail
dialog box (Admin > System > System Preferences). When the job starts or completes, an
e-mail is sent with the LMS e-mail ID as the sender's address.
Step 4
Click Submit.
A message appears, Job resubmitted successfully.
Step 5
Click OK.

You can stop the following running job types (See Using Configuration Archive Job Browser for details
on the job types):
Put Config
Import Config
Write to Running Config
Write to Startup Config
Copy Startup Config to Running
Reload Device
6-48
OL-25941-01
Chapter 6

Note
Config Quick Deploy
Check Compliance and Deploy
Deploy Baseline template
Compliance check
To stop an Configuration Archive job:
Step 1

Step 2
Select a running job and click Stop.

A message appears, Selected job(s) will be stopped.
Step 3
Click OK.

You can delete jobs with status:
Cancelled
Failed
Scheduled
Rejected
Successful
Waiting for Approval
You cannot delete a running job.
Note
To delete jobs:
Step 1

Step 2
Select a running job and click Delete.

A message appears, Selected job(s) will be deleted.
Step 3
Click OK.

OL-25941-01
6-49
Chapter 6

From the Archive Management Jobs window, you can learn more about one job by viewing its details.
You can view these details by clicking the Job ID on the Config Job window.
Note
The Archive Management Job Details window contains the following information:
Page/Folder
Description
Execution Summary
Displays summary of completed job:
Execution SummaryInformation about the job status, start time and end time.
Device SummaryInformation about the job completion status on the devices you have
selected. For example, number of successful devices where the job is executed
successfully.
Click on Device Details folder and device status link and on the Device link to see the
complete job execution details.
Device Details
Execution Message (Pre-Execution and Post-Execution)Information about any e-mails

sent.
Contains detailed job results for each device. Displays status folders that correspond to
possible device status:
Successful DevicesDevices were successfully executed.
Failed DevicesDevices were not successfully executed.
Partially Failed DevicesJob partially failed to run on these devices.
Pending DevicesJob did not try to update devices, even though they were selected.
Not AttemptedJob did not attempt to run on these devices.
Click on Status to see the job details. Details include a record of the entire CLI session
between LMS and the device.
When the configuration fetch takes unusually long, this error message appears,
Unable to get results of job execution for device. Please retry the job
This could happen because of slow device response, Network latency, etc.
Work Order
Contains the Summary of the job definition such as,
Detailed information, such as owner, schedule type, and Job Approval state.
Policies configured for the job, such as E-mail Notification and Job Based Password.
Devices on which the job runs. Also, gives details about the commands.
For retried jobs, these job definitions are not updated. For such jobs the original job definitions
are retained.
6-50
OL-25941-01
Chapter 6

The buttons on the Job Details window are:
DeleteYou can delete jobs with the following Job Status:

Cancelled
Failed
Scheduled
Rejected
Successful
Waiting for Approval
You cannot delete a running job.
StopYou can stop the following running job types (See Using Configuration Archive Job Browser
for details on the job types):
Put Config
Import Config
Write to Running Config
Write to Startup Config
Copy Startup Config to Running
Reload Device
Config Quick Deploy
Check Compliance and Deploy
Deploy Baseline template
Compliance check

OL-25941-01
6-51
CH A P T E R
Using Baseline Templates to Check

Configuration Compliance
This chapter contains the following:
Baseline Template Management Window
Deploying a Baseline Template

Baselining refers to identifying a set of standardized policy based commands that you would want to
have on a set of devices. You can create a Baseline template containing a set of commands identified
through the baselining process. This template contains placeholders for device-specific values to be
substituted.
For example:
set vtp domain
[name] password [xxx]
set snmp community read-write
[Read write community string]
Where name, xxx and Read write community string are variables that are substituted with the values you
provide.
You can compare the Baseline template with the configuration of devices in the archive. You can also
generate a non-compliance configuration report and deploy this template onto the devices to make it
compliant. You can deploy a Baseline template to a group of devices by just scheduling one job.
When you add a new device of the same type to the network, you can use the existing Baseline template,
which consists of two parts, command and values. You can create configurations for any device of the
same type in the network by specifying the values for the variables in the Baseline template.

OL-25941-01
7-1
Chapter 7
Figure 7-1
Baseline Template Usage Flow Diagram
Sample Input file for Baseline Template
You can use the following input file for creating Baseline template:
<?xml version="1.0" encoding="UTF-8" ?>
- <ConfigTemplate Name="Banner1" DeviceFamily="268437899,268438038" Version="1">
- <Commandlet Name="Commands" ControlStmt="false" Parent="none" Submode="false"
Condition="false" Ordered="false">
- <CommandInfo CheckType="1">
<Command>banner motd "******************** WARNING *****************************
<NL>This is a private system and only authorized individuals are allowed!<NL>All
others will be prosecuted to the fullest extent of the law!
<NL>*************************************************************************"****
</Command>
</CommandInfo>
<ContextModeCommand />
<PreCondition />
</Commandlet>
</ConfigTemplate>
7-2
OL-25941-01
Chapter 7

Handling Multi-line Commands in Baseline
Multi-line commands should be separated with <NL> tag and should be in the same line within the
template.
You can use the following command to run the compliance check. This is considered as a single line
command:
Below is the command that the customer can use in the compliance check for this use case. Please note
this is a single line command.
+ banner motd "************************* WARNING **************************************
<NL>This is a private system and only authorized individuals are allowed!<NL>All others
will be prosecuted to the fullest extent of the law!
<NL>*************************************************************************"

The features of Baseline templates are:
You can use this Baseline template to compare with other device configurations and generate a
report that lists all the devices that are non-compliant with the Baseline template.
You can easily deploy the Baseline template to the same category of devices in the network.
You can schedule a compliance check job and deploy the Baseline template on the non-compliant
devices. This can be performed as a single job or as a separate job.
You can import or export a Baseline template. This template is stored in XML format.
Rules for Specifying Baseline Templates
The rules for specifying the Baseline templates are:
All the commands that are disallowed should begin with a -.
All commands that are mandatory should begin with a +.
All comment entries should begin with a #.
Commands that do not begin with (- or +) are considered as comments and ignored.
The command values can be a wildcard match.

+ ip address
[ip-address] [netmask]
+ ip address [#10\.76\.38\..*#]
[netmask]
+ ip address [#10\.72\..*\..*#]
[netmask]
To find a match for any octet in an IP address you must use \..*.
In the examples shown above, the command will apply for all the devices with the IP address starting
with 10.76.38.* [netmask] and 10.72.*.* [netmask].
The regular expressions must be enclosed with #.

For example:
snmp-server location
[#.*#]
This command will fail compliance check for snmp-server location loc1 loc2 loc3, because the
check will be performed only for one word after snmp-server location.

OL-25941-01
7-3
Chapter 7
To overcome this, you have to define the command as:

+ [# snmp-server location .*#]
Then the compliance check will be performed for all forms of snmp-server commands like
snmp-server location loc1 loc2.....n,etc.
Negation in Regular expressions :

Example 1: When there are multiple entries in the configuration files.
Let us say, the commands in the device configuration are:
logging name1
logging name2
logging name3
The command available in the template is:
+logging [#!name1#]
Based on the command in the template, the negation of name1 is done. This returns true as there are
other logging commands present with other names. So the template is compliant.
Example 2: When there is only one entry in the device configuration file.
Let us say, the command in the device configuration is:
logging name1
+logging [#!name1#]
Based on the command in the template, the negation of name1 is done. This returns False, as there
is no other command in the device configuration file with logging statement except logging name1.
So the template is non-compliant.
Example 3: When there are no logging commands in the device configuration files.
Let us say, the command in the device configuration is:
No logging commands
+ logging [# !name1 #]
Based on the command in the template, the negation of name1 is done. This returns False, as there
are no login commands. So the template is non-compliant.
The Baseline template uses java.util.regex engine for regular expressions. For more information, see
the regex API guide for Java 1.4.2 from Oracle:
http://download.oracle.com/javase/1.4.2/docs/api/java/util/regex/Pattern.html
Submode commands are provided only if the commands are to be compared inside a submode.
For example:
interface
[#Ethernet.*#]
+ no shutdown
The no shutdown command will apply to all Ethernet interfaces.
7-4
OL-25941-01
Chapter 7

Defining Commandsets
The commandsets are a set of one or more CLI commands. You can define a commandset while creating
a Baseline template in the Advanced mode.
The features of the commandsets are:
If the commands in commandset are in a submode (ip/interface) a submode command must be

specified for such a commandset.
Commandsets can have one or more child commandsets.
Child commandsets inherit parents submode command.
You can define commandsets that have to be checked before running the actual commands.
The features of the prerequisite commandsets are:
A commandset can have another commandset as its prerequisite.
A prerequisite commandset is used only for comparison and is not deployed onto the device.
A commandset is compared with the config only if its prerequisite condition is satisfied.
LMS evaluates the commandsets in different ways depending on whether you have defined the
commandset as Parent or Prerequisite.
For example, assume that you have defined two commandsets, commandset1 and commandset2:
Commandset defined as Prerequisite

commandset1 as the Prerequisite of commandset2. When LMS evaluates the Baseline template, it
evaluates commandset1 first, and commandset2 next.
If commandset1 does not contain submode and is not present in a device, then commandset2 is not
evaluated and the device is displayed in the excluded list in the compliance report.
If commandset1 contains submode and is not present in applicable submodes, then commandset2 is
not evaluated and the device is displayed in the excluded list in the compliance report.
Commandset defined as Parent

commandset1 as the Parent of commandset2. When LMS evaluates the Baseline template, it
evaluates commandset1 first, and commandset2 next.
If either of these commandsets are missing, the template is considered non-compliant.

To access the Baseline Template Management Window go to Configuration > Compliance >
Compliance Templates > Templates.
This window lists all the system-defined and user-defined Baseline templates. It also displays the
following details of the Baseline template:

OL-25941-01
7-5
Chapter 7
Column Name
Description
Name
Name of the Baseline template.

The following template examples are displayed, by default:
CISF_DHCP_SnoopingTemplate for Catalyst Integrated Security Feature
TemplateExample1Basic template with Regular expression
TemplateExample2Advanced template with Submode, Parent and child options
TemplateExample3Advanced template with prerequisite options
TemplateExample4Advanced template with ordered set options
VRFComplianceTemplate for VRF Compliance
Click the template name to view the command sets. For more information, see Command Sets.
Device Type
Type of device for which the defined Baseline template can be used.
Description
Description of the Baseline template.

If you have imported Baseline templates, the description given is Imported.
Created On
Displays the Baseline template creation date and time.

You can click on any column to sort the information by that column. If you double-click a heading, the
order is reversed.
This window contains the following buttons:
Button
Description
Edit
Edit a Baseline template.

This button is active only after you select a Baseline Template.
See Editing a Baseline Template for further details
Export
Export a Baseline template file.

See Exporting a Baseline Template for further details.
Delete
Delete a Baseline template.

See Deleting a Baseline Template for further details.
Create
Create a Baseline template.

See Creating a Baseline Template for further details.
Import
Import a Baseline template file.

See Importing a Baseline Template for further details.
7-6
OL-25941-01
Chapter 7

Command Sets
To view the template command sets:

Step 1
Go to Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates window appears, displaying the list of all the user-defined Baseline templates.
Step 2
Click the template name. For example, CISF_DHCP_Snooping.

The BaseLine Config Viewer window appears, displaying the command sets used in the template.
Table 7-1 provides information on the command sets used in the template examples.
Table 7-1
Command Sets
Template
Command Sets
CISF_DHCP_Snooping
Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset:

none Parent: none
+
TemplateExample1
dhcp
snooping
Name: Commands SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset:

none Parent: none
+
TemplateExample2
ip
snmp-server
community
[#.*#]
RW
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset : none

Parent: none
Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none
Parent: none policy-map V3PN-teleworker
Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none
Parent: parent class VOICE
+
TemplateExample3
priority 64
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none

Parent: none
Name: prereq SubMode: No isPrerequisite: Yes Ordered: No Prerequisite-Commandset: none
Parent: none
+
class-map
match-all
GOLD
Name: parent SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: prereq

Parent: none policy-map GSB_Policy
Name: child SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset: none
Parent: parent class GOLD
+
bandwidth percent 25

OL-25941-01
7-7
Chapter 7
Table 7-1
Command Sets
Template
Command Sets
TemplateExample4
Name: Global SubMode: No isPrerequisite: No Ordered: No Prerequisite-Commandset: none

Parent: none
Name: acceslist SubMode: No isPrerequisite: No Ordered: Yes Prerequisite-Commandset: none
Parent: none
VRFCompliance
access-list
101
deny
tcp
access-list
101
deny
tcp
access-list
101
permit
ip
10.77.209.0
any
gt
any
0.0.0.255
1023
host
any
10.1.1.1
eq
23
any
Name: Commands SubMode: Yes isPrerequisite: No Ordered: No Prerequisite-Commandset:

none Parent: none interface [#.*#]
+
ip
vrf
forwarding
[#red|green|blue#]
7-8
OL-25941-01
Chapter 7

Editing a Baseline Template

You can edit all Baseline template fields except for Template Name.
Note
To edit the Baseline templates:
Step 1
Select Configuration > Compliance > Compliance Templates > Templates.

The Baseline Templates dialog box appears.
Step 2
Select a Baseline template.
Step 3
Click Edit.
The Select Creation Mode dialog box appears. The mode that you have selected while creating the
Baseline template is retained. You cannot change this mode.
Step 4
You can provide a description in the Description text field.
You can select or deselect devices in the Device Type Selector listbox.
Click Next.
The Add Template Details dialog box appears.
Step 5
Select the commandset that you want to edit.
Step 6
Edit the required information.

See Creating an Advanced Baseline Template for more information on field descriptions for the fields
that appear in the Add Template Details dialog box.
Step 7
Click Finish.
A message appears, Template is modified. Do you wish to save the changes?
Step 8
Click OK.
A notification appears, Successfully updated the template BaselineTemplateName.
Step 9
Click OK to save changes.

OL-25941-01
7-9
Chapter 7
Exporting a Baseline Template

You can export a Baseline template. The exported file is in XML format.
The default path in the LMS Server to which the XML file is exported to is:
NMSROOT\files\rme\dcma\baselinetemplates (On Windows)
/var/adm/CSCOpx/files/rme/dcma/baselinetemplates (On Solaris and Soft Appliance)
Where, NMSROOT is the LMS installed directory.

You cannot change the default export path in the LMS Server. If you do so, an error message will be
displayed.
Note
To export a Baseline Template:
Step 1

Step 2
Select one or more Baseline templates and click Export.

The Export a Baseline Template dialog box appears.
Step 3
Click Browse.
Step 4
Select a folder.
Step 5
Click OK in the Server Side File Browser dialog box.
Step 6
Click OK.
A message appears, CMA0086: Selected Template(s) are successfully exported.
The naming convention followed for the baseline parameter file is Template Name.xml.
The file will be exported to the default location at the specified path in XML format.
7-10
OL-25941-01
Chapter 7

Deleting a Baseline Template

To delete a baseline template:
Note
Step 1
Step 2
Select one or more Baseline templates and click Delete.

A message appears, The selected Template will be permanently deleted.
You can delete only user-defined templates and not system-defined templates.
Step 3
Click OK.
A message appears, Successfully deleted the template.
Step 4
Click OK.
The selected Baseline Template is removed from the Baseline Templates window
Note
You cannot delete Example Templates.
Creating a Baseline Template

You can create a Baseline Template by:
Creating a Basic Baseline Template
Creating an Advanced Baseline Template
There are few example templates that are available. You can use these templates as a base to create new
templates.
Note
Creating a Basic Baseline Template - an Example
Creating an Advanced Baseline Template - an Example

OL-25941-01
7-11
Chapter 7
Creating a Basic Baseline Template

To create a Basic Baseline template:
Step 1

The Baseline Templates window appears.
Step 2
Click Create.
The Select Creation Mode dialog box appears.
Step 3
In the Template Details section, select Basic as the mode.
Step 4
Field
Description
Name

You can enter up to 254 alphanumeric characters (including underscores). Do not enter special
characters, including spaces and hyphens.
Description
Description for the Baseline template. You can enter up to 254 characters.
Device Type Selector
Device family to which you can apply this template.

Click the check box to select the device family.
Step 5
Click Next.
Step 6
Field
Enter the following in the Baseline Template page.

Description
Conditional Block
Check for compliance only Check this option if you want to run a compliance check based on any condition.
if the following condition is
satisfied.
Global
Select this option if you want to check the conditional commands in Global mode.
This option is activated only if Check for compliance only if the following condition is
satisfied is checked.
Submode
Select this option if you want to check the conditional commands in a specific submode.
If you select this option, the textbox next to this option is activated. Enter the command for the
required submode.
For example:
interface
[#Ethernet.*#]
This option is activated only if the Check for compliance only if the following condition is
satisfied option is checked.
7-12
OL-25941-01
Chapter 7

Field
Description
CLI Commands
Enter the conditional CLI commands in this text area.

This option is activated only if Check for compliance only if the following condition is
satisfied is checked.
Enter the Conditional CLI commands.
For example:
# Routers CLI Commands
+ set snmp community read-write
[read-write-community-name-string]
- set snmp community read-only public
Explanation:
The first line is considered as a comment as it does not begin with either + or -.
The second line is mandatory as it begins with +.
The third line is disallowed as it begins with -.
In the above example, read-write-community-name-string is a command value. The command

value should not contain spaces.
Compliance Block
Global
Select this option if you want to check the compliance commands in global mode.
Use the SubMode of above

condition
This option is activated only if the Conditional Block options, Check for compliance only if
the following condition is satisfied and the Submode options are selected.
The submode command entered in the submode textbox under the Conditional Block appears in
the submode textbox of Compliance Block. So, the submode command of the Conditional Block
is used by the Compliance Block.
You cannot edit the submode commands in the Compliance Block. However, you can edit the
submode commands in the Conditional Block, which in turn updates the submode commands in
the Compliance Block.
Submode
Select this option if you want to check the compliance commands in a specific submode.
If you select this option, the textbox next to this option is activated. Enter the command for the
required submode.
The compliance command will be checked for the submode that you enter.

OL-25941-01
7-13
Chapter 7
Field
Description
CLI Commands
Enter the Compliance CLI commands. This is a mandatory field.

For example, you can enter:
Routers CLI Commands
# this is the Compliance Block
Explanation:
The first line is considered as a comment as it does not begin with either + or -.
The second line is also considered as a comment as it begins with a #.
The third line is mandatory as it begins with +.
The fourth line is disallowed as it begins with -.
In the above example, read-write-community-name-string is a command value. The command

value should not contain spaces.
Order Sensitive
Select this option to make the system consider the order of the commands while performing a
compliance check.
In other words, the commands in the device config should appear in the same order as that of
the CLI commands definition order in the Command Set.
If you want to preview the changes to the template command details before the template is created,
click Preview. The changed template details are displayed in a window.
If you want to reset the changes click Reset.
If you want to know about the options and the functionality of Basic flow click Help.
You can perform a Compliance check without using the Conditional Block.
A message appears, Successfully created the template BaselineTemplateName.
Where BaselineTemplateName is the Template Name as given by you.
Step 7
Click OK.
The Baseline Templates window appears with the newly created Baseline template.
7-14
OL-25941-01
Chapter 7

Creating a Basic Baseline Template - an Example

You want to create a baseline template to check if all Ethernet interfaces that are up and running have
"10.77.*.*" IP Address configured with the subnet mask 255.255.255.128.
To perform this task, you must create a template that checks for the following compliances:
If there are interfaces that do not contain the shutdown command.

and
If all Ethernet interfaces are configured with IP address 10.77.*.* 255.255.255.128.
You can create a Basic Baseline Template by entering the condition check, as well as the compliance
check.
To create a Basic Baseline Template for the above scenario:
Step 1

The Baseline Templates window appears.
Step 2
Click Create.
Step 3
In the Template Details section, select Basic as the mode.
Step 4
Field
Description
Name
Enter NewBaseline
NewBaseline is the name of the new template.
Description
Enter the following description:

This is a Basic Baseline template that checks if all Ethernet interface are up and running and have
"10.77.*.*" IP address configured with the subnet mask 255.255.255.128

Step 5
Check the Routers checkbox to select all routers.

Click Next.
Step 6
Select Check for compliance only if the following condition is satisfied so that you can enter the
condition to be checked.
Step 7
Select Submode
The textbox next to Submode is activated.
Step 8
Enter the following command in the Submode textbox:

interface
Step 9
[#Ethernet.*#]
Enter the following Conditional CLI commands in the Conditional Block CLI command text area:
- shutdown
This command indicates that shutdown should not be present in the Ethernet interfaces.
Step 10
Go to Compliance Block
The Use the SubMode of above condition option is selected automatically.

OL-25941-01
7-15
Chapter 7
Enter the following CLI commands in the Compliance Block CLI command text area:
Step 11
ip address [#10.77.*.*#] 255.255.255.128
This command helps you to ascertain if the specified IP addresses are configured on the Ethernet
interfaces.
Click Finish
Step 12
A message appears, Successfully created the template NewBaseline.

Where NewBaseline is the Template Name as entered by you.
Click OK.
Step 13
The Baseline Templates window appears with the newly created Baseline template.
Creating an Advanced Baseline Template

To create an Advanced Baseline template:
Step 1

Click Create.
Step 2
The select Creation Mode dialog box appears.

Step 3
Select Advanced as the mode from the Template Details section.
Step 4
Field
Description
Name

You can enter up to 254 alphanumeric characters (including spaces). Do not enter any special
characters, including underscores and hyphens.
Description
Description for the Baseline template. You can enter up to 254 characters.
Device family for which you can apply this template.

Check the check box to select the device family.
Step 5
Click Next.
Step 6
Field

Description
Commandset Options
Name
Name of the commandset.

You can enter only alphanumeric characters up to 254 characters. Do not enter any special characters.
This includes spaces, underscores and hyphens.
7-16
OL-25941-01
Chapter 7

Field
Description
Parent
Enter the parent name for the commandset, if required. This is case sensitive.
You can also use this to logically group the commandsets.
For example: To work on ATM permanent virtual connections (PVCs) commands, you must first get into
the interface mode from the global mode and then run the PVC specific-commands.
Commandset 1: ATM
[#atm.*#]
interface
+
ip address
[ip-addr] [net-mask]
Commandset 2: PVC
[#pvc.*#]
+
encapsulation
abr
ubr
vbr-nrt
vbr-rt
protocol ip
exit
aal5
[encap-type]
[output-pcr1] [output-mcr]
[output-pcr2]
[output-pcr3] [output-scr] [output-mbs]
[peak-rate] [average-rate] [burst]
[proto-ip] [type]
Here, commandset 1 is the parent for commandset 2.

LMS evaluates the Baseline template, commandset1 is evaluated first and commandset2 is evaluated
next. If either of these commandsets is missing, the template is considered as non-compliant.
Prerequisite
Select the mandatory commandset name that you must enter before running the current commandset.
In the example (See Mark as Prerequisite row), if you had marked commandset 1 as the Prerequisite, you
can select commandset 1: IntCheck from the drop-down menu.
Before running the commandset 2, the commandset 1 is run. That is, commandset1 is evaluated first and
commandset2 is evaluated next.
If there is no commandset1 or if commandset1 failed, commandset2 is not evaluated and the devices will
be moved to excluded state. In this case, the template will be considered as non-compliant.

OL-25941-01
7-17
Chapter 7
Field
Description
Mark as
Prerequisite
1.
Select the checkbox to mark a particular commandset as a prerequisite.

For example,
Commandset 1: IntCheck
interface
[intname]
+ ip address
[#10\.76\.38\..*#] [net-mask]
(To find a match for any octet in an IP address you must use \..*.)
2.
Select the Mark as Prerequisite check box for the Commandset 1: IntCheck.
For example,
Commandset 2: IntDownload
interface
[intname]
+ no cdp enable
3.
Select the Prerequisite from the dropdown menu for the Commandset 2: IntDownload.
If a commandset has a Prerequisite commandset, you cannot select the Mark as Prerequisite check box
for that particular commandset.
That is, in the above example, you cannot select the checkbox Mark as Prerequisite for Commandset
2:IntDownload.
CLI Commands
Submode
Enter the command to get into interface mode from the global mode.
For example: interface [intname]
Here, interface is a command keyword and intname is command value. The command value should not
contain spaces.
You can also run the command for a set of interfaces.
For example: interface [#Ethernet.*#]
Here, the command will be executed on all the interfaces having Ethernet.
7-18
OL-25941-01
Chapter 7

Field
Description
Ordered Set
Select this option to make the system consider the order of the commands while performing compliance
check.
In other words, the commands in the device config should appear in the same order as that of the CLI
commands definition order in the Command Set.
See Behavior of Ordered Set for Access Lists for more details.
CLI Commands
Enter the CLI commands.

For example:
# Routers CLI Commands
Explanation:
The first line is considered as a comment as it begins with a #.
The second line is mandatory as it begins with +.
The third line is disallowed as it begins with -.
There should be a space between the commands and the - or +. If there is no space, the commands
are considered as comments and ignored.
In the above example, read-write-community-name-string is a command value. The command value
should not contain spaces.
If you want to add a new commandset to the template click Add. The CLI Commands window is
displayed with the default help comments. These help comments serve as guidelines to create
commandsets.
If you want to delete a Commandset from the Command set list, click Delete.
If you want to preview the changes to the Commandset details before finishing up the creation of
the template, click Preview. The changed Commandset details is displayed in a window.
If you click Save, for the first time, the following message appears,
Do you wish to create a new template?
Note
Step 7
If you click Save, for the second time, the following message appears,
Successfully updated the template BaselineTemplateName.
If the Commandsets consist of Prerequisite commandset then these commandsets appear in red
color in the Preview details.
If you want to reset the changes made to a Commandset, click Reset
Click OK.
A message appears,
Successfully created the template
BaselineTemplateName.
Where BaselineTemplateName is the name of the Baseline Template.

OL-25941-01
7-19
Chapter 7
Step 8
Click OK.
If you want to add one more commandset repeat this procedure from Step 4.
Step 9
Click Finish.
A message appears,
Do you wish to save the changes?
Step 10
Click OK.
A message appears,
Successfully created the template.
Step 11
Click OK.
The Baseline Configs window appears with all the available Baseline templates.
Creating an Advanced Baseline Template - an Example

This section consists of two examples:
Example 1
Example 2
Example 1
This is a procedure to create a Baseline template to disable CDP on an interface that belongs to a specific
subnet.
Step 1

Step 2
Click Create.
Step 3
Select Advanced and click Next.

The Create a Baseline dialog box appears.
Step 4
Field
User data
Template Name
DisablingCDP
You can enter up to 254 alphanumeric characters. Do not enter any special characters, except
underscores.
Device Type
Routers
Description
Baseline Template for DisablingCDP
Commandset Option
Name
PrerequisiteCheck.
You can enter up to 254 alphanumeric characters. Do not enter any special characters including spaces,
underscores and hyphens.
7-20
OL-25941-01
Chapter 7

Field
User data
Parent
Global
Prerequisite
Do not select any value.
Mark as
Prerequisite
Select the check box to mark the commandset as prerequisite.
CLI Commands
Submode
interface [intname]
Where, intname is a variable. The variables should not contain spaces.
Ordered Set
Select this so that the system orders commands while performing compliance check.
See, Behavior of Ordered Set for Access Lists for more details on the behavior of Ordered Set for
Access Lists.
CLI Commands
+ ip address
[#10\.76\.38\..*#] [netmask]
To find a match for any octet in an IP address you must use \.[0-9]{1,3}.
This checks for subnet mask with IP address starting from 10.76.38.*.
Step 5
Click Save.
A message appears to say that the template will be created.
Step 6
Click OK.
A message appears to say that the template is created.
Step 7
Click OK.
To add another commandset to the same Baseline template, Disabling-CDP, enter the following
information.
Field
User Data
Commandset Option
Name
DisableCDP.
You can enter up to 254 alphanumeric characters. Do not enter any special characters. This includes
spaces, underscores and hyphens.
Parent
Global
Prerequisite
Select the PrerequisiteCheck from the dropdown menu.
Mark as Prerequisite
Do not select the checkbox.
CLI Commands
Submode
interface [intname]
Ordered Set
Select this so that the system orders commands while performing compliance check.
CLI Commands
+ no cdp enable
This will disable the CDP in all the interfaces even if any one interface contains the subnet mask
starting with IP address 10.76.38.*.
Step 8
Click Save.
A message appears to say that the template is updated.

OL-25941-01
7-21
Chapter 7
Step 9
Click OK.
Step 10
Click Finish.
A message appears to say that the template will be saved.
Step 11
Click OK.
Step 12
Click OK.
The Baseline Configs window appears with the details of Disabling-CDP Baseline template.
Example 2
This is a procedure to create an Advanced Baseline Template to check the presence of the command "ip
address 10.77.209.8 255.255.255.224" in the Ethernet interfaces that have CDP disabled.
Step 1

Step 2
Click Create.
Step 3
Select Advanced and click Next.

The Create a Baseline dialog box appears.
Step 4
Field
User Data
Template Name
CheckIPTemplate
You can enter up to 254 alphanumeric characters. Do not enter any special characters except
underscores.
Device Type
Routers
Description
Baseline Template for Interface level check.
Commandset Option
Name
PrerequisiteCheck.
You can enter up to 254 alphanumeric characters. Do not enter any special characters including spaces,
underscores and hyphens.
Parent
Do not enter anything.
Prerequisite
Do not select any value.
Mark as
Prerequisite
Select the check box to mark the commandset as prerequisite.
CLI Commands
Submode
interface [#Ethernet.*#]
Ordered Set
CLI Commands
+ no cdp enable
7-22
OL-25941-01
Chapter 7

Step 5
Click Save.
A message appears to say that the template will be created.
Step 6
Click OK.
A message appears to say that the template is created.
Step 7
Click OK.
To add another commandset to the same Baseline template, CheckIPTemplate, enter the following
information.
Field
User data
Commandset Option
Name
IPCheck.
You can enter up to 254 alphanumeric characters. Do not enter any special characters including
spaces, underscores and hyphens.
Parent
PrerequisiteCheck
Prerequisite
Select the PrerequisiteCheck from the dropdown menu.
Mark as Prerequisite
CLI Commands
Submode
Do not enter anything
Ordered Set
CLI Commands
+ ipaddress
10.77.209.8 255.255.255.224
The above command will be deployed on the Ethernet interfaces that have CDP disabled.
Step 8
Click Save.
Step 9
Click OK.
Step 10
Click Finish.
A message appears to say that the template will be saved.
Step 11
Click OK.
Step 12
Click OK.
The Baseline Configs window appears with the details of CheckIPTemplate Baseline template.

OL-25941-01
7-23
Chapter 7
Behavior of Ordered Set for Access Lists

1.
Create a baseline template with few commands and ordered set option checked.
2.
Compare the configurations in the device with the baseline template, to check for Compliance
The commands available in the device is compared in the same order as available in the Baseline
template.
3.
If the commands found in the device are not compliant with the Baseline template, the same
configlet commands available in the device are negated first and then the commands available in the
Baseline template are deployed on the device.
This is the recommended behavior for Access lists. This behavior is also supported by the submodes.
Importing a Baseline Template

You can import a template as Baseline template. The imported file must be in XML format.
The default path in the LMS Server from which the XML file is imported is
NMSROOT\files\rme\dcma\baselinetemplates (On Windows)
/var/adm/CSCOpx/files/rme/dcma/baselinetemplates (On Solaris and Soft Appliance)

You cannot change the default import path in the LMS Server. If you do so, an error message will be
displayed.
To import a Baseline Template:
Note
Step 1
Step 2
Select a Baseline template and click Import.

The Import a Baseline Template dialog box appears.
Click Browse.
Step 3
Select the XML file.
Step 4
Click OK in the Server Side File Browser dialog box.
Step 5
Click OK.
A message appears, Template successfully imported.
Step 6
Click OK.
The imported file appears in the Baseline Templates window with the description, Imported baseline.
7-24
OL-25941-01
Chapter 7


To run a compliance check:
Step 1
Select Configuration > Compliance > Compliance Templates > Compliance Check.
Step 2
Select the template and click Compliance Check.

The Select Devices dialog box appears.
Step 3
Select either:
Device Selector, if you want to schedule a job for a static set of devices. See Inventory Management
with Cisco Prime LAN Management Solution 4.2 for information on how to use the Device Selector.
Or
Group Selector, if you want to schedule a job for a dynamic group of devices.
The job is scheduled only for the devices that are present in the selected group at the time when the
job is run. The customizable group selector for jobs evaluate static groups also as dynamic during
run time.
Step 4
Click Next.
The Schedule dialog box appears.
Step 5
Field

Description
Scheduling
Run Type
You can specify when you want to run the Baseline template compliance job.
complete.
completed.
If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the next job
will start only at 10:00 a.m. on November 3.
Date
You can select the date and time (hours and minutes) at which to schedule.
field.

OL-25941-01
7-25
Chapter 7
Field
Description
Job Info
Job Description
E-mail
Attachment
Check this option if you want the job notification mail to consist of attachments in either CSV or PDF
format.
Select either:
CSV if you want the attachment in CSV format.

Or
PDF if you want the attachment in PDF format. This is the default format.
The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.
If the Attachment option is disabled, go to Admin > System > System Preferences to change the
settings. For more information on configuring attachment settings as well as the maximum size of
attachments allowed in notification mails, see Administration Online Help.
Job Options
Check compliance
and deploy
Enable this to check the compliance of the archived file with that of the Baseline template and deploy
the commands if it is non-compliant. This option is not supported for Group selector.
Copy Running
Config to Startup
This option is active only if you select the Check compliance and deploy option.
Select to make the job write the Running configuration to the Startup configuration on each device
after configuration changes are made successfully.
Job Password
If you have enabled the Job Password option and disabled the User Configurable option in the
Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job Policies)
enter the device login user name and password and device Enable password.
If you have enabled the Enable Job Password option and enabled the User Configurable option
Policies) either:
Or
7-26
OL-25941-01
Chapter 7

Step 6
Click Next.
The Job Work Order window appears with the job details that you have selected.
Step 7
Click Finish.
Step 8
Click OK.
You can check the status of your scheduled job by selecting Configuration > Job Browsers >
Note
privileges to perform this compliance check task.
The compliance check job requires approval if you have enabled Job Approval during the compliance
check job scheduling.
For further details on the baseline template, see Understanding the Baseline Compliance Report.
Understanding the Baseline Compliance Report

The Baseline Compliance Report contains the following information:
Field Name
Description
Summary
Template Name
Name of the Baseline template entered at the time of creating the Baseline template.
Number of
Non-Compliant devices
Number of devices that are non-compliant.
Number of Compliant
devices
Number of devices that are compliant.
Number of Excluded
devices:
List of devices in which the job did not run. The jobs may have failed either because:
The device configuration was not archived.
Or
The device was not reachable.
Further details of the failed job are given in the Configuration > Job Browsers > Configuration
Archive (See Using Configuration Archive Job Browser).
Compliant Devices
Device Name
Latest Version

This shows the contents of the corresponding configuration file against which the compliance was
checked.

OL-25941-01
7-27
Chapter 7
Field Name
Description
Created On
Non-Compliant Devices
Device Name
Latest Version

This shows the contents of the corresponding configuration file against which the compliance was
checked.
Created On
Commands to Deploy
List the commands where the device configuration is non-compliant.
Excluded Devices
Device Name
Reason for Exclusion
Displays the cause for exclusion.

In addition, this report contains two buttons:
Button
Description
Export to File
Exports this report in either PDF or CSV format.
(Icon)
Print
(Icon)

When you add a new device of the same type to the network, you can use the existing Baseline template.
This template consists of two parts, command and values.
You can create configurations for any device of the same type in the network by specifying the values
for the variables in the Baseline template.
You can deploy Baseline template on the devices in two ways:
User Interface (See Deploying a Baseline Template Using User Interface for the procedure.)
File System (See Deploying a Baseline Template Using File System for the procedure.)
The deployment job requires approval if you have enabled Job Approval during the deployment job
scheduling.
7-28
OL-25941-01
Chapter 7

Deploying a Baseline Template Using User Interface

To deploy a Baseline template using User Interface:
Step 1
Select Configuration > Compliance > Compliance Templates > Direct Deploy.
Step 2
Select a Baseline template and click Deploy.

The Deploy Input Options dialog box appears.
Step 3
Select Enter Data From User Interface and click Next.

The Select Devices dialog box appears.
The device list contains only devices of the type devices selected while creating the Baseline Template.
For example, if you have selected Device Type as Router, only routers are listed.
Step 4
Select devices under the following tabs:
In the All tab,

Devices are grouped under All Applicable Devices and All Applicable Device Groups. All
Applicable Device Groups categorizes devices under Routers, Switches, and so on.
In the Search Results tab,

The results of simple search and advanced search are listed here.
In the Selection tab,

All the devices that are selected are listed and you can deselect the devices.
Step 5
Click Next.
The Commands Generation dialog box appears.
Step 6
Field Name
Description and Action
Device list
This pane lists the selected devices that you have selected in the Select Devices dialog box.
Select the device for which you want to deploy the Baseline template.
Edit
Select a device from the device drop-down list and click Edit to edit information for the device.
Save
Click Save to save the changes made for the selected device.
You can change the details for multiple devices in one go, by using the Save button.
Device
The selected device in the Device List pane is displayed in this text box.
Commandsets
The pane contains all the commandsets that are defined in the Baseline template.
Select a commandset.
While creating the Baseline template, if you have defined the multiple occurrences as the
commandset feature, after selecting that particular commandset, the Add Instance button is
activated.

OL-25941-01
7-29
Chapter 7
Field Name
Add Instance
This button is active only if you have selected a commandset with multiple occurrences.
The occurrences of a commandset are defined while creating the Baseline template.
When you click on the Add Instance button, one more instance of multiple commandset is added in
the Commandsets pane.
Enter the command value for that commandset in the Device Data pane.
Delete Instance
Use the Delete Instance button to delete the instance after selecting the instance from the
Commansets pane. You can select one or more instances and click on the Delete Instance button to
delete the instances.
You can delete the selected instances. The exception being that at least one instance of the
commandset is available.
Templates
The pane contains the CLI commands for the selected commandset.
You cannot modify the commands in this pane.
Device Data
The field displays the command values that you have defined in your Baseline template.
The command value is appended with a unique number.
Enter the command value.
For example: If your Baseline template contains this command:
Interface
[#Ethernet[.*]#]
+ no shutdown
Then, #Ethernet[.*]# is the command value.

The Device Data field names appear as:
#Ethernet.*[0]
If the commandset is a prerequisite commandset, you do not need to specify parameter values for
the Device data field as they are not deployed.
Step 7
Click Next.
The Job Schedule dialog box appears.
7-30
OL-25941-01
Chapter 7

Step 8
Field

Description
Scheduling
Run Type
You can specify when you want to run the Baseline template deploy job.
completed.
Date
field.
Job Info
Job Description
E-mail
box (Admin > System > System Preferences). When the job starts or completes, an e-mail is sent
with the LMS E-mail ID as the sender's address.
Job Options
Approver Comments Enter comments for the job approver.

Maker E-Mail


OL-25941-01
7-31
Chapter 7
Field
Description
Copy Running
Config to Startup
Select to cause the job to write the running configuration to the startup configuration on each device
after configuration changes are made successfully.
Job Password
If you have enabled the Enable Job Password option and disabled the User Configurable option
Policies) enter the device login user name and password and device Enable password.
If you have enabled the Enable Job Password option and enabled the User Configurable option in
the Job Policy dialog box (Admin > Network > Configuration Job Settings > Config Job
Policies) either:
Or
Step 9
Click Next.
The Work Order dialog box appears with job details that you have entered.
Step 10
Click Finish.
Step 11
Click OK.
You can check the status of your scheduled job using Configuration > Job Browsers > Configuration
Archive. The Job Type for this deploy job is Deploy Baseline template result.
Deploying a Baseline Template Using File System

You can deploy a Baseline template using the Baseline Parameter file.
The parameter file specifies the variable values for template deployment. To generate the parameter file:
Step 1
Step 2
Click the hyperlink of the required template. The Baseline Config Viewer popup appears.
Step 3
Click Generate Param File. A popup appears.
Step 4
Click Browse to specify the folder with the parameter file.
See Exporting a Baseline Template for further information.
7-32
OL-25941-01
Chapter 7

To deploy a Baseline template using File System:

Step 1
Select Configuration > Compliance > Compliance Templates > Direct Deploy.
Step 2
Select a Baseline template and click Deploy.

The Deploy Input Options dialog box appears.
Step 3
Select Enter Data From File System and click Next.

The Select Input File dialog box appears.
Step 4
Enter the folder name and the file name with the file format extension XML.
or
a.
Click Browse.
b.
Select the XML file.
c.
Click OK.
The Select Input File dialog box appears with the selected Baseline Parameter file.
Step 5
Click Next.
Step 6
Field

Description
Scheduling
Run Type
You can specify when you want to run the Baseline template deploy job.
WeeklyRuns weekly on the specified day of the week and at the

specified time.
MonthlyRuns monthly on the specified day of the month and at the

specified time.
The subsequent instances of periodic jobs will run only after the earlier
instance of the job is complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1,
the next instance of this job will run at 10:00 a.m. on November 2 only if the
earlier instance of the November 1 job has completed.
If the 10.00 a.m. November 1 job has not completed before 10:00 a.m.
November 2, the next job will start only at 10:00 a.m. on November 3.
Date
The Date field is enabled only if you have selected an option other than
Immediate in the Run Type field.

OL-25941-01
7-33
Chapter 7
Field
Description
Job Info
Job Description
Enter a description for the job. This is mandatory. You can enter only
alphanumeric characters.
E-mail
Enter e-mail addresses to which the job sends messages at the beginning and
at the end of the job.
Configure the SMTP server to send e-mails in the View / Edit System
Preferences dialog box (Admin > System > System Preferences).
We recommend that you configure the LMS E-mail ID in the View / Edit
System Preferences dialog box (Admin > System > System Preferences).
When the job starts or completes, an e-mail is sent with the LMS E-mail ID as
the sender's address.
7-34
OL-25941-01
Chapter 7

Field
Description
Job Options
Approver Comments

This field appears only if you have enabled job approval for Configuration
Archive.
Maker E-Mail

This field appears only if you have enabled job approval for Configuration
Archive.
Select to make the job write the Running configuration to the Startup
configuration on each device after configuration changes are made
successfully.
Job Password
If you have enabled the Enable Job Password option and disabled the User
Configurable option in the Job Policy dialog box (Admin > Network >
Configuration Job Settings > Config Job Policies) enter the device login
user name and password and device Enable password.
If you have enabled the Enable Job Password option and enabled the User
Configurable option in the Job Policy dialog box (Admin > Network >
Configuration Job Settings > Config Job Policies) either
Enter the device login user name and password and device Enable
password
Or
Disable the Job Password option in the Job Schedule and Options
dialog box.
Step 7
Click Next.
Step 8
Click Finish.
If you have specified incorrect filename/XML file format or if the hostname field is not updated, an error
message appears, Specified file could not be read. Please specify a valid file name.
See Exporting a Baseline Template for further information.
Check the XML file format or update the hostname field and restart this procedure from Step 2.
Step 9
Click OK.
Archive. The Job Type for this deploy job is Deploy Baseline template result.

OL-25941-01
7-35
Chapter 7

You can check the status of the Baseline jobs using Configuration > Compliance > Compliance
Templates > Jobs.
Deploying the Commands
Deleting the Compliance Jobs
This window contains the following information:

Field Name
Description
Job ID

For periodic jobs such as Daily, Weekly, the job IDs are in the number.x format. The x
represents the number of instances of the job. For example, 1001.3 indicates that this is the
third instance of the job ID 1001.
Description
Job description entered during job definition.
Compliant/Deployed
Devices
Displays the number of devices that are compliant out of the total number of devices that were
selected while creating the compliance job.
See Understanding the Baseline Compliance Report to view the Baseline Compliance Report..
Status
Status of the job. The status can be Successful, Failed, and Running.
The jobs may have failed either because:
The device configuration is not archived.
Or
The device is not reachable.
Further details of the failed job are given in the Configuration > Job Browsers >
You can also check the status of the Baseline job at Configuration > Job Browsers >
The Baseline Jobs window contains the following buttons:
Buttons
Description
Deploy
You can schedule a job to deploy the standard configuration on all non-compliant devices.
This button is active only after selecting a Job.
See Deploying the Commands.
Retry
You can reschedule a failed job using this button.

This button is active only on selecting a Failed job.
Reschedule the deployment job by providing the required information.
7-36
OL-25941-01
Chapter 7

Buttons
Description
Delete
You can delete the compliance jobs.

This button is active only after selecting a Compliance Jobs.
See Deleting the Compliance Jobs
Refresh
Click on this icon to refresh the Compliance Jobs Window.
(Icon)
For usecases and examples on Baseline Templates, refer to the Baseline Template Whitepaper
Deploying the Commands

You can deploy the commands on the devices that are non-complaint.
Before you use this Deploy button, you must run the Compliance Report,
If there are any non-complaint device, you must select the relevant compliance job and deploy the
baseline template.
If there are no non-complaint device and if you click on the Deploy button, a message appears,
Could not deploy selected Job.
Reason: No Non-Compliant devices present in the report.
Click on the Job ID to view the Baseline Compliance Report. See Understanding the Baseline
Compliance Report for further details.
Note
To deploy the commands:
Step 1
Select Configuration > Compliance > Compliance Templates > Jobs.

The Baseline Jobs dialog box appears.
Step 2
Select a Compliance Job.
Step 3
Click Deploy.
The Substitute Parameters for Devices dialog box appears.
Step 4
Perform the following:
Field Name
Device list
The list contains all the devices which are non-complaint.

Select a device.
Device
The selected device in the Device List pane appears in this text box.

OL-25941-01
7-37
Chapter 7
Field Name
Commandsets
The pane contains all the commandsets that are defined in the Baseline template.
In the Baseline template, if you have defined the multiple occurrences as the commandset
feature then based on the compliance check, the commandset will appear more than once.
Select a commandset.
Templates
The pane contains the CLI commands for the selected commandset.
You cannot modify the commands in this pane.
Device Data
The field displays the command values that you have defined in your Baseline template.
The command value is appended with a unique number.
Enter the command value.
For example: If your Baseline template contains this command:
+ ip address [#10\.76\.38\..*#] [netmask]
Then, #10\.76\.38\..*# and netmask are the command values.
The Device Data field names appear as:
#10\.76\.38\..*#[1000]
netmask[1000]
If you have more than one device to deploy then you have to repeat Step 4 for all the devices.
Step 5
Click Next.
Step 6
Field

Description
Scheduling
Run Type
You can specify when you want to run the deploy configuration job.
Date
You can select the date and time (hours and minutes) to schedule.
The Date field is enabled only if you have selected an option other than Immediate in the Run
Type field.
7-38
OL-25941-01
Chapter 7

Field
Description
Job Info
Job Description
E-mail
Attachment
Check this option if you want the job notification mail to consist of attachments in either CSV
or PDF format.
Either select:
CSV if you want the attachment in CSV format.

Or
PDF if you want the attachment in PDF format. This is the default format.
The CSV and PDF radio options will be enabled only if the Attachment checkbox is checked.
If the Attachment option is disabled, go to Admin > System > System Preferences to change
the settings. For more information on configuring attachment settings as well as the maximum
size of attachments allowed in notification mails, see Administration Online Help.
Job Options
Approver Comments

Maker E-Mail

Copy Running Config to

Startup
Select to make the job to write the Running configuration to the Startup configuration on each
Job Password
password.
Or
disable the Job Password option in the Job Schedule and Options dialog box.
Step 7
Click Next.

OL-25941-01
7-39
Chapter 7
Step 8
Click Finish.
Step 9
Click OK.
Archive. The Job Type for this deploy job is Deploy Baseline comparison result.
Deleting the Compliance Jobs

You can delete the job that have been completed or stopped. You cannot delete a running job.
Note
To delete Compliance jobs:
Step 1
Select Configuration > Compliance > Compliance Templates > Jobs.

The Compliance Jobs dialog box appears.
Step 2
Select a job and click Delete.

A message appears, The selected job will be deleted.
Step 3
Click OK.
The selected Compliance job is removed from the Compliance Jobs window.
You can also delete the compliance jobs from Configuration > Job Browsers > Configuration Archive
window (see Using Configuration Archive Job Browser)
7-40
OL-25941-01
CH A P T E R
Editing and Deploying Configurations Using

Config Editor
The Config Editor provides easy access to configuration files. Config Editor allows a network
administrator with the appropriate security privileges to edit a configuration file that exists in the
configuration archive.
The Configuration Management application stores the current and a user-specified number of previous
versions of the configuration files for all supported Cisco devices maintained in the Inventory. It
automatically tracks changes to configuration files and updates the database if a change is made.
You can open the configuration file, change it, and download it to the device.
To start Config Editor from the LMS desktop, select Configuration > Tools > Config Editor.
The Config Editor window appears.
To set user preferences in Config Editor, select Configuration > Tools > Config Editor > Edit
Mode Preference.
The User Preferences window appears.
Config Editor Tasks
Undoing All
Replacing All

OL-25941-01
8-1
Chapter 8
Config Editor Tasks
Overview: Syntax Checker
Selecting Configs
Scheduling a Job
Config Editor Tasks

Config Editor users can:
Open a configuration file version of a device for editing.
Open configuration file version based on search criteria.
Open an external configuration file.
Save modified configuration file in private work area on the server and open the saved file when
required.
Save a configuration file in a public location.
Send configuration file to syntax checker utility.
Deploy configuration files to the device.
Send configuration download jobs for approval.
View all download jobs and perform job management operations.
List out all the modified files, allow the user to select and download or close the configuration.
Compare configurations that they are editing with the original configuration file version and other
configuration versions of the selected device.
Open a baseline configuration stored in config archive.
8-2
OL-25941-01
Chapter 8


Config Editor allows you to edit and download configuration files to devices using a GUI instead of the
command line interface (CLI). Use Config Editor to edit individual device configurations within LMS
and then download them again to the device.
A copy of the updated configuration will automatically be stored in the Configuration Archive. See
Figure 8-1.
Figure 8-1
Config Editor Functional Flow
Configuration
archive
Device
Archive
User
Archive
Baseline
Template
External
Config
Deploy
Edit
Edit
Deploy
Credential Editing
Compare and
View Changes
UndoAll/ReplaceAll
Interface to Syntax
Checker
Private
Config
120644
Telnet
TFTP
SSH
RCP
HTTPS
Table 8-1 shows the tasks you can accomplish with the Config Editor option.
Table 8-1
Config Editor Tasks
Task
Description
Open a
configuration
file.
Open a configuration file for editing. You Select Configuration > Tools > Config Editor > Config
can open a configuration file in four
Editor.
ways:
Edit
configuration
files from the
archives.
Device and Version
Pattern Search
Baseline
External Location
Action
Edit a configuration file from the archive. Select Configuration > Tools > Config Editor > Config Editor
> Device and Version > Edit.

OL-25941-01
8-3
Chapter 8
Table 8-1
Config Editor Tasks (continued)
Task
Description
Edit a
configuration
file by pattern
Edit a configuration file by searching for Select Configuration > Tools > Config Editor > Config Editor
a pattern. A pattern can be any text string. > Pattern Search > Finish.
Action
Create a baseline configuration from the

Edit a
baseline template maintained in
configuration
file by baseline configuration archive.
template
Select Configuration > Tools > Config Editor > Config Editor
> Baseline > Finish.
Associate a device with the selected

Edit a
configuration file from an external
configuration
file by external location in the server.
location
Select Configuration > Tools > Config Editor > Config Editor
> External Location> Edit.
Print
configuration
files.
Remove
configuration
file from the
private area
Print a configuration file.
Remove a configuration file from the

private work area on the server.
Remove a configuration file from the

Remove a
public work area on the server.
configuration
from the public
work area
Save a
configuration
file in the
public work
area.
Save an edited configuration file in the

public work area on the server and
retrieve the saved file when required.
Save a
configuration
file in the
private work
area.
Save an edited configuration file in the

private work area on the server and
retrieve the saved file when required.
1.
Select Configuration > Tools > Config Editor > Config

Editor.
2.
Select the configuration file and click Edit.
3.
Select the Print icon at the top right corner.
1.
Select Configuration > Tools > Config Editor > Private

Configs.
2.
Select the configuration file and click Delete.
1.
Select Configuration > Tools > Config Editor > Public

Configs.
2.
Select the configuration file and click Delete.
1.

Configs.
2.
3.
Click Save.
1.

Configs.
2.
3.
Click Save.
To undo editing changes of a file in the private work area:

Undo editing or Undo editing or typing changes when
typing changes editing a file. You can undo editing
1. Select Configuration > Tools > Config Editor > Private
changes of files in private or public work
Configs.
areas.
2. Select the configuration file and click Edit.
3.
Click Undo All.
To undo editing changes of a file in the public work area:

1.

Configs.
2.
3.
Click Undo All.
8-4
OL-25941-01
Chapter 8

Table 8-1
Task
Description
Action
Find and
replace text
Find and replace all occurrences of the

text when editing a configuration file in
the Raw mode or find the text in a
particular configlet in the Processed
mode.
To find and replace text of a file in the private work area:

1.

Configs
2.
3.
Click Replace All.
To find and replace text of a file in the public work area:
Export
Configuration
File Changes
Close
Configuration
File
Exporting Changes of a Configuration

File to a PDF file.
Close a configuration file.
1.

Configs.
2.
3.
Click Replace All.
1.
Select Configuration > Tools > Config Editor > Config

Editor.
2.
3.
Select the Export icon at the top right corner.
To close a configuration file in the private work area:

1.

Configs.
2.
3.
Click Close.
To close a configuration file in the public work area:
Configure Job
Policies.
Configure a default policy for job

properties that applies to all future jobs.
1.

Configs.
2.
3.
Click Close.
Select Admin > Network > Configuration Job Settings >

Config Job Policies.
You can also specify whether the property

can be modified when the job is created.

OL-25941-01
8-5
Chapter 8
Table 8-1
Task
Description
Action
Set up the
default editing
mode.
Set up or change your default editing

preferences.
Select Configuration > Tools > Config Editor > Edit Mode
Preference.
Config Editor remembers your preferred

mode even across different invocations of
the application.
You can also change the mode when you
open a configuration file using the Device
and Version option.
However, Config Editor does not
remember this change across different
invocations of the application. Only the
changes made using the Admin function
are remembered.
View changes
View the changes made to the opened

configuration file. LMS compares the
edited file with the original version.
To view changes made to a configuration file in the private work

area:
1.
Select Configuration > Configuration > Config Editor >

Private Configs.
2.
3.
Click Tools.
4.
Select View Changes.
To view changes made to a configuration file in the public work

area:
1.

Configs.
2.
3.
Click Tools.
4.
Select View Changes.
8-6
OL-25941-01
Chapter 8

Table 8-1
Task
Description
Compare
versions of the
configuration
files.
Compare the edited files with any version To compare versions of configuration files in the private work
in the Configuration Archive.
area:
Action
1.

Configs.
2.
3.
Click Tools.
4.
Select Compare Config.
To compare versions of configuration files in the public work

area:
View list of
modified files.
View a list of files edited by all users in

private or public work areas.
1.

Configs.
2.
3.
Click Tools.
4.
To view a list of modified configuration files in private work

area, select Configuration > Tools > Config Editor >
Private Configs.
To view a list of modified configuration files in public work

area, select Configuration > Tools > Config Editor >
Public Configs.
Browse and
edit Config
Editor jobs.
Browse the Config Editor jobs that are

Select Configuration > Job Browsers > Config Editor > Edit.
registered on the system and edit them as
necessary.
View job
details.
Select Configuration > Job Browsers > Config Editor.

View detailed information about a
registered Config Editor job and perform
job management operations.
You can also edit a job from its detailed
view.
Deploy a
config
Define a deploy job. Defines jobs to

deploy configuration files to the device.
Select Configuration > Job Browsers > Config Editor >

Create.
Copy a job
Copy a job
Select Configuration > Job Browsers > Config Editor > Copy.
Delete a job
Delete a job
Select Configuration > Job Browsers > Config Editor >

Delete.
Stop a job
Stop a job
Select Configuration > Job Browsers > Config Editor > Stop.

OL-25941-01
8-7
Chapter 8
Table 8-1
Task
Description
Check the
configuration
file syntax.
Check the syntax of the configuration file To check the configuration syntax of a file in the private work
with an external syntax checker that is
area:
registered in CMIC Link registration.
1. Select Configuration > Tools > Config Editor > Private
Configs.
Action
2.
3.
Click Tools
4.
Click External Syntax Checker.
To check the configuration syntax of a file in the public work

area:
Update DCR
after deploy
Updates DCR after successfully

deploying credential commands. This is
applicable only for Telnet/SSH based
download.
1.

Configs.
2.
3.
Click Tools
4.
Click External Syntax Checker.
User configurable. An option is provided in the job creation

flow.
You can use this feature to set up your editing preferences. Config Editor remembers your preferred
mode, even across different invocations of the application.
You can change the mode using the Device and Version, Pattern Search, Baseline or External
Configuration option but the changes do not affect the default settings.
To set up preferences:
Step 1
Select Configuration > Tools > Config Editor > Edit Mode Preference.
The User Preferences dialog box appears.
Step 2
Set the default edit mode:
Select Processed to display the file in the Processed mode.

The configuration file appears at the configlet level (a set of related configuration commands). The
default edit mode is Processed.
Select Raw to display the file in the Raw mode.

The entire file appears as shown in the device.
Step 3
Click Apply to apply the specified preferences.
8-8
OL-25941-01
Chapter 8


The Editor is a core component in Config Editor. It acts as the interface to open a configuration file,
make a local copy, save the changed configuration and commit the changes back to the original location.
You can edit a file by:
Selecting the device and the version of the configuration file
Searching for a pattern
Selecting a baseline configuration file
Selecting a configuration file stored in an external location
You can edit a previously opened file, that is, a file from your private area or public work area.
You can edit the files in either the Raw or Processed mode.
Raw modeThe entire file is displayed. After you open a file in a specific mode, you can view it
only in that mode.
Processed modeOnly the file commands are displayed at the configlet (set of related configuration
commands) level.

You can use the editor to:
Edit and save changes to the configuration file in public or private work area.
Undo editing or typing changes
Replace a string in opened configuration files
Compare configuration files with the same device configuration
View changes made in the configuration file
Run Syntax Checker
Processed Mode
Raw Mode
Editing Configuration Files by Handling Interactive Commands in Config Editor Jobs
Modifying Credentials
The Editor window opens in Raw or Processed mode, based on your preference.
To launch the Editor:
Step 1
Select Configuration > Tools > Config Editor > Config Editor.
Step 2
Open a configuration file using any of the following methods:
Using the selection criteria. See Overview: Opening a Configuration File
Using Private Configs
Using Public Configs

OL-25941-01
8-9
Chapter 8
Using Private Configs

a.
Select Configuration > Tools > Config Editor > Private Configs to open a configuration file
stored in a private work area.
The List of Private Configs window appears.
LMS converts the character : in the IPv6 address to %03A. The Archive Name field in the List
of Private Configs window might not display the actual IPv6 address.
b.
Select the configuration and click Edit.
Using Public Configs

a.
Select Configuration > Tools > Config Editor > Public Configs to open a configuration file stored
in public work area.
The User Archived Configs window appears.
LMS converts the character : in the IPv6 address to %03A. The Name field in the User Archived
Configs window might not display the actual IPv6 address.
b.
Select the configuration and click Edit.
Step 3
Edit the credential commands in the Raw or Processed mode. See Processed Mode and Raw Mode.
Step 4
Save to save changes to the configuration file. See Saving a Configuration File.
Save As to save changes to the configuration file in a specified location.
Undo All to undo editing or typing changes. See Undoing All.
Replace All to replace a string in the opened configuration files. See Replacing All.
Deploy to deploy a configuration file to a device.
Tools... to launch the Config Editor tools. See Selecting Configuration Tools.
Close to close the Config Editor window. See Closing a Configuration File.
Processed Mode
The configuration file appears at the configlet level (a set of related configuration commands). The
default is Processed.
In the Processed mode, Editor window is divided into two panes.
The left pane displays the configuration tree according to the grouping of configlets.
The right pane displays the commands of configlets in two sections:

The lower section, called the credential area contains all the credential commands with the
credentials masked. Click on the encrypted link to modify credentials.

The upper section, called the non-credential area contains only non-credential commands. The
non-credential commands are editable.
8-10
OL-25941-01
Chapter 8

Raw Mode
The entire file appears as shown in the device. After you open a file in a specific mode, you can view it
only in that mode.
In Raw mode there are two sections for the entire configuration.
Note
The upper section, called the non-credential area contains only non-credential commands. The
non-credential commands are editable.
The lower section contains all the credential commands with the credentials masked. The credential
commands can be edited.
Do not delete or edit the placeholder that describes the credential position. If you do so, the file generates
errors.
Editing Configuration Files by Handling Interactive Commands in Config Editor

Jobs
An interactive command is the input you will have to enter, after a command runs.
For example, in the case of Catalyst 5000 series devices, intereactive command would be:
set vtp v2 enable
This command enables version 2 of VTP on the device. This command is an interactive command and
requires user intervention after running the command.
You can download this command through ConfigEditor using:
#INTERACTIVE
set vtp v2 enable<R>y
#ENDS_INTERACTIVE
Such commands can be included in config jobs run using a Config Editor. You can handle interactive
commands by editing configuration files.
To edit configuration files using interactive commands:
Step 1
Select Configuration > Tools > Config Editor > Private Configs to open a configuration file stored in
a private work area.
Or
Select Configuration > Tools > Config Editor > Public Configs to open a configuration file stored in
public work area.
The Public Configs window appears.
You can also perform any of the editor operations by opening a configuration file for editing based on
Device and Version, Pattern Search, Baseline and External Location.
For more details see, Overview: Opening a Configuration File.
Step 2
Click Edit.
The Editor window appears.

OL-25941-01
8-11
Chapter 8
Step 3
Enter an interactive command in the configuration file, in the upper section that contains only
non-credential commands using the following syntax:
#INTERACTIVE
command1<R>response1<R>response2
command2<R>response1<R>response2<R>response3
command3<R>response1
command4<R>response1<R>response2
#ENDS_INTERACTIVE
<R>
Step 4
tag is case-sensitive and this must be entered in uppercase only.
Enter modification comments in the Change Description field.
Modifying Credentials
You can use this feature to modify or delete the credentials of a configuration file.To do this:
Step 1
private work area.
Or
public work area.
You can also perform any of the editor operations by opening a configuration file for editing by Device
and Version, Pattern Search, Baseline and External Location.
Step 2
Click Edit.
Step 3
Click the masked credential link in the With Credentials pane. (The masked credential appears as
multiple *s.)
The Modify Credentials dialog box appears.
Step 4
Enter the information required to modify credentials.

Field
Description
Modify
Modifies credentials of the selected configlets.
Delete
Deletes the existing credentials of the selected configlets.
Modify Mode
Old Credential
Old credential appears in clear text in a non-editable text box.
8-12
OL-25941-01
Chapter 8

Step 5
Field
Description
New Credential
Enter the new password of the selected configlets. This field

is editable when you select the Modify option.
Confirm Credential
Enter the new password of the selected configlets again to

confirm the new value. This field is editable when you select
the Modify option.
Click Submit to record changes.

The changes are reflected in the Editor window.
Step 6
Enter modification comments in the Change Description field.

You can use this feature to remove configuration files from a private work area or a public work area
using Config Editor.
To remove a configuration file stored in the private work area:
Step 1
Select Configuration > Tools > Config Editor > Private Configs.
Step 2
Select the configuration files that need to be removed.
Step 3
Click Delete.
To remove a configuration file stored in the public work area or the user archive:
Step 1
Select Configuration > Tools > Config Editor > Public Configs.
Step 2
Select the configuration files that need to be removed.
Step 3
Click Delete.
Device and Version, Pattern Search, Baseline and External Location. For more details see, Overview:
Opening a Configuration File.

OL-25941-01
8-13
Chapter 8

You can use this feature to save your changes to the configuration file. The changes can be saved in either
a private area or a public area. You can open the file later to modify it or to deploy it to the device.
To save a configuration file:
Step 1
Or
a public work area.
Step 2

Step 3
Click Save.
The Save Config dialog box appears, only if you are saving the configuration file for the first time. The
subsequent saving of a file is done directly to its previously saved location.
Step 4
Field
Enter the information required to save a configuration file.

Description
Saves the files in the
public area.
Saves the files in the
private area.
Public
Private
Usage Notes
None.
When a configuration from a list of private configs is opened and saved in
the public area (user archive) with the same name as the private
configuration, the private configuration with that name gets deleted.
However, the reverse is not true. That is when a config is opened from the
public area (user archive) and saved in the private area, the public
configuration is not deleted.
Branch Name
Step 5
Name of branch.
Private area to where configuration files are stored locally.
Click either:
Submit to save the configuration file.

Or
Cancel to return to the previous setting.
After the configuration file opened from the Device Archive is saved to the private or public archive, all
the subsequent operations (compare, show changes) behave as if the configuration is opened from a
private or public location.
8-14
OL-25941-01
Chapter 8

Undoing All
Undoing All
You can use this feature to undo editing or typing changes. To do this:
Step 1
Or
a public work area.
Step 2

Step 3
Edit the configuration file.
Step 4
Click Undo All.

A message window appears with the message:
Do you want to discard all the changes?
Step 5
Click either:
OK to return to the last saved configuration file.

Or
Cancel to avoid making any changes.
Replacing All
You can use this feature to search for and replace text in the file. To do this:
Step 1
Or
a public work area.

OL-25941-01
8-15
Chapter 8
Step 2

Step 3
Click Replace All.

The Replace All dialog box appears.
Step 4
Enter the text to search for in the Find field.
Step 5
Enter the replacement text in the Replace With field.
Step 6
Click either:
Replace All to replace all instances of the text in the text area.
Or
Cancel to avoid making any changes.

You can use this feature to print the configuration file. To do this:
Step 1
Or
a public work area.
Step 2

Step 3
Select the Print icon at the top right corner.

A new browser window appears. The details are in PDF format. You can print the information, using the
Print option provided by the browser.
8-16
OL-25941-01
Chapter 8


You can use this feature to export the modified configuration file to either cfg or XML formats based on
the edit operation. To do this:
Step 1
Or
a public work area.
Step 2

Step 3
Select the Export icon at the top right corner.

A new browser window appears to select the directory to which the modified Configfile is exported
either in cfg or XML formats.
If you are using the Raw mode then the exported file format is cfg. The file name convention is
DeviceName-VersionNumber-raw.cfg.
If you are using the Processed mode then the exported file format is XML. The file name convention
is DeviceName-VersionNumber-proc.xml.
The default directory where the modified Configuration file is exported is:
/var/adm/CSCOpx/files/rme/cfgedit/configexport
On Windows server,
NMSROOT\files\rme\cfgedit\configexport

OL-25941-01
8-17
Chapter 8

You can use this feature to deploy a configuration file to a device.
To deploy a configuration file:
Step 1
Or
a public work area.
Step 2
Select the configuration file and click Deploy.

The Job Option Details dialog box appears.
Step 3
Field

Description
Job Information
E-mail
Job Options
Job Password
password.
or
8-18
OL-25941-01
Chapter 8

Field
Description
Deploy Mode
Overwrite
Select the Overwrite option, if you want to replace the existing running configuration on the
device, with the selected configuration.
The configuration that you have selected is compared with the latest running configuration in the
Configuration Archive. (LMS assumes that the latest running configuration in the archive is the
same as the configuration currently running on the device.)
The Overwrite mode ensures that the running configuration on the device is overwritten with the
selected configuration. This means, after the configuration is successfully deployed, the selected
configuration and the running configuration on the device are the same.
Overwrite mode supports Write2Run of the configuration only.
Merge
Select the Merge option, if you want to add incremental configuration to the device.
The configuration that you have selected is deployed on to the device as is. This means, the
existing running configuration of the device is updated incrementally with the commands in the
selected configuration.
The selected running configuration is not compared with the running configuration in the
We recommend that you use this option on newly deployed devices. This is because, the Merge
option effectively deploys the entire configuration from the archive, on to the device.
Merge mode supports both Write2Run and Write2Start of the configuration.
Step 4
Click Submit.
An immediate Deploy of Configuration on Device job will be scheduled.
Step 5
Click OK.
You can check the status of your scheduled Config Editor Deploy job by selecting Configuration > Job
Browsers > Config Editor.
Configurations edited from Raw mode (.RAW) can be downloaded to both Startup or Running
configuration of the device.
Configurations edited from Processed mode (.PROC) can only be downloaded to the Running

OL-25941-01
8-19
Chapter 8

You can use this feature to close the configuration file without exiting the application. If the file contains
unsaved changes, you are prompted to save before closing.
To close the configuration file:
Step 1
Or
a public work area.
Step 2

Step 3
Click Close.
If the file contains any unsaved changes, a message window appears with the message:
You have done some changes since last save. Do you want to the save the changes?
Step 4
Click either:
OK to save the configuration file in a private area.

Your changes are saved.
Or
Cancel to ignore your changes.

You can use this feature to choose a configuration tool from the list of configuration tools. The list of
configuration tools available are as follows:
8-20
OL-25941-01
Chapter 8

To select a configuration tool:

Step 1
Or
a public work area.
Step 2

Step 3
Click Tools.
The Select Tool dialog box appears with the following tools:
Option
Description
Compare Config
Compares the current file with any earlier version in the configuration
archive.
View Changes
Displays the changes made in the opened file.
External Syntax Checker
1.
Select this option to check the configuration file using an external

syntax checker that is registered with Cisco Management Integration
Center (CMIC).
2.
Click Submit.
Config Editor launches the URL, displaying the configuration
commands and sysobject ID of the device as input to the external
syntax checker.
Step 4
Select a tool.
Step 5
Click either:
3.
View the output displayed by the external syntax checker.
4.
Modify the commands in Config Editor.
Submit to launch the tool.
Or
Cancel to close the window.

OL-25941-01
8-21
Chapter 8

You can use this feature to compare the current file with any earlier version in the configuration archive.
The Compare option is enabled only if a file is open.
To compare versions of configuration files:
Step 1
Or
a public work area.
Step 2

Step 3
Click Tools.
The Select Tool dialog box appears.
Step 4
Step 5
Click either:
Submit to view the Version Selector dialog box and proceed to the next step.
Or
Step 6
Cancel to close the window without making any changes.
Select a version with which you want to compare the current open file, from the list of other versions.
The Configuration Compare Report appears.
Step 7
Select the View mode.
Step 8
Click Processed to display files in Processed mode. This is the default option.
Files appear at the configlet level (a set of related configuration commands).
Step 9
Click Raw to display the files in Raw mode.

The entire file appears.
If you want to print the report, click Print.
You can select Diff only option to view the differences, or All to view the entire configurations and
compare the differences.
8-22
OL-25941-01
Chapter 8


You can use this feature to display the changes made in the opened file. The text file in archive is
compared with the opened version.
The View Changes option is enabled only if a file is open
To display the changes in the open file:
Step 1
Or
a public work area.
Step 2

Step 3
Click Tools.
The Select Tool dialog box appears.
Step 4
Select View Changes option.
Step 5
Click either:
Submit to view the differences in a new window.
Or
Cancel to close the window without making any changes.

Config Editor provides ways to check the syntax of config commands using syntax checker. Config
Editor checks syntax using the Interface to External Syntax Checker.
Interface to External Syntax Checker

The external syntax checker has to be registered with Cisco Management Integration Center (CMIC)
using Link Registration.
For details see, Registering an External Syntax Checker Application With CMIC. Config Editor queries
CMIC to check if the application is registered with the name Config Syntax Checker.

OL-25941-01
8-23
Chapter 8
If the application is registered, Config Editor knows the External Syntax Checker URL to be launched
and parameters to be passed to the syntax checker.
Config Editor launches the URL with two parameters, deviceSysObjID and cfgCmds:
deviceSysObjIDsysObjectID of the device. External Syntax Checker uses deviceSysObjID to

identify the device type.
cfgCmdsList of commands for which the syntax has been checked.
ConfigEditor launches the External Syntax Checker URL in POST method. When the URL is launched
you can view the configuration commands for which the syntax has been checked.
To validate the results and correct the commands in Config Editor:
Step 1
Step 2
Select Device and Version in the Selection Area page.
Step 3
Click Go.
The Device and Version dialog box appears.
Step 4
Select the required device using Device Selector.
Step 5
Select the information required to open a configuration file.
Field
Description
Version
Latest
Select the latest version of the configuration file.
Earlier
Select an earlier version of the configuration file.
Version Number
Version number of the configuration file. This option is enabled when you
select Earlier in the version field.
This field is not editable.
To enter the version number:
1.
Click Select to open the Version Tree dialog box.
2.
Select the desired version.
3.
Either:
Click OK to select the version
Or
Click Cancel to close the window.
Step 6
Click Edit to edit a configuration file

The Configuration Editor dialog box appears.
Step 7
Click Tools.
The Select Tool dialog box appears with the tools.
8-24
OL-25941-01
Chapter 8

Step 8
Select External Syntax Checker.
Step 9
Click Submit to launch the tool.

Config Editor launches the External Syntax Checker URL.
Registering an External Syntax Checker Application With CMIC

To register an external syntax checker application with CMIC (Cisco Management Integration Center):
Step 1
Select Link Registration.

The Registered Links window appears.
Step 2
Click Registration in the Links Registrations Status page.

The Enter Link Attributes window appears.
Step 3
Enter the inputs for the following fields:

Field
User Notes
Name
Enter Config Syntax Checker.
URL
Enter the External Syntax Checker URL.
Display Location
Select Third Party.
The Registered Links window appears with the list of registered links.

You can use this feature to display a list of configuration files modified by any user in a private work
area (select Private Configs) or a public work area (select Public Configs).
To list out all the modified files:
Step 1
Or
a public work area.
You can also perform any of the editor operations by opening a configuration file for editing by Device
and Version, Pattern Search, Baseline and External Location.

OL-25941-01
8-25
Chapter 8
Step 2
Select the file and click Edit to edit an opened configuration file.
The Configuration Editor dialog box appears.
Select the file and click Deploy to deploy a job.

The Select Configs dialog box appears.
Select the file and click Delete to remove an opened configuration file.
The screen is refreshed and the file is removed.
You can open a raw config in processed format. However, you cannot open a processed config in raw
format.

You can use this feature to open a configuration file for editing.
You can open a configuration file by:
Device and VersionOpens a configuration file from the archive.
Pattern SearchOpens a configuration file by searching for a pattern.
BaselineOpens a configuration file using a baseline template stored in the device configuration
management repository.
External LocationOpens a configuration file stored in an external location
If another user has opened the configuration file, config editor opens another copy of the file.
To open a configuration file:
Step 1
Step 2
Select an option in the Selection Area page.
Step 3
Click Go.
The Option dialog box opens in a new window.

You can use this feature to open a configuration file from the archive. The file opens in read-write mode
depending on your edit permissions.
The file appears in either the Raw or Processed mode, based on your preferences.
To open a configuration file from the archive:
Step 1
Step 2
Select Device and Version in the Selection Area page.
8-26
OL-25941-01
Chapter 8

Step 3
Click Go.
The Device and Version dialog box appears.
Step 4
Select the required device using the Device Selector.
Step 5
Select the information required to open a configuration file.

Field
Description
Version
Latest
Select the latest version of the configuration file.
Other
Select an earlier version of the configuration file.
Version Number
Version number of the configuration file. This option is enabled

when you select Other in the version field.
This field is not editable.
To enter the version number:
1.
Click Select to open the Version Tree dialog box.
2.
Select the version you need.
3.
Either:
Click OK to select the version
Or
Click Cancel to close the window.
Format
Step 6
Raw
Displays the entire configuration file. After you open a file in

a specific mode, you can view it only in that mode.
Processed
Displays only the commands.
Click either:
Edit to edit a configuration file

The configuration editor dialog box appears.
Or
Reset to clear all fields and get to the default setting.

You can use this feature to open a configuration file by
Selecting a label set in Config Archive
Selecting a custom query of default patterns
Searching for a pattern.

OL-25941-01
8-27
Chapter 8
A pattern can be any text string. The file is displayed in either the Raw or Processed mode, based on
your preferences.
To open a configuration file:
Step 1
Step 2
Select Pattern Search in the Selection Area page.
Step 3
Click Go.
The Pattern Search dialog box appears.
Step 4
Open a configuration file by selecting a label set in Config Archive. See Configuring Labels for
more information.
Open a configuration file by selecting a custom query of default pattern
Open a configuration file by searching for a pattern
Open a configuration file by selecting a label set in Config Archive. See Configuring Labels for more
information.
a.
Select Label to enable the Select a Config Label drop-down list box
b.
Select the required label from the Select a Config Label drop-down list box
If you select a label and some devices from the Device Selector, and click Search, the search results
will only be for the devices that are part of the selected label.
Open a configuration file by selecting a custom query of default pattern

Select the required Custom Query from the Select Custom Query drop-down list box. To create a
custom query, select Configuration > Configuration Archive > Views > Custom Queries.
Open a configuration file by searching for a pattern
a.
Enter a pattern in the editable Pattern Column. For example, http server.
To search for more than one pattern, enter the second and third patterns in the Pattern 2 and Pattern
3 fields and so on. You cannot search for special characters. For example, control-C.
Step 5
b.
Click the corresponding Contains/Does not contain row to view the selection drop-down list box.
c.
Select Include if you wish to search for configurations that match the patterns you entered and select
Exclude if you wish to search for configurations that do not match the patterns you entered. Select
the required devices using the Device Selector.
Select the required options:

Field
Description
Setting
Match Any
Searches for configurations that have at least one of the patterns you entered.
Match All
Searches for configurations that include all patterns you entered.
Match Case
Searches for configurations that are identical to the pattern entered.
Search Versions
Latest
Searches in the latest version of the configuration file
All
Searches in all the versions of the configuration file
8-28
OL-25941-01
Chapter 8

Step 6
Click Search.
The Search Archive Result window appears in the Pattern Search Results page with the search results.
The columns in this window are:
Step 7
Column
Description
Device Name
Name of the device
Version
Version of the configuration file
Created On
Date on which the configuration file was created
Change Description
Modification comments
Edit to open the selected configuration file in a pop up window for editing. The search result page
will be retained. You can select another configuration from the search result page and open that file
too for editing.
Back to return to the Pattern Search page.
Finish to complete the search.
Cancel to return to the Selection Criteria page.

You can use this feature to open a baseline configuration template maintained in the configuration
archive. You can create a baseline configuration from the baseline template by replacing all the variables
that appear in the configuration.
Config Editor does not check whether you have changed the template variables.
Note
The baseline template will be opened only in Raw format.

To open a baseline configuration template:
Step 1
Step 2
Select Baseline in the Selection Area page.
Step 3
Click Go.
The Baseline Config dialog box appears.
Step 4
Select the required devices using the Device Selector.
Step 5
Click Next
The Baseline Template window appears with the following details:

OL-25941-01
8-29
Chapter 8
Column
Description
Baseline Name
Description
Brief description about the template.
Created On
Date on which the template was created.
Step 6
Select a Baseline template based on the device type.
Step 7
Back to return to the Baseline Config page.
Finish to associate the selected template to a device.
Cancel to return to the Selection Criteria page.
While editing a baseline template, you are required to replace variables that appear in the template with
actual values.
For example, in the following line [msg] is the variable.
banner motd [msg]
You should replace [msg] with actual value.

You can use this feature to edit the Baseline template of the configuration file. To do this:
Step 1
Step 2
Select Baseline in the Selection Area page.
Step 3
Click Go.
The Baseline Config dialog box appears.
Step 4
Step 5
Click Next.
The Baseline Template window appears with the following details:
Column
Description
Baseline Name
Description
Brief description about the template.
Created On
Date on which the template was created.
Step 6
Select a Baseline template based on the device type.
Step 7
Click Finish.
The Baseline Configuration Editor dialog box appears.
Step 8
Edit the text area. (The upper section contains only non-credential commands and is called the text area.)
8-30
OL-25941-01
Chapter 8

Step 9
Enter comments for changes in baseline in the Change Description field.
Step 10
Save to save changes to the configuration file.
Undo All to undo editing or typing changes.
Replace All to replace a string in the opened configuration files.
Tools... to launch the Config Editor tools.
Close to close the Config Editor window.

You can use this feature to associate a device with the selected configuration file from an external
location (other than archive) in the server. The file appears in either a Raw or Processed mode, based on
your preferences.
For example, if you associate the selected configuration to an IOS device in the Processed mode, then
the given configuration is processed based on the IOS rules defined in LMS.
The file in the archive can be opened with a specified format from the temp directory on the local server,
from another file system mapped drive or any mount. The file opened is validated for format with
DCMA.
To open a configuration file from an external location:
Step 1
Step 2
Select External Location in the Selection Area page.
Step 3
Click Go.
The External File Selection dialog box appears.
Step 4
Click Browse to select the external file location.

The External Config Selector dialog box appears with the following fields:
Field
Description
Usage Notes
File
Location of the file
Enter the file location. For example, D:/CSCOpx
Directory content
Name of the directory
Select the directory. For example, bin/
Drive
Name of the drive
Select the drive. For example, D:\
Step 5
Click either:
OK to enter the external location.

Or
Step 6
Cancel to return to the External File Selection page.

OL-25941-01
8-31
Chapter 8
Step 7
Either:
Click Edit to edit a configuration file

The configuration editor dialog box appears.
Or
Click Reset to clear all fields and get to the default setting.
You can control the access to directories/folders present on the server. There is a property file for this
purpose located at:
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/classes/com/cisco/nm/rmeng/config/cfgedit
/ConfigEditor.properties (On Solaris and Soft Appliance)
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\classes\com\cisco\nm\rmeng\config\cfgedit
\ConfigEditor.properties (On Windows)
NMSROOT is the LMS install directory.

This file has two variables:
DIR_LISTYou can mention all the directories or files separated by pipe symbol (|).
ALLOWYou can set as true or false. If you set the value as true, you can access only those
directories or files given as values for the variable DIR_LIST. If you set the value as false, you
cannot access those directories or files given as values for the variable DIR_LIST.
The default values for the variables are:
DIR_LISTetc/passwd
ALLOWfalse

Overwrite Mode
Config Editor assumes that the latest archived version is the same as the running configuration on the
device.
Before Config Editor downloads the archived configuration on the device, it compares the archived
version (which you have modified) with the latest version. The application then overwrites the running
configuration on the device with the archived version. This means, after the configuration is successfully
deployed, the selected configuration and the running configuration on the device are the same.
For example, assume that the archived version contains commands a, b, c, and d; and that the latest
running version, contains commands a, b, e, f, and g. After the archived configuration has been restored,
the running configuration on the device, will contain commands a, b, c, and d.
Ensure that all the required commands are in the archived version. You can review the work order and
make necessary changes by editing the archived version, if required.
This is the default mode for the configuration deployment.
8-32
OL-25941-01
Chapter 8

Merge Mode
The configuration that you have selected is deployed on to the device as is. This means, the existing
running configuration of the device is updated incrementally with the commands in the selected
configuration.
The selected running configuration is not compared with the running configuration in the Configuration
Archive.
We recommend that you use this mode on newly deployed devices. This is because, the Merge option
effectively deploys the entire configuration from the archive, on to the device.

To download a configuration file to the device and to the archive, you must:
Create a download job.
Select the configuration file on which the job will run.
Configure the job properties.
Set the job approvers.
Review the job work order.
When a job starts to download, the users on the job approver list are notified by e-mail. At least one
approver must approve the job before it can run. Make sure that an approver list with the approvers you
want exists.
If there is no approver list but you have the correct access privileges, you must modify or create approver
lists, using the Job Approval option. Otherwise, contact your system administrator. See Administration
of Cisco Prime LAN Management Solution 4.2 for more information.

You can use the Create Config Download Job wizard to define and schedule a download job.
Step 1

The Config Deploy Job Browser window appears.
Step 2
Click Create.
The Create Config Download Job wizard appears.

OL-25941-01
8-33
Chapter 8
All dialog boxes of the wizard contain the following buttons:

Button
Description
Back
Returns to the previous page.
Next
Returns to the next page.
Finish
Completes creation of jobs.
Cancel
Cancels creation of job.
8-34
OL-25941-01
Chapter 8

Selecting Configs
Selecting Configs
You can use the Select Configs dialog box to select configuration files of devices on which the download
job will run.
You must start a new download job before you start selecting configuration files. To do this:
Step 1
Select a configuration file on which to run the job using device selector on the left pane.
The select configuration file dialog has two panes.
Step 2
Left PaneThe Device Selector appears.
Right PaneThe list of selected configuration files appear.
Click either:
Add Latest to move the latest version of the selected configuration file to the Selected
Configuration Files pane
Or
Step 3
Add Other Version to move any version of the selected configuration file to the Selected
Configuration Files pane
Click Next to proceed to the Job Schedule and Options dialog box.
Click Cancel to stop creating a download job.
Select a configuration file from the Selected Configuration Files pane and click Delete to remove a
configuration file.

OL-25941-01
8-35
Chapter 8
Scheduling a Job
Scheduling a Job
This feature allows you to assign a job name, schedule the job and set job options.
Before scheduling a job you must:
1.
Start a new download job.
2.
Select Configs.
To schedule a job:
Step 1
Field
Enter the following information in the Job Schedule and Options dialog box.
Description/Action
Usage Notes
Scheduling
Run Type
Schedules the job to You can specify when you want to run the job.
run immediately or in To define this, select an option from the drop down menu:
the future.
OnceJob will run once in the future. You can specify the Starting Date
Select either Once or
and Time for the job to be run
Immediately.
ImmediatelyJob will run immediately. This option is not available if Job
Approval is enabled.
Date
Date on which you

want to run the job.
Select date for the job to run.
Time when you want

to run the job in the
future.
Select time for the job to run.
At
If Run Type is Immediate, the system date is automatically selected.

If Run Type is Immediate, the system time is automatically selected.
Job Info
Job Description
Enter job description. Make each description unique so you can easily identify jobs.
E-mail
Allows you to enter

the e-mail addresses
to which the job will
send status notices.
E-mail notification is sent when job is created, started, deleted, canceled, and
completed.
Separate multiple
addresses with
commas.
Comments
Allows you to enter

comments.
Approval Comment Allows you to enter

approval comments.
This field is not active if approval comments were not set using administration
approval.
Select Configuration > Config Jobs > Job Approval to set approval comments.
For more information, see Administration of Cisco Prime LAN Management
Solution 4.2.
8-36
OL-25941-01
Chapter 8

Scheduling a Job
Field
Description/Action
Usage Notes
Maker E-mail
Mail ID of the person This field is not active if approvers were not set using administration approval.
who created the job.
Select Configuration > Config Jobs > Job Approval to set approval comments.
For more information, see Administration of Cisco Prime LAN Management
Solution 4.2.
Job Options
Fail on mismatch of Select this option, if A job is considered Failed when the most recent configuration version in the
Configuration
you want to cause the configuration archive is not identical to the configuration that was running
Version
job to be considered when you created the job.
Failed, if there is a
version mismatch.
Synchronize archive before running a job policy gets selected when Fail on
Sync archive before Select this option if
mismatch of Configuration Version policy is selected.
running a job
you want to archive
the running
configuration before
making configuration
changes.
Applicable only to private configuration files.
Delete Config after Select this option if
Download
you want to delete the
configuration file
after download.
Copy running to
Startup
This does not apply to Catalyst OS devices.

Select this option if
you want to copy the
running configuration
to the startup
configuration on each
device after
configuration
changes are made
successfully.
Enable Job
Password
Select this option to

enable username and
password.
Login User Name
Enter the username

configured on the
device.
Login Password
Enable Password
This field is editable only when you select the Enable Job Password option.
LMS ignores the username in the database and uses the newly entered username
instead.
Enter the password

for the device.
Enter the enable

password configured
on the device.
LMS ignores the password in the database and uses the newly entered password
instead.
LMS ignores the password in the database and uses the newly entered password
instead.

OL-25941-01
8-37
Chapter 8
Scheduling a Job
Field
Description/Action
Failure Policy
Specify what the job

should do if it fails to
run on the device.
Usage Notes
Select Ignore Failure and Continue from the drop-down list box to
continue the job and make configuration changes to the remaining devices,
configured by the job
Or
Select Stop on Failure to stop making changes to the remaining devices.
Mode in which the job 1. Select Parallel to run the job on multiple devices at same time
is executed. There are
Or
two options, Parallel
Select Sequential to run the job one device at a time.
and Sequential.
Execution
2.
Click Device Order.

The Set Device Order dialog box appears.
Deploy Mode
3.
Use the Up and Down arrows to move a device up or down.
4.
Click Done.

Mode in which the
configuration file is
Select the Overwrite option, if you want to replace the existing running
downloaded. The two
configuration on the device, with the selected configuration.
modes are Overwrite
and Merge.
The configuration that you have selected is compared with the latest
running configuration in the Configuration Archive. (LMS assumes that the
latest running configuration in the archive is the same as the configuration
currently running on the device.)
The Overwrite mode ensures that the running configuration on the device
is overwritten with the selected configuration. This means, after the
configuration is successfully deployed, the selected configuration and the
running configuration on the device are the same.
Overwrite mode supports only Write2Run of the configuration.
Or
Select the Merge option, if you want to add incremental configuration to the
device.
The configuration that you have selected is deployed on to the device as is.
This means, the existing running configuration of the device is updated
incrementally with the commands in the selected configuration.
The selected running configuration is not compared with the running
configuration in the Configuration Archive.
We recommend that you use this option on newly deployed devices. This is
because, the Merge option effectively deploys the entire configuration from
the archive, on to the device.
Merge mode supports both Write2Run and Write2Start of the
configuration.
8-38
OL-25941-01
Chapter 8

Field
Description/Action
Usage Notes
Write To
The method in which Do either of the following:

the Configuration is
Select the Running option, if you want to replace the existing running
pushed. The two
configuration on the device, with the selected configuration file. This is
methods are Running
also referred to as Write2Run.
and Startup
Or
Select the Startup option, if you want to erase the contents of the device's
startup configuration and write the contents of the given file as the device's
new startup configuration. This is also referred to as Write2Start.
Configurations edited from Raw mode (.RAW) can be downloaded to both

Startup or Running configuration of the device.
Configurations edited from Processed mode (.PROC) can only be downloaded
to the Running configuration of the device.
Update credentials
after deploy
Step 2
Update the
credentials in DCR
after deployment, if
the deployed
commands include
any credentials
commands.
Choose this option if you want to update the DCR with the deployed credentials
commands such as SNMP community strings, Telnet username/password etc.
Write2Start does not support changing the credentials after deployment.
Back to return to the Select Configs dialog box.
Next to proceed to the Job Summary dialog box.
Cancel to stop creating a Download job.

The work order summarizes the job you created. If you find any changes missing when you review the
work order you can go back and change the options.
Complete the following prerequisite steps of the job definition process:
1.
Start a new download job
2.
Select configs
3.
Configure job properties
4.
Set job approvers, if Job Approval is enabled

OL-25941-01
8-39
Chapter 8
To review the work order:

Step 1
Step 2
Review the information in the Work Order dialog box. The fields in this dialog box are:
Field
Description
General Info
Detailed information about the job, such as owner, description and

schedule.
Job Approval Info
Status of approval.
Job Policies
Policies configured for the job. Edit in Job Properties dialog box.
Devices
Devices on which the job will run. Edit in Device Selector dialog box.
Device Commands
Commands that the job will run.
Username
Username of the job owner.
To modify the job, return to any previous dialog box and change the information.
To return to a previous dialog box, click Back until the dialog box appears.
Click Finish in the Work Order dialog box to register the job.

You can use this feature to view the status of all pending, running, and completed jobs. You can create
a new job or edit, copy, stop and delete a job that you have opened.
You can only Edit one job at a time while you can Stop or Delete multiple jobs at a time.
8-40
OL-25941-01
Chapter 8

To view all the downloaded jobs:

Step 1

The List of Deploy Jobs window appears with the list of all the jobs.
Column
Description
Job ID
Unique number assigned to job at creation. Never reused.
Run Status
Job states:
Canceled
Suspended
Missed start
Rejected
Succeeded
Succeeded with info
Failed, Crashed
Failed at start
Running.
Description
Description of the job, as entered during job definition.
Owner
Name of the user who owns the configuration file.
Scheduled On
Date and time the job is scheduled to run.
Completed At
Date and time at which the job is completed.
Schedule Type
Job schedule types:
Status
Suspended
Scheduled
Waiting for approval
Rejected
Canceled.
Status of running or completed jobs: Job Started, Progress, Job

Cancelled, Job Failed, Job Successful.
Pending jobs have no status.

OL-25941-01
8-41
Chapter 8
Step 2
Click one of the following buttons:
Button
Description
Create
Creates a new job.
Usage Notes
1.
Click Create.
The Create Config Deploy Job wizard appears.
2.
Edit
Use the wizard to define and schedule a download job.
Edits pending job.
Click Edit to edit only jobs you own.
The Job definition opens with

the current information,
including Job ID.
If the job start time occurs during editing, it will run without the edits.
In such a case, you can complete your edits, reschedule the job, and re-edit
it.
You can edit the job in the same To prevent job from running unedited:
way as you can define and
1. Complete edits before job start time.
schedule a new job.
2.
Copy
Copies job.
Cancel job and create new one.
Click Copy.
You can edit the job in the same The Job definition opens with the current information and the new ID
except job schedule details filled in.
way as you can define and
schedule a new job.
Stop
Stops a running job.
1.
Click Stop.
You are prompted to confirm stopping a job.
2.
Click OK.
You can stop only the jobs that you own. Admin level users can stop all
jobs.
Delete
Removes the job from the Job

Scheduler.
1.
Click Delete.
You are prompted to confirm stopping a job.
2.
Click OK or Cancel.
You can remove only the jobs that you own. Admin level users can remove
all jobs.
8-42
OL-25941-01
CH A P T E R
Managing Software Images Using Software

Management
Manually upgrading your devices to the latest software version can be an error-prone, and
time-consuming process. To ensure rapid, reliable software upgrades, Software Management automates
the steps associated with upgrade planning, scheduling, downloading, and monitoring.
Setting Up Your Environment
Software Repository
Using Software Management Job Browser
Using Software Management, you can:
Set up your Software Management preferences.

You can specify information such as the directory where images are stored, and the pathname of the
user-supplied script to run before and after each device software upgrade.
You can enable and define the protocol order for Software Management tasks. You can also enable
the Job Based Password option for Software Management tasks.
You can specify if the images on Cisco.com should be included during image recommendation of
the device. Also specify the Cisco.com filters so that only the images that match the filter criteria
are selected.
Analyze software upgrades

You can generate Upgrade Analysis reports that help you determine prerequisites for a new software
deployment.
These reports analyze the proposed images to determine the hardware upgrades (device access, boot
ROM, Flash memory, RAM, and NVRAM and boot Flash, if applicable) required before you can
perform the software upgrade.
See Upgrade Analysis for further details.

OL-25941-01
9-1
Chapter 9
Perform In Service Software Upgrade (ISSU)

LMS supports the In Service Software Upgrade (ISSU) process that allows Cisco IOS software
images to be updated without rebooting the device. This process increases network availability and
reduces downtime caused by planned software upgrades.
See Support for In Service Software Upgrade for further details.
Import images into the software repository

You can determine the images missing from your repository and import them into the software
repository.
You can also keep the repository up-to-date and periodically synchronize the repository with the
images running on your network devices.
You can also schedule an image import for a later, more convenient time.
See Adding Images to the Software Repository for further details.
Distribute software images to groups of devices

Depending on system complexity, you can configure upgrades for groups of devices to the same
software image or to different software images.
You can specify these groups manually, using your groups and search criteria. You can also use some
other selection criterion, such as the current software version or hardware type to specify the groups.
You can run the device upgrades job sequentially or in parallel. After upgrading the devices, you
can also specify the reboot order.
See Software Distribution for further details.
Distribute images as patches to group of devices

Depending on system complexity, you can configure upgrades for groups of devices to the patch
software images.
You can specify these groups manually, using your groups and search criteria. You can also use some
selection criterion, such as the current software version or hardware type.
You can run the device upgrades job sequentially or in parallel. After upgrading the devices, you
can also specify the reboot order.
See Patch Distribution for further details.
Reduce errors by using a recommended image

Software Management checks the current software version, Flash device size, DRAM size, boot
ROM version. Software Management also checks any device type specific software and hardware
requirements for compatibility. Software Management checks and recommends a best-fit image for
a device.
See Understanding Upgrade Recommendations for further details.
Schedule image upgrade jobs

You can schedule image upgrades to occur immediately or at a later, more convenient time.
Optionally, you can integrate software upgrade scheduling into your internal change approval
process.
9-2
OL-25941-01
Chapter 9
After an upgrade, you can:

Undo the upgrade and roll back to the previous image
Software Management tracks the image history of each device so that if you upgrade to a new
image, you have a record of what has been installed on the device. This information allows you
to undo the upgrade and roll back to the previous image, if necessary.
A Change Audit record is logged for this task. You can generate the Standard Change Audit
report. See Reports Management with Cisco Prime LAN Management Solution 4.2 for more
information.
See Undo a Successful Distribution Job for further details.
Retry the upgrade on devices that failed in a previous job
You can also retry a job for devices that failed the upgrade process. For example, you may need
to do this because of a configuration error or a bad network connection.
You can retry the job and include only those devices that were not upgraded previously.
See Retry a Failed Distribution Job for further details.
Track job progress and job history information

Software Management generates detailed job reports. These reports display the status of each
software upgrade and a detailed job log. They also keep track of job and device operations and job
history information.
See Using Software Management Job Browser for further details.
Track software bugs

You can view the known catastrophic or severe bugs in the software running on the devices
supported by Software Management using Locate Device Report (Reports > Cisco.com > Locate
Device Report).
See Reports Management with Cisco Prime LAN Management Solution 4.2 for further details.
Set the debug mode for Software Management application

You can set the debug mode for Software Management application in the Log Level Settings dialog
box (Admin > System > Debug Settings > Config and Image Management Debugging settings).
See Administration of Cisco Prime LAN Management Solution 4.2 for further details.
The supported IOS image version is 11.x and later.
For list of supported devices in the Software Management application, see:
Supported Image Import Features for Software Management

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/
products_device_support_tables_list.html
Supported Image Distribution Features for Software Management

http://www.cisco.com/en/US/products/sw/cscowork/ps2073/

OL-25941-01
9-3
Chapter 9

This section lists all prerequisites for using the Software Management in LMS.
Requirements on LMS Server
Logging Into Cisco.com
Configuring Devices for Upgrades
Requirements on LMS Server

The following are the prerequisites:
Make sure you have a directory or file system location with enough space to store the software
images.
Verify that you have the appropriate privilege level to access Software Management options. You
can view the Permission Report (Reports > System > Users > Permission) to know the various
privilege levels.
If you do not have a user account and password on Cisco.com, contact your channel partner or enter
a request on the main Cisco web site.
If your system is behind a firewall, configure the proxy URL to access the Internet from the installed
system. You can do this using Admin > System > Cisco.com Settings > Proxy Server Setup.
You can enter Cisco.com credentials when you use the Software Management tasks.
See Logging Into Cisco.com for further details.
Mandatory Setup Tasks
Add the device passwords to the Device and Credentials database. You can add these credentials
using Inventory > Device Administration > Add / Import / Manage Devices. Also, see
Configuring Telnet and SSH Access for further details.
Use the Admin > System > System Preferences option to enter the name of your SMTP server. You
have to configure the SMTP server to send e-mails.
from the LMS E-mail ID.
If you plan to enable a remote file copy (RCP) or secure copy server as the active file transfer server,
see Configuring RCP or Configuring SCP for further details.
Set or change your Software Management preferences. See Administration of Cisco Prime LAN
Management Solution 4.2 for further details.
9-4
OL-25941-01
Chapter 9

Optional Setup Tasks
Make a baseline of your network images by importing images from the Software
Management-supported devices in your network into your software image repository.
To do this, go to Configuration > Tools > Software Image Management > Software Repository
and click Add and select Device.
Schedule the Synchronization report to run periodically. This is used to determine whether any
images running on Software Management-supported devices are not in the software image
repository.
To generate the report, go to Configuration > Tools > Software Image Management > Repository
Synchronization.
If you use the Job Approval option to approve or reject jobs, you must create one or more approver
lists and enable Job Approval. See Administration of Cisco Prime LAN Management Solution 4.2 to
enable Job Approval.
Logging Into Cisco.com

Login privileges are required for all Software Management tasks that access Cisco.com.
If you do not have a user account and password on Cisco.com, contact your channel partner or enter a
request on the main Cisco web site.
To download the cryptographic images on Cisco.com through Software Management tasks, you must
have a Cisco.com account with cryptographic access.
To get the access you must have a Cisco.com account. You can register by going to the following URL:
http://tools.cisco.com/RPF/register/register.do
After getting the Cisco.com account:
Step 1
Go to the following URL: http://tools.cisco.com/legal/k9/controller/do/k9Check.x?eind=Y

The Enter Network Password dialog box appears.
Step 2
Log in with your Cisco.com account.

The Encryption Software Export Distribution Authorization Form page appears.
Step 3
Select your software from the list box and click Submit.
The Encryption Software Export Distribution Authorization Form appears.
Step 4
Review and complete the Encryption Software Export Distribution Authorization form and click
Submit.
The Cisco Encryption Software: Crypto Access Granted message appears.
Note
It takes approximately 4 hours to process your application. You cannot download the software until the
entitlement process is complete. You will not receive any notification for this.
On LMS Server, you can enter Cisco.com credentials for Individual user Cisco.com credentials.
You can enter your individual Cisco.com credentials when you perform any Software Management tasks
that need access to the Cisco.com server.

OL-25941-01
9-5
Chapter 9
If your Cisco.com username and password have not been added to the LMS database, enter your
Cisco.com username and password. If you enter Cisco.com credentials in this workflow, the credentials
are valid only for that session.
If your Cisco.com username and password have been added to the LMS database, then Cisco.com login
dialog box appears with the information that is available in the LMS database.
If you are accessing Cisco.com over a proxy server, you must enter the proxy server details in the Proxy
Server Setup dialog box (Admin > System > Cisco.com Settings > Proxy Server Setup).

You can enable Job Approval for Software Management tasks, (Configuration > Job Browsers > Job
Approval), which means all jobs require approval before they can run.
Only users with Approver permissions can approve Software Management jobs. Jobs must be approved
before they can run if Job Approval is enabled on the system.
The following Software Management tasks require approval if you have enabled Job Approval:
Adding images to Software Repository (Configuration > Tools > Software Image Management >
Software Repository > Add) using:
Cisco.com
Device
URL
Network (Use Out-of-sync Report)
Distributing software images (Configuration > Tools > Software Image Management > Software
Distribution) using any one of these methods:
Distributing by Devices [Basic]
Distributing by Devices [Advanced]
Distributing by Images
Remote Staging and Distribution
If you have enabled Approval for Software Management tasks, then in the Job Schedule and Options
dialog box, you get these two options:
Maker CommentsApproval comments for the job approver.
Maker E-MailE-mail ID of the job creator.
See Administration of Cisco Prime LAN Management Solution 4.2 for more details on creating and
editing approver lists, assigning approver lists, setting up Job Approval, and approving and rejecting
jobs.
9-6
OL-25941-01
Chapter 9

Software Repository
Software Repository
The Software Repository Management window displays the images that are available in the Software
Management repository.
Software Repository Synchronization
Scheduling a Synchronization Report
Viewing a Synchronization Report
Removing a Synchronization Report Job
Adding Images to the Software Repository
Synchronizing Software Image Status With Cisco.com
Deleting Images From the Software Repository
Exporting Images from Software Repository
Searching for Images from Software Repository
Software Image Attributes
The Software Repository Management window contains the following fields, buttons, and the entry in
the TOC:
Software Repository Management Window Fields
Software Repository Management Window Buttons and TOC Entry
Table 9-1
Software Repository Management Window Fields
Fields
Description
File Name
File name of the software image.

Click on the File Name to edit the image attributes.
See Editing and Viewing the Image Attributes.
Image Family
Name of the image family.
Image Type
Type of the images (SYSTEM_SW, SUPERVISOR,

SUPERVISOR2_6000, SUPERVISOR6000, BOOT_LOADER,
ATM_WBPVC, etc.).
Version
Software version number.
Size
Image size in megabytes.
Status
Status of the image on Cisco.com.

See Synchronizing Software Image Status With Cisco.com.
Updated at
Date and time the image was checked into the repository.
Comments
Comments, typically used to track the reason for adding the image
to the repository.

OL-25941-01
9-7
Chapter 9
Software Repository
Table 9-2 lists and describes the buttons and TOC entries in the Software Repository Management
Window.
Table 9-2
Software Repository Management Window Buttons and TOC Entry
Buttons and TOC Entry
Description
Software Repository
Synchronization
Keep the software repository up to date.
(TOC entry)
See:
Filter
Filter and search images.
(Button)
See Searching for Images from Software Repository.
Add
Add images to the repository.
(Button)
See Adding Images to the Software Repository.
Delete
Delete images from the repository.
(Button)
See Deleting Images From the Software Repository.
Export
Export images from Repository.
(Button)
See Exporting Images from Software Repository.
Update Status
Update the status of the images.
(Button)
See Synchronizing Software Image Status With Cisco.com.

The Synchronization report shows the Software Management-supported devices that are running
software images not available in the software image repository.
Using this option you can view and schedule the synchronization report.
Note
Select Configuration > Tools > Software Image Management > Software Repository
Synchronization.
The Software Repository Synchronization dialog box that appears contains the following:
Table 9-3
Software Repository Synchronization Dialog Box
Fields/Buttons
Description
Job Id
Next Run
Time and date of the next instance of Synchronization Report job.
9-8
OL-25941-01
Chapter 9

Software Repository
Table 9-3
Software Repository Synchronization Dialog Box (continued)
Fields/Buttons
Description
View Report
You can view the synchronization report. This report displays the
Software Management-supported devices that are running software
images not available in the software image repository.
See Viewing a Synchronization Report for further details.
Schedule
You can schedule a Synchronization report. You can also

reschedule an existing Synchronization report.
See Scheduling a Synchronization Report for further details.
Remove Job
You can remove the scheduled synchronization report job.

See Removing a Synchronization Report Job for further details.

OL-25941-01
9-9
Chapter 9
Software Repository

To schedule or reschedule a Synchronization report:
Step 1
Go to Configuration > Tools > Software Image Management > Software Repository
Synchronization. The Software Repository Synchronization dialog box appears.
Step 2
Click Schedule. The Job Schedule for Out-of-sync Report dialog box appears.
Step 3
Field
Description
Scheduling
Run Time
You can specify when you want to run the Image Out-of-Sync Report job.
complete.
For example, if you have scheduled a daily job at 10:00 a.m. on November 1, the next instance
of this job will run at 10:00 a.m. on November 2 only if the earlier instance of the November
1 job has completed.
If the 10.00 a.m. November 1 job has not been completed before 10:00 a.m. November 2, the
next job will start only at 10:00 a.m. on November 3.
Date
Select the date and time (hours and minutes) to schedule the job.
Job Info
Job Description
The system default job description, SoftwareImages Out Of Synch Report is displayed.
You cannot change this description.
E-mail
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the
job.
e-mail is sent with the LMS E-mail ID as the sender's address.
Step 4
Click Submit.
If the job was scheduled successfully, the notification dialog box is displayed with the Job ID. You can
check the status of your scheduled synchronization job by selecting Configuration > Tools > Software
Image Management > Jobs.
9-10
OL-25941-01
Chapter 9

Software Repository

To view a synchronization report:
Step 1
Synchronization.
The Software Repository Synchronization dialog box appears.
Step 2
Click View Report.

The Image Out-of-sync Report window appears.

To remove a Synchronization Report job:
Step 1
Synchronization.
The Software Repository Synchronization dialog box appears.
Step 2
Click Remove Job.

A confirmation dialog box shows that the synchronization report job is removed successfully.
Step 3
Click OK.
Adding Images to the Software Repository

Your software image repository should contain copies of software images running on all Software
Management-supported devices in your network. Use the following options to populate and maintain
your software repository:
Add Image to Software Repository using the Cisco.com option downloads images for devices in
LMS from Cisco.com to the software repository.
See Adding Images to the Software Repository From Cisco.com.
Add Image to Software Repository using the Device option

Imports images from selected Cisco devices to the software repository.
Imports software from Flash cards on a live device to the software repository.
See Adding Images to the Software Repository From Devices.
Add Image to Software Repository using the File System option imports an image from a directory
accessible from the LMS server.
See Adding Images to the Software Repository From a File System.

OL-25941-01
9-11
Chapter 9
Software Repository
Add Image to Software Repository using the URL option downloads images from the URL you
specify.
See Adding Images to the Software Repository From a URL.
Add Image to Software Repository using the Network option creates a baseline of all Software
Management-supported devices in your network, and imports these images into your software
repository.
See Adding Images to the Software Repository From the Network.
Adding Images to the Software Repository From Cisco.com

Use this option to download software images from Cisco.com into the software image repository.
Contact your channel partner or enter a request on the main Cisco web site. If you do not have a user
account and password on Cisco.com.
See Logging Into Cisco.com.
Note
Access the Cisco.com web site to make sure that the releases for the images you plan to download
are stable.
Determine the approximate number and size of the images you want to download. The number of
images you can download at a time can vary depending on Cisco.com load, image sizes, network
load, and LMS server load.
To add images from Cisco.com:
Step 1
Select Configuration > Tools > Software Image Management > Software Repository.
The Software Repository Management dialog box appears.
Step 2
Click Add. Do not select any images from Software Repository Management window.
The Image Source dialog box appears.
Step 3
Select Cisco.com.
The Cisco.com and Proxy Server Credential Profile dialog box appears.
Enter your Cisco.com username and password. If you enter Cisco.com credentials in this workflow,
these credentials are valid only for that session.
You are also prompted to enter your Proxy Username and Proxy Password only if a Proxy Server
hostname/IP and port are configured in:
Admin > System > Cisco.com Settings > Proxy Server Setup
Step 4
After entering the credential information, Click OK.
Click Next.
9-12
OL-25941-01
Chapter 9

Software Repository
Step 5
Select the device from the Device Selection dialog box, and click Next.
If you do not want to select any devices, click Next.
If you select devices from this list, they identify a subset of device software images. This helps you
narrow your options on subsequent screens.
The Add Images from Cisco.com dialog box appears. This dialog box has several sections from which
you select combinations of device platforms, software release versions, and software subset images.
See Inventory Management with Cisco Prime LAN Management Solution 4.2 for information on how to
use the Device Selector.
Step 6
Select the images to download. Work from left to right and from top to bottom:
a.
From the Select a Device/Platform section, select a device or device family.

If you select an individual device, the device family, Cisco IOS release, and required Flash and
RAM sizes appear.
For IPX/IGX/BPX/MGX devices, the system software release appears.
A list of available software versions for that device appears in the top middle section.
b.
From the Software Versions section, select a software version.

If you are unsure of the subset image you need, see the Release Notes on Cisco.com.
For IPX/IGX/BPX platforms, both switch software and all applicable module firmware images
appear.
For MGX platforms, system releases appear.
A list of available subset images for the selected software version appear in the top right frame.
c.
From the Software Subset Images section, select a subset image.

The subset image is added to the Images to be Added table in the bottom section.
For IPX/IGX/BPX/MGX devices, there are no subset images. Select the item that appears in this
section to complete image selection.
Step 7
Continue adding images to the list.

The images that you have added appear in the Images to be Added table. This table contains the
following information:
Step 8
Devices/PlatformsName of the device or platform.
VersionSoftware version that you have selected.
SubsetSubset image information.
Click Next when the list contains all image combinations to download.
Software Management verifies that the images in the Image list run in the selected devices and displays
the status in the Add Images from Cisco.com dialog box. The Add Images from Cisco.com dialog box
contains:
Field
Description
Device/Platform
Lists the device details that you have selected.
Selected Version and Subset
Displays the image details.
Image Requirements
Displays the required hardware (RAM and Flash) details.

OL-25941-01
9-13
Chapter 9
Software Repository
Field
Description
Download
Select the image you want to download.

By default, the check boxes are selected for the images that
have passed the verification.
You can choose not to add an image by deselecting that
check box.
Pass/Fail
Results of image verification.
PassDevice has the minimum required memory and

Flash memory.
FailDevice does not have enough memory or Flash

memory.
Images that fail verification on one device could work on

another. Therefore, you can download a failed image by
selecting the Download check box.
Step 9
Select the images to add to the image repository in the Add Images from Cisco.com dialog box and click
Next.
The Job Control Information dialog box appears.
Step 10
Field
Enter the following in the Job Control Information dialog box:

Description
Scheduling
Run Type
You can specify when you want to run the Image Import (from Cisco.com) job.
ImmediateRuns this job immediately.
OnceRuns this job once at the specified date and time.
If you have selected Once for Run Type, select the date and time (hours and minutes) to
schedule.
Date
Job Info
Job Description
E-mail
Enter the e-mail address to which the job sends messages at the beginning and at the end of
the job.
e-mail is sent from the LMS E-mail ID.
Comments
Enter additional information about this job.
9-14
OL-25941-01
Chapter 9

Software Repository
Field
Description
Maker E-Mail
Enter the e-mail ID of the job creator. This is a mandatory field.

This field is displayed only if you have enabled Job Approval for Software Management.
Maker Comments

Step 11
Click Next.
The Image Import Work Order dialog box appears with the following information:
Step 12
Field
Description
Job Description
Displays the job description. This is what you entered while scheduling
the job.
Work Order
Displays the details of the device name and image name that you have
selected. It also displays the file size of the image.
Click Finish.
If the job was scheduled successfully, the notification dialog box appears with the Job ID.
To check the status of your scheduled synchronization job, select Configuration > Tools > Software
Adding Images to the Software Repository From Devices

Use this procedure to add software images from Cisco devices to the software repository.
Software Management downloads images from more than one device in parallel. You must ensure that
software repository has enough free space to accommodate at least 20 images.
The image import from device option is not available for all the devices. Find the devices from which
you can download images in the Supported Image Import Features for the Software Management table
on Cisco.com.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.html
Note
To add images from devices:
Step 1
Step 2
Click Add.
Do not select any images from Software Repository Management window.

OL-25941-01
9-15
Chapter 9
Software Repository
Step 3
Select Device, and click Next.

The Device Selection dialog box appears in the Add Images from Device window.
See Inventory Management with Cisco Prime LAN Management Solution 4.2 for information on how to
use the Device Selector.
Step 4
Select the devices that contain the images to add to the software repository.
Step 5
Click Next.
Software Management retrieves the images, analyzes them according to the selected image type, and
displays a report that contains:
Field
Description
Image
Images available on your device.
Available At
Location where the image is available on your device.
Device
Name of the device as managed by LMS.
Size
Image size in bytes.
Errors
Click on the link for details.
By default, the check boxes of the images that are not in the software repository are selected. You can
choose not to add an image by deselecting the corresponding check box.
Step 6
Click Next.
Step 7
Field
Enter the following in the Job Control Information dialog box:

Description
Scheduling
Run Type
You can specify when you want to run the Image Import (from Device) job.
If you have selected Once for Run Type, select the date and time (hours and minutes) to
schedule.
Date
Job Info
Job Description
E-mail
Enter e-mail addresses to which the job sends messages at the beginning and at the end of the
job.
e-mail is sent from the LMS E-mail ID.
9-16
OL-25941-01
Chapter 9

Software Repository
Field
Description
Comments
Maker E-Mail

Maker Comments

Step 8
Click Next.
Step 9
Field
Description
Job Description
Displays the job description. This description is what you entered while
scheduling the job.
Work Order
selected. The field also displays the file size of the image.
Click Finish.
The notification window appears with the Job ID.
To check the status of your scheduled job select Configuration > Tools > Software Image
Management > Jobs.
Adding Images to the Software Repository From a File System

Use the following procedure to add software images from a file system to the software repository.
You have to know the directory name in which the image files are stored before importing the images
from the File System to the software repository.
Note
To add images from file system:
Step 1
Step 2
Click Add..
Do not select any images from the Software Repository Management window.
The Image Source dialog box appears in the Add Images window.
Step 3
Click File System, and click Next.

The Add Image From Local File System dialog box appears.

OL-25941-01
9-17
Chapter 9
Software Repository
Step 4
Enter the full pathname of the source file or directory.

Or
a.
Click Browse to search for the directory name.

Step 5
b.
Select either the file or the directory on the LMS server.
c.
Click OK.
Click Next.
The Image Attributes dialog box appears with this information:
FilenameFilename as it appears in filesystem directory.

You cannot add an image if a file with the same name already exists in the software repository or if
the minimum required attributes cannot be retrieved.
Image TypeImage type, determined from the filename. If the image type is not correct, select the
correct type from the drop-down list box.
Software Management tries to determine the image type from the filename. If it cannot determine
the image type (for example, if the image has been renamed using a nonstandard name), it labels the
image type as Unknown.
By default, the check boxes of the images that are not in the software repository are selected. You can
Step 6
Click Next.
The Image Attributes window appears with the following information for verification:
Field
Description
Usage Notes
File Name
Filename as it appears in filesystem

directory
You cannot add images if a file with the same name

already exists in the software repository or if the
minimum required attributes cannot be retrieved.
Size
Size of file in bytes.
None.
Image Family
Device family name.
None.
Image Type
Image type, determined from the filename.
Software Management tries to determine the image

type from the filename.
If it cannot determine the image type (for example, if
the image has been renamed to a nonstandard name), it
labels the image type as Unknown.
You must select an image type from an available option
before you can add the file to the repository.
Version
Version of the image
None.
Errors
Click on the link for details.
None.
Step 7
Click Finish.
A pop up window appears for you to enter a description.
9-18
OL-25941-01
Chapter 9

Software Repository
Step 8
Either:
Click OK.
The Software Repository Management window appears with the newly added images. The
description that you have entered appears in the Comments column in the Software Repository
Management window.
Or
Click Cancel.
The Software Repository Management window appears with the newly added images. The
Comments column in the Software Repository Management window will be blank for this task.
Note
The import from File System may take more time if you have selected many images.
Adding Images to the Software Repository From a URL

Use the following procedure to add software images from a URL to the software repository.
Note
To add images from URL:
Step 1
The Software Repository Management window appears.
Step 2
Click Add.
Do not select any images from the Software Repository Management window.
The Image Source dialog box appears in the Add Images window.
Step 3
Click URL, and click Next.

The Add Image From URL dialog box appears.
Step 4
Enter the URL details.

For example: http://servername:portnumber/file_location/
Where,
servername is the name of the server where the image resides.
portnumber is the http port number.
file_location is the image location on the server. The file_location can be swimtemp or htdocs folder.
For example,
If the image is in swimtemp, then the URL is http://servername:portnumber/swimtemp/image_file
If the image is in the htdocs, then the URL is http://servername:portnumber/image_file
The web server must be running on the destination machine. You can use only HTTP URLs. The remote
server should not have any authentication.

OL-25941-01
9-19
Chapter 9
Software Repository
Step 5
Click Next.
Step 6
Field
Enter the following information in the Job Control Information dialog box:
Description
Scheduling
Run Type
You can specify when you want to run the Image Import (from URL) job.
If you have selected Once for Run Type, select the date and time (hours and minutes) to schedule
the job.
Date
Job Info
Job Description
E-mail
You cannot enter multiple e-mail addresses separated by commas.
Comments
Enter the additional information about this job.
Maker E-Mail

Maker Comments

Step 7
Click Next.
Field
Description
Job Description
Displays the job description. This description is what you entered while scheduling the
job.
Work Order
Displays the details of the device name and image name that you have selected. It also
displays the file size of the image.
9-20
OL-25941-01
Chapter 9

Software Repository
Step 8
Click Finish.
To check the status of your scheduled job, select Configuration > Tools > Software Image
Management > Jobs.
Adding Images to the Software Repository From the Network

This option allows you to import running images from all Software Management-supported devices in
your network into the software image repository.
Use this option to create a baseline of the image in your network and populate the software image
repository. Use the Synchronize report option to review the Software Management supported devices are
running images that are not in the Software Repository.
Note
You must locate your device in the Supported Image Import Features for Software Management table on
Cisco.com. This is because the image baseline capabilities might not be available yet for all devices.
To add images from network:
Step 1
Step 2
Click Add. Do not select any images from the Software Repository Management window.
Step 3
Select Network, and click Next.

Software Management checks the devices on your network and the software images running on those
devices.
To run this check faster, select Use generated Out-of-sync Report to find the images that are not in the
Software Images repository.
You should generate an Out-of-sync Report before selecting this option. The running images in the
network that are not in the Software Repository, appear in the Network Baselining dialog box.
If you have not selected the Use generated Out-of-sync Report option, all running images that are not in
the Software Repository appear in the Network Baselining dialog box.

OL-25941-01
9-21
Chapter 9
Software Repository
The Network Baselining dialog box contains the following information:

Field
Description
File Name
Filename as it appears in filesystem directory.

You cannot add an image if a file with the same name already exists in
the software repository or if the minimum required attributes cannot be
retrieved.
Size
Image size in bytes.
Available at
Location where the image is available on your device.
Error
Click on the link to review the details.
By default, the check boxes of the images that are not in the Software Repository are selected. You can
Step 4
Select/deselect the images and click Next.

Step 5
Field
Enter the following information in the Job Control Information dialog box:
Description
Scheduling
Run Type
You can specify when you want to run the Image Import (from Network) job.
If you have selected Once for Run Type, select the date and time (hours and minutes) to schedule
the job.
Date
Job Info
Job Description
E-mail
Comments
Maker E-Mail

Maker Comments

9-22
OL-25941-01
Chapter 9

Software Repository
Step 6
Click Next.
Step 7
Field
Description
Job Description
Displays the job description. This description is what you entered while
scheduling the job.
Work Order
selected. It also displays the file size of the image.
Click Finish.
If the job was scheduled successfully, the notification dialog box appears with the Job ID.
To check the status of your scheduled synchronization job, select Configuration > Tools > Software
Synchronizing Software Image Status With Cisco.com

You can check if the software images that are in your software repository are valid images using the
Update Status button in the Software Repository Management window.
The Status table column is updated with the following status:
Not DeferredDisplayed when this image is a valid image.
DeferredDisplayed when this image is not supported and not available to be downloaded from
Cisco.com.
This image is not recommended by Software Management.
Software Advisory NoticeDisplayed when this image has some issues. You can download this
image from Cisco.com.
This image may be recommended by Software Management. However, you have to read the
Software Advisory Notice before importing or upgrading your device.
UnknownDisplayed when you have added images to the repository for the first time, using any
one of these methods:
Add Images by Devices
Add Images by File system
Add Images by URL
Add Images from Network
Use the Update Status button to update the status field.
Not availableDisplayed when information is not available on Cisco.com.
Read the software release notes on Cisco.com for more details.
Note

OL-25941-01
9-23
Chapter 9
Software Repository
To synchronize Software Image Status with Cisco.com:

Step 1
Step 2
Select the images for which you want to know the status and click Update Status.
The Cisco.com login dialog box appears.
If your Cisco.com username and password have not been added to the LMS database, enter your
Cisco.com username and password, click OK. If you enter Cisco.com credentials in this workflow
then the credentials are valid only for that session.
If your Cisco.com username and password have been added to the LMS database, the Cisco.com
login dialog box appears with the information that is available in the LMS database. Click OK.
A confirmation message appears that Image Status was retrieved from Cisco.com successfully.
Step 3
Click OK.
Review the Status table column in the Software Repository Management window.
Deleting Images From the Software Repository

To delete software images from the software repository:
Note
Step 1
Step 2
Select the images that you want to delete, then click Delete.
A confirmation message appears, The selected images will be deleted.
Step 3
Click OK.
The Software Repository Management window reappears with the selected images deleted.
9-24
OL-25941-01
Chapter 9

Software Repository
Exporting Images from Software Repository

To export software images from the Software Repository:
Step 1
Step 2
Select images that you want to export, then click Export.

A confirmation message appears, The selected images will be exported.
Step 3
Click OK.
The Select directory to export window appears.
Step 4
Click on Browse to select a directory to which you want to export the selected images.
Step 5
Choose the required directory and click OK.

The Image Directory field in the Select directory to export window displays the directory location that
you had selected.
Step 6
Click Next
A progress bar appears indicating the progress of the export of images.
The Export Images Summary Report appears, after the image export is completed with the following
details:
Step 7
Number of Selected Images
Target Directory
Summary
Click Finish.
You have successfully exported the images to the selected directory.

OL-25941-01
9-25
Chapter 9
Software Repository
Searching for Images from Software Repository

To search software images from the software repository:
Note
Step 1
Step 2
Select one of the following from the Filter by drop-down list:
File Name
Image Family
Image Type
Version
Size
Updated At
You cannot use wildcard characters. However, you can filter based on the first character.
For example: If you have images with file names c3640-i-mz.112-24.P.bin,
and cat5000-supg.6-4-10.bin.
c3640-i-mz.112-25.P.bin, cat5000-sup.5-5-18.bin,
If you select File Name as the Filter by option and enter the value as c3. The filter result displays only
c3640-i-mz.112-24.P.bin and c3640-i-mz.112-25.P.bin images.
Step 3
Click Filter.
The Software Repository Management window appears with the filtered image details.

To ensure that Software Management is using the most current information about an image, you should
keep the image attributes up to date. Software Management uses image attribute information to:
Recommend the appropriate image for a given device

When you distribute an image from the software repository to a device, Software Management uses
the image attributes to recommend an image.
Notify you when a Flash memory or DRAM upgrade is required (upgrade analysis)
When you distribute an image from the Software Repository to a device, Software Management
compares the current Flash memory and DRAM attributes with the Flash memory and DRAM
requirements for the new image.
9-26
OL-25941-01
Chapter 9

Software Repository
The following sections contain:
Understanding Software Image Attributes
Understanding Default Attribute Values
Finding Missing Attribute Information
Editing and Viewing the Image Attributes
Understanding Software Image Attributes

To ensure that Software Management is using the most current information about an image, keep the
image attributes updated.
If you do not have all the image attribute information when you add the image to the Software
Repository, you must edit the attributes when the information becomes available.
Note
The auto fill of the Minimum NVRAM, Minimum RAM and Minimum Bootflash image attributes is
applicable only for IOS.
The attributes for software images are:
Table 9-4
Attribute
Description
Usage Notes
Minimum RAM
Minimum RAM required.
Select it from the list of options.
Minimum Flash
Minimum Flash memory required.
Select it from the list of options.
Minimum Boot ROM

Version
Minimum bootstrap version required.
Enter text in standard Cisco IOS format: a.b(c).
Minimum system software Minimum system software version

version
required on the device to upgrade the
microcode image (MICA portware,
Microcom firmware, CIP microcode
only)
Minimum supervisor
version
Minimum software image version

required on supervisor engine module.
Cisco Switches can contain any number
of modules such as, ATM, FDDI/CDDI,
etc.
These modules can run different images.
There are some interdependencies
among the software images that can run
on the supervisor engine module and the
ATM, FDDI/CDDI, and Token Ring
modules residing on the same device
chassis.
Minimum NVRAM
Minimum NVRAM required to run

image on Supervisor Engine III.
Select from list of options.

OL-25941-01
9-27
Chapter 9
Software Repository
Understanding Default Attribute Values

The Unknown attribute option has different meanings for different image attributes.
Attribute
Description
RAM
If you select Unknown, Software Management computes the RAM

value.
Flash Size
If Min.Flash is unknown, it is ignored.

If the image size is unknown, the required Flash size to copy the image
cannot be determined and the image cannot be used for upgrade.
Boot ROM Version
If you select Unknown, no value is stored in this field and the image can
run with any boot ROM image version.
Finding Missing Attribute Information

When you import an image from another filesystem, the image might not contain all the attribute
information that Software Management requires.
You can find the missing attribute information in the following ways:
Read the Release Notes on Cisco.com or the documentation CD-ROM.
Review the image attribute information that is available along with the images, when you download
the images from Cisco.com.
You can update the missing attribute information in the Edit/View Image Attributes dialog box.
See Editing and Viewing the Image Attributes for further details.
Editing and Viewing the Image Attributes

LMS allows you to edit and view image attributes.
Note
To edit the software images attributes:
Step 1
Step 2
Click the File Name.

The Edit/View Image Attributes dialog box displays attributes for the selected image type.
Step 3
Make your changes in the available editable fields.

For editable image attributes, you will get either a drop-down list or text fields that you can edit.
9-28
OL-25941-01
Chapter 9

Step 4
Either:
Click Update, if you have updated the image attributes.

The Software Repository Management dialog box appears after updating the attributes.
Or
Click OK, if you have not updated the image attributes.

The Software Repository Management dialog box appears without updating the attributes.
Software Distribution allows you to distribute images in your network and to analyze and determine the
impact and prerequisites for new software images before distribution.
Upgrade Analysis
Software Distribution Methods
Patch Distribution
Understanding Upgrade Recommendations
Upgrade Analysis
Before planning a software image upgrade, you must determine the prerequisites of the new software
images. You can analyze these by using,
Cisco.com (See Planning an Upgrade From Cisco.com.)
Repository (See Planning an Upgrade From Repository.)
Understanding the Upgrade Analysis Report
Support for In Service Software Upgrade
Planning the Upgrade
Scheduling the Upgrade

OL-25941-01
9-29
Chapter 9
Planning an Upgrade From Cisco.com

Use the Cisco.com Upgrade Analysis option to determine the impact to and prerequisites for a new
software deployment using images that reside in Cisco.com.
This option allows you to identify only images that meet certain criteria. It then analyzes the images to
determine the required hardware upgrades (boot ROM, Flash memory, RAM, and access).
This option helps you answer questions such as:
Note
Does the device have sufficient RAM to hold the new software?
Have the minimum ROM version requirements been met?
Is the Flash memory large enough to hold the new software?
Do I need to add Telnet access information for the device to the Device and Credential Repository?
Have I performed an upgrade path and NVRAM analysis on my Catalyst devices?
Does the module firmware on my IPX/IGX/BPX devices need to be upgraded?
To upgrade from Cisco.com:
Step 1
Select Configuration > Tools > Software Image Management > Upgrade Analysis.
The Select Upgrade Source dialog box appears.
Step 2
Select Cisco.com and click Go.

Step 3
Select the devices to analyze, then click Next.

See Administration of Cisco Prime LAN Management Solution 4.2 for information on how to use the
Device Selector.
a.
Enter your Cisco.com username and password.

If you enter Cisco.com credentials in this workflow, these credentials are valid only for that session.
b.
Click OK after entering the credential information.
The Cisco.com Upgrade Analysis dialog box appears with the following information:
Field
Description
Device
Name of the device
Running Image
Running image of the device
9-30
OL-25941-01
Chapter 9

Field
Description
Image Options
Available images.
Select the Image options from the drop-down list.
Error
Step 4
Click Finish to update the upgrade path information.

The Upgrade Analysis Report appears in a new browser window.
See Understanding the Upgrade Analysis Report for details.
Planning an Upgrade From Repository

Use the Repository Upgrade Analysis option to analyze images in your software repository and
determine the impact to and prerequisites for a new software deployment. The option produces the
Upgrade Analysis report, which shows the required boot ROM, Flash memory, RAM, and access.
This option helps you answer such questions as:
Note
Does the device have sufficient RAM to hold the new software?
Have the minimum ROM version requirements been met?
Is the Flash memory large enough to hold the new software?
Do I need to add Telnet access information for the device to the Device and Credential Repository?
Does the module firmware on my IPX/IGX/BPX devices need to be upgraded?
To upgrade from repository:
Step 1
Select Configuration > Tools > Software Image Management > Upgrade Analysis.
The Select Upgrade Source dialog box appears.
Step 2
Select Repository, then click Go.

The Repository Upgrade Analysis dialog box appears.
Step 3
From the list, select the image to analyze, then select the devices to upgrade, then click Run Report.
The Upgrade Analysis Report window appears.
See Understanding the Upgrade Analysis Report for details.

OL-25941-01
9-31
Chapter 9
Understanding the Upgrade Analysis Report

The Upgrade Analysis report summarizes the impact to and prerequisites for a new software deployment
for the selected devices. It is generated by the Cisco.com Upgrade Analysis (Planning an Upgrade From
Cisco.com) and Repository Upgrade Analysis (Planning an Upgrade From Repository) options.
The information that is shown in this report depends on the device type you have selected. See these
tables to understand the Upgrade Analysis Report, Table 9-5 and Table 9-6.
Locate your device in the Supported Image Import Features for Software Management table on
Cisco.com. For some devices the upgrade analysis option may not be available yet.
Table 9-5
Upgrade Analysis Report Columns
Column
Description
Device Information
Running Image Name, Running Image Version, BootROM Version,

Running Image Feature, and Device Family
Boot ROM Upgrade
Any boot ROM upgrade required
Flash Upgrade
Any Flash upgrade required
RAM Upgrade
Any RAM upgrade required
Telnet Access
Any Telnet information required
Boot Flash Upgrade
Any boot Flash upgrade required
NVRAM Upgrade
Any NVRAM upgrade required
Module Firmware Upgrade
Firmware upgrade requirements for each service module in device.
Firmware Compatibility
Indicates whether the selected firmware image is compatible with the

switch software image running on the device.
:The following table (Table 9-6) maps the Upgrade Analysis Report to the supported device types:
Optical Networking
Routers and Switches
Storage Networking
The Upgrade Analysis from Cisco.com and Repository are not supported for these device types because
the required information for the upgrade analysis is not provided by the device:
Universal Gateways and Access Servers
Content Networking
DSL and Long Reach Ethernet (LRE)
Optical Networking
Security and VPN
Broadband Cable
Voice and Telephony
Network Management
Wireless
Cisco Interfaces and Modules
9-32
OL-25941-01
Chapter 9

Table 9-6
Upgrade Analysis Report Based on Device Type
Upgrade Analysis Report

Columns
Device Type: Routers and

Optical Networking
Device Type: Switches
Device Type: Storage

Networking
Boot ROM Upgrade
Supported
Not supported
Not supported
Flash Upgrade
Supported
Not supported
Not supported
RAM Upgrade
Supported
Supported
Supported
Telnet Access
Supported
Not supported
Supported
Boot Flash Upgrade
Not supported
Supported
Not supported
NVRAM Upgrade
Not supported
Supported
Not supported
Module Firmware Upgrade
Supported.
Supported.
This is applicable for the
following devices:
Not supported
See the Supported Image

Distribution Features for
Software Management table
on Cisco.com for the routers
device list that supports
Module Firmware Upgrade.
IPX/IGX/BPX device
switch
MGX system
http://www.cisco.com/en/US/
products/sw/cscowork/ps207
3/products_device_support_t
ables_list.html
Firmware Compatibility
Not supported
Supported.
This is applicable for the
following devices:
Not supported
IPX/IGX/BPX device firmware

In addition to this information, you can use the Go To drop-down list to navigate to particular device
analysis report.
Button
Description
Export to File
Exports the analysis report in CSV or PDF format.
(Icon)
Print
(Icon)

OL-25941-01
9-33
Chapter 9
Support for In Service Software Upgrade

LMS supports In Service Software Upgrade (ISSU) process. This process allows Cisco IOS software
images to be updated without rebooting the device. This increases network availability and reduces
downtime caused by planned software upgrades.
To perform the image upgrade using this ISSU process, the running image and the upgrade image must
be ISSU capable and should be available in the flash memory.
The ISSU image upgrade process may fail if:
The running or the upgrade image is not available in the flash memory
The running image is deleted because of flash cleanup operation performed while the job is running.
ISSU support is available only for the following devices:
Cisco Catalyst 6000 Series IOS Dual Chassis (VSS) Switches
Cisco Catalyst 6000 Series Dual Supervisor Switches
ISSU process can be applied to the following distribution methods:
By devices [Basic]
By image
Use remote staging
To perform this ISSU image upgrade process:
Select Reboot immediately after downloading in the Job Schedule and Options page of the Device
Distribution flow.
You can also customize the configurations available in the Issuconf.properties file located at:
NMSROOT/MDC/tomcat/webapps/rme/WEB-INF/conf/swim (On Solaris and Soft Appliance)
NMSROOT\MDC\tomcat\webapps\rme\WEB-INF\conf\swim (On Windows)
9-34
OL-25941-01
Chapter 9

You can configure the following properties in the Issuconf.properties file:

Variable
Description
RBTConfig
Configure the rollback timer.

By default, the value of this variable is set as NO.
If you configure the value as Yes, then rollback will happen for the value set in
the variable RollBackTime.
RollBackTime
Enter the rollback timer (value in minutes).

By default, the rollback time is set as 45.
To consider the value for rollback timer you must set the RBTConfig value as
Yes.
IssuSupImgVer
The ISSU supported version of the running image.

For ISSU upgrade support, the value for this variable must be an ISSU capable
image version such as SXI.
This value can either match the version of the running image completely, or
partially. For example, 12.2(33)SXI, or SXI.
The running software image version in the device must match the version configured in the
Issuconf.properties.
If the running image or the upgrade image is not an ISSU capable image, or the version of the image is
wrongly configured for the variable IssuSupImgVer in the Issuconf.properties file, then ISSU upgrade
process will not happen and LMS proceeds with the normal upgrade process.
For example, if the running image version is 12.2(33)SXI, which is ISSU capable, and the version
entered for the variable IssuSupImgVer is 12.2(33)SXH, then ISSU upgrade will not happen and LMS
proceeds with normal upgrade process.
To fix this issue, you must provide the proper version for the variable IssuSupImgVer that is ISSU
capable. For example, 12.2(33)SXI, or SXI.
Software Distribution Methods

You can distribute images to the devices in your network, using any of these options:
Distribute by Devices [Basic]:

This option enables you to select devices and perform software image upgrades to those devices.
Software Management checks the current image on the device and recommends a suitable image and
the appropriate image storage for distribution.
See Distributing by Devices [Basic]
Distribute by Devices [Advanced]:

This option enables you to enter the software image and storage media for the device that you want
to upgrade.
The selected image and storage media is validated and verified for dependencies and requirements
based on the device information that you entered when you added devices to the Device Credentials
Repository.
See Distributing by Devices [Advanced]

OL-25941-01
9-35
Chapter 9
Distribute by Images:
This option enables you to select a software image from the software image repository and use it to
perform an image upgrade on suitable devices in your network. This option is useful when you have
to distribute the same image to multiple devices.
See Distributing by Images.
Remote Staging and Distribution:

This option enables you to select a software image, store it temporarily on a device and then use this
stored image to upgrade suitable devices in your network. This option is helpful when the LMS
server and the devices (including the remote stage device) are distributed across a WAN.
See Remote Staging and Distribution.
You can run the device upgrades job sequentially or in parallel. After the devices upgrade, you can also
specify the reboot order. You can specify these options in the Job Schedule and Options dialog box.
During the image upgrade, Software Management:
Checks the amount of Flash memory on the device. If Flash memory needs to be erased before the
new system image is loaded and erasing is allowed, it erases the Flash memory. Before erasing the
Flash, a warning message appears Flash memory will be erased.
Performs MD5 Checksum check of the image when it is downloaded from Cisco.com directly. It also
performs image size check once the image is copied to a device, to check if there was any network
transfer issue. These are the image consistency checks performed by Software Management.
Provides a running log of the upgrade job.
E-mails a report on the results to the specified addresses after completing the upgrade.
Inserts boot commands to activate the upgraded image.
Reboots the device if the Reboot Schedule option has been set to Reboot Immediately.
RAM value is not checked. Hence, distribution proceeds without any errors even if the RAM value
is unknown.
Min.Flash is ignored, if Min.Flash is unknown.
Image cannot be used for upgrade, if Flash size is unknown.
After you schedule an image upgrade, you can use Software Management Job Browser (Configuration
> Job Browsers > Software Image Management) to review, retry, or cancel a job.
After a successful distribution job, Software Management triggers
An inventory and a configuration collection.
A Change Audit log. You can generate a Change Audit Standard Report in the Report Generator
window (Reports > Audit > Change Audit > Standard).
9-36
OL-25941-01
Chapter 9

Authorizing a Distribution Job
Distributing by Devices [Advanced]]

Planning the upgrade typically involves these phases:
Identifying Possible Changes
Satisfying the Prerequisites
Maintaining Your Software Image Repository
Testing the New Images
Identifying Possible Changes
Identifying which devices at your site might require software upgrades consists of these phases:
Determine whether an upgrade is required

You can learn about new features or fixes in different ways.
You use the Browse Bugs option (Reports > Cisco.com > Bug Summary) to summarize the
software image bugs for the devices in your network.
You can schedule a Browse Bugs job to run at regular intervals. This will help you determine any
bugs related to current running images on the devices.
If you find a bug in your software, call the Technical Assistance Center (TAC) to know the status of
the bug.
Your sales engineer or channel partner notifies you of new features that might be appropriate for
your site.
You check Cisco.com periodically to review new release notes, bug-fix documentation, and
marketing bulletins.
Retrieve information about the upgrade

Go to Cisco.com to read the most recent product Release Notes or bug-fix documentation. This
information will help you determine the software image version you need.
Determine whether the upgrade is really necessary

After you determine the version you need, you can list the current software version numbers for your
managed devices.
You can generate this using (Reports > Inventory > Software)
Satisfying the Prerequisites
Run Cisco.com Upgrade Analysis or Repository Upgrade Analysis to determine the prerequisites for a
new software deployment. See Upgrade Analysis for further details.

OL-25941-01
9-37
Chapter 9
In addition, you need to answer questions such as:
Have you supplied the minimum requirements such as the minimum device configuration
requirements for each device? See Meeting Minimum Device Requirements for further details.
Is the device running from Flash (RFF)?
Does the device have multiple Flash partitions?
Does the Supervisor board require a new software image?
Have you satisfied the additional requirements for the devices?

See Configuring Devices for Upgrades for further details.
Maintaining Your Software Image Repository
Use the Adding Images to the Repository > Network option to import running images from all
Software Management-supported devices in your network into the repository.
See Adding Images to the Software Repository From the Network for further details.
Since you can download new images to a device without using Software Management, eventually
the software image repository might not reflect the images that are running on your network devices.
To keep the repository current:
Review all software images in the repository.
See Software Repository for further details.

Schedule the Synchronization report to run periodically.
See Scheduling a Synchronization Report for further details.

Retrieve additional images from Cisco.com, another device, or a file system on your server.
See Adding Images to the Software Repository for further details.
Download Cisco images from Cisco.com during a scheduled distribution job.
Testing the New Images
To confirm the stability of your network after upgrades, test the new software images before you perform
a full-scale deployment.
You cannot roll back software upgrades for supervisor modules on Catalyst 5000 series switches.
Therefore, test the new images for these devices thoroughly before deploying them on your network.

This section lists all the required tasks that have to be performed on Cisco devices. This section also
captures the following information:
Meeting Minimum Device Requirements
Meeting Additional Device Requirements
Additional SFB Checks
Configuring Telnet and SSH Access
Configuring SCP
9-38
OL-25941-01
Chapter 9

Configuring RCP
Configuring TFTP
Configuring HTTP
Meeting Microcode and Modem Firmware Requirements
Meeting Minimum Device Requirements

Before you can upgrade software images, you must meet the following requirements:
Category
Requirements
Device configuration
Device must be configured with SNMP read-write community string.

There should not be any access list on the device that will disable TFTP
transfers from the workstation.
IOS and ONS devices
For the device to be rebooted using the SNMP protocol, you must
configure the snmp-server system-shutdown command on the device.
SFB devices
See Additional SFB Checks for further details.
RSP 7000 or 7500 devices running Cisco IOS

version 11.x or later
See Additional SFB Checks for further details.
Microcode images
See Meeting Microcode and Modem Firmware Requirements for further

details.
Inventory
SNMP read-write community string must be in Device and Credentials

database (Inventory > Device Administration > Add / Import / Manage
Devices).
tftpboot directory space
Must have enough space for all concurrent jobs, which could include
image distribution, image import, config file scan, and so on.
Meeting Additional Device Requirements

Before you upgrade, you must meet the following additional device requirements:
Make sure you have Telnet access to upgrade the devices. Before you upgrade, add the Enable mode
password (see Configuring Telnet and SSH Access) and access information for each device to the
Device and Credential Repository.
See the Software Management Functional Supported Device tables on Cisco.com for the devices list
that requires Telnet access.
http://www.cisco.com/en/US/products/sw/cscowork/ps2073/products_device_support_tables_list.h
tml
To perform the upgrade, the device must be rebooted to RxBoot mode using SNMP. Do this even if
you have selected the Do not reboot option when scheduling the upgrade. This procedure is
applicable only to RFF devices.

OL-25941-01
9-39
Chapter 9
Configure PIX Firewall for SNMP and telnet access. For LMS to manage these devices, you must
enter these commands on the device, in the config mode:
1.
config terminal
2.
snmp -server host
3.
snmp -server community
4.
telnet
5.
write mem
hostname
community name
ip 255.255.253.255 inside interface
Additional SFB Checks

Software Management validates the image upgrades at the time the job is scheduled. For SFB devices,
Software Management also verifies that:
IP routing is enabled on the device.
The ethernet interface that connects LMS to the device has an IP address assigned to it and is routing
IP protocol.
If the device is configured with Frame Relay subinterfaces, the device software version is 11.1 or
higher.
The ROM monitor code version is 5.2 or higher.
Configuring Telnet and SSH Access

Before you schedule the upgrade, use the Device and Credentials (Inventory > Device Administration
> Add / Import / Manage Devices) option to add or change passwords and access information.
When you select the SSH protocol for the Software Management, the underlying transport mechanism
checks whether the device is running SSHv2.
If so, it tries to connect to the device using SSHv2.
If the device does not run SSHv2 and runs only SSHv1 then it connects to the device through SSHv1.
If the device runs both SSHv2 and SSHv1, then it connects to the device using SSHv2.
If a problem occurs while connecting to the device using SSHv2, then it does not fall back to SSHv1 for
the device that is being accessed.
See the Software Management Functional Supported Device tables on Cisco.com for the devices list that
requires Telnet and SSH access.
Telnet password
If the Telnet password is configured on your device, you might need this password for basic login
access.
Enter the Telnet password in the Primary Credential Password field in the Add Credential Template
dialog box (Inventory > Device Administration > Add / Import / Manage Devices).
Local user name

If the device is configured with the local username and password, you must enter this information
when you log in. In Telnet mode, for catalyst devices, the local user name is not applicable, so you
must leave this field blank. In secure shell (SSH) mode, for catalyst devices, you must enter this
information.
9-40
OL-25941-01
Chapter 9

Enter the Local User name in the Primary Credential Username field in the Add Credential
Template dialog box (Inventory > Device Administration > Add / Import / Manage Devices).
Local user password

If the device is configured with the local username and password, you must enter this information
when you log in.
If TACACS is configured, the application uses the TACACS information.
If the parent TACACS server is down and the local username and password are present, the
application uses this information instead.
Enter the Local user password in the Primary Credential Password field in the Add Credential
TACACS username and password

If the device is configured for TACACS, you must enter the TACACS username and password. The
application will try to use this information first for login access.
Enter the TACACS username and password in the Primary Credential Username and Primary
Credential Password fields in the Add Credential Template dialog box (Inventory > Device
Administration > Add / Import / Manage Devices).
Enable secret password

The enable secret password takes precedence over the enable password in Cisco IOS Release 11.x
and later. Use this password to make changes when running in regular Cisco IOS mode. If the service
password-encryption is enabled, enable secret passwords are more secure than enable passwords.
Enter the Enable password in the Primary Credential Enable Password field in the Add Credential
Enable password
Since some versions of BOOT ROM mode do not recognize the enable secret password or if enable
secret is not configured on the device, you must use the enable password to load Flash memory.
Enter the Enable password in the Primary Credential Enable Password field in the Add Credential
Enable TACACS
Sometimes the device is configured for enable TACACS. In this case, you must provide the
TACACS user name and password information for enable access.
Note
The TACACS user name and password must be same as the Local user name and password.
You cannot configure different user names and passwords for user mode and enable mode
for the device.

OL-25941-01
9-41
Chapter 9
Some useful URLs on configuring SSHv2 are:
Configuring Secure Shell on Routers and Switches Running Cisco IOS:

http://www.cisco.com/warp/public/707/ssh.shtml
How to Configure SSH on Catalyst Switches Running Catalyst OS:

http://www.cisco.com/en/US/tech/tk583/tk617/technologies_tech_note09186a0080094314.shtml
Configuring the Secure Shell Daemon Protocol on CSS:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v
8.20/configuration/security/guide/sshd.html
Configuration Examples and TechNotes:

http://www.cisco.com/en/US/tech/tk583/tk617/tech_configuration_examples_list.html
Configuring SCP
You can use the SCP protocol to transfer the software images. While using SCP protocol, the LMS server
acts like a client and the device acts like a server.
To configure the LMS server as an SCP client, you must enter the SSH credentials. See Configuring
Telnet and SSH Access for further details.
For Cisco Catalyst 2900XL, 2970, 2960, 3550, 3560, 3750, and 3750E switches, if you are upgrading
the .tar images using SCP protocol, you must configure the SCP username and password.
The minimum supported version of the running image should be 12.2(25) SEC and should have the SCP
protocol support.
In this case, LMS server acts like a SCP server and the device acts like a client.
9-42
OL-25941-01
Chapter 9

To configure SCP username and password:

Step 1
Go to Admin > System > System Preferences.

The System Preferences dialog box appears.
Step 2

Field
Description
SCP User
Enter the user name.

For Solaris and Soft Appliance:
You must specify a user name that has SSH authorization. SCP uses
this authorization for transferring the images.
For Windows:
The username you have entered here is taken for transferring images
using SCP protocol.
SCP Password
Enter the password.

For Solaris and Soft Appliance:
You must specify a password that has SSH authentication. SCP uses
this authentication for transferring the images.
For Windows:
The password you have entered here is used for authentication while
transferring images using SCP protocol.
SCP Verify Password
Re-enter the password to verify.
Step 3
Click Apply after making the changes.
Step 4
To cancel the changes, click Cancel.
Configuring RCP
You can use the RCP protocol to transfer the software images. The LMS server acts like a RCP server
and the device acts like a client.
Configuring RCP involves the following:
Configuring RCP on Solaris and Soft Appliance
Configuring RCP on Windows
Selecting RCP as the Active File Transfer Method on Solaris and Soft Appliance and Windows
Configuring Cisco IOS Software Devices to Allow RCP Transactions
Configuring RCP on Solaris and Soft Appliance
Configuring RCP on Solaris and Soft Appliance, involves the following:
Creating the RCP Remote User Account
Enabling the RCP Daemon

OL-25941-01
9-43
Chapter 9
Creating the RCP Remote User Account
To use RCP, you must create a user account on the system to act as the remote user to authenticate the
RCP commands issued by devices. This user account must own an empty.rhosts file in its home directory
to which the user, casuser has write access.
You can choose the name of this user account because you can configure the LMS server to use any user
account.
The default user account name is cwuser. The examples in this procedure use the default name cwuser.
If you choose to use a different name, substitute that name for cwuser.
To create and configure the RCP remote user account, follow these steps while logged in as root:
Step 1
To add a user account named cwuser to the system, enter:

# useradd -m -c user account to authenticate remote copy operations \ cwuser
Step 2
Navigate to the cwuser home directory.
Step 3
Create the .rhosts file, by entering:

# touch .rhosts
Step 4
Change the owner of the .rhosts file, by entering:

# chown cwuser:casusers .rhosts
Step 5
Change the permissions of the .rhosts file, by entering:

# chmod 0664 .rhosts
If you did not use the default user name cwuser, use the user account that you created as the RCP remote
user account.
a.
Login to the server as admin.
b.
Select Admin > System > System Preferences.

The View / Edit System Preferences dialog box appears.
c.
Enter the name of the user account that you created in the RCP User field, then click Apply.
Enabling the RCP Daemon
To add and configure standard Solaris and Soft Appliance RCP server software:
Step 1
Log in as superuser.
Step 2
Edit the /etc/inetd.conf file using a text editor.
Look in the file /etc/inetd.conf for the line that invokes rshd. If the line begins with a pound sign
(#), remove the pound sign with a text editor. Depending on your system, the line that invokes the
rshd server might look similar to:
shell
stream
tcp
nowait
root
/usr/sbin/in.rshd
in.rshd
Save the changes to the edited file and exit the text editor.
9-44
OL-25941-01
Chapter 9

Step 3
Go to the UNIX prompt, enter the following to display the process identification number for the inetd
configuration:
# /usr/bin/ps -ef | grep -v grep | grep inetd
The system response is similar to:

root
119
12:56:14 ?
0:00 /usr/bin/inetd -s
The first number in the output (119) is the process identification number of the inetd configuration.
Step 4
Enable your system to read the edited /etc/inetd.conf file, enter:

# kill -HUP
119
where 119 is the process identification number identified in Step 3.

Step 5
Verify that rshd is enabled by entering:

# netstat -a | grep shell
which should return output similar to:

*.shell
*.*
0 0 0 0 LISTEN
Configuring RCP on Windows
During LMS installation, the RCP server is configured.

Selecting RCP as the Active File Transfer Method on Solaris and Soft Appliance and Windows
Step 1
Select Admin > Network > Software Image Management > View/Edit Preferences.
The View/Edit Preferences dialog box appears.
Step 2
Select the Protocol Order.
Step 3
Click Apply.
Configuring Cisco IOS Software Devices to Allow RCP Transactions
Given here is a basic configuration in a router that can handle RCP transactions from the LMS server.
calvi# show running configuration
Building configuration...
Current configuration:
!
version 11.3 service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname calvi
!
boot system c2500-is-l.113-11a.T1.bin 255.255.255.255
enable password 7 1106170043130700
!
username cwuser password 7 000C1C0A05

OL-25941-01
9-45
Chapter 9
ip rcmd rcp-enable
ip rcmd remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser
!
!
process-max-time 200
!
interface Loopback0
ip address 5.5.5.5 255.255.255.255
no ip directed-broadcast
!
interface Ethernet0
description Connection to Backbone
ip address 172.17.246.4 255.255.255.0
no ip mroute-cache
!
interface Serial0
no ip address
no ip mroute-cache shutdown
no cdp enable
!
interface Serial1
no ip address
no ip mroute-cache shutdown
no cdp enable
!
interface Async1
no ip address
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.17.246.1
!
logging monitor informational
snmp-server community private RW
snmp-server community public RO
snmp-server enable traps snmp
snmp-server host 172.17.246.117 traps public
!
line con 0
exec-timeout 0 0
password 7 0504080A754D4205
login
line 1 8
exec-timeout 0 0
9-46
OL-25941-01
Chapter 9

login
transport input all
line aux 0
password 7 06090124184F0515
login
line vty 0 4
exec-timeout 0 0
password 7 06090124184F0515
login
!
end
where:
username cwuser password 7 000C1C0A05
creates the username cwuser on the router. You must
choose a password for this user.

enables RCP service on the device.
ip rcmd rcp-enable
ip remote-host cwuser 172.17.246.221 cwuser enable
ip rcmd remote-username cwuser configures use of the remote user name at the request of a remote
The remote system where you install

LMS has the IP address 172.17.246.221 and the local definition of the user, cwuser. This command
allows cwuser to issue the copy command on the network device.
copy. At the initiation of the remote copy operation in the network device, for example, in Add
Images to Library, the device uses the cwuser name to authenticate against the LMS server.
Configuring TFTP
You can use the Trivial File Transfer Protocol (TFTP) protocol to transfer the software images. The LMS
server acts like a TFTP server and the device acts like a client.
Configuring TFTP on Windows
During LMS installation, the tftpboot directory is created under the directory in which LMS is installed
(the default is SystemDrive:\Program Files\CSCOpx).
Configuring TFTP on Solaris and Soft Appliance
A file transfer server must be installed on your system. You must enable a TFTP server because it is the
default file transfer server type.
During Software Management installation, if the installation tool cannot find a TFTP server, it tries to
add one. If the installation tool cannot find or create a TFTP server, you must install and enable the TFTP
server. Verify that a /tftpboot directory exists, as explained in the following sections.
Enabling the TFTP Daemon
Creating the /tftpboot Directory

OL-25941-01
9-47
Chapter 9
Enabling the TFTP Daemon
If you are using standard Solaris and Soft Appliance software, you can add and configure the TFTP
server (TFTPD).
Step 1
Log in as superuser.
Step 2
Edit the /etc/inetd.conf file using a text editor.
Look in the file /etc/inetd.conf for the line that invokes TFTPD. If the line begins with a pound sign
(#), remove the pound sign with your text editor. Depending on your system, the line that invokes
the TFTP server might look similar to:
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
Step 3
Save the changes to the edited file and exit your text editor.
Go to the UNIX prompt, enter the following command to display the process identification number for
the inetd configuration:
# /usr/bin/ps -ef | grep -v grep | grep inetd
The system response is similar to:

root
119
12:56:14 ?
0:00 /usr/bin/inetd -s
The first number in the output (119) is the process identification number of the inetd configuration.
Step 4
Enable your system to read the edited /etc/inetd.conf file, enter:

# kill -HUP
119
where 119 is the process identification number identified in Step 3.

Step 5
Verify that TFTP is enabled by entering either:

# netstat -a
or
# grep tftp
which should return output similar to:

*.tftp Idle
or enter:
# /opt/CSCOpx/bin/mping -s tftp
localhost_machine_name
which returns the number of modules sent and received, for example:
sent:5 recvd:5 . ..
If the output shows that zero modules were received, TFTP is not enabled. Repeat these steps, beginning
with Step 1, to make sure you have enabled TFTP.
Creating the /tftpboot Directory
LMS uses the /tftpboot directory when transferring files between the LMS server and network devices.
The files are removed after the transfer is complete. However, multiple jobs (for example, image
distribution, image import, or config file scan) could be running at the same time.
Each of these jobs requires its own space. Software image sizes, for example, can be up to 20 MB. To
ensure that jobs run successfully, make sure there is sufficient space available in the /tftpboot directory.
9-48
OL-25941-01
Chapter 9

If the /tftpboot directory does not exist on your system, you must create it:
Step 1
Enter:
# mkdir /tftpboot
Step 2
Make sure all users have read, write, and execute permissions to the /tftpboot directory by entering:
# chmod 777 /tftpboot
The /tftpboot directory now exists and has the correct permissions.
Configuring HTTP
No configuration on device is required for this protocol.
Meeting Microcode and Modem Firmware Requirements

The following minimum system software versions are required to support microcode and modem
firmware upgrades. However, different versions of these image types might require different versions of
system software.
Software Management does not check for compatibility and dependence between each microcode
version and system software version. It merely warns the user to check this information by consulting a
technical representative or the compatibility matrix published on Cisco.com.
MICA Portware Image Types
Device
Minimum System Software Version
AS5200
Cisco IOS version 11.3(2)T

Bootloader version 11.2(11)P
AS5300
Cisco IOS version 11.2(9)XA
3640
Cisco IOS version 11.2(12)P
Microcom Firmware Image Types
Device
Minimum System Software Version
AS5200
Cisco IOS version 11.2(10a)P

Bootloader version 11.2(11)P
AS5300
Cisco IOS version 11.1(14)AA
CIP Microcode Image Types
Supported for Cisco IOS versions 11.x and later.

OL-25941-01
9-49
Chapter 9

Scheduling an upgrade consists of:
Selecting the devices to upgrade

Use Software Management's scheduling features to schedule the upgrade for one device or a series
of devices.
Software Management downloads images from more than one device in parallel. You must ensure
that the tftpboot directory (NMSROOT/tftpboot (On Solaris and Soft Appliance), and
NMSROOT\tftpboot (On Windows)) has enough free space to accommodate at least 20 images.
Determining any limitations or requirements for the selected devices

For example, SFB devices have several upgrade requirements and limitations.
Updating the inventory

Since Software Management uses the inventory to make image and Flash memory
recommendations, be sure that your current inventory reflects the correct device information.
For some devices such as 6400 NRP1, 801, and 802, etc., Software Management contacts devices
to get the Flash information.
Configuring file transfer protocol order

Before scheduling a software upgrade job, set the protocol order for configuration file transfer.
For fetching configuration from device, the protocol settings of Configuration Management are
used. Software Management uses the same protocol for fetch and download of configurations. You
can set the Configuration Management protocol order using Admin > Collection Settings > Config
> Config Collection Settings.
For better performance, set tftp as the first protocol.
Determining the upgrade and execution order

Based on your network topology and to minimize the impact on your network, you can schedule the
upgrades job either sequentially or in parallel.
For example, if devices A, B, and C are networked sequentially, then you must upgrade device C
first, then device B, then device A. If you upgrade device B first, you might no longer have access
to device C.
Determining the upgrade schedule

For most devices, you can schedule the software to:
Distribute the software to the device and reload the device immediately.
Distribute the software only. You will perform the reloads manually.
The following devices are always rebooted immediately after the software is downloaded:
Single Flash bank devices
FDDI/CDDI, ATM, and Token Ring modules on Catalyst switches
Checking the Work Order report

The Work Order report contains such information as the state of the software running on the device
and the new software, the operations that will be performed during the upgrade procedure, and any
important notes that you should be aware of before the upgrade begins.
9-50
OL-25941-01
Chapter 9

Authorizing a Distribution Job

The Job Approval approval option allows you to require job upgrade approvals before running a
scheduled job. It enforces the approval process by sending job requests through e-mail to people on the
approver list.
To set up the authorization process:
Select the appropriate Job Approval options.
Make sure one or more approver lists exist.
Make sure the upgrade job identifies an approver list.
Make sure the approver is a member of that approver list.
See Administration of Cisco Prime LAN Management Solution 4.2 for more details on creating and
editing approver lists, assigning approver lists, setting up Job Approval, and approving and rejecting
jobs.

You can use the Distribute by Devices option to schedule device-centric upgrade jobs.
Software Management recommends any software images available on LMS server and Cisco.com, if this
option is selected by you (Admin > Network > Software Image Management > View/Edit
Preferences).
To do this, select the devices first and distribute suitable images to them. After the distribution job is
complete, you can use the Software Management Job Browser window to:
Note
Undo an upgrade and roll back to the previous image
Retry devices that failed a previous upgrade
Before You Begin

Before you begin distributing the images, you should have:
Prepared for this upgrade. You should have met all of the prerequisites for loading the software on
the device and also verified whether the necessary software images are present in the software image
repository.
You can also download the images from Cisco.com. You must ensure that you have the access to
download the images from Cisco.com.
Considered the effect of the upgrade on your network and your network users.
Supplied the information required by Software Management for each device.
To distribute the images by device in Basic mode:

Step 1
Select Configuration > Tools > Software Image Management > Software Distribution.
The Distribution Method dialog box appears.
Step 2
Select By device [Basic] and click Go. The Select Devices dialog box appears.

OL-25941-01
9-51
Chapter 9
Step 3
Select the devices, then click Next.

a.
Enter your Cisco.com username and password.

If you enter Cisco.com credentials in this workflow, these credentials are valid only for that session.
Click OK after entering the credential information.
The software management analyzes the required images that are available in your software repository
and on Cisco.com. It then recommends the appropriate image for distribution.
See Understanding Upgrade Recommendations for details on how Software Management recommends
image for various Cisco device types.
The Distribute By Devices dialog box appears with the following information:
Field
Description
Device Information
Name of the device.

Module Information
Image type, chassis model, and software version on device.
Image Options
Details of the recommended image.
Storage Options
Details of recommended image storage information.
Errors
Click on the underlined Error message to review the details.
Notation Descriptions
Step 4
An asterisk (*) at the beginning of the field indicates the recommended image or partition by
Software Management. If there is no asterisk at the beginning of the field, it indicates that an
appropriate image or partition could not be found but the displayed selections might work.
A '^' means that the image resides in Cisco.com but not in your software image repository. When
you select an image in Cisco.com to distribute to a network device, the image is first added to the
image repository, then downloaded to the device.
A superscript '1' refers to read-only Flash memory.
A superscript '2' refers to the Flash partition that holds the running image when a device is running
from Flash (RFF).
Select the devices to which you want to distribute images and click Next.
The Distribute By Devices window appears with these details:
Field
Description
Device
Name of the device
Selected Module
Module information that you have selected.
Selected Image
Image information that you have selected.
9-52
OL-25941-01
Chapter 9

Step 5
Field
Description
Selected Slot
Image storage information that you have selected.
Verification Result
Click Next.
Step 6
Field

Description
Scheduling
Run Type
You can specify when you want to run the Image Distribution (by device [Basic]) job.
Date
Job Info
Job Description
E-mail
Comments
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
Choose not to reboot (and reboot manually later) or to reboot immediately after download.
You cannot select this option, if you have selected the Do not insert new boot commands into the
configuration file option.
Note the following about this option:
Does not apply to Cisco IOS SFB 2500/1600/5200 devices. These devices always reboot
immediately.
Line cards reboot automatically.
Does not apply to PIX devices managed through Auto Update Server (AUS).

OL-25941-01
9-53
Chapter 9
Field
Description
Perform distribution in
Non-Installed mode
This option is available only if the selected devices have IOS Software Modularity images running.
This option allows you to choose whether you want to install the images in Installed or
Non-Installed mode. By default Software Management distributes images in Installed mode.
Do not insert new boot

commands into
configuration file
Do not insert boot commands into configuration file to reboot with new image.
You cannot select this option, if you have selected the Reboot immediately after download option.
Does not apply to Cisco IOS SFB 2500/1600/5200 devices. Configuration file for these is always
updated.
Use current running

image as tftp fallback
image
If the running image is in the repository, select this option to place a copy in the TFTP server
directory. Uses this copy of image if reboot with new image fails.
Option is subject to your platform restrictions to boot over connection to server. Check your
platform documentation.
Backup image is not deleted after upgrade. It remains in TFTP server directory so that the
device can find it any time it reboots
Backup current running Select to back up the running image in software image repository before upgrading.
image
Line cards do not support upload.
On error, halt
processing of
subsequent devices
Select to stop the job if a download or reboot error on a device or a module occurs. The default is
to continue to the next device.
For sequential execution, if you do not select this option, upgrade for the next device begins.
For parallel execution, upgrade occurs in batches. On completion of the ongoing batch, subsequent
devices are not processed.
See the Job Summary page for details.
Enable Job Password
Enter the password for the distribution job. This password is used to connect to the devices using
Telnet at the time of distribution.
The credentials that you enter here are used for this particular Software Management job.
The credentials that you have entered in the Device and Credentials database (Inventory > Device
Administration > Add / Import / Manage Devices) are ignored.
Execution
Select the job execution order for the devices. This can be either Parallel or Sequential:
SequentialJob runs on the devices, sequentially. You can define this sequence.
ParallelJob runs on a batch of 15 devices at the same time.
If you have selected Sequential:

1.
Click Execution Order.

The Execution Order dialog box appears.
2.
Use the Up and Down arrows to order your device list.
3.
Click Done.
9-54
OL-25941-01
Chapter 9

Field
Description
Reboot
Select the reboot order for the devices. This can be either Parallel or Sequential.
1.
Click Boot Order.

The Boot Order dialog box appears.
Step 7
2.
Use the Up and Down arrows to order your devices list.
3.
Click Done.
Click Next after you finish entering the job information details.
The Software Distribution Work Order dialog box appears with these details:
Step 8
Summary of the job information.
State of the running image on the device.
Image selected for the upgrade.
Job Approval information.
Whether Flash memory will be erased before the new image is loaded.
Operations that will be performed during the upgrade procedure.
Whether the bootloader will be upgraded. (For a bootloader upgrade)
Information you should know before the upgrade begins. For instance, if the Image Subset feature
has changed on the device, you might need to reconfigure the device.
Verification warnings generated during image distribution (if applicable).
Click Finish.
Management > Jobs.

You can use the Distribute by Devices option to schedule device-centric upgrade jobs.
The selected image and storage media is validated and verified for dependencies and requirements based
on the device information that you have provided at the time of adding devices to the Device and
Credential Repository and the device data that is collected by the inventory.
The images that you want to distribute must be available in the Software repository.
You can use this method to upgrade the System software on all Software Management supported devices.
You can also upgrade module software on those modules which have a management IP address.
The modules/interfaces that do not have a management IP address cannot be upgraded using this method.

OL-25941-01
9-55
Chapter 9
The input file that contains the details of the device and image must be available at this location:
/var/adm/CSCOpx/files/rme/swim/advdistinput
On Windows:
NMSROOT\files\rme\swim\advdistinput
Where NMSROOT is the LMS installed directory.
After the distribution job is complete, you can use the Software Management Job Browser window to:
Note
Before You Begin

the device. You should have verified whether the necessary software images are present in the image
repository.
To distribute the images by device in Advance mode:

Step 1
Step 2
Select By device [Advanced], then click Go.

The Expert Distribution dialog box appears.
Step 3
Click Browse.
Step 4
Select the file and click OK.

The input file that contains the details must be available at this location:
/var/adm/CSCOpx/files/rme/swim/advdistinput
On Windows:
NMSROOT\files\rme\swim\advdistinput
The selected file must contain the information in CSV format and all the fields are mandatory:
device-display-name,image-in-repository,storagedestination,moduleidentifier
device-display-nameName of the device as entered in Device and Credential Repository.
image-in-repositoryImage name as in the software image repository.
9-56
OL-25941-01
Chapter 9

storagedestinationImage storage destination
moduleidentifierModule identifier number. This is applicable only for Catalyst devices. For other
devices, you must enter 0.
You can identify the device module number using Inventory Detailed Device Report (Reports >
Inventory > Detailed Device). In the Detailed Device Report, the Slot Number column in the
Module Information table provides you the Module Identifier Number.
For example, for a Cisco Router:

Rtr1750,c1700-sy56i-mz.121-24.bin,flash:1,0
For a Cisco Catalyst device:

cat5500-10.100.38.17,cat5000-supg.6-4-10.bin,bootflash:,1
Step 5
Check the Skip Verification checkbox if you want to postpone the verification to the job execution
stage.
If you have checked the Skip Verification checkbox, go to Step 7.
Or
Click Verify if you want the verification to take place during the job scheduling stage itself.
If you have clicked Verify, go to Step 6.
Step 6
Step 7
When you click Verify, the Expert Distribution window is updated with the following device details:
Field
Description
Device
Name of the device as specified in the input file.
Image
Name of the image as specified in the input file.
Storage Destination
Image storage information as specified in the input file.
Module Number
Module identifier number as specified in the input file.
Result
Click Next.
Step 8
Field
Enter the following information in the Job Schedule and Options dialog box:
Description
Scheduling
Run Type
You can specify when you want to run the Image Distribution (by device [Advanced]) job.
Date

OL-25941-01
9-57
Chapter 9
Field
Description
Job Info
Job Description
E-mail
Comments
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
Non-Installed mode
Does not apply to Cisco IOS SFB 2500/1600/5200 devices. These devices always reboot immediately.
Applies to Supervisor Engine I, II, and III only. Line cards reboot automatically.
This option is available only if the selected devices have IOS Software Modularity images running.
This option allows you to choose whether you want to install the images in Installed or Non-Installed mode. By default Software Management distributes images in Installed mode.
Do not insert new boot Do not insert boot commands into configuration file to reboot with new image.
commands into configu- You cannot select this option, if you have selected the Reboot immediately after download option.
ration file
Use current running

image
Does not apply to Cisco IOS SFB 2500/1600/5200 devices. Configuration file for these is
always updated.
Applies to Supervisor Engine III only.
If the running image is in the repository, select this option to place a copy in the TFTP server directory. Uses this copy of image if reboot with new image fails.
Applies to Supervisor Engine I, II, and III only.
Option is subject to your platform restrictions to boot over connection to server. Check your
platform documentation.
Backup image is not deleted after upgrade. It remains in TFTP server directory so that the
device can find it any time it reboots
9-58
OL-25941-01
Chapter 9

Field
Description
Back up current running Select to back up the running image in software image repository before upgrading.
image
Applies to Supervisor Engine I, II, and III only. Line cards do not support upload.
On error, halt processing of subsequent
devices
Enable Job Password
Enter the password for the distribution job. This password is used to Telnet to the devices at the
time of distribution.
Execution

1.

Reboot
2.
Use the Up and Down arrows to order your the device list.
3.
Click Done.
1.
Click Boot Order.

Step 9
2.
3.
Click Done.
Whether the bootloader will be upgraded. (For a bootloader upgrade.)

OL-25941-01
9-59
Chapter 9
Step 10
Click Finish.
Management > Jobs.
You can use the Distribute by Images option to schedule image-centric upgrade jobs. To do this, you
must first select an image and then distribute it to applicable devices.
After the distribution job is complete, you can use the Job Details report to:
Note
You cannot use this procedure to upgrade:
MICA portware
Microcom firmware
CIP microcode
Bootloader for IOS
Catalyst modules other than the Supervisor module
Before You Begin

the device. You should have verified whether the necessary software images are in the image
repository.
See Planning the Upgrade for further details.
See Scheduling the Upgrade for further details.

See Configuring Devices for Upgrades for further details.
9-60
OL-25941-01
Chapter 9

To distribute images by image:

Step 1
Step 2
Select By image, then click Go.

The Select Image And Devices dialog box appears.
Step 3
Step 4
Select:
a.
An image from the software image repository.
b.
Devices that need upgrading
Click Next.
The Device Recommendation dialog box appears with the following information:
Field
Description
Device Information
Name of the device.

Module Information
Recommended Storage
Error
Notation Descriptions
Step 5
An asterisk (*) at the beginning of the field indicates the recommended partition by Software
Management. If there is no asterisk at the beginning of the field indicates, an appropriate partition
could not be found but the displayed selections might work.
A superscript '1' refers to read-only Flash memory.
Select the devices you want to upgrade, then click Next.

The Image Centric Distribution Verification window appears. This window displays the following
information:
Field
Description
Device
Name of the device
Selected Module
Selected Slot
Verification Result
Software management recommends the Flash partition with the maximum free space in each device. You
can override the recommendation and select another partition from the drop-down box.
Step 6
Click Next.

OL-25941-01
9-61
Chapter 9
Step 7
Field

Description
Scheduling
Run Type
You can specify when you want to run the Image Distribution (by image) job.
Date
9-62
OL-25941-01
Chapter 9

Field
Description
Job Info
Job Description
E-mail
Comments
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
immediately.
Non-Installed mode
This option is only available if the selected devices have IOS Software Modularity images running.

commands into
configuration file
updated.
Use current running

image
If running image is in repository, select option to place a copy in the TFTP server directory. Uses
this copy if reboot with new image fails.
Note the following:
This option is subject to your platform restrictions to boot over connection to server. Check
your platform documentation.
Backup image is not deleted after upgrade. It remains in TFTP server directory so that device
can find it any time it reboots
Back up current running Select to back up running image in software image repository before upgrading.
image

OL-25941-01
9-63
Chapter 9
Field
Description
On error, halt
processing of
subsequent devices
to continue to next device.
For sequential execution, if you do not select this option, upgrade for next device begins.
Enable Job Password
Execution

1.

Reboot
2.
3.
Click Done.
1.
Click Boot Order.

Step 8
2.
3.
Click Done.
9-64
OL-25941-01
Chapter 9

Step 9
Click Finish.
To check the status of your job, select Configuration > Tools > Software Image Management > Jobs.
Support for IOS Software Modularity

Software Management provides support for Cisco IOS Software Modularity Images. The Cisco IOS
Software Modularity Images combine subsystems into individual processes and enhances the memory
architecture in order to provide the process level fault isolation and subsystem In-Service Software
Upgrade (ISSU) capability.
Traditionally, IOS Software images are distributed by:
Copying the image to disk.
Updating boot commands and rebooted.
The IOS Software Modularity images can be run in this mode as well. This is called Cisco IOS Software
Modular non-install mode (also known as binary mode).
Software Management supports distribution of Patches and Maintenance Packs. This distribution is
accomplished by the use of Cisco IOS Software Modularity Images. Software Modularity enhances the
IOS infrastructure to allow selective system maintenance through individual patch upgrades. See Patch
Distribution for more details.
Patches
A patch is a single fix that may affect one or more subsystems. Patches can only be installed to a search
root, where a base image exists. Patches are released for a particular base image version and device
platform.
Maintenance Pack
A Maintenance Pack includes one or more patches. This pack is applied like a Patch. Maintenance Packs
are released for a particular base image version and device platform.
Note
Software Management does not support downloading Patches/Maintenance Packs from Cisco.com. The
reason is that these images are available in an external URL. You have to manually download patches
from the external URL and add the same to Software Repository.

OL-25941-01
9-65
Chapter 9
Modes of Distribution
There are two modes of distribution of Software Modularity images to devices:
Non Installed Mode

This process involves the distribution of images by copying of the IOS Software Modularity images
to the hard disk of the device, updating the boot commands and rebooting the OS on the device. You
can run the Cisco IOS Software Modularity Images in this mode and so it is also called IOS Software
Modularity non-install mode. It is also known as binary mode.
Installed Mode
According to this mode the IOS Software Modularity image is extracted/uncompressed to a compact
Flash with a well defined directory structure. The installed mode provides the advantage of
accomodating the point fix capabilities of Software Modularity.
Note
Software Management checks the current image on the device and recommends a suitable image and the
appropriate image storage for distribution. Software Management only recommends Maintenance Pack
Images for devices. It does not recommend patches for devices.
Cisco IOS Software Modularity base images support:
Import of Image from Cisco.com
Import of Image from device
Import of Image form File System
Import of Image from Network
Cisco.comUpgrade Analysis
Distribution of Images
Support for Import of Image from device, Import of Image from Network and Software Repository
Synchronization is applicable only for devices running IOS Software Modularity images in non-installed
mode.
The population of Flash files on Cisco-Flash-MIB is not done on the devices running IOS Software
Modularity image versions 12.2(18)SXF4 and 12.2(18)SXF5 and so these image versions are not
supported by Software Management. The minimum IOS Software Modularity image version supported
by Software Management is 12.2(18)SXF6.
9-66
OL-25941-01
Chapter 9

Patch Distribution
You can distribute patches simultaneously to applicable devices. Patch distribution does not require
reboot of the entire OS on a device. You can install a patches only to a search root where a base image
exists. Patches, once installed, must be activated to come to effect on the running system.
Note
You can apply Patches or Maintenance Packs to a device only if the device is running IOS Software
Modularity Images in installed mode.
Software Management verifies:
Patches against the base image and device platform to ensure compatibility. If the patches are
incompatible then those patches are rejected.
Whether the target patch already exists on the device.
Patch Distribution Methods
You can distribute patch images to the devices in your network, using any of these methods:
Distribute by Devices
This method enables you to select devices and perform patch upgrades to those devices.
See Patch Distribution - by Devices.
Distribute by Patch
This method enables you to select a patch image from the Software Repository and use it to perform
a patch upgrade on suitable devices in your network. This option is useful when you have to
distribute the same patch image to multiple devices.
See Patch Distribution - by Patch.
Patch Distribution - by Devices

You can use the Distribute by Devices option to schedule device-centric patch upgrade jobs.
Software Management recommends any Maintenance Pack software images available in the Repository.
Note
Currently Software Management does not support importing of patch images from Cisco.com. You need
to import patch images into local filesystem and then import into repository by using Import from file
system. See Adding Images to the Software Repository From a File System for more details.
Before You Begin

Before you begin distributing the patch images, you should have:
repository.

OL-25941-01
9-67
Chapter 9
To distribute the patch images by device:

Step 1
Select Configuration > Tools > Software Image Management > Patch Distribution.
The Patch Distribution Method dialog box appears.
Step 2
Select By devices and click Proceed.

The Patch Distribute by Devices dialog box appears. The Device Selector lists all the available devices.
Step 3
Select the devices, then click Next.

If any of the selected device is not in install mode, an error message is displayed:
Device is not in installed mode or not patchable
Unselect the device that is not in installed mode and continue.

The software management analyzes the required patch images that are available in your software
repository and lists the applicable patch images for each device selected. You can select one or more
required patches from the list for each device by using the Ctrl key.
You should select at least one patch for each selected device. If you do not select a patch for a device,
an error message is displayed.
You should select atleast one patch image for each selected device.
Ensure that you select at least one patch for each selected device and continue.
The Patch Distribute By Devices dialog box appears with the following information:
Field
Description
Device Information
Name of the device.

Step 4
Module Information
Patch type, chassis model, and software version on device.
Patches Options
Details of the patch.
Storage Location
Details of the storage location of the selected patch image.
Errors
Select the devices as well as the patch images you wish to distribute to the selected devices and click
Next.
The Patch Distribute By Devices window appears with these details:
Step 5
Field
Description
Device
Name of the device
Selected Module
Selected Patch
Patch information that you have selected.
Selected Slot
Image storage information from where the current base image is

running.
Verification Result
Click Next. The Job Schedule and Options dialog box appears.
9-68
OL-25941-01
Chapter 9

Step 6
Field

Description
Scheduling
Run Type
You can specify when you want to run the Patch Distribution (by device [Basic]) job.
Date

OL-25941-01
9-69
Chapter 9
Field
Description
Job Info
Job Description
E-mail
Comments
Job Options
Activate Patches
Select if you want to activate the patches immediately after download.
Reboot if it needs.
Select if the patch activation requires a reboot. Unselect if the patch activation does not require a
reboot.
On error, stop
processing subsequent
devices
Enable Job Password
This option is checked, when the user name, password and enable password are provided for the
job.
User Name
Enter the username for the distribution job. The credentials that you enter here are used for this
particular Software Management job.
Password
Enter the password for the distribution job. The credentials that you enter here are used for this
Enable Password
Re-enter the password for confirmation purpose.
Execution

1.

2.
3.
Click Done.
9-70
OL-25941-01
Chapter 9

Field
Description
Reboot
1.
Click Boot Order.

Step 7
2.
3.
Click Done.
Step 8
Patches selected for the upgrade.
Verify warnings generated during patch distribution (if applicable).
Click Finish.
Management > Jobs.
Patch Distribution - by Patch

You can use the Distribute by Patch option to schedule patch upgrade jobs.
Note
Currently Software Management does not support importing of patch images from Cisco.com. You need
to import patch images into local filesystem and then import into repository by using Import from file
system. See Adding Images to the Software Repository From a File System for more details.

OL-25941-01
9-71
Chapter 9
Before You Begin

Before you begin distributing the patch images, you should have:
repository.
To distribute the patch images by device:

Step 1
Select Configuration > Tools > Software Image Management > Patch Distribution.
The Patch Distribution Method dialog box appears.
Step 2
Select By Patch and click Proceed.

The Distribute by Patch dialog box appears.
Step 3
Select a patch from the Image Selection pane and devices from the Device Selection pane, and click
Next.
The Distribute By Patch - Recommendations dialog box appears with the following information:
Field
Description
Device Information
Name of the device.

Step 4
Module Information
Storage Options
Details of the storage location of the selected patch image.
Errors
Select the devices as well as the patch images you wish to distribute to the selected devices and click
Next.
The Distribute By Patch - Verification window appears with these details:
Step 5
Field
Description
Device
Name of the device
Selected Module
Selected Slot
Image storage information from where the current base image is

running.
Verification Result
Click Next.
9-72
OL-25941-01
Chapter 9

Step 6
Field
Description
Scheduling
Run Type
You can specify when you want to run the Patch Distribution (by device [Basic]) job.
Date
Job Info
Job Description
E-mail
Comments
Job Options
Activate Patches
Select if you want to activate the patches immediately after download.
Reboot if it needs
Select if the patch activation requires a reboot. Unselect if the patch activation does not require a
reboot.
On error, stop
processing subsequent
devices
Enable Job Password
This option is checked, when the user name, password and enable password are provided for the
job.
User Name
Enter the username for the distribution job. The credentials that you enter here are used for this
Password
Enter the password for the distribution job. The credentials that you enter here are used for this
Enable Password
Re-enter the password for confirmation purpose.

OL-25941-01
9-73
Chapter 9
Field
Description
Execution

1.

Reboot
2.
3.
Click Done.
1.
Click Boot Order.

Step 7
2.
3.
Click Done.
Step 8
Patches selected for the upgrade.
Verify warnings generated during patch distribution (if applicable).
Click Finish.
Management > Jobs.
9-74
OL-25941-01
Chapter 9


The Remote Staging and Distribution option helps you to upgrade multiple devices over a WAN.
You can perform remote staging and distribution by any one of the methods:
External FTP server
External TFTP server
Remote Staging Device
In this workflow, a managed device or external TFTP server or FTP server is used to stage an image
temporarily. The staged image is then used to upgrade devices that are connected by LAN to the Remote
Stage device or external TFTP server or FTP server. If you use this method, you do not have to copy a
similar image, multiple times across the WAN.
After the image distribution job is completed using a managed device as a remote stage device, the
configuration changes made to the Remote Stage device are automatically reversed and the staged image
is deleted from the Remote Stage device.
After the distribution job is complete, you can use the Software Image Management Job Browser to:
Note
Using External FTP Server
Using External TFTP Server
Using Remote Stage Device
Supported Remote Stage Devices
The device that is used as the Remote Stage must have enough free Flash space to copy the selected
image.
See the Supported Image Distribution Features for Software Management table on Cisco.com for
Remote Staging devices list.
Before You Begin

Before you begin distributing the images, you should:
Prepare for this upgrade. You should have met all of the prerequisites for loading the software on
the device or external TFTP server or FTP server. You should also verified whether the necessary
software images are in the image repository.
Manually copy the software image to the External TFTP server or FTP server. This is if you are
using the External TFTP/FTP server as the Staging Server.
Consider the effect of the upgrade on your network and your network users.
Supply the necessary information required by Software Management for each device.
Decide on the device or external TFTP server or FTP server that you will use as the Remote Stage
device or server.

OL-25941-01
9-75
Chapter 9
Note
Ensure that the Telnet or SSH protocols are functioning properly if you are planning to distribute
the images to devices using a External FTP server. The connection protocol for running FTP
commands on the device can be either Telnet or SSH.
For the devices that supports remote staging using external FTP Server, see Supported Devices for FTP.
To distribute images using Remote Staging:
Step 1
Step 2
Select Use remote staging and click Go.

The Remote Staging and Distribution dialog box appears.
Step 3
Using External FTP Server to use an external FTP server as the staging server.
For more information, see Using External FTP Server.
Using External TFTP Server to use an external TFTP server as the staging server.
For more information, see Using External TFTP Server.
Using Remote Stage Device to use a device as the remote staging device.
For more information, see Using Remote Stage Device.
Using External FTP Server

LMS Software Management uses the External FTP server option to upgrade software images in one or
more devices. When you select this option, you must enter the FTP credentials and image location.
The FTP copy command is arrived at based on the FTP credentials that you enter. Software Management
uses Telnet or SSH protocol to connect to the devices and deploy the FTP copy command. This command
gets the software images from the specified location in the FTP server.
Only WLSE and NAM devices support image distribution using External FTP server.
For more information, see Supported Devices for FTP.
If you have selected Using External FTP server option:
Step 1
Enter the following FTP credentials in their applicable text boxes:
Field
Description
FTP Server Name
Name of the FTP server
FTP User Name
FTP Username to access the External FTP server.
FTP Password
FTP Password to access the External FTP server.
Image Location
Location of the image in the FTP server directory. These

images will be used by Software Management to upgrade the
software images on the selected devices.
9-76
OL-25941-01
Chapter 9

Software Management will validate the FTP credentials and image location only while the job is
running; not while the job is being scheduled.
If you have selected Using External TFTP server option, proceed to the TFTP Wizard.
Step 2
Click Next.
Step 3
Select:
a.
An image from the Image Selection pane.
b.
Click on Select Applicable Devices button to automatically select the applicable devices
Or
Manually select the devices that need an upgrade from the Devices to be Upgraded pane.
For more information on the unsupported images for Remote Staging and Distribution, see Unsupported
Software Images.
Step 4
Click Next.
The External FTP Server Details dialog box appears with the following details:
Step 5
Field
Description
IP Address
IP Address of the External FTP server.
Selected Image
Image name that you have selected for distribution.
Errors
Error information.
Click Next.
The Device Recommendation dialog box appears with the following details:
Field
Description
Device Information
Name of the device.

Step 6
Module Information
Storage Options
Errors
Error information.
Click Next.
The Remote Devices Verification dialog box appears with the following details:
Field
Description
Device
Name of the device
Selected Module

OL-25941-01
9-77
Chapter 9
Step 7
Field
Description
Selected Slot
Verification Result
Click Next.
Step 8
Field
Enter the following information. If you have selected Using External TFTP server option, proceed to the
TFTP Wizard.
Description
Scheduling
Run Type
You can specify when you want to run the Image Distribution (using remote staging) job.
Date
Select the date and time (hours and minutes) to schedule.
Job Info
Job Description
E-mail
Comments
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
immediately.
9-78
OL-25941-01
Chapter 9

Field
Description
Non-Installed mode

commands into
configuration file
updated.
Use current running

image
If running image is in repository, select option to place a copy in the FTP server directory. Uses this
copy if reboot with new image fails.
Note the following:
Backup image is not deleted after upgrade. It remains in FTP server directory so that device
image
On error, halt
processing of
subsequent devices
Enable Job Password
You are allowed to provide a password in this field only if you have selected the Enable Job Based
Password in the View / Edit Preferences dialog box. See Administration of Cisco Prime LAN
Management Solution 4.2 for more details.

OL-25941-01
9-79
Chapter 9
Field
Description
Execution

1.

Reboot
2.
3.
Click Done.
1.
Click Boot Order.

Step 9
2.
Use the Up and the Down arrows to order your devices list.
3.
Click Done.
Click Next after you finish entering the job information details. If you have selected Using External
TFTP server option, proceed to the TFTP Wizard.
Step 10
Details of the Remote Stage device or the External FTP server.
Click Finish.
Management > Jobs.
9-80
OL-25941-01
Chapter 9

Supported Devices for FTP

Table 9-7
Device Family
Device
SysObject ID
NAM
NAM X6380
1.3.6.1.4.1.9.5.1.3.1.1.2.223
NAM1
1.3.6.1.4.1.9.5.1.3.1.1.2.914
NAM2
1.3.6.1.4.1.9.5.1.3.1.1.2.291
NM NAM
1.3.6.1.4.1.9.1.562
NME NAM
1.3.6.1.4.1.9.1.826
WLSE
1.3.6.1.4.1.9.1.459
WLSE
1.3.6.1.4.1.9.1.630
WLSE
1.3.6.1.4.1.9.1.631
WLSE 1153
1.3.6.1.4.1.9.1.752
CatalystIOS37XXStack
1.3.6.1.4.1.9.1.516
Catalyst3750ME
1.3.6.1.4.1.9.1.574
WS.C3750G.12S.SD
1.3.6.1.4.1.9.1.688
WS.C3750E.24TD
1.3.6.1.4.1.9.1.789
WS.C3750E.48TD
1.3.6.1.4.1.9.1.790
WS.C3750E.48PD
1.3.6.1.4.1.9.1.791
WS.C3750E.24PD
1.3.6.1.4.1.9.1.792
catalyst375024
1.3.6.1.4.1.9.1.511
catalyst375048
1.3.6.1.4.1.9.1.512
catalyst375024TS
1.3.6.1.4.1.9.1.513
catalyst375024T
1.3.6.1.4.1.9.1.514
catalyst375048PS
1.3.6.1.4.1.9.1.535
catalyst3750G24PS
1.3.6.1.4.1.9.1.602
catalyst3750G48PS
1.3.6.1.4.1.9.1.603
catalyst3750G48TS
1.3.6.1.4.1.9.1.604
catalyst3750G24TS1U
1.3.6.1.4.1.9.1.624
catalyst375024FS
1.3.6.1.4.1.9.1.656
ciscoIGESM
1.3.6.1.4.1.9.1.592
ciscoIGESMSFP
1.3.6.1.4.1.9.1.660
WLSE
Cisco Catalyst 3750 Series Switches
Cisco Intelligent Gigabit Ethernet

Switch Module (IEGSM)

OL-25941-01
9-81
Chapter 9
Table 9-7
Device Family
Device
SysObject ID
Cisco Catalyst 3560,C3560E Series

Switches
CatalystIOS3560G.24PS
1.3.6.1.4.1.9.1.614
CatalystIOS3560G.24TS
1.3.6.1.4.1.9.1.615
CatalystIOS3560G.48PS
1.3.6.1.4.1.9.1.616
CatalystIOS3560G.48TS
1.3.6.1.4.1.9.1.617
CatalystIOS3560.24PS.S
1.3.6.1.4.1.9.1.563
CatalystIOS3560.48PS
1.3.6.1.4.1.9.1.564
CatalystIOS3560.24TS
1.3.6.1.4.1.9.1.633
CatalystIOS3560.48TS
1.3.6.1.4.1.9.1.634
WS.C3560E.24TD
1.3.6.1.4.1.9.1.793
WS.C3560E.48TD
1.3.6.1.4.1.9.1.794
WS.C3560E.24PD
1.3.6.1.4.1.9.1.795
WS.C3560E.48PD
1.3.6.1.4.1.9.1.796
WS.C3560.8PC
1.3.6.1.4.1.9.1.797
WS-C3560E-12D-S
1.3.6.1.4.1.9.1.930
WS-C3560E-12SD-E
1.3.6.1.4.1.9.1.956
WS-C3560-12PC-S
1.3.6.1.4.1.9.1.1015
CBS3030Del
1.3.6.1.4.1.9.1.749
CBS3020
1.3.6.1.4.1.9.1.748
CBS3040
1.3.6.1.4.1.9.1.784
CBS1100
1.3.6.1.4.1.9.1.946
CBS3110
1.3.6.1.4.1.9.1.947
CBS3120
1.3.6.1.4.1.9.1.948
CBS3130
1.3.6.1.4.1.9.1.949
CBS3012
1.3.6.1.4.1.9.1.999
CBS3012I
1.3.6.1.4.1.9.1.1000
CBS3132
1.3.6.1.4.1.9.1.920
CBS3110G-S
1.3.6.1.4.1.9.1.909
CBS3110X-S
1.3.6.1.4.1.9.1.910
CBS3110G-S-I
1.3.6.1.4.1.9.1.911
CBS3110X-S-I
1.3.6.1.4.1.9.1.912
CBS3125G-S
1.3.6.1.4.1.9.1.1001
CBS3120G-S
1.3.6.1.4.1.9.1.918
CBS3125X-S
1.3.6.1.4.1.9.1.1002
CBS3120X-S
1.3.6.1.4.1.9.1.919
CBS3130G-S
1.3.6.1.4.1.9.1.921
CBS3130X-S
1.3.6.1.4.1.9.1.922
Cisco Blade Switches (CBS)
9-82
OL-25941-01
Chapter 9

Table 9-7
Device Family
Device
SysObject ID
Catalyst296024
1.3.6.1.4.1.9.1.694
Catalyst296048
1.3.6.1.4.1.9.1.695
Catalyst2960G24
1.3.6.1.4.1.9.1.696
WS-C2960G-48TC-L
1.3.6.1.4.1.9.1.697
Catalyst296024TT
1.3.6.1.4.1.9.1.716
Catalyst296048TT
1.3.6.1.4.1.9.1.717
Catalyst29608TC
1.3.6.1.4.1.9.1.798
Catalyst2960G8TC
1.3.6.1.4.1.9.1.799
C2960-24-S
1.3.6.1.4.1.9.1.929
C2960-24TC-S
1.3.6.1.4.1.9.1.928
C2960-48TC-S
1.3.6.1.4.1.9.1.927
C2960-24PC-L
1.3.6.1.4.1.9.1.950
C2960-24LT-L
1.3.6.1.4.1.9.1.951
C2960PD-8TT-L
1.3.6.1.4.1.9.1.952
C2960P
1.3.6.1.4.1.9.1.1006
C2960
1.3.6.1.4.1.9.1.1005
Catalyst355012T
1.3.6.1.4.1.9.1.368
Catalyst355024switch
1.3.6.1.4.1.9.1.366
Catalyst355048switch
1.3.6.1.4.1.9.1.367
Catalyst355012G
1.3.6.1.4.1.9.1.431
Catalyst355024DC
1.3.6.1.4.1.9.1.452
Catalyst355024FX
1.3.6.1.4.1.9.1.453
Catalyst355024PWR
1.3.6.1.4.1.9.1.485
PIX 535
1.3.6.1.4.1.9.1.675
PIX 525
1.3.6.1.4.1.9.1.676
PIX 515
1.3.6.1.4.1.9.1.678
PIX 515E
1.3.6.1.4.1.9.1.451
PIX 515EFirewall
1.3.6.1.4.1.9.1.677
Cisco PIX Series Security Appliances

OL-25941-01
9-83
Chapter 9
Table 9-7
Device Family
Device
SysObject ID
Cisco Adaptive Security Appliances

(ASA)
ASA5510
1.3.6.1.4.1.9.1.773
ASA5520
1.3.6.1.4.1.9.1.671
ASA5520
1.3.6.1.4.1.9.1.670
ASA5510
1.3.6.1.4.1.9.1.669
ASA5505
1.3.6.1.4.1.9.1.745
ASA5550
1.3.6.1.4.1.9.1.763
ASA5540
1.3.6.1.4.1.9.1.673
ASA5580
1.3.6.1.4.1.9.1.672
ASA5550
1.3.6.1.4.1.9.1.753
ASA5540
1.3.6.1.4.1.9.1.914
ASA5580
1.3.6.1.4.1.9.1.915
Using External TFTP Server

If you have selected Using External TFTP server option:
Step 1
Enter the external TFTP server IP address in the Enter TFTP IP Address text box.
Step 2
Click Next.
Step 3
Select:
a.
b.
Click on Select Applicable Devices button to automatically select the applicable devices
Or
Software Images.
Step 4
Click Next.
The External TFTP Server Details dialog box appears with the following details:
Step 5
Field
Description
IP Address
IP Address of the External TFTP server.
Selected Image
Errors
Error information.
Click Next.
The Device Recommendation dialog box appears with the following details:
9-84
OL-25941-01
Chapter 9

Field
Description
Device Information
Name of the device.

Step 6
Module Information
Storage Options
Errors
Error information.
Click Next.
Step 7
Field
Description
Device
Name of the device
Selected Module
Selected Slot
Verification Result
Click Next.
Step 8
Field

Description
Scheduling
Run Type
Date
Job Info
Job Description
E-mail
Comments

OL-25941-01
9-85
Chapter 9
Field
Description
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
immediately.
Non-Installed mode

commands into
configuration file
updated.
Use current running

image
Note the following:
image
On error, halt
processing of
subsequent devices
9-86
OL-25941-01
Chapter 9

Field
Description
Enable Job Password
Execution

1.

Reboot
2.
3.
Click Done.
1.
Click Boot Order.

Step 9
2.
3.
Click Done.
Click Next after you finish entering the job information details
Details of the Remote Stage device or the External TFTP/FTPserver.

OL-25941-01
9-87
Chapter 9
Step 10
Click Finish.
Management > Jobs.
Using Remote Stage Device

If you have selected Remote Stage device option:
Step 1
Go to the Select Remote Stage Device pane, select a device that you want to use as the remote stage
device. Ensure that you select a device that supports remote staging.
If you select a device that does not support remote staging, an error message is displayed.
Step 2
Click Next.
Step 3
Select:
a.
b.
Click Select Applicable Devices to automatically select the applicable devices

or
Software Images.
Step 4
Click Next.
The Remote Stage and Image Upgrade Details dialog box appears with the following details:
Step 5
Field
Description
Remote Stage Name
Name of the remote stage device that you want to use as a remote
stage.
Selected Image
Storage Options
Image storage information
Click Next.
If the Remote Stage verification fails, check if the Remote Stage device has enough free space and restart
the software distribution from the beginning.
9-88
OL-25941-01
Chapter 9

The Device Recommendation dialog box appears. This displays the following details:
Field
Description
Device Information
Name of the device.

Step 6
Module Information
Storage Options
Click Next.
Step 7
Field
Description
Device
Name of the device
Selected Module
Selected Slot
Verification Result
Click Next.
Step 8
Field

Description
Scheduling
Run Type
Date
Job Info
Job Description
E-mail
Comments

OL-25941-01
9-89
Chapter 9
Field
Description
Maker E-Mail

Maker Comments

Job Options
Reboot immediately
after download
immediately.
Non-Installed mode

commands into
configuration file
updated.
Use current running

image
Note the following:
image
On error, halt
processing of
subsequent devices
9-90
OL-25941-01
Chapter 9

Field
Description
Enable Job Password
Execution

1.

Reboot
2.
3.
Click Done.
1.
Click Boot Order.

Step 9
2.
3.
Click Done.
Click Next after you finish entering the job information details
Details of the Remote Stage device or the External TFTP server.

OL-25941-01
9-91
Chapter 9
Step 10
Click Finish.
Management > Jobs.
Unsupported Software Images

During remote staging, there maybe software images running on the devices selected for remote staging,
but some of them may not get listed as available images. This is because, some software images do not
support Remote Staging and Distribution.
The following below lists the software images that do not support Remote Staging and Distribution:
CSS_SW FDDI_CDDI
ATM_WTALL
ATM_WBPVC
CIP
CSS_11000_SW
C6KMODULE_MWAM_SW
PATCH_SW
ONS15530
TOKENRING
ATM_WBLANE
BOOT_LOADER
C6KMODULE_MWAM_SW
CSS_11500_SW
CSS_11000_SW
C2500
C1600
BLADERUNNER
ATM_WTOKEN
MICA MICROCOM
NAM_APPL_SW
SPA_FPD_SW
CSS_11500_SW
ONS15540
9-92
OL-25941-01
Chapter 9

Understanding Upgrade Recommendations

This section describes how Software Management recommends image for the various Cisco device
types:
Upgrade Recommendation for Cisco IOS Devices
Upgrade Recommendation for Catalyst Devices
Upgrade Recommendation for VPN 3000 Series
Upgrade Recommendation for Catalyst 1900/2820
Upgrade Recommendation for Other Device Types
Upgrade Recommendation for Cisco IOS Devices

To determine the recommended software images for Cisco IOS devices, Software Management:
1.
Lists all images in the software repository that can run on the device. For example, C7000 images
run on 7000 and 7010 devices, IGS images run on 25xx devices, and so on.
2.
Removes all listed images that require:

More RAM or Flash memory than is available on the device.
A newer boot ROM than the one on the device.
If RAM is UNKNOWN, it is not considered in any comparison operation (image filtering).

However, you are warned during the subsequent task.
3.
Recommends an image whose feature subset matches the image running on the device.
Any images that support all current features and include some additional ones, take precedence
over images that match exactly.

If more than one image is either a superset or an exact match of the running image, the latest
version takes precedence over earlier versions.

4.
Removes the images from recommendation if the images Min.Flash size requirement is not met by
the device.
If Min.Flash required is UNKNOWN, it is not considered in any comparison operation (image
filtering).
If Flash Size is UNKNOWN, the image cannot be used for upgrade.
See the IOS Software Release documentation on Cisco.com to know the Min.Flash size.
5.
Depending on the image feature list, Software Management recommends an image whose image
version is lower than the current running image version.
6.
Recommends to filter out the images that are larger in size than the flash available on the device.
7.
Recommends Flash partitions on the device along with the storage details, if you are upgrading the
Boot Loader image.
This algorithm might recommend images that are older than the one running on the device.
To ensure that only newer images are recommended, select Admin > Network > Software Image
Management > View/Edit Preferences. In the View/Edit Preferences dialog box, select the Include
images higher than running image checkbox, then click Apply.

OL-25941-01
9-93
Chapter 9
Upgrade Recommendation for Catalyst Devices

For Catalyst device upgrades, Software Management typically recommends the latest version images in
the software repository.
For default RAM requirements for Supervisor Engine I and Supervisor Engine III, however, Software
Management uses:
Module Type and Version
Default RAM (MB)
Supervisor Engine III
32
Supervisor version 2.1 up to (but not including) 3.1
Supervisor version 3.1.1 and later
16
Maintenance release versions 3.1 and 3.2 with Sup8M in filename
For supervisor versions 3.1 to 3.2, when the image repository or Cisco.com has both 8 MB of RAM and
regular images available, Software Management also checks the device RAM:
1.
If the RAM can be determined and the available RAM is greater than 16 MB:
a.
Software Management recommends the latest regular supervisor image where the RAM requirement
is less than the available RAM.
b.
If no regular image with matching RAM requirements is available, it recommends the latest version
of the 8-MB images.
c.
If there is still no matching image, it recommends the latest image version that has no RAM
requirements (where the RAM requirement is set to DEFAULT_SIZE).
2.
If the RAM can be determined and the available RAM is less than 16 MB:
a.
Software Management recommends the highest image version for which the RAM requirement is
less than 16 MB.
b.
3.
If the RAM cannot be determined:
a.
Software Management recommends the latest regular image.
b.
If no regular image is available, it recommends the latest 8-MB image.
c.
The minimum RAM in the image attributes file supersedes these guidelines.
For example, if a supervisor engine module is running the version 3.1 maintenance release (8 MB RAM)
but the RAM in the image attributes was changed to 16 MB, Software Management uses the value in the
attributes file.
9-94
OL-25941-01
Chapter 9

Upgrade Recommendation for VPN 3000 Series

Software Management recommends the latest version of the image in the software image repository. If
the device is a VPN 3005 Concentrator, it recommends the VPN 3005 System software images in the
repository.
Upgrade Recommendation for Catalyst 1900/2820

For Catalyst 1900/2820 Enterprise version device upgrades, Software Management typically
recommends the latest version of images in the software repository.
Note
For Catalyst 1900/2820 Series devices, Software Management recommends images with version
numbers greater than 8.0(0) because the older versions do not support the Command Line Interface.
Non-Enterprise versions of the Catalyst 1900/2820 are not supported in Software Management.
Upgrade Recommendation for Other Device Types

For the following device types, Software Management recommends the latest version of the image in the
software image repository:
PIX Firewall Devices

If you are running PIX image version 7.0 or later, while recommending the image, Software
Management will also recommend the storage details of the device.
Content Service Switches
Aironet AP Series
Optical Switch Series
Network Analysis Module Series
Content Engines

Using this window you can view all your scheduled Software Management jobs.
The Software Management Job Browser contains the following fields and buttons:
Software Management Job Browser Fields
Software Management Job Browser Buttons
Changing the Schedule of a Job
Retry a Failed Distribution Job
Undo a Successful Distribution Job
Stopping a Job
Deleting Jobs

OL-25941-01
9-95
Chapter 9
The Software Management Job Browser displays the following details for a job:
Table 9-8
Software Management Job Browser Fields
Field
Description
Job ID

Click to display a summary of job details and schedule options.
See Understanding the Software Management Job Summary for further details.
Job Type
Type of job such as Import Images, Distribute Images.
Status
Job states:
SuccessfulJob completed successfully
FailedFailed job. Click on the Job ID to view the job details.

The number, within brackets, next to Failed status indicates the count of the devices that had
failed for that job. This count is displayed only if the status is Failed.
For example, If the status displays Failed(5), then the count of devices that had failed is 5.
RunningJob still running.
PendingJob scheduled to run.
StoppedRunning job stopped by you.
Missed StartJob could not run for some reason at the scheduled time.
For example, if the system was down when the job was scheduled to start, when the system
comes up again, the job does not run.
This is because the scheduled time for the job has elapsed. The status for the specified job
will be displayed as Missed Start.
ApprovedJob approved by an approver
RejectedJob rejected by an approver. Click on the Job ID to view the rejection details.
Waiting for ApprovalJob waiting for approval.
Description
Job description as entered at the time of creation.
Owner
Scheduled At
Start time of the scheduled job.
Completed At
End time of the scheduled job.
Schedule Type
Type of the scheduled job:
Immediate
Once
9-96
OL-25941-01
Chapter 9

Table 9-9
Software Management Job Browser Buttons
Buttons
Description
Edit
Reschedules the job.

You can change the schedule only for jobs that are in the Pending, Waiting for
Approval or the Approved status.
See Changing the Schedule of a Job.
Retry
Retry the failed job.

You can retry only failed distribution jobs.
See Retry a Failed Distribution Job.
Undo
Undo a successful job.

You can undo only successful distribution jobs.
See Undo a Successful Distribution Job.
However, you cannot undo a successful software distribution job scheduled for
NAM devices. If you still try to Undo this job, an error message is displayed
indicating that the Undo operation is not supported for NAM devices.
Stop
Stops a scheduled job.

You can Stop only jobs that are either in the Pending or the Running status.
See Stopping a Job.
Delete
Delete the jobs.

See Deleting Jobs.
Refresh
Click on this icon to refresh the Software Management Job Browser Window.
(Icon)
Changing the Schedule of a Job

You can change the schedule only for jobs that are either in the Pending, Waiting for Approval or the
Approved status.
Note
To change the schedule of a job:
Step 1
Select Configuration > Tools > Software Image Management > Jobs.
The Software Management Job Browser dialog box appears.
Step 2
Select either a pending or an approved job.
Step 3
Click Edit.
The Change Job Schedule dialog box appears.

OL-25941-01
9-97
Chapter 9
Step 4
Change the schedule.
Step 5
Click Submit.
Retry a Failed Distribution Job

You can retry only failed distribution jobs.
Note
To retry a Job:
Step 1
Step 2
Select a failed distribution job.
Step 3
Click Retry.
The Retry Upgrade dialog box appears with the following information:
Step 4
Field
Description
Device Information
Name of the device
Module
Device module
Pre-upgrade Image
Image name that was running before the upgrade.
Selected Image
Image name that is selected for distribution.
Running Image
Image name that is currently running on the device.
Errors
Click Next.
Continue entering the information for this job as you would for a new distribution depending on your
previous distribution selection:
9-98
OL-25941-01
Chapter 9

Undo a Successful Distribution Job

You can undo only successful Distribution jobs.
Note
To undo a job:
Step 1
Step 2
Select a successful distribution job.
Step 3
Click Undo.
The Undo Upgrade dialog box appears with the following information:
Step 4
Field
Description
Device
Name of the device
Module
Device module
Pre-upgrade Image
Image name which was running before the upgrade.
Post-upgrade Image
Image name after completing the upgrade.
Running Image
Image name that is currently running on the image.
Errors
Click on the underlined Error message to review the

details.
Click Next.
Continue entering the information for this job as you would for a new distribution. This depend on what
you selected earlier in the Distribution Method window:

OL-25941-01
9-99
Chapter 9
Stopping a Job
You can stop only jobs that are either in the Pending or the Running status.
The job stops only after the current task is complete. During this time, the Software Management Job
Browser window displays the job status as Running.
Note
To stop a job:
Step 1
Step 2
Select either a pending or a running job.
Step 3
Click Stop.
A confirmation box shows that the selected job will be stopped.
Step 4
Click OK.
A message appears that the selected job has been stopped.
After the job is stopped, the Pending job status changes to Stopped. The Running job status changes
temporarily to Stop Initiated and then to Stopped.
Deleting Jobs
To delete jobs:
Note
Step 1
Step 2
Select the jobs.
Step 3
Click Delete.
A confirmation box shows that the selected jobs will be deleted.
Step 4
Click OK.
9-100
OL-25941-01
Chapter 9

Understanding the Software Management Job Summary

From the Software Management Job Browser, you can learn more about one job by viewing its details.
You can view this details by clicking the Job ID on the Software Management Job Browser window.
Note
The Software Management Job Details window contains the following information:
Page/Folder
Description
Work Order
Select a device to view the summary of the job:
Job Results
If there is more than one device, the software distribution order.
The state of the running image on the device.
The image selected for the upgrade.
For a bootloader upgrade, whether the bootloader will be upgraded.
The Job Approval information.
Information you should know before the upgrade begins. For instance, if the Image Subset feature has
changed on the device, you might need to reconfigure the device.
Details of the Remote Stage device (if applicable).
Select a device to view the complete job result. It displays information on:
The job status, start time and end time.
The job completion status on the devices you have selected. For example, number of successful
devices where the job is executed successfully.
The import/upgrade mode (parallel or sequential)
The protocol order used for image transfer and configuration tasks.
How the job was processed.
Summary[On Job Displays the summary of the completed job

Complete]
For software distribution jobs, the summary contains details about the device, image type, running image
name, upgrade image name, upgrade storage location, and image distribution status.
For software import jobs, the summary contains details about device, image name, storage location, and
import status of the image.
The Job Summary is not generated for Image Out-Of-Sync Report job.

OL-25941-01
9-101
Chapter 9

User-supplied scripts are run before and after each device upgrade, for example:
The preupgrade script can check whether the device is accessible.
The preupgrade script can check whether any users are connected to the access server. If the script
finds that some users are connected, it can decide whether to disable the connections before
upgrading.
The post-upgrade script can check whether the upgrade was successful. Depending on the return
value, Software Management either halts or continues with the rest of the upgrade.
The following sections contain:
Script Requirements
Script Parameters
Sample Script
Script Requirements
In the Edit Preferences dialog box (Admin > Network > Software Image Management >
View/Edit Preferences), enter:
Enter the shell scripts (*.sh) on UNIX and batch files (*.bat) on Windows.
On UNIX, the scripts should have read, write, and execute permissions for the owner (casuser)
and read and execute permissions for group casusers. That is, the script should have 750
permission.
On Windows, the script should have read, write, and execute permissions for
casuser/Administrator.
The other users should have only read permission. You must ensure that the scripts contained
in the file has permissions to execute from within the casuser account.
The script files must be available at this location:

/var/adm/CSCOpx/files/scripts/swim
On Windows:
NMSROOT\files\scripts\swim
User script timeout
Software Management waits for the time specified before concluding that the script has failed.
Software Management verifies that:

The script has write and execute permissions for the user casuser.
Only users logged in as Administrator, root, or casuser have write and execute permissions.
Caution
The script should not write output to the system console. The script can write the output to a file. Writing
the script output to the system console can cause the Software Management job to hang.
9-102
OL-25941-01
Chapter 9

Script Parameters
Software Management passes a parameter indicating whether the script is running before or after the
upgrade. If the script does not intend to perform any pre-upgrade check, the script can return an exit
value of zero and perform checks in the post-upgrade. See the Sample Script for reference.
The parameters provided to the script by Software Management are in the form of environment
variables.
The server environment variables such as PATH, SystemRoot, etc., are not passed on to the script by
Software Management. You have to set the relevant environment variables within the script. See the
Sample Script for reference.
See Adding Devices to the Device and Credential Repository section in the Inventory Management with
Cisco Prime LAN Management Solution 4.2 for further information on device hostname, device name
(device name), SNMP v2 community strings, etc.
The different parameters are described in the table below:
Variable
Description
CRM_SCRIPT_CONTEXT
This variable is used to determine if the script has to be invoked before or

after image upgrade. If you set the variable to,
PRE-DOWNLOADScript is invoked by Software Management

prior to image upgrade.
POST-DOWNLOADScript is invoked by Software Management

post image upgrade.
NMSROOT
LMS installed directory.
TMPDIR
Directory provided to LMS to create temporary files.
CRM_DEV_NAME
Name of Device Name as entered in Device and Credential Repository.
CRM_SNMP_V2_RWCOMMUNITY
SNMP version 2 read-write community string.
CRM_SNMP_V2_ROCOMMUNITY
SNMP version 2 read only community string.
CRM_SNMP_V3_ENGINE_ID
SNMP version 3 Engine ID
CRM_SNMP_V3_USER_ID
User ID configured for SNMP version 3 protocol access on the device.
CRM_SNMP_V3_PASSWORD
SNMP version 3 password for the user ID.
CRM_ENABLE_PASSWORD
Enable password.
CRM_PRIMARY_USERNAME
Primary user name configured on the device.
CRM_PRIMARY_PASSWORD
Primary password configured on the device.
CRM_DEV_MGMT_IP_ADDR
IP address provided in Device and Credential Repository for management.

OL-25941-01
9-103
Chapter 9
Sample Script
The sample script illustrates how to use this option before the upgrade to see if the device is accessible
and after the upgrade to see whether it was successful.
The sample.bat file contains:
c:\progra~1\cscopx\bin\perl c:\progra~1\cscopx\files\scripts\swim\samplescript.pl
The samplescript.pl file contains:

#!/usr/bin/perl
BEGIN
{
use lib "$ENV{NMSROOT}/objects/perl5/lib/Net";
}
use Net::Telnet;
#my $output="";
## The following Environment variables are not passed on by Software Image Management
## Need to set these variables for the script to work as expected
$ENV{'Path'}="C:\\PROGRA~1\\CSCOpx\\MDC\\tomcat\\bin;C:\\PROGRA~1\\CSCOpx\\MDC\\Apache;C:\\PROGRA~1\\CSCOpx\\
MDC\\jre\\bin;C:\\PROGRA~1\\CSCOpx\\MDC\\bin;C:\\PROGRA~1\\CSCOpx\\lib\\jre\\bin\\server;C:\\PROGRA~1\\CSCOpx
\\objects\\db\\win32;C:\\PROGRA~1\\CSCOpx\\bin;c:\\cscopx\\lib\\jre\\bin\\server;c:\\cscopx\\lib\\jre141\\bin
\\server;C:\\WINNT\\system32;C:\\WINNT;C:\\WINNT\\System32\\Wbem;C:\\Program Files\\Common Files\\Adaptec
Shared\\System;c:\\progra~1\\cscopx;c:\\progra~1\\cscopx\\bin;";
$ENV{'TEMP'}=$ENV{'TMPDIR'};
$ENV{'TMP'}=$ENV{'TMPDIR'};
$ENV{'SystemRoot'}="C:\\WINNT";
###### Required Environment variables are set #########
my $prmptchar = '/\>/i';
$filename = $ENV{'CRM_DEV_NAME'} . '.txt';
if ($ENV{'CRM_SCRIPT_CONTEXT'} eq 'PRE-DOWNLOAD') {
open OUTFILE, "> $filename" or die "Can't open file";
print OUTFILE %ENV;
my $host = $ENV{'CRM_DEV_MGMT_IP_ADDR'};
my $pwd = $ENV{'CRM_PRIMARY_PASSWORD'};
print OUTFILE $host;
print OUTFILE $pwd;
$telnet = new Net::Telnet(Input_Log=>"inp.txt");
$prev = $telnet->host($host);
print OUTFILE $prev;
print OUTFILE "Conntecting to Host....";
$telnet->open($host);
print OUTFILE "Connected ...";
$telnet->dump_log("dmp.txt");
$telnet->waitfor('/Username: $/i');
$telnet->print($ENV{'CRM_PRIMARY_USERNAME'});
$telnet->waitfor('/Password: $/i');
$telnet->print($pwd);
print OUTFILE "Password send";
($output) = $telnet->waitfor('/#$/i');
print OUTFILE "Returned after waitfor";
print OUTFILE $output;
$telnet->print('terminal length 0');
$telnet->waitfor('/#$/i');
$telnet->print('sh ver');
($output) = $telnet->waitfor('/#$/i');
print OUTFILE $output;
### If the device is not running the expected Image, return 1
### so that Software Image Management application does not proceed.
if ($output =~ m/Version 12.2$27$/) {
print OUTFILE "Required Software running on Device, Allow to proceed with Upgrade\n"
9-104
OL-25941-01
Chapter 9

}
else
{
print OUTFILE "Upgrade stopped, Device not running desired Image";
close OUTFILE;
exit(1);
}
close OUTFILE;
## A return vale of zero(0) allows the Software Image Management application to proceed
exit(0);
}
if ($ENV{'CRM_SCRIPT_CONTEXT'} eq "POST-DOWNLOAD") {
my $hostnew = $ENV{'CRM_DEV_MGMT_IP_ADDR'};
my $pwdnew = $ENV{'CRM_PRIMARY_PASSWORD'};
open OUTFILE, ">>$filename" or die "Can't open file";
print OUTFILE "====== POST DOWNLOAD RESULTS ========";
$telnet = new Net::Telnet(Input_Log=>"inp1.txt");
$telnet->dump_log("dmpo.txt");
$telnet->open($hostnew);
$telnet->waitfor('/Username: $/i');
$telnet->print($ENV{'CRM_PRIMARY_USERNAME'});
$telnet->waitfor('/Password: $/i');
$telnet->print($pwdnew);
($opt) = $telnet->waitfor('/#$/i');
$telnet->print('terminal length 0');
$telnet->waitfor('/#$/i');
$telnet->print('sh ver');
($opt) = $telnet->waitfor('/#$/i');
if ($opt =~ m/Version 12.3$10a$/) {
print OUTFILE "Required Software running on Device, Upgrade Successful\n";
}
print OUTFILE $opt;
close OUTFILE;
exit(0);
}

This table shows the locations of some of the Software Management directories and log files that
describe what is happening in the system.
Contents
Operating System
Location
Software Management User

Solaris and Soft Appliance /var/adm/CSCOpx/log/swim_debug.log
Interface/job creation debug log Windows
NMSROOT\log\swim_debug.log
file
Software Management job
execution debug log files.
Solaris and Soft Appliance /var/adm/CSCOpx/files/rme/jobs/swim/job-id/swim_debug.l

og
You can set the debug mode for Windows

Software Management
application in the Log Level
Settings dialog box (Admin >
System > Debug Settings >
Config and Image Management
Debugging Settings)
NMSROOT\files\rme\jobs\swim\job-id\swim_debug.log

OL-25941-01
9-105
Chapter 9
9-106
OL-25941-01
CH A P T E R
10

Virtual Switching technology is the process of combining two standalone distribution switches found in
the local distribution layer into a single management point.
The Virtual Switching System functions and appears as a single switch to the wiring closet and the core
layer. You can also create Virtual Switching Systems with a pair of standalone switches available in the
core layer.
After the conversion of two distribution switches into one Virtual Switching System, the wiring closet
switch creates a port bundle to the Virtual Switching System.
Creating a port bundle allows you to manage Standalone switches, easily because the port bundle has to
manage only a single virtual port to the Virtual Switching System.
This Virtual Switching technology is implemented in LAN Management Solutions (LMS) by providing
a Virtual Switching System Configuration Tool.
This GUI based conversion tool allows you to select two compatible standalone switches and guides you
in converting those standalone switches into one Virtual Switching System.
During the conversion process, the Virtual Switching System Configuration tool generates the required
CLI commands, based on your inputs. The process then pushes this configuration to the devices using
the protocol order provided in Admin > Collection Settings > Config > Config Transport Settings.
Note
Virtual Switching System Configuration Process
Support for Virtual Switching Systems
Only VSS-capable standalone Cisco Catalyst 6000 switches can be converted into a Virtual Switching
System.

OL-25941-01
10-1
Chapter 10

Before you convert Standalone switches to a Virtual Switching System, you must ensure that:
Candidate devices that are to be converted to a Virtual Switching System are managed by LMS so
that they can use this conversion tool.
Fresh Inventory and Config Collection has been carried out.
Only VSS-capable IOS Software Modularity images are running on the Standalone switches.

Two Standalone distribution switches can be converted into a single Virtual Switching System by using
the Virtual Switching System Configuration Tool available in LMS. This process of converting to Virtual
Switching Systems can also be done for core layer switches.
Before proceeding with conversion, ensure that the prerequisites are met.
For more information, see Prerequisites for Conversion.
To convert standalone switches to a Virtual Switching System:
1.
Select Devices for VSS Configuration
2.
Perform Hardware Checks on the Devices
3.
Perform Software Compatibility Checks on the Two Devices
4.
Generate Compliance Report
5.
Define Configuration Parameters
6.
Deploy Commands on the Two Switches to Enable VSS Mode
Select Devices for VSS Configuration
You need to select two switches and convert them into one Virtual Switching System. Only VSS-capable
Standalone devices can be converted to Virtual Switching System.
The Virtual Switching System Configuration Tool consists of a customized device selector. This device
selector displays only VSS-capable devices with their sysObjectIDs.
Perform Hardware Checks on the Devices
After you select two devices, sequential hardware checks are carried out by the Virtual Switching System
Configuration tool on these two devices to ensure hardware compliance.
The hardware checks carried out are:
RAM size check

The RAM sizes in MB of both the devices are compared.
If you try to convert one device with 450 MB RAM and another device with 512 MB RAM into a
Virtual Switching System, a warning message is displayed. However, you are allowed to proceed
with the conversion.
Supervisor Type check

The Supervisor types of both the devices are compared. You cannot convert one device with
Supervisor4 and another device with Supervisor3 into a Virtual Switching System. Only
Supervisor4 is supported for VSS Configuration.
10-2
OL-25941-01
Chapter 10

Modules not supported in VSS mode

Ideally, all modules available in the two devices must support VSS mode. Modules in the two
devices that do not supprt VSS mode are displayed here.
Physical Connectivity check

Both devices should have physical connectivity. This connectivity enables you to convert them to
the Virtual Switching System mode.
Perform Software Compatibility Checks on the Two Devices
After the hardware compatibility check is done, the selected devices undergo a software compatibility
check.
The software compatibility checks are:
Switch mode check

Check whether both devices are in standalone non-VSS modes.
You cannot convert a Standalone switch and a Virtual-mode configured switch into a Virtual
Switching System.
IOS Software Modularity Image check

Both devices must be running VSS-capable IOS Software Modularity images in native IOS mode.
An image is considered VSS-capable if it has SXH as the last three characters of the image name.
Example
The image, 12.2(99)SXH is considered VSS-capable because it has SXH as the last three charaters
of the image name.
Generate Compliance Report
After the hardware and software compatibility checks have been completed, a Compliance report is
generated. This report indicates the various attributes considered for the checks and the status of the
checks.
If there are any instances of non-compliance, you need to restart the conversion process to address these
non-compliances.
You are allowed to proceed to the next step only if both hardware and software compatibility checks are
successful.
For example:
If the devices do not comply with the minimum IOS software image version, you need to upgrade the
software images in the two devices to the minimum recommended version.
A link is provided to the software image upgrade page along with the compliance report, if the minimum
software requirement is not met. You can use this link to upgrade the software images in the devices to
the minimum IOS software image version.
When the devices are made compliant with the hardware and software compability checks, you need to
define configuration parameters for both the devices.
The configuration definition includes:
Specifying the Domain number for the Virtual Switching System configuration
Assigning one switch as the Active switch and the other as the Standby switch
Entering the Switch Priority value for both switches

OL-25941-01
10-3
Chapter 10
Entering the Port Channel numbers for both switches
Selecting 10 Gigabit Ethernet Interfaces for both switches.
Deploy Commands on the Two Switches to Enable VSS Mode
After you have defined the configuration parameters, the Conversion Work Order page is displayed. This
page lists the various CLI commands that you must download to the two devices. The CLI commands
convert the switches into a Virtual Switching System.
These CLI commands are generated by the Virtual Switching System Configuration tool. You need to
deploy the CLI commands on the devices.
LMS uses various protocols such as Telnet, SSH, RCP, SCP, and TFTP to deploy the commands on the
devices. The protocols are tried out in the order specified in LMS. If the first protocol in sequence cannot
log into the device, the next protocol in the order is tried out, until a suitable protocol is found.
For more information on how to change the protocol order, see Administration of Cisco Prime LAN
Management Solution 4.2.
The devices reboot after the CLI commands have been deployed on them. One switch is transformed to
function as an Active switch and the other as a Standby switch.
After successful conversion, the running configuration of the VSS setup is copied to its startup
configuration. The individual switches are then moved to the Suspended state in LMS.
The new Virtual Switching System is added to Device Credentials Repository (DCR) with the device
name, same as the IP Address of the Active switch followed by _VSS.
Note
After conversion, irrespective of whether an Active or Standby switch boots up first, the conversion to
Virtual Switching System takes place successfully. The IP address of the Active device is added to DCR.
10-4
OL-25941-01
Chapter 10

Converting Switches from Standalone to VSS Mode

LAN Management Solution (LMS) provides support for Virtual Switching Systems.
You can use the Virtual Switching System Configuration Tool to convert VSS-capable Standalone
switches to a Virtual Switching System. This GUI-based tool is a wizard that guides you through the
conversion process.
Before you start converting Standalone switches to a Virtual Switching System, you need to ensure that
the prerequisites are met.
For more information, see Prerequisites for Conversion.
To convert Standalone switches to a Virtual Switching System:
Step 1
Select Configuration > Workflows > Virtual Switching System > VSS Conversion.
The Virtual Switching System Mode Conversion dialog box appears.
Step 2
Select two Standalone switches that are VSS-compliant from the Device Selector to convert to a Virtual
Switching System.
The device selector is customized to display only Standalone switches that are VSS-compliant.
Step 3
Click Convert to VSS Mode.
If the switches are compatible, the Checking the Hardware and Software Requirements dialog box
appears.
If the switches are not compatible, an error message is displayed and the conversion is terminated.
In this case, you must restart the conversion after making the switches hardware and software
compatible.
For more information on the hardware and software checks, see Table 10-1.
Table 10-1
Hardware and Software Check
Properties
Device 1
Device 2
RAM Size
The RAM size in MB for Device 1.
The RAM size in MB for Device 2.
Supervisor Type
The Supervisor type for Device 1.
The Supervisor type for Device 2.
Modules not supported in

VSS mode
Names of modules in Device 1 that do not Names of modules in Device 2 that do not
support VSS mode.
support VSS mode.
Physical Connectivity
The IP Address through which Device 1 is The IP Address through which Device 2 is
connected.
connected.
Result
Status of hardware check.
Hardware Checks
Software Checks
Properties
Device 1
Device 2
VSS Mode
The current mode of Device 1.
The current mode of Device 2.
Image Version
The software image version in Device 1
The software image version in Device 2.
Result
Status of software check.

OL-25941-01
10-5
Chapter 10
When the RAM size of both the devices are not equal, a warning message is displayed. However, you
will be allowed to continue with the conversion.
Step 4
Click Next.
The Define Configuration Parameters dialog box appears.
Step 5
Table 10-2
Enter the required information as shown in Table 10-2
Field
Description
Virtual Switching System Configuration
Enter Domain Number
Domain number to be used by the Virtual Switching System, which

can be any number between 1 to 255.
This domain number is common for both the switches.
Device Name: 1
Select Switch Number
Either
Check Switch No.1 if you want to assign Device 1 as Switch No.

1.
Or

2.
You cannot assign both Device1 and Device 2 as Switch No.1. If

Device 1 is assigned Switch No.1 then Device 2 should be assigned
as Switch No.2.
The configuration of the switch designated as No. 2 is overwritten by
the configuration of the switch designated as No. 1.
The first switch becomes the Active Switch and the second switch
becomes the Standby Switch.
Enter Switch Priority
Switch Priority number to be used by the Virtual Switching System,

which can be any number between 1 and 255.
The switch with the higher value becomes the Active Switch and the
other switch becomes the Standby Switch.
The priority value should not be the same for both switches.
Enter Port Channel Number
Port Channel for Device 1.

Enter a number between 1 and 255. The Port channel number must
be different for each switch.
10-6
OL-25941-01
Chapter 10

Table 10-2
Field
Description
Select Interface
Interface for Device 1.

Select the interface for the device from the list box that displays the
10 Gigabit Ethernet interfaces.
A minimum of one interface must be selected for the device. Use the
Control Key to select more than one interface.
Only VSS-capable 10 Gigabit line cards are displayed.
Interface modules for Supervisor 4, 6708 10 Gigabit and 6716 10
Gigabit interfaces are available for selection.
For 6716 10 Gigabit type cards, only four interfaces are displayed for
selection.
For example, if there is a 6716 10 Gigabit card in the device, only
the following four interfaces (1, 5, 9, 13) are displayed:
TenGigabitEthernet <module number>/1
Where <module number> is the module number of the Gigabit card.

For example, TenGigabitEthernet 6/1, where 6 is the module and 1
is the interface.
The number of interfaces selected must be the same for both devices.
Device Name: 2
Select Switch Number
Either:

1.
Or

2.
You cannot assign both Device1 and Device 2 as Switch No.1. If

Device 1 is assigned Switch No.1 then Device 2 should be assigned
as Switch No.2.
The configuration of the switch designated as No. 2 is overwritten by
the configuration of the switch designated as No. 1.
The first switch becomes the Active Switch and the second switch
becomes the Standby Switch.
Enter Switch Priority
Switch Priority number to be used by the Virtual Switching System,

which can be any number between 1 and 255.
The switch with higher value becomes the Active Switch and the
second switch becomes the Standby Switch.
The priority value should not be the same for both switches.

OL-25941-01
10-7
Chapter 10
Table 10-2
Field
Description
Enter Port Channel Number
The Port channel for Device 2.

Enter a port channel number for the switch between 1 and 255. The
Port channel number must be different for each switch.
Select Interface
The Interface for Device 2.

This list box lists the 10 Gigabit Ethernet interfaces. Select the
interface for the device from the list box.
At least one interface must be selected for the device. Use the
Control Key to select more than one interface.
Only VSS capable 10 Gigabit line cards are displayed.
Interface modules for Supervisor 4, 6708 10 Gigabit and 6716 10
Gigabit cards are available for selection.
For 6716 10 Gigabit type cards, only four interfaces are displayed for
selection.
For example, if there is a 6716 10 Gigabit card in the device, only
the following four interfaces (1, 5, 9, 13) are displayed:
Where <module number> is the module number of the Gigabit card.

For example, TenGigabitEthernet 6/1, where 6 is the module and 1
is the interface.
The number of interfaces selected must be the same for both devices.
Step 6
Click Next.
The Work Order page appears with the CLI commands that need to be downloaded to each of the
switches so that they can be converted into one Virtual Switching System.
Step 7
Note
Click Finish.
If the conversion was completed, a message is displayed that the two switches have been converted
to a single Virtual Switching System.
If the conversion failed, an error message is displayed indicating the reason for failure. The reason
could be that the CLI commands were not properly deployed on the devices.
You cannot set priorities for the two Standalone switches that are considered for VSS conversion. Both
the Standalone switches have equal priority by default.
10-8
OL-25941-01
Chapter 10


The various applications in LMS such as Syslog, Inventory Management, Reporting, Software
Management, and Configuration Management provide support for Virtual Switching Systems.
The implication of Virtual Switching System support for these applications is discussed below:
Syslog
Software Management - Software Distribution
The Virtual Switching System is considered as a single switch by Inventory. However Inventory
collection happens for both switches.
You can generate a Detailed Device Report for the Virtual Switching System. The output of this report
consists of information on both the Active and the Standby switches.
For more information on how to generate a Detailed Device Report, see Reports Management with Cisco
Prime LAN Management Solution 4.2.
After the conversion, the Virtual Switching System will have a single unified configuration.
Configuration management provides support for Virtual Switching Systems by managing the
configuration of the switch.
You can use Configuration Management to:
Archive the device configurations
Determine out-of-sync configuration files
View the configuration version tree
Compare the revisions of configurations
Compare the archived configuration with a baseline template
Deploy a version of configuration on the device
For more information on Configuration Management, see Archiving Configurations and Managing them
using Configuration Archive.
You can also use NetConfig and Config Editor to configure Interfaces on a VSS device.
For more information on using NetConfig and Config Editor, see:

OL-25941-01
10-9
Chapter 10
Syslog
The Syslog messages are sent from the Active switch of the Virtual Switching System to the LMS server.
These messages are treated like any other Syslog message from any other device type. Syslog reports
can be generated for the Syslogs received from the Active switch of the Virtual Switching System.
For information on Syslogs, see Administration of Cisco Prime LAN Management Solution 4.2.
Software Management - Software Distribution

Software Management is enhanced to support distribution of software images to a Virtual Switching
System. Software Management uses Master Chassis - Active Supervisor for software distribution.
Software Distribution through LMS Software Management varies based on the software image or Patch
image considered for distribution.
Distribution of the Base Image

Distributing the software Base image consists of:
a. Copying the new software image to the Master switch, Flash storage partition.
b. Copying the same software image to the corresponding slave switch Flash storage partition.
If Master Flash storage is disk0 the software image will be copied to slave-disk0 Flash storage
of the Slave switch.
c. Loading the Active switch.
d. Loading the Slave switch.
e. Activating the software image on both the Flash storages.
f. Rebooting the Master switch.
Distribution of Patch image

Distribution of software base image consists of:
a. Copying of the new patch image to the Master switch, Flash storage partition.
b. Copying the same Patch image to the corresponding Slave switch, Flash storage partition.
If Master Flash storage is disk0, the Patch image will be copied to slavedisk0 Flash storage
of the Slave switch.
c. Loading the Active switch.
d. Loading the Slave switch.
e. Activating the Patch image on both the Flash storages.
You are allowed to reload the device to activate the Patch images, only if you have selected
Reload if required option while scheduling the Patch distribution job.
When you reload, the standby Route Processor(RP) on the Slave switch is reset.
The device reboots as soon as the installed code starts running.
A manual switchover to the redundant supervisor engine for a dual processor redundant system
takes place.
10-10
OL-25941-01
Chapter 10

Note
You can only distribute Patch images to a Virtual Switching System running VSS-capable IOS Software
Modularity image in Install mode.
For more information on Software Distribution, see Software Distribution.

Scheduling a Software Management distribution job for Virtual Switching Systems is almost similar to
that of any Standalone switch. In addition to the verifications performed by Software management, there
are a few verifications that are carried out for Virtual Switching Systems.
Software management verifies:
If VSS-capable IOS Software Modularity images are running on the devices.

The prerequisite for VSS is that the devices should have VSS-capable IOS Software Modularity
images running on them. So if you select an image that is not a VSS-capable IOS Software
Modularity image, the software distribution job cannot be performed.
If the RAM space available on the two devices are compatible.

RAM checks are carried out only for Master switch supervisors and not for Slave switch supervisors.
If there is an identical Slave switch storage partition with enough space for the selected Master
switch storage partition.
For more information on Software Distribution, see:
Patch Distribution

Virtual Switching System refers to the conceptual switch that is created by converting two VSS-capable
standalone switches into one switch. You can also convert Virtual Switching Systems back to Standalone
switches.
To convert Virtual Switching Systems into Standalone switches:
Step 1
Locate the original configurations of the two switches.

These configurations maybe available as files on your server. If not, locate them from the Configuration
Archive of LMS.
For more information on locating the configurations, see Using the Configuration Version Tree.
You can continue with this procedure even if the original configuration files are not available. You can
manually reconfigure the individual switches, if required.

OL-25941-01
10-11
Chapter 10
Step 2
Back up the current VSS setup configuration.

This configuration may be required for future conversions.
Step 3
Connect to the VSS setup using Telnet and:

a.
Remove all the loop back interfaces on the VSS.

Run the command no loopback for each loop back address on the switch.
This removes the loop back addresses from the switch.
b.
Go to the running configuration of the VSS setup and configure the IP address on the physical
interface of the Standby switch.
This IP address must be in a subnet that is not the physical interface of the Active switch.
After the IP address is configured on the physical interface, the Standby chassis is accessible
through the management IP address.
c.
Save this configuration change by running the write mem command.

The configuration is saved to the NVRAM of the corresponding device.
d.
Run the command switch convert mode stand-alone in Enable mode.

This command will reload the Active switch and release the switch from VSS setup.
Step 4
Connect to the VSS setup using Telnet. You must use the IP address configured in Step 3b.
Step 5
Run the command switch convert mode stand-alone in Enable mode.

The switches are now in Standalone mode. You can access them using their own management addresses.
Step 6
Either:
Add the two devices to the DCR of LMS, if they do not exist there. To do this select Inventory >
Device Administration > Add / Import / Manage Devices.
Or
Note
Change the device states if the devices are in Suspended state. This change allows the two devices
to be managed again by LMS.
Alternatively, you can refer to the VSS Reverse Conversion wizard for the procedures for converting
Virtual Switching Systems to Standalone switches. To access the wizard, go to Configuration >
Workflows > Virtual Switching System > VSS Reverse Conversion.
10-12
OL-25941-01
Chapter 10

Use Case: Converting Standalone Switches into a Virtual Switching System
Use Case: Converting Standalone Switches into a Virtual

Switching System
Case:
You are a network administrator and you want to convert two standalone switches into a Virtual
Switching System by using the Virtual Switching System Configuration Tool available in LMS.
Solution:
To convert Standalone switches to a Virtual Switching System:

Step 1
Select Configuration > Workflows > Virtual Switching System > VSS Conversion.
The Virtual Switching System Configuration dialog box appears.
Step 2
Select 10.77.118.242 and 10.77.118.242_alias, two Standalone switches that are VSS-compliant, from
the Device Selector to convert to a Virtual Switching System.
Step 3
Click Convert to VSS Mode.

You can view the hardware and software check results.
Step 4
Click Next.
The Define Configuration Parameters dialog box appears.
Step 5
Enter the required information in the Define Configuration Parameters dialog box.
Step 6
Click Next.
The Work Order page appears with the CLI commands that need to be downloaded to each of the
switches so that they can be converted into one Virtual Switching System.
Step 7
Click Finish.
A message is displayed that the two switches have been converted to a single Virtual Switching System.
After successful conversion, the running configuration of the VSS setup is copied to its startup
configuration. The individual switches are then moved to the Suspended state in LMS.
The new VSS switch is added to the Device Credentials Repository (DCR) with the display name, same
as the IP address of the Active switch followed by _VS
So, the IP address of the Virtual Switching System is 10.77.118.242_VSS

OL-25941-01
10-13
CH A P T E R
11
Configuring VLAN
LMS collects data about devices so that you can configure and manage Virtual Local Area Network
(VLAN) in your network. You must set up your LMS server properly to ensure that Data Collection is
successfully performed in your network.
The configuration module in LMS helps you to manage your VLANs. You can configure and manage
VLAN, Private VLAN (PVLAN), Trunk, and also assign ports to VLANs.
Understanding Virtual LAN (VLAN)
Using VLANs
Configuring VLANs
Configuring Token Ring VLANs
Understanding Private VLAN
Using Private VLAN
Using Inter-VLAN Routing
VLAN Trunking Protocol
Understanding Trunking
EtherChannel
VLAN Port Assignment
Usage Scenarios for Managing VLANs

OL-25941-01
11-1
Chapter 11
Configuring VLAN

A VLAN allows you to create logical broadcast domains that can span across a single switch or multiple
switches, regardless of physical positioning. A VLAN contains a group of devices on one or more LANs.
These devices are configured in such a way that they can communicate as if they were all on the same
network segment. VLANs are based on logical connections instead of physical connections, and hence
they are extremely flexible.
VLAN allows you to group ports on a switch to limit unicast, multicast, and broadcast traffic flooding.
Flooded traffic originating from a particular VLAN is only flooded out to other ports belonging to that
VLAN.
This helps to reduce the size of broadcast domains and it allows groups or users to be logically grouped
without being physically located in the same place.
The following topics are covered in this section:
Advantages of VLANs
VLAN Components
Using VLANs
Advantages of VLANs
VLANs provide the following advantages:
Controlled Broadcast Activity
Workgroup and Network Security

Adds, moves, and changes are some of the greatest expenses in managing a network. Many moves
require re-cabling and almost all moves require new station addressing and hub and router
re-configuration.
VLANs simplify adds, moves, and changes. VLAN users can share the same network address space
regardless of their location.
If a group of VLAN users move but remain in the same VLAN connected to a switch port, their network
addresses do not change.
If a user moves from one location to another but stays in the same VLAN, the router configuration does
not need to be modified.
Controlled Broadcast Activity

Broadcast traffic occurs in every network. Broadcasts can seriously degrade network performance or
even bring down an entire network, if the network is not properly managed.
Broadcast traffic in a particular VLAN is not transmitted outside that VLAN. This substantially reduces
overall broadcast traffic, frees bandwidth for real user traffic, and lowers the vulnerability of the network
to broadcast storms.
11-2
OL-25941-01
Chapter 11
Configuring VLAN
You can control the size of broadcast domains by regulating the size of their associated VLANs and by
restricting both the number of switch ports in a VLAN and the number of people using the ports.
You can also assign VLANs based on the application type and the amount of application broadcasts. You
can place users sharing a broadcast-intensive application in the same VLAN group and distribute the
application across the network.
Workgroup and Network Security

You can use VLANs to provide security Firewalls, restrict individual user access, flag any unwanted
network intrusion, and control the size and composition of the broadcast domain.
You can:
Increase security by segmenting the network into distinct broadcast groups.
Restrict the number of users in a VLAN.
Configure all unused ports to a default low-service VLAN.
VLAN Components
The VLAN components are:
Switches that logically segment the end stations connected to it.

Switches are the entry point for end-station devices into the switched domain and provide the
intelligence to group users, ports, or logical addresses into common communities of interest. LAN
switches also increase performance and dedicated bandwidth across the network.
You can group ports and users into communities using a single switch or connected switches. By
grouping ports and users across multiple switches, VLANs can span single-building infrastructures,
interconnected buildings, or campus networks.
Each switch can make filtering and forwarding decisions by packet and communicate this
information to other switches and routers within the network.
Routers that extend VLAN communication between workgroups.

Routers provide policy-based control, broadcast management, and route processing and distribution.
They also provide the communication between VLANs and VLAN access to shared resources such
as servers and hosts.
Routers connect to other parts of the network that are either logically segmented into subnets or
require access to remote sites across wide area links.
Transport protocols that carry VLAN traffic across shared LAN.

The VLAN transport enables information exchange between interconnected switches and routers on
the corporate backbone. This backbone acts as the aggregation point for large volume of traffic.
It also carries end-user VLAN information and identification between switches, routers, and directly
attached servers. Within the backbone, high-capacity links with high-bandwidth carry the traffic
throughout the enterprise.

OL-25941-01
11-3
Chapter 11
Configuring VLAN
Using VLANs
Using VLANs
You can use Configuration Management functionality in LMS to create, modify, and delete VLANs. You
can use the Topology Services to create Ethernet VLANs.
LMS allows you to modify most of the VLAN characteristics that were entered when you created the
VLAN, such as purpose, description, and LANE services.
The following sections brief on the types of VLANs supported by Topology Services:
Ethernet VLAN (See Ethernet VLANs)
Private VLANs (See Understanding Private VLAN)
Configuring VLANs
You can configure VLANs using VLAN Configuration wizard.
Creating VLAN
To create VLANs, the VLAN Configuration wizard directs you through:

1.
Selecting Devices or Entities
2.
Creating VLANs
3.
Assigning Ports to VLANs
4.
Disallowing VLAN on Trunks
5.
Understanding VLAN Creation Summary
Deleting VLAN
To delete VLANs, the VLAN Configuration wizard directs you through:

1.
Deleting VLANs
2.
Moving Affected Ports to New VLAN
3.
Understanding VLAN Deletion Summary
11-4
OL-25941-01
Chapter 11
Configuring VLAN
Configuring VLANs
Selecting Devices or Entities

You must select the devices or entities to be included in the VLAN. Domain Selector helps you to select
devices in Switch Clouds and VTP Domains.
To select devices or entities for a VLAN:
Step 1
Select Configuration > Workflows > VLAN > Configure VLAN.

The VLAN Configuration page appears.
Step 2
Select the devices using the Device Selector or the Domain Selector from the VLAN Configuration
dialog box.See Table 11-1
Table 11-1
VLAN Configuration Field Description
Field
Description
Device Selector
Lists all the devices in your network.

Click the radio button to select the Device Selector.
Domain Selector
Lists the Switch Clouds and VTP Domains in your

network.
Click the radio button to select the Domain Selector.
Step 3
All
Click All to view all the devices in the network. Check the
checkboxes to select the devices.
Selection
Displays the devices that you have selected in the All pane.
Either:
a.
Click Create to create VLANs.

The Create VLAN page appears.
b.
Go to Creating VLANs.
Or
a.
Click Delete to delete the VLANs.

The Select VLAN to Delete page appears.
b.
Go to Deleting VLANs.

OL-25941-01
11-5
Chapter 11
Configuring VLAN
Configuring VLANs
Creating VLANs
After you select devices using the Device Selector or the Domain Selector and click Create in the VLAN
Configuration page, the Create VLAN page appears. For more details, see Selecting Devices or Entities.
You must enter the details as described in the Table 11-2.
Table 11-2
Create VLAN Field Description
Field
Description
VLAN Name
Enter a name for the new VLAN.
VLAN Index
Enter a number to identify the VLAN. You can enter a number within the
range:
2 to 1001
1025 to 4094
You cannot enter 1 or a number in the range 1002 to 1024, as the VLAN
Index. These are reserved numbers.
Create on all transparent
switches
Check the checkbox to include all switches that are VTP transparent.
VTP transparent switches do not send VTP updates and do not act on
VTP updates received from other switches.
This checkbox is available only for VTP domain based VLAN creation.
For more details on this, see Creating VLANs on Transparent Devices.
Copy running to start-up

config
Check the checkbox to copy the running configuration to the start-up

configuration.
Click any of the following:
Next to continue.
The Assign Ports to VLAN page appears. For details, see Assigning Ports to VLANs.
Assigning ports to VLANs cannot be done for more than 100 devices at a time, since it results in
memory issues. If you have selected more than 100 devices, click Finish to save VLAN creation. Do
VLAN port assignment for 100 devices at a time.
Cancel to exit.
Finish to save changes.

VLANs are created on the specified devices and the initial VLAN Configuration page appears.
11-6
OL-25941-01
Chapter 11
Configuring VLAN
Configuring VLANs
Creating VLANs on Transparent Devices
When you create VLANS without checking the Create On All Transparent Switches option in the VLAN
creation page, the following is the behavior:
Device Selected
VTPv2 Server
VTPv3 Primary Server
VTPv2 or VTPv3
Transparent device
Access and Trunk ports listed

in the VLAN Creation flow
VLAN created on
VTPv2 Server
VTPv2 Client
VTPv3 Server
VTPv3 Client
Selected Transparent device
Device that has VTPv3 in Off Selected Off Mode device

Mode
VTPv2Server
Selected Transparent device

Selected Off Mode device
When you create VLANS with the Create On All Transparent Switches option in the VLAN creation
page, the following is the behavior:
Device Selected
VTPv2 Server
VTPv2 or VTPv3
Transparent device
Device that has VTPv3 in Off
Mode
Access and Trunk ports listed

in the VLAN Creation flow
VLAN created on
VTPv2 Server
VTPv2Server
VTPv2 Client
VTPv2 Transparent
VTPv2 Transparent
device
VTPv3 Server
VTPv3 Client
VTPv3 Transparent device
VTPv3 Off Mode device
VTPv3 Transparent
device
VTPv2 or VTPv3
Transparent device
VTPv2 or VTPv3 Transparent

device
VTPv3 Transparent
device
VTPv3 Transparent device
In the above tables, VTPv2 refers to VTP version 2 and VTP v3 refers to VTP version 3.

OL-25941-01
11-7
Chapter 11
Configuring VLAN
Configuring VLANs
Assigning Ports to VLANs

A VLAN created in a management domain remains unused until you assign one or more switch ports to
the VLAN.
The Assign VLANs to Port page appears after you create the VLAN name and index.
To assign ports to VLANs:
Step 1

Step 2
Select device or domain from the VLAN Configuration page.
Step 3
Click Create.
Step 4
Enter VLAN Name and VLAN Index in the Create VLAN page and click Next.
The Assign Ports to VLAN page appears.
Step 5
Select the ports and click Next.

Table 11-3 describes the entries in the Assign Ports to VLAN page.
Table 11-3
Assign Ports to VLAN Page Field Description
Field
Description
VLAN
Displays the name of the new VLAN.
Filter
Select any of the following criteria based on which you want to filter the list:
Link
Port
Device Name
Device Address
Port Status
VLAN Index
VLAN Name
Association type
Or enter * or leave the field blank and click Filter to get all the records.
Advanced Filter
Click Advanced Filter to open Advanced Filter dialog box. Advanced filtering
allows you to search ports using more search criteria.
For more details on Advanced Filter, see Advanced Filter.
Column
Link
Shows whether the port is connected to a switch or not. The value can either be
True or False.
Port
Name of the port.
Device Name
Name of the device to which the port belongs to.
Device Address
IP address of the device to which the port belongs to.
Port Status
Status of the port. Shows whether the port is active or down.
11-8
OL-25941-01
Chapter 11
Configuring VLAN
Configuring VLANs
Table 11-3
Step 6
Assign Ports to VLAN Page Field Description (continued)
Field
Description
VLAN Index
Index number for the VLAN to which the port belongs to.
VLAN Name
Name of the VLAN to which the port belongs to.
Association Type
Type of VLAN association.
Next to continue.
The Disallow VLAN on Trunks page appears.
Back to modify the Create VLAN page.
Cancel to exit.

VLANs are created on the specified devices, selected ports are assigned to new VLAN and the initial
VLAN Configuration page appears.
For more details, see Disallowing VLAN on Trunks.
Advanced Filter
The Advanced Filter allows you to filter and choose the ports using various parameters and criteria, for
assigning the ports to the VLAN. Table 11-4 describes the fields in the Filter Ports Window, when you
click Advanced Filter from the Assign Ports to VLAN Window.
Table 11-4
Filter Ports Field Description
Field
Description
Match All
Select the radio button to filter the ports that match all the selected parameters.
Match Any
Select the radio button to filter the ports that match any of the selected parameter.

OL-25941-01
11-9
Chapter 11
Configuring VLAN
Configuring VLANs
Table 11-4
Filter Ports Field Description (continued)
Field
Description
Parameter
Select a parameter for which you want to filter the ports. Parameter is the attribute
of a port.
The values displayed for Assigning ports to VLANs are:
Device Name
Device Address
Link
Port
Port Status
Port Description
VLAN Index
VLAN Name
Association Type
The values displayed for Configuring Promiscuous ports are:
Criteria
Value
Link
Port
Device Name
Device Address
VLAN Name
Port Mode
Select the right criterion with respect to the parameter. The values are:
contains
begins with
ends with
is
Enter a value corresponding to the parameter that you have selected.
More to add filter.
Fewer to remove filter from the existing filters.

You can add or remove only one filter at a time.
Filter to filter the ports based on the values for the Parameters.
11-10
OL-25941-01
Chapter 11
Configuring VLAN
Configuring VLANs
Disallowing VLAN on Trunks

You can select the links on which you do not want to allow Trunking in the newly created VLAN. After
you Assign the ports to the VLAN (See Assigning Ports to VLANs), the End-to end VLAN wizard
directs you to Disallow VLAN on Trunks page.
To disallow trunking on the links in your VLAN, check the checkboxes corresponding to those links,
and click Next. The VLAN Creation Summary page appears.
Clicking Back takes you to the Assign Ports to VLAN page, where you can modify the port assignment.
Clicking Finish saves the changes and takes you to the initial VLAN Configuration page.
For more details, see Understanding VLAN Creation Summary.
Table 11-5 describes the fields in the Disallow VLAN on Trunks page.
Table 11-5
Disallowing VLAN on Trunks Page Field Description
Field
Description
VLAN
Name of the VLAN.
Port1
Port on the first device linked to the VLAN.
Device1
Name of the first device in the link.
Device1 Address
IP Address of the first device in the link.
Domain1
Domain to which the device belongs to.
Port2
Port on the second device linked to the VLAN.
Device2
Name of the second device in the link.
Device2 Address
IP Address of the second device in the link.
Domain 2
Domain to which the device belongs to.
Understanding VLAN Creation Summary

The VLAN Creation Summary page summarizes the operations that you performed through the VLAN
Configuration wizard. The Summary provides the following information:
VTP DomainLists the VTP domains.
SummaryLists different parameters that you have entered.

VLAN Creation ParametersLists the VLAN name and index, and the value of the parameters
Create on all transparent switches and Copy running-config to startup-config.

VLAN Port Assignment ParametersLists the VLAN name and index, and ports to which the
VLAN is assigned.
VLAN Trunk Configuration ParametersLists the Trunks on which the VLAN is allowed or
disallowed.

OL-25941-01
11-11
Chapter 11
Configuring VLAN
Configuring VLANs
Example:
VLAN Creation Parameters
VLAN Name: Test
VLAN Index: 912
Create on all transparent switches
: true
Copy running-config to startup-config : true
----------------------------------------VLAN Port Assignment Parameters
VLAN Name: Test
VLAN Index: 912
Operation: Assign the VLAN to selected port(s)
Port : Fa4/28
Device: 10.77.209.43
Device Address: 10.77.209.43
-----------------------------------------VLAN Trunk Configuration Parameters
VLAN Name: Test
VLAN Index: 912
Operation: Disallow VLAN on selected Trunk(s)
Trunk: 10.77.209.52:2/1 => 10.77.209.61:2/25
Trunk: 10.77.210.211#2:Gi0/2 => 10.77.210.204:Gi1/0/24
Review the Summary, and click Finish to create the new VLAN, or click Back to modify the Disallow
VLAN on Trunks page, or click Cancel to exit.
Deleting VLANs
You can delete the VLANs configured on the devices in your network. The VLAN Configuration wizard
directs you to delete a VLAN.
Step 1
Select Configuration > Workflows > VLAN > Delete VLAN.

Step 2
Select devices or entities from the VLAN Configuration page.

For more details on selecting the devices, see Selecting Devices or Entities.
11-12
OL-25941-01
Chapter 11
Configuring VLAN
Configuring VLANs
Step 3
Click Delete.
Table 11-6 describes the fields in the Select a VLAN to Delete dialog box.
Table 11-6
Select a VLAN to Delete Page Field Description
Field
Description
Copy Running Config to Start-up Check the checkbox to copy the running configuration to start-up
Config
configuration.
Delete on all Transparent
Switches
Check the checkbox to delete VLANs on all transparent switches.
Filter Source
Select the Filter type of the source:
If you have created VLANs by checking Create on all transparent

switches, it is mandatory that you check Delete on all Transparent
Switches option to delete the VLANs created in VTP Domains.
VLAN
VLAN Name
Domain Name
Or enter * or leave the field blank and click Filter to get all the
records.
Step 4
Select
Select the radio button corresponding to the VLAN you want to

delete.
VLAN ID
Index of the VLAN.
VLAN Name
Name of the VLAN.
Domain Name
Name of the domain in which the VLAN belongs to.
Next to continue.
The Move Affected Ports to New VLAN page appears. For more details, see Moving Affected Ports
to New VLAN.
Cancel to exit.
The VLAN configuration appears.

The selected VLANs are deleted from the devices. The ports in the deleted VLAN are automatically
assigned to the default VLAN. The VLAN configuration page appears.

OL-25941-01
11-13
Chapter 11
Configuring VLAN
Configuring VLANs
Moving Affected Ports to New VLAN

When you delete a VLAN, any port assigned to that VLAN becomes inactive. Such ports remain
associated with the VLAN (and thus inactive), until you assign them to a new VLAN. You can move
affected ports to a new VLAN using LMS.
You can move the ports in the VLAN you want to delete, to a new VLAN, only after you select the
VLAN you want to delete. For more details on selecting a VLAN to delete, see Deleting VLANs.
To move affected ports to a new VLAN:
Step 1

Step 2
Select devices or entities from the VLAN Configuration page.

For more details on selecting the devices, see Selecting Devices or Entities.
Step 3
Click Delete.
Step 4
Select the radio button corresponding to the VLAN you want to delete and click Next.
The Move Affected Ports to New VLAN appears.
Table 11-7 describes the fields in the Move Affected Ports to new VLAN page.
Table 11-7
Step 5
Move Affected Ports to New VLAN Page Field Description
Field
Description
Port
Affected port in the VLAN.
Device Name
Device Address
IP address of the device.
Port Status
Status of the port.
Connected To
End Host, Network Device
Select the new VLAN from the Move affected ports to new VLAN drop-down menu.
If you do not select any VLAN, the affected ports are moved to the default VLANVLAN 1.
Step 6
Next to continue.
The VLAN Deletion Summary page appears. For more details, see Understanding VLAN Deletion
Summary.
Back to modify the Select VLAN to Delete page.
Cancel to exit.
The VLAN configuration appears.

The selected VLANs are deleted from the devices. The ports in the deleted VLAN are assigned to
the VLANs selected by you. The VLAN configuration appears.
11-14
OL-25941-01
Chapter 11
Configuring VLAN
Understanding VLAN Deletion Summary

The VLAN Deletion Summary page summarizes the operations that you performed through the VLAN
Configuration wizard to delete the VLAN. The Summary provides the following information:
VLAN DeletionLists the domain name, name of the VLAN that is deleted, and the VLAN ID.
Operation: Move the affected Ports to another VLANLists the name and ID of the new VLAN
to which the ports have been moved, and lists the details of the ports including the name and IP
address of the device.
Example:
VLAN Deletion:
===================
VLAN Domain
VLAN Deleted
VLANId
:DMZ_10.77.209.43(T)
:VLAN0002
: 2
-----------------------------------------Operation: Move the affected Ports to another VLAN

New VLAN Name :internal VLAN 4
New VLAN Id
:4
Port:Gi1/6
Device :172.20.118.182
Device Address :172.20.118.182
-------------------------------------------
Review the Summary and click Finish to delete the VLAN, or click Back to modify the Select VLAN
to Delete page, or click Cancel to exit.

You can use Topology Services to create Ethernet VLANs (which is the typical VLAN design). For
details, see Ethernet VLANs.
Ethernet VLANs
An Ethernet VLAN is the typical VLAN design. This consists of a logical group of end-stations,
independent of physical location on an Ethernet network. Catalyst switches support a port-centric or
static VLAN configuration.
All end stations that are connected to ports that belong to the same VLAN, are assigned to the same
Ethernet VLAN. For further details see Creating Ethernet VLANs.

OL-25941-01
11-15
Chapter 11
Configuring VLAN

Before you create Ethernet VLANs, you must create a VTP domain in your network.
Your login determines whether you can use this option.
To create Ethernet VLANs in your network:
Step 1
Either:
Select Configuration > Topology.
Or
Select Monitor > Monitoring Tools > Topology Services.
The Topology Services Main Window appears.

Step 2
Select a VTP domain from the Tree View.
Step 3
Select Tools > VLAN Management > Create > Ethernet from the menu.
The VLAN Creation wizard appears. For more details, see Creating VLANs.

A Token Ring VLAN is a set of rings interconnected through a bridging function. There are two Token
Ring VLAN types defined in VTP version 2:
Token Ring Bridge Relay Function (trBRF)Domain of interconnected rings formed, using an
internal multiport bridge function.
Token Ring Concentrator Relay Function (trCRF)Logical ring domains formed by defining
groups of ports that have the same ring number.
You can create Token Ring Bridge Relay Function (trBRF) VLANs and Token Ring Concentrator Relay
Function (trCRF) VLANs. Multiple trCRFs can be interconnected using a single trBRF.
A trBRF VLAN is a domain of interconnected rings formed using an internal multiport bridge function.
A trCRF VLAN is a logical ring domain formed by defining groups of ports that have the same ring
number.
Understanding trBRF VLANs
Creating trBRF VLANs
Understanding trCRF VLANs
Creating trCRF VLANs
Deleting trBRF and trCRF VLANs
11-16
OL-25941-01
Chapter 11
Configuring VLAN
Understanding trBRF VLANs

A Token Ring Bridge Relay Function (trBRF) is a logical grouping of trCRFs. The trBRF is used to join
different trCRFs. In addition, the trBRF can be extended across a network of switches through
high-speed uplinks between the switches to join trCRFs contained in different switches.
A trBRF has two global parameters: a bridge number and a bridge type. The bridge number is used to
identify the logical distributed source-route bridge (SRB), which interconnects all logical rings that have
the same parent trBRF.
Creating trBRF VLANs

To create Token Ring Bridge Relay Function (trBRF) VLANs in your network.
Step 1
Select a VTP domain from the Tree View.
Step 2
Select Tools > VLAN Management > Create > Token Ring BRF from the menu.
See Table 11-8 for details.
Table 11-8
Creating trBRF VLANs Field Descriptions
Field
Description
VTP Domain
Name of VTP domain in which this VLAN will be

created.
VLAN Name
Enter a name for the trBRF.
VLAN Index
Topology Services automatically assigns a VLAN

index. This number is incremented each time you
create a VLAN in this VTP domain.
If you want to change the VLAN index, enter a number
between 1 and 1024 to identify the VLAN.
Purpose
Enter a word or phrase that describes the purpose of the

VLAN.
Description
Describe the contents of the VLAN.
Create VLAN on all

Transparent Switches
Check this box to include this VLAN on switches

configured as VTP transparent.
BRF Parameters
Step 3
Bridge Number
Integer in hexadecimal format. The default is 0xF.
STP Type
Spanning Tree protocol used in the network.
Click Apply.

OL-25941-01
11-17
Chapter 11
Configuring VLAN
Understanding trCRF VLANs

A Token Ring Concentrator Relay Function (trCRF) is a logical grouping of ports. Each trCRF is
contained in only one trBRF, which is called its parent. When a port is assigned to the trCRF, only ports
on that switch can belong to that trCRF.
As a rule, a trCRF cannot span different switches. This type of trCRF is called an undistributed trCRF.
However, if your switches are connected through Inter-Switch Link (ISL), the Cisco Duplicate Ring
Protocol (DRiP) allows two types of trCRFs in which the ports of a single trCRF can be on different
switches.
These types of trCRFs are the default and the backup trCRF:
Default trCRF
The default trCRF can contain ports that are located on multiple switches. The default trCRF is
associated with the default trBRF, which can span switches through ISL.
Since the default trCRF is the only trCRF that can be associated with the default trBRF, the default
trBRF does not perform any bridging functions, but uses source-route switching to forward traffic
between the ports of the default trCRF.
Backup trCRF
The backup trCRF allows you to configure an alternate route for traffic between undistributed
trCRFs located on separate switches that are connected by a trBRF. The backup trCRF is only used
if the ISL connection between the switches becomes inactive.
Creating trCRF VLANs

You must configure a Token Ring Bridge Relay Function (trBRF) VLAN before creating the trCRFs that
you want associated with the trBRF.
To create Token Ring Concentrator Relay Function (trCRF) VLANs in your network:
Step 1
Select a trBRF from the Tree View.
Step 2
Select Tools > VLAN Management > Create > Token Ring CRF from the menu.
For more information, see Table 11-9.
Table 11-9
Creating trCRF VLANs Field Descriptions
Field
Description
VTP Domain
Name of VTP domain in which this VLAN will be

created.
trBRF
Name of trBRF to which this trCRF belongs.
Name
Enter a name for the VLAN.
VLAN Index
Topology Services automatically assigns a VLAN

index. This number is incremented each time you create
a VLAN in this VTP domain.
If you want to change the VLAN index, enter a number
between 1 and 1024 to identify the VLAN.
11-18
OL-25941-01
Chapter 11
Configuring VLAN
Table 11-9
Step 3
Creating trCRF VLANs Field Descriptions (continued)
Field
Description
Purpose
Enter a word or phrase that describes the purpose of the

VLAN.
Description
Describe the contents of the VLAN.
Create VLAN on all

Transparent Switches
Check this box to include this VLAN on switches

configured as VTP transparent.
Ring Number
Enter an integer between 1 and 0FFFH, or accept the

ring number Topology Services creates.
VLAN Bridge Type
Select a bridging mode for this trCRF.
ARE (All Routes

Explorer) Hop Count
Enter the ARE hop count. Valid numbers are 1 to 13,

and 7 is the default.
STE (Spanning Tree

Explorer) Hop Count
Enter the STE hop count. Valid numbers are 1 to 13, and
7 is the default.
Backup CRF
Check this option if this trCRF is going to be the backup

trCRF. A backup trCRF will replace the trBRF if the
trBRF fails.
Click Apply.
The LANE Services option is active.
To configure LANE in your network, click LANE Services.
Step 4
Click OK.
Your changes are saved and the window closes.
Deleting trBRF and trCRF VLANs

You can delete VLANs in your network. If you delete a VLAN with active ports, it disables the active
ports in that VLAN.
You can use VLAN Port Assignment application to move any port to another VLAN.
You can delete a token ring Bridge Relay Function (trBRF) only if all token ring Concentrator Relay
Functions (trCRFs) within it have been deleted, or if they do not contain any ports.
Deleting a VLAN with an associated ATM-VLAN does not delete the ATM-VLAN. The ATM-VLAN
remains intact and appears in the Standalone ATM-VLANs folder for the ATM domain to which it
belongs.
Your login determines whether you can use this option.
To delete a VLAN:
Step 1
Select Config > Topology Services.

Step 2
Select a VLAN that you want to delete, from the Tree View under Managed Domains.

OL-25941-01
11-19
Chapter 11
Configuring VLAN
Step 3
Select Tools > VLAN Management > Delete.

The domain window appears with a message:
The selected VLAN will be deleted if no ports are associated with this VLAN. Do you want
to continue?
Step 4
Check the check box Delete on all Transparent Switches, if required.
Step 5
Click Yes to delete the VLAN or click No to exit.

Displaying VLAN Reports
Interpreting VLAN Reports
To display summary information about the VLANs in your network:

From Tree View in Topology Services, open a VTP domain and select a VLAN. The Summary
information is displayed in the right pane of the Topology services window. See Table 11-10 to interpret
this information.
Note
Information on Bridge Number and Ring Number are not applicable to Ethernet VLANs.
Table 11-10
VLAN Field Description
Field
Description
Ports
Number of ports in the domain.
Up Ports
Number of active ports in the domain.
ISL Index
Inter-Switch Link (ISL) index of the VLAN.
Port List
Link
A lightning bolt indicates a port that is connected to a switch.
PortDescription
Description about the port.
PortName
Name of the port.
Device Name
Name of device to which the port belongs.
Device Address
IP address of device to which the port belongs.
Port Status
Whether the port is active, down, dormant, or testing.
isTrunk
If checked, the port is configured as a VLAN trunk.
Association Type
Type of VLAN.
Port Mode
Displays mode of port. For example, PVLAN-Host, Promiscuous, or non

PVLAN.
11-20
OL-25941-01
Chapter 11
Configuring VLAN
Displaying VLAN Reports

LMS allows you to generate VLAN reports for devices, switch clouds, or VTP domains.
Step 1
Select Reports > Technology > VLAN.

The Report Generator page appears.
The left drop-down list displays LMS Reports.
Step 2
Select VLAN from Select a Report drop-down list.

The VLAN page appears with the following information. See Table 11-11:
Table 11-11
Field
VLAN Page Field Description
Description
Scheduling
Run Type
Select a run type from the drop-down list.

The following run types are available: Immediate, Once, Daily, Weekly,
Monthly.
If you select Immediate, the Job Info fields and Scheduling Date will be
dimmed.
Note
Date
Launching immediate VLAN reports for more than 500 devices

results in an error. You can schedule reports to run for all devices
or launch immediate reports for less than 500 devices.
Select the date and time at which you need to generate the report.
Format: 20 Apr 2005 at 01 20

OL-25941-01
11-21
Chapter 11
Configuring VLAN
Table 11-11
VLAN Page Field Description (continued)
Field
Description
Job Info
Job Description
Enter a description for this report.
E-mail
Enter the e-mail id to which the report has to be sent.
Report Publish Path
Use the Default Path check box to publish the report at a specific location.
If you check the Default Path check box, it publishes the report in the
default directory path. If you uncheck the Default Path check box, it
allows you to specify a directory path to which the report is published. If
the directory path is not specified, then the report will be published to:
For Windows: C:\Progra~1\CSCOpx\VLAN
For Solaris and Soft Appliance: /opt/CSCOpx/VLAN
A PDF format of the report (along with HTML and CSV formats) is
published to the specified location.
Attachment Option
Check this check box to attach the report as a CSV file. By default a CSV
file is sent to the e-mail address specified in the E-Mail ID field. If you
check Add Full Report check box, instead of CSV a PDF format of the
report will be sent as an attachment to the specified e-mail id.
You need to enable the e-mail Attachment check box and specify the
Maximum Attachment size in the System Preferences dialog box (Admin
> System > System Preferences) to send the report as an e-mail.
If the file size exceeds the Maximum Attachment size, the URL link of
the report is sent as an e-mail. You can click the URL link to view the
report.
Step 3
Click Submit to generate the report. The VLAN reports window appears.
Or
Click Reset to change the settings.
You can open VLAN reports page from Topology Services.

To open VLAN reports from Topology Services:
Step 1
Either:
Or

Step 2
Select a view that contains the device, switch cloud, or the VTP Domain for which you want to view the
report.
This view is in the Tree View in the Topology Services Main Window.
11-22
OL-25941-01
Chapter 11
Configuring VLAN
Step 3
Select Reports > VLAN Report from the menu.

or
Right-click the VTP Domain or the device, and select Display View.
The Network Topology window appears.
Step 4
Select the device or the switch cloud.
Step 5
Right-click and select VLAN Report from the popup menu.

or
Select Reports > VLAN Report.
The VLAN Report window appears.
Interpreting VLAN Reports

The following information is displayed at the top of the report:
Device Name
Device IP
Device Type
Domain
Table 11-12 describes the fields in VLAN Report.

Table 11-12
VLAN Report Field Description
Field
Description
VLAN ID
VLAN index.
VLAN Name
Name of the VLAN to which the device belongs.
Status
Status of device can be operational or suspended.
VLAN Type
Types of VLANs to which the device is associated. The VLANs can be

normal, primary, isolated, community, or two-way community VLANs.
Associated Primary
VLAN ID of the associated primary VLAN.
MTU Size
MTU size for the corresponding VLAN on that device.
Media Type
Explains in which media type the device operates. Device can be in

ethernet, FDDI, or inactive.

OL-25941-01
11-23
Chapter 11
Configuring VLAN

A Private VLAN (PVLAN) is a VLAN that isolates devices at Layer 2 (L2), from other ports within the
same broadcast domain or subnet. PVLAN segregates traffic at L2 and converts a broadcast segment into
a non-broadcast multi-access segment.
PVLANs can stop L2 connectivity between end stations on a switch without distributing them into
different IP subnets, thus preventing wastage of IP addresses.
You can also assign a specific set of ports within a PVLAN, and thus control the connectivity among
them. You can configure PVLANs and normal VLANs on the same switch.
This topic contains Types of Private VLAN Ports
Types of Private VLAN Ports

The ports in a private VLAN are categorized as:
Promiscuous Ports
PVLAN Host Ports
PVLAN Trunk Ports
Promiscuous Ports
Promiscuous port communicates with all other interfaces and ports within a PVLAN. Such ports are used
to communicate with external routers, local directories, network management devices, backup servers,
administrative workstations, etc.
Ports to the routing module in some switches are promiscuous in nature (for example, MSFC).
PVLAN Host Ports

A PVLAN host port is a port connected to a server or an end host that requires Layer 2 (L2) isolation.
A host port exists in the PortFast mode and the BPDU Guard feature is enabled on these ports. These
ports can be further classified into:
Isolated Ports
Community Ports
This depends on the secondary VLAN to which the ports belong.

Isolated Ports
Isolated ports are completely isolated in L2, from other ports in the same PVLAN. These ports cannot
receive the broadcasts from other ports within the same PVLAN, but receive broadcasts from
promiscuous ports.
Privacy for the VLAN is ensured at L2 level by blocking the traffic to all isolated ports, except the
promiscuous ports. Broadcasts from an isolated port is always forwarded to all promiscuous ports.
Community Ports
Community ports communicate among themselves and with their promiscuous ports. These ports are
isolated at L2 from all other ports in other communities, or isolated ports within their private VLAN.
Broadcasts propagate only between associated community ports and the promiscuous port.
11-24
OL-25941-01
Chapter 11
Configuring VLAN
Using Private VLAN
PVLAN Trunk Ports

Private VLAN Trunk ports are similar to Host ports that can carry multiple VLANs. A Trunk port carries
the primary VLAN and the secondary VLANs to the neighboring switch. The Trunk port is unaware of
PVLAN and will carry PVLAN traffic without any special action.
Using Private VLAN

A Private VLAN has four distinct parts:
Primary VLAN
Manages the incoming traffic from the promiscuous port to isolated, community, two-way
community ports, and all other promiscuous ports, in the same primary VLAN.
Isolated VLAN
Isolated ports use this VLAN to communicate to the promiscuous ports. The traffic from an isolated
port is blocked from reaching all adjacent ports within its private VLAN, except for its promiscuous
ports.
Community VLAN
A group of community ports use this unidirectional VLAN to communicate among themselves and
to manage the outgoing traffic through the designated promiscuous ports from the private VLAN.
Two-way community VLAN

A group of community ports use this VLAN to communicate among themselves. This bidirectional
VLAN manages the incoming and outgoing traffic for community ports and Multilayer Switch
Feature Cards (MSFC).
Isolated and community VLANs are called secondary VLANs.

This section explains:
Creating PVLAN
Configuring Promiscuous Ports
Deleting PVLAN
While creating private VLANs, you:
Must set VTP to Transparent or Off modes, for VTP version 2.
Can create PVLAN on primary server, Transparent and Off modes for VTP version 3.
LMS enables you to:
Create primary Private VLAN.
Create isolated, community or two-way community VLANs.
Associate secondary VLANs to primary VLANs.
Assign ports to secondary VLANs.
Configure promiscuous ports.

OL-25941-01
11-25
Chapter 11
Configuring VLAN
Using Private VLAN
Creating PVLAN
To create a Private VLAN, you must designate one VLAN as primary and another as either isolated,
community, or two-way community VLAN. Then, you can assign additional VLANs as secondary
VLANs.
After creating primary and secondary VLANs you must associate the secondary VLANs to the
respective primary VLANs.
Creating a private VLAN involves the following steps:
Creating Primary VLAN
Associating Ports to Secondary VLAN
Creating Primary VLAN

You must create primary VLAN before creating any other secondary VLAN.
To create Primary VLANs:
Step 1
Either
Select Configuration > Workflows > VLAN > Create Private VLAN.
The Create PVLAN page appears.
Or
Or

Select a VTP domain from the VTP Tree View, under the Managed Domain or Network View.
Select Tools > PVLAN Management > Create.

Step 2
Select the devices using the Device Selector or the Domain Selector.
For more details, see Step 2 of Selecting Devices or Entities.
Step 3
Select Primary from the Private VLAN Type drop-down list.

The Get Primary VLANs tab and the Associated Primary VLAN field is disabled.
Step 4
Enter a name for the VLAN in the VLAN Name field.
Step 5
Enter the VLAN index number for the new Primary VLAN, in the VLAN Index field.
11-26
OL-25941-01
Chapter 11
Configuring VLAN
Using Private VLAN
Step 6
Check the check boxes as required:
To create private VLAN on all transparent switches.
To copy Running to Startup config for IOS switches.

The check box for creating private VLANs on all transparent switches, is enabled only when the
VLAN contains a device in transparent mode.
Step 7
Note
Click Create to create primary PVLAN.
You must create primary VLAN before creating any other secondary VLAN.

After creating a primary VLAN, you can create secondary VLANs. Once you create a secondary VLAN,
you must associate that to a primary VLAN.
To do this:
Step 1
Either:
Select Configuration > Workflows > VLAN > Create Private VLAN.
Or
Or

Select a VTP domain from the VTP Tree View, under the Managed Domain or Network View.
Select Tools > PVLAN Management > Create.
Step 2
Step 3
Select one of the following options from the Private VLAN Type drop-down list:
Isolated
Community
Two-Way Community
Select the Associated Primary VLAN.

You can associate a secondary VLAN that you have created to a primary VLAN.
VTP Domain field displays the domain you have chosen.
You may enter the Private VLAN Name that you want to assign.
Step 4
Select the Private VLAN Index.

OL-25941-01
11-27
Chapter 11
Configuring VLAN
Using Private VLAN
Step 5
Check the check boxes as required:
To create private VLAN on all transparent switches.
To copy Running to Startup config for IOS switches.

The check box for creating private VLANs on all transparent switches, is enabled only when the
VLAN contains a device in transparent mode.
Step 6
Click Apply to create PVLAN or click Cancel to exit.
Associating Ports to Secondary VLAN

You must associate ports to the secondary VLAN that you have created. You can assign ports to a
secondary VLAN as you assign for normal VLANs. For assigning ports to VLANs, see Using
Configuring Promiscuous Ports

You must associate the promiscuous ports to the PVLANs you have created, to receive traffic from
outside the PVLAN.
You can configure only the ports on which Trunking is not enabled.
To configure a Promiscuous Port:
Step 1
Select Configuration > Workflows > VLAN > Configure Promiscuous Ports.
The Configure Promiscuous Ports page appears.
Step 2
Select a device or entities from the list using Device Selector or Domain Selector.
Step 3
Click List Ports.

The Port List displays the list of ports on the selected devices.
You can filter the list using the Filter or Advanced Filter.
Step 4
Select the ports from the ports listed in the table.
Step 5
Click Configure.
The Configure Promiscuous Port window appears.
The Port Details table displays:
Step 6
Device Name
Port Name
Device IP Address
IfName
Select the VLANs from the list of Available PVLANs.
11-28
OL-25941-01
Chapter 11
Configuring VLAN
Using Private VLAN
Step 7
Click Add to add to list of Mapped VLANs.

Or
Click Remove to remove the VLANs from the Map VLANs table.
You can select the Copy Running to Start-up config check-box to copy the running configuration to the
start-up configuration.
Step 8
Click Apply to configure.
Deleting PVLAN
To delete PVLAN:
Step 1
Select Configuration > Workflows > VLAN > Delete Private VLAN.
The Delete PVLAN page appears.
Step 2
Select a device or entities from the list using Device Selector or Domain Selector.
Step 3
Click List PVLANs to see a list of PVLANs. See Table 11-13.

Table 11-13
Fields in PVLAN List
Field
Description
PVLAN List
Filter
You can select any of the following filter criteria:
PVLAN Index
PVLAN Name
PVLAN Type
Associated Primary
Domain
Enter the filter string, then click Filter.
Step 4
PVLAN Index
Index value of the PVLAN.
PVLAN Name
Name of the PVLAN.
PVLAN Type
Type of PVLAN. Values are: Primary, Secondary, Community
Associated Primary
Name of the Associated Primary VLAN.
Domain
Domain to which the VLAN belongs to.
Select the check box corresponding to the PVLAN you want to delete.
To select all, select the check-box in the table heading.
Step 5
Click Delete.

OL-25941-01
11-29
Chapter 11
Configuring VLAN

Inter-VLAN Routing enables to route the traffic between different VLANs. This feature is required when
an end station wants to communicate with another end station in a different VLAN. Devices within a
VLAN can communicate with one another without the help of a router.
On the contrary, devices in separate VLANs require a routing device to communicate with one another.
Network devices in different VLANs cannot communicate with one another without a router to route the
traffic between the VLANs.
In most of the network environments, VLANs will be associated with individual networks or
subnetworks. In a switched network, VLANs segregate devices into different collision domains and
Layer 3 (L3) subnets.
Configuring VLANs for inter-VLAN routing helps to control the size of the broadcast domain and to
keep local traffic local. You can configure one or more routers to route traffic in the network.
Layer 2 switches require a L3 routing device (either external to the switch or in another module on the
same chassis).
The new L3 Switches accommodate routing capabilities. The router or the switch receives a packet,
determines the VLAN to which it belongs, and sends the packet to the appropriate port on the other
VLAN.

Configuring Inter-VLAN Routing
LMS supports Inter-VLAN Routing configuration on devices like MSFC, RSM, and external routers
with IPv4.
Prerequisite for configuring Inter-VLAN Routing
Configuration Functionality in LMS is a prerequisite for configuring Inter-VLAN Routing.

If you want to configure Inter-VLAN Routing on a device:
LMS must manage the devices.
The device must have the same device name when managed by LMS.
See Inventory Management with Cisco Prime LAN Management Solution 4.2 for more details on how to
manage devices.
Configuring Inter-VLAN Routing on External Routers
11-30
OL-25941-01
Chapter 11
Configuring VLAN

To configure Inter-VLAN Routing on a VLAN interface:
Step 1
Either:
Or

Step 2
Select a device from the Topology Services Tree View, under the Network Views.
Step 3
Right-click the device and select Config Inter-VLAN Routing from the popup menu.
The Configure Inter-VLAN Routing window appears. This window displays the Device Name and the
Device IP of the selected device.
Step 4
Select a device interface from Device interface configuration list.
Step 5
Click Edit to edit an existing VLAN configuration.

Or
Click New to configure Inter-VLAN Routing for a new VLAN interface.
You can edit IP Address, Admin Status, and Subnet Mask. See Table 11-14.
Table 11-14
Configuring Inter-VLAN Routing Field Descriptions
Field
VLAN Interface
Description
1
Enter the VLAN interface.
IP Address
Enter the IP address for the interface
Subnet Mask
Enter the subnet mask address.
Admin Status
Select the Admin status:
Up
Down
1. You can enter the VLAN interface name to create a new interface. You cannot edit an existing VLAN interface.
You can also delete a Device Interface from the list of Interfaces for which you do not want to configure
Inter-VLAN Routing.

OL-25941-01
11-31
Chapter 11
Configuring VLAN
Step 6
Click Move to Interface Set.

If you want to edit the configuration details again:
Step 7
a.
Select the VLAN interface from the Interface Set.
b.
Click Delete from Interface Set
c.
Repeat the steps from Step 4.
Click Apply.
You can configure Inter-VLAN Routing for more than one VLAN interface, at a time.
Inter-VLAN Routing is configured for all the VLAN interfaces in Interface Set.
Configuring Inter-VLAN Routing on External Routers

To configure Inter-VLAN Routing on a VLAN interface of an external router:
Step 1
Either:
Or

Step 2
Select a device from the Topology Services Tree View, under the Network Views.
Step 3
Right-click the device and select Config Inter-VLAN Routing from the popup menu.
The Configure Inter-VLAN Routing window appears.
Step 4
Select a device interface from Device interface configuration list.
Step 5
Click Edit to edit an existing VLAN configuration.

Or
Click New to configure Inter-VLAN Routing for a new VLAN interface.
You can edit IP Address, Admin Status, Encapsulation, and Subnet Mask. See Table 11-15
Table 11-15
Configuring Inter-VLAN Routing Field Descriptions
Field
VLAN Interface
Description
1
Enter the VLAN interface.
IP Address
Enter the IP address for the interface.
Sub-Interface ID
Enter the ID for the sub-interface.
Admin Status
Select the Admin status:
Up
Down
11-32
OL-25941-01
Chapter 11
Configuring VLAN
Table 11-15
Configuring Inter-VLAN Routing Field Descriptions (continued)
Field
Description
Encapsulation
Select the encapsulation:
Subnet Mask
dot1Q
ISL
Enter the subnet mask address.
1. You can enter the VLAN interface name to create a new interface. You cannot edit an existing
VLAN interface.
You can also delete a device interface from the list of interfaces for which you do not want to configure
Inter-VLAN Routing.
Step 6
Click Move to Interface Set.

If you want to edit the configuration details again:
Step 7
a.
Select the VLAN interface from the Interface Set.
b.
Click Delete from Interface Set
c.
Repeat the steps from Step 2.
Click Apply.
You can configure Inter-VLAN Routing for more than one VLAN interface, at a time.
Inter-VLAN Routing is configured for all VLAN interfaces in the Interface Set.

VLAN Trunking Protocol (VTP) is a Layer 2 multicast messaging protocol that maps VLANs across all
media types and VLAN tagging methods between switches. In this way it maintains the VLAN
configuration consistency throughout a network.
VTP reduces the effort in adding, deleting, or renaming a VLAN at each switch, when the VLAN extends
to other switches in the network.
VTP minimizes misconfigurations and configuration inconsistencies that can result in a number of
problems, such as duplicate VLAN names, incorrect VLAN-type specifications, and security violations.
With VTP, you can make configuration changes centrally on one switch and have those changes
automatically communicated to all the other switches in the network.
The major function of VTP is to distribute VLAN information. You must configure VTP before you
configure any VLAN.
Using VTP, each switch in server mode displays the following:
Management domain on the Trunk ports
Configuration revision number
VLANs and their specific parameters.
For more details on VLAN, see Understanding Virtual LAN (VLAN), and for VTP Domains, seeVTP
Domains.

OL-25941-01
11-33
Chapter 11
Configuring VLAN
This topic contains:
VTP Domains
Using VLAN Trunking Protocol (VTP)
Using VTP Views
VTP Domains
A VTP domain is made up of one or more interconnected devices that share the same VTP domain name.
A switch can be configured to be in only one VTP domain, and each VLAN has a name that is unique
within a management domain.
Typically, you use a VTP domain to ease administrative control of your network or to account for
physical boundaries within your network. However, you can set up as many or as few VTP domains as
are appropriate for your administrative needs.
Consider that VTP is transmitted on all Trunk connections, including ISL, IEEE 802.1Q, 802.10, and
LANE.
VTP Domains display and monitor the details of the VLANs in your network. Sometimes includes
special cases labeled NULL or NO_VTP.
NULLLists devices that are in transparent mode and that support VTP, but do not have configured
domain names. Each of these devices is identified in the list by its IP address.
NO_VTPLists devices that do not support VTP. Each of these devices is identified in the list by
its IP address.
However, devices which do not support VTP but support VLANs (for example, Catalyst 2900XL
Standard Edition switches) are placed in the NO_VTP domain.
The devices that do not support VLANs and VTP (for example, Catalyst 1900 Standard Edition
switches) are placed in the domain category of the neighbor device.
Components of VTP Domains

Within a VTP domain, you can configure switches as follows:
ServerVTP servers advertise their VLAN configuration to other switches in the same VTP domain
and synchronize their VLAN configuration with other switches based on advertisements received
over Trunk links. VTP server is the default mode.
ClientVTP clients operate in the same way as VTP servers. However, you cannot create, change,
or delete VLANs on a VTP client. VTP clients also do not broadcast VTP advertisements like the
VTP servers do.
TransparentVTP transparent switches do not participate in VTP. A VTP transparent switch does
not display its VLAN configuration and does not synchronize its VLAN configuration based on
received advertisements.
Your VTP domain structure influences the behavior of Topology Services.
11-34
OL-25941-01
Chapter 11
Configuring VLAN

VTP version 3 can distribute a list of opaque databases over an administrative domain.
VTP version 3 provides these enhancements to the previous VTP versions:
Support for extended VLANs.
Support for creating and advertising private VLANs.
Support for VLAN instances and MST mapping propagation instances.
Allows improved server authentication.
Prevents you from adding the wrong database to a VTP domain.
Allows interaction with VTP version 1 and VTP version 2.
Support for configuring VTP version 3 on a per-port basis.
Enables the network to propagate the VLAN database and other databases.
VTP version 3 is a collection of protocol instances. Each instance handles one database, which is
associated with a given feature. VTP version 3 runs multiple instances of the protocol by which it
handles the configuration propagation of multiple databases that are independent of one another.
For further details see Support for VTP Version 3.
Support for VTP Version 3

LMS supports the version 3 of VTP. Following are the major features supported in this release:
Displays Primary server as a subfolder under the parent VTP domain:

If your network contains devices running VTP version 3, the primary server is displayed as a
subfolder under the parent Domain in the VTP Domains. Under Primary server folder, you can find
all the server and client modes.
Supports devices with VTP set to Off mode:

The devices which are set to Off mode are supported as for the transparent mode devices. The Tree
View displays the Off mode devices in subfolder under the parent domain.
Provides VTP filters:

Topology Filters contains a filter for devices running VTP version 3 in the Network Topology view
for the VTP Domains and VTP Views.
You can enable the filters to view the primary, server, client, transparent, and Off mode devices. The
Off mode devices in VTP version 2 and version 3 domains, are displayed under different subfolders
of the parent domain, in the Tree View.
When you change the configuration through LMS, the Off mode devices are considered similar to
the Transparent mode devices.
For more details, see Figure 11-1.

OL-25941-01
11-35
Chapter 11
Configuring VLAN
Figure 11-1
VTP Filters
Menu
Filter on for VTP devices
Toolbar
Check box dimmed for the filter
Topology map
Topology filter results
Filtered devices
10 Check box enabled for VTP Transparent

devices
Filter collapsed
11 Expand icon for the filter
Filter dimmed
Supports creating Private VLANs in VTP version 3 environment.

You can create a VLAN or PVLAN using a primary server domain or the parent domain. You can
create a VLAN or PVLAN only on the Primary server, Transparent and Off mode devices, in a VTP
version 3 environment.
11-36
OL-25941-01
Chapter 11
Configuring VLAN
Notes on creating VLAN or PVLAN in VTP version 3 domain using LMS
You must select the parent VTP domain folder under the VTP domain Tree to create VLAN or
PVLAN.
To create VLAN or PVLAN on all transparent switches in the domain, you can check the check box
Create VLAN on all transparent switches in the Creating VLAN or PVLAN windows.
For more details, see Creating Ethernet VLANs and Creating PVLAN.
You must select the primary domain subfolder under the VTP domain, while creating VLAN and
PVLAN on the Primary server mode devices that has clients and secondary servers.
You must select Transparent or Off mode subfolders under the parent VTP domain to create VLAN
or PVLAN on a single Transparent or Off mode device respectively.
Using VLAN Trunking Protocol (VTP)

Using VLAN Trunking Protocol (VTP), each switch in server mode advertises its management domain
on its Trunk ports, its configuration revision number, and its known VLANs and their specific
parameters.
Therefore, a new VLAN must be configured on only one device in the management domain, and the
information is automatically learned by all other devices (not in VTP transparent mode) in the same
management domain.
After a device learns about a VLAN, it receives all frames on that VLAN from any Trunk port and, if
appropriate, forwards them to each of its other Trunk ports.
Displaying VTP Reports
Using VTP Views
Displaying VTP Reports

To display a VTP report for the VTP domains in your network.
Step 1
Either:
Or

Step 2
Select a VTP domain under the VTP views for which you want to view the report. This view is in the
Tree View in the Topology Services Main Window.
The VTP Report, which is the Summary view, appears.

OL-25941-01
11-37
Chapter 11
Configuring VLAN
Interpreting VTP Reports

See Table 11-16 to interpret the fields shown in the VT Reports Summary view.
Table 11-16
Field Description for VTP Report
Field
Description
Link
A lightning bolt indicates a port that is linked to a switch.
Port
Number of ports in the domain.
IfName
Interface Name.
Device Name
Name of the device to which the port belongs.
Device Address
Address of the device to which the port belongs.
PortStatus
Displays the status of the port, whether the port is active or dormant.
isTrunk
If the box is checked, the port is configured as a VLAN Trunk.
VLAN
Name of the VLAN.
Association Type
Type of VLAN
Port Mode
Displays the mode of the port. For example, PVLAN-Host, Promiscuous, or

a non-PVLAN.
11-38
OL-25941-01
Chapter 11
Configuring VLAN
Using VTP Views

VTP Views shows devices that participate in VTP domains. VTP Views also shows the non-VTP devices
connected directly to the VTP domain. See Figure 11-2
Figure 11-2
VTP Tree View
VTP domain in the Topology Tree View
VLANs under the Transparent switch mode
Parent VTP domain
VTP Views under the Network View
Switch in Transparent mode
Parent VTP domain under VTP views
Use the VTP views to:
Display Device Attributes
Display Port Attributes
Display Link Attributes
Display information about multi-layer switching (MLS) devices in your network.

OL-25941-01
11-39
Chapter 11
Configuring VLAN
A Trunk is a point-to-point link carrying traffic for several VLANs, and are typically used to connect
switches. Instead of configuring several access links to carry multi-VLAN traffic, its economical to do
it with a single trunk link.
Trunking is hence a type of configuration on an interface which allows VLANs to span the entire
network, instead of just one switch. The Trunked interface that connects to another network device is
allowed to pass traffic for multiple VLANs, instead of only one VLAN as in a non-Trunked interface on
a switch.
Trunking Considerations
Trunk Encapsulation
Trunk Characteristics
Encapsulation Types
Creating Trunk
Modifying Trunk Attributes
Trunking Considerations
While using a Trunk, consider the following:
VLANs are local database of a switch. VLAN information is not passed between switches.
Trunk links provide VLAN identification for frames traveling between switches.
You can use either of the two Ethernet Trunking mechanisms: ISL and IEEE 802.1Q.
Trunks carry traffic from all VLANs to and from the switch by default. However, they can be
configured to carry only specified VLAN traffic too.
Trunk links must be configured to allow Trunking on each end of the link.

Dynamic Trunking Protocol (DTP) is a Cisco proprietary protocol. Trunk negotiation is managed by the
DTP on a link between two devices. DTP is also used for negotiating the type of Trunking encapsulation
to be used.
Dynamic Trunking is the ability to negotiate the Trunking method with the other device, and DTP is a
point-to-point protocol that supports auto-negotiation of both ISL and 802.1Q Trunks. DTP sends the
VTP domain name in a DTP packet.
Therefore, if you use DTP, and if the two ends of a link belong to a different VTP domain, the Trunk will
not function.
The Catalyst operating system options of auto, desirable, and on, and the IOS options of dynamic auto,
dynamic desirable, and trunk, configure a Trunk link using DTP. If one side of the link is configured
to Trunk and sends DTP signals, the other side of the link will dynamically begin to Trunk, if the options
match correctly.
11-40
OL-25941-01
Chapter 11
Configuring VLAN
To enable Trunking and not send any DTP signaling, you can use the option nonegotiate for switches
that support that function. If you want to disable Trunking completely, you can use the off option for a
Catalyst operating system switch or the no switchport mode trunk command on an IOS switch.
DTP is a second generation Dynamic Inter-Switch Link Protocol (DISL) and allows the Cisco Catalyst
devices to negotiate whether to use 802.1Q encapsulation. DISL and DTP do not negotiate Trunking in
case of EtherChannelthey only negotiate whether to enable Trunking.
Trunk Encapsulation
The following Trunking encapsulations are available on all Ethernet interfaces:
Inter-Switch Link (ISL)A Cisco-proprietary Trunking encapsulation.
802.1QAn industry-standard Trunking encapsulation.
Trunk Characteristics
Table 11-17 shows the DTP signaling and the characteristics of each mode.
Table 11-17
Trunking Mode Characteristics
Trunking
Mode
Frames
Sent
on
YES,
periodic
Description
Final state (local port)
Trunking is active. The interfaces sends DTP

Trunking,
signals that actively attempt to convert the link to unconditionally.
a Trunk link.
The interface becomes a Trunk interface if the
neighboring interface is set to on, auto or
desirable, and is running DTP. A port that is in on
mode always tags frames sent out from the port.
auto
YES,
periodic
These links will only become Trunk links if they

receive a DTP signal from a link that is already
Trunking or desires to trunk.
This will only form a Trunk if the neighboring
interface is set to on or desirable. This is the
default mode for Catalyst operating system
switches.
desirable
YES,
periodic
The port will end up in

Trunking state only if
the neighboring
interface wants to.
If the port detects that

the neighboring
interface is able to
Trunk (remote in on,
desirable or auto
This will form a Trunk if the neighboring interface
mode), it will end up
is set to on, auto, or desirable and is running
in Trunking state.
DTP. This is the default mode for all Ethernet
Otherwise, it will stay
interfaces.
non-Trunking.
These links would like to become Trunk links and
send DTP signals that attempt to initiate a Trunk.
They will only become Trunk links if the other
side responds to the DTP signal.

OL-25941-01
11-41
Chapter 11
Configuring VLAN
Table 11-17
Trunking Mode Characteristics (continued)
Trunking
Mode
Frames
Sent
nonegotiate
off
Description
Final state (local port)
NO
Sets Trunking on and disables DTP. These will

only become Trunks with ports in on or
nonegotiate mode.
Trunking,
unconditionally.
YES
This option sets Trunking and DTP capabilities

off. This is usually the recommended setting for
any access port since it prevents any dynamic
establishments of Trunk links.
Non Trunking,
unconditionally.
Encapsulation Types
The encapsulation type allows you to specify whether ISL or 802.1q should be used for Trunking. The
parameter is only relevant if the module you are using is able to use both types of encapsulation. The
parameter can have three different values as shown in table below.
Encapsulation Type
Description and Trunking
ISL
Sets the port encapsulation to ISL.
802.1Q
Sets the port encapsulation to 802.1q.
negotiate
Only available in auto or desirable Trunking modes:
If the neighboring interface has encapsulation type

set to negotiate, the Trunk will eventually be set up
with ISL.
If the interface is configured for ISL or 802.1q or

only able to use ISL or 802.1q, the Trunking
encapsulation used will be the same as the
neighboring interface.
Creating Trunk
To create trunk for a port:
Step 1
Select Configuration > Workflows > VLAN > Create Trunk.

The Create Trunk page appears.
Step 2
Select the device or domain from the list, and click Show Links.
The Available Links pane displays the links for each device that you have selected. Table 11-18
describes the fields in the Available Links pane.
11-42
OL-25941-01
Chapter 11
Configuring VLAN
Table 11-18
Available Links Field Description
Field
Description
Filter
Select the filter type and then enter the string. Leave the field blank to display
all.
You can filter the list based on the Port1, Device1, Port2, or Device2.
For example, if you want to see only the trunks on the selected devices which
starts with IP address 10.77, select Device1 from the Filter type, then enter
10.77.* in the filter field and click Filter.
Port 1
Port of the first device in the link.
Device 1
IP Address (IPv4 or IPv6 Address) of the device to which the port1 belongs to.
Port 2
Port of the second device in the link.
Device 2
Step 3
Click the radio button corresponding to the link to select link for which you want to create trunk.
Step 4
Click Create Trunk.

Or
From Topology Map, right-click the link for which you want to create trunk, and select Create Trunk
from the popup menu.
The Create Trunk window appears.
Table 11-19 describes the fields in the Create Trunk page.
Table 11-19
Create Trunk Page Field Description
Field
Description
Device Information
Device
IP addresses of the devices forming the link.
Port
Port numbers of the devices forming the link.
Trunk Settings
Encapsulation
Select the Encapsulation type for the trunk. LMS supports: Dot1Q,
ISL, Negotiate.
Mode
Trunking mode of the port is set to Desirable. LMS supports only

the Desirable mode.
Configure VLANs on Trunk
Allow Active VLANs
Disallow Active VLANs
Lists only the active VLANs.

1.
Select the VLANs for which you do not want to configure

Trunk.
2.
Click Add to move the VLANs to Disallowed VLANs list.
1.
Select the VLAN IDs of the VLANs, which must pass through
the Trunk.
2.
Click Remove to move the VLANs to the list of Allowed

VLANs.

OL-25941-01
11-43
Chapter 11
Configuring VLAN
Table 11-19
Create Trunk Page Field Description (continued)
Field
Description
Configure VLANSs on Trunk Using Ranges
Allow VLANs
Enter VLAN IDs of the VLANs, which must pass through the Trunk
in the range of 1 to 1005 and 1025 to 4094. The other VLANs are
not supported for Trunking.
Disallow VLANs
Enter VLAN IDs of the VLANs, which must not pass through the
Trunk, in the range of 1 and 4096.
If you enter numbers into both fields, the VLAN indexes that you
are disallowing will take precedence over VLAN indexes that you
are allowing.
For example, if you allow 1-1024 and disallow 1-100, VLANs with
ISL indexes of 101-1024 will be allowed.
To copy the running configuration to start-up configuration, select Copy Running to Start-up Config
check-box .
Step 5
Click Create to create the Trunk or click Close to exit.

After you click Create, it will be idle for 2 minutes to see if the device goes down on setting the port to
trunking mode. After 2 minutes, if the creation of trunk is successful, Data Collection for these devices
is triggered.
Only after the completion of Data Collection, you can see the newly configured trunk ports in the Modify
Trunk Attributes page.
Note
If the trunk link is configured in a port that flaps between blocking and non-blocking states due
to STP, then the port will be listed in both Create Trunk page and Modify Trunk Attributes page.
To know whether the port is trunking or not, enable logging in the device and see the log
messages.
Modifying Trunk Attributes

To modify trunk attributes:
Step 1
Select Configuration > Workflows > VLAN > Modify Trunk Attributes.
The Modify Trunk Attributes page appears.
Step 2
Select devices from the device list, and click Show Trunks.
The trunks configured on the devices are listed in the Trunk List. See Table 11-20.
11-44
OL-25941-01
Chapter 11
Configuring VLAN
Table 11-20
Trunk List Field Description
Field
Description
Filter
Select the filter type and then enter the string. Leave the field blank to display all.
You can filter the list based on the Port1, Device1, Port2, or Device2.
For example, if you want to see only the trunks on the selected devices which starts
with IP address 10.77, select Device1 from the Filter type, then enter 10.77.* in the
filter field and click Filter.
Step 3
Port 1
Port number of the port of the device at one side in the link that is configured for
Trunking.
Device1
Port2
Port number of the port of the device at the other end of the link that is configured
for Trunking.
Device2
Select the radio-buttons corresponding the trunk you want to modify, and click Modify Trunk.
The Modify Trunk window appears.
The Device Information pane displays the device IP address and the port number of all the devices you
have selected.
Step 4
Select the Trunk Settings

a.
Select Encapsulation:
Dot1Q
ISL
Negotiate
b.
Step 5
Mode
Configure VLANs on Trunk.
Allow VLAN(s)Enter VLAN IDs of the VLANs, which must pass through the Trunk, in a range
between 1 to 1005 and 1025 to 4094. The other VLANs are not supported for Trunking. * indicates
that the VLANs were previously disallowed.
Disallow VLAN(s)Enter VLAN IDs of the VLANs, which must not pass through the Trunk, in a
range between 1 and 4096.
Use the Add or Remove buttons to allow or disallow VLANs.

To copy the running configuration to start-up configuration, select Copy Running to Start-up Config
check-box.
Step 6
Click Modify.

OL-25941-01
11-45
Chapter 11
Configuring VLAN
EtherChannel
EtherChannel
EtherChannel is a technology that bundles individual Fast Ethernet and Gigabit Ethernet links into a
single logical link that would provide higher bandwidth. EtherChannels thus enable you to aggregate up
to Gigabit Ethernet connections, providing up to 16 Gbps of bandwidth (in full duplex mode).
The channel is treated as a single logical connection between two switches. If one of the connections
fails in the EtherChannel, the other connections will be operating so that the connection is not down.
Understanding EtherChannel
Using EtherChannel
Understanding EtherChannel
EtherChannel provides incremental Trunk speeds between Fast Ethernet (FE) and Gigabit Ethernet (GE)
by grouping multiple equalspeed ports into a logical port channel. EtherChannel combines multiple FEs
up to 800 Mbps or GEs up to 8 Gbps, providing fault-tolerant, high-speed links between switches,
routers, and servers.
LMS supports only PAgP, the aggregation protocol. When a user selects a port or link for configuring
EtherChannel, the user is prompted with all available ports that can participate in the channel (Ports that
are directly connected between devices).
Admin Group ID attribute for each port is also provided under group attribute. User can change them
accordingly to choose which ports need to aggregate into a channel.
All ports that have same group value will participate in channel. LMS supports only the Desirable mode
for EtherChannel configuration.
LMS does not support EtherChannel configuration between a switch and router.
Using EtherChannel
LMS allows you to:
Aggregate multiple links between switches into one or more EtherChannels.
Configure frame distribution parameters for EtherChannel load balancing.
Configuring EtherChannel
To configure EtherChannel:
Step 1
Either:
Or

Step 2
Select a view that contains the devices for which you want to configure EtherChannel.
11-46
OL-25941-01
Chapter 11
Configuring VLAN
This view is in the Tree View in the Topology Services Main Window.
Step 3
Right-click the view and select Display View from the popup menu.
The Network Topology View window appears.
Step 4
From the Network Topology View select the link on which you want to configure EtherChannel.
Step 5
Right-click the link and select Configure EtherChannel.

The EtherChannel Configuration window appears.
Protocol field displays PAgP. Port Aggregation Protocol (PAgP) is the Protocol that is supported for
configuring EtherChannel.
Step 6
Select one of the Distribution Protocols from the drop-down menu:
ip
mac
port
leave default
Select leave default when you do not want to configure distribution protocols.
The Channel Mode field displays the mode of the port.

LMS supports only the Desirable mode for EtherChannel configuration.
Step 7
Select one of these Distribution Address Types from the drop-down menu:
source
destination
both
leave default
Select leave default when you do not want to configure distribution address type.
Step 8
Select the link for which you want to configure EtherChannel.
Step 9
Click Copy Running to StartUp config for IOS switches, if required.
Step 10
Click Apply to continue or click Close to exit.

VLAN Port Assignment is an application that displays device, port, and related VLAN information for
an associated VTP domain in a tabular format and helps you manage ports on your network's VLANs.
Use VLAN Port Assignment to:
Assign or move ports to a VLAN.
View port, device, and Trunk attributes.
View and find port information in a VTP domain.
Configure VLANs on a Trunk.
Show and highlight a selected device or VLAN on a selected VTP domain.

OL-25941-01
11-47
Chapter 11
Configuring VLAN
Note
Assigning ports to VLANs cannot be done for more than 100 devices at a time, since it results in memory
issues. Do VLAN port assignment for 100 devices at a time.
This topic contains the following sections:
Understanding VLAN Port Assignment
Starting VLAN Port Assignment
Prior to using VLAN Port Assignment, you should understand the concepts of VLANs and VTP
domains. For more details on this, see:
VTP Domains
Understanding VLAN Port Assignment

To enable end-user ports to participate in a specific VLAN, you must first assign the ports. You assign
ports to specified VLANs. The VLANs allow the ports to share the same broadcasts.
Ports that are not assigned to the VLAN cannot share these broadcasts. For more information about
VLANs, see Understanding Virtual LAN (VLAN).
For VLAN Port Assignment to work correctly, LMS must discover the network. LMS requires a
properly configured network to complete network discovery.
VLAN Port Assignment queries the ANI database based on criteria you enter.
After you submit the query, VLAN Port Assignment displays the device, port, and related VLAN
information for an associated VTP domain. This is displayed in a tabular format.
You can use VLAN Port Assignment to:
View and find port information in a VTP domain
View port, device, and Trunk Attributes
Show and highlight a selected device or VLAN in the VTP domain view
Starting VLAN Port Assignment

To start VLAN Port Assignment:
Step 1
Verify that your network is set up properly.
Step 2
Verify that the LMS server is set up properly and running.
Step 3
Select Configuration > Workflows > VLAN > Configure Port Assignment.
If you are prompted to install the Java plug-in, you can download and install the plug-in using the
displayed installation screens. The next time you start the application, it will automatically use the
plug-in.
11-48
OL-25941-01
Chapter 11
Configuring VLAN

This section provides information to assign ports to VLAN.
To assign ports to a VLAN:
Step 1
Select Configuration > Workflows > VLAN > Configure Port Assignment.
The VLAN Port Assignment page appears.
Step 2
Select device or domain from the list using Device Selector or Domain Selector.
Step 3
Click List Ports.

A list of ports in the selected devices or entities appears under the Port List. See Table 11-21 for the Port
List :
Table 11-21
Port List Field Description
Field
Filter
Description
Device Name
Device Address
Link
Port
Port Status
Port Description
VLAN Name
VLAN Index
Association Type
Enter the filter string, and click Filter to filter the list based on the inputs.
Leave this field blank to list all ports.
Advanced Filter
Click Advanced Filter to open Advanced Filter dialog box. Advanced

filtering allows you to search ports using more search criteria.
For more details on Advanced Filter, see Advanced Filter.
Columns
Link
Shows whether the port is connected to a switch or not. The value can either
be True or False.
Port
Name of the port.
Device Name
Device Address
IP address of the device to which the port belongs to.
VLAN Name
Name of the VLAN to which the port belongs to.
Port Status
Status of the port. Shows whether the port is active or down.
Port Description
Description for the port.

Example: Intra-area 0.2.0.0 Resilient link
VLAN Index
Index number of the VLAN to which the port belongs to.
Association Type
Type of Association.

OL-25941-01
11-49
Chapter 11
Configuring VLAN
Step 4
Select a VLAN from the VLAN drop-down list.

To copy the running configuration to the start-up configuration, select Copy running to start-up config
check-box.
Step 5
Click Assign.

You can use the following scenarios to manage your network using LMS.
Configuring PVLANs in External Demilitarized Zone

Scenario
Web servers and Domain Name Servers (DNS) are connected to a Demilitarized Zone (DMZ) switch.
The DMZ switch is configured with the VTP domain name, DMZ, where the switch is in transparent
mode running VTP version 2. The servers belong to the same broadcast domain or VLAN.
Understanding the Scenario
This scenario would help you to isolate Layer 2 devices using PVLAN, and ensure that the DMZ servers
do not send data across them, while internal and external hosts access these servers.
DMZ servers must be accessible from external clients as well as from the internal network. DMZ servers
eventually needs access to some internal resources, and the servers must not send data across. The
servers must not initiate traffic from the DMZ switch to the Internet. The DMZ servers reply only to the
traffic from the internal resources.
Understanding Concepts
LMS provides an end-to end solution for configuring Private VLANs, the security feature which LMS
provides for managing LANs. You can configure PVLANs using LMS.
You can configure PVLANs in scenarios where Demilitarized Zone (DMZ) switches are configured
without adhering to the right policies, leading to potential intrusions into your network.
Demilitarized Zone
Demilitarized Zone is a small subnetwork, which lies between a secure internal network, such as a
corporate private LAN, and a non secure external network, such as the public Internet. DMZ contains
devices like Web servers, FTP servers, SMTP servers and DNS that are accessible to the Internet traffic.
DMZ servers process incoming requests from the Internet, and initiate connections to certain internal
servers or other DMZ segments, such as database servers.
DMZ servers must not send data or initiate any connection to the external networks. This shows that the
necessary traffic flows on the basis of a trust model; but the model is not adequately enforced in many
networks.
Prerequisites
Reproducing Scenario
Verifying Configuration
11-50
OL-25941-01
Chapter 11
Configuring VLAN
Prerequisites
In this scenario, you need the following applications and tools in LMS.
Topology Services
PVLAN configuration user interface
Promiscuous port configuration user interface
VLAN report
Reproducing Scenario
To set up the scenario you must configure secondary VLAN on the servers, with isolated ports and
community ports. The Firewall, the only device within the primary VLAN, must be defined in a primary
VLAN with a promiscuous port.
Step 1
Create a primary VLAN: VLAN 100.

Enter VLAN 100 in the Private VLAN Name field to name the primary VLAN. For more details on
creating primary VLAN, see Creating Primary VLAN.
Step 2
Create a community VLAN: VLAN 50.

a.
Enter VLAN 50 in the Private VLAN Name field.
b.
Associate VLAN 50 to the primary VLAN, VLAN 100.
For more details on creating secondary VLAN, see Creating Secondary VLAN and Associating to
Primary VLAN.
Step 3
Create an isolated VLAN: VLAN 60.

a.
Enter VLAN 60 in the Private VLAN Name field to name the isolated VLAN
b.
Associate VLAN 60 to the primary VLAN, VLAN 100.
For more details on creating secondary VLAN, see Creating Secondary VLAN and Associating to
Primary VLAN.
Step 4
Assign ports, which are connected to the Web servers, to the community VLAN 50.
Step 5
Assign ports, which are connected to the DNS servers, to the isolated VLAN 60.
Step 6
Configure the port that connects to the Firewall as a promiscuous port and map the secondary VLAN 50
and VLAN 60 to this promiscuous port. For more details, see Configuring Promiscuous Ports.
After you configure the promiscuous port, the secondary VLANs appear in the Mapped VLANs table.
You have configured promiscuous port and mapped both secondary VLANs to the primary VLAN 100.
If you want to map only the community VLAN 60, you must check the configurations, and map the other
isolated VLANs.
Check the Select to Unmap check box and click Apply to unmap the isolated VLAN from primary
VLAN. Community VLAN 60 is unmapped from the primary VLAN.

OL-25941-01
11-51
Chapter 11
Configuring VLAN
Verifying Configuration
To verify the configuration for this scenario:
Step 1
Either:
Or

Step 2
From the Tree View in the Topology Services Main window, verify whether the new PVLANs are listed
under DMZ VTP domain in transparent mode.
Primary VLAN 100 is listed as a subfolder under the DMZ domain and the secondary VLAN under the
Primary VLAN subfolder. Note that the icon for PVLANs is different from the icon for normal VLANs.
Step 3
Generate VLAN Report for DMZ domain.
Step 4
Verify whether the new primary VLAN and secondary VLANs are listed. The associated primary VLAN
is also listed for the secondary VLANs.
Step 5
To confirm that the PVLAN configuration is functioning, you can:

a.
Run a trace between the Web servers. The resultant traces must be successful.
b.
Run a trace between any Web server and the DNS. The resultant trace must fail.
c.
Run a trace between the DNS servers.
11-52
OL-25941-01
CH A P T E R
12

Using LMS, you can perform end-to-end VRF configurations in an enterprise network. You can perform
the VRF Configurations using the following configuration workflows:
Configuring VRF
Editing VRF
Extend VRF
Deleting VRF
You can assign multiple VLANs to a single VRF instance using Edge VLAN Configuration workflow.
To view and manage VRF configuration jobs, see Using VRF Lite Job Browser.
This section also details the following:
Scalability Limits
Pre-requisites
Scalability Limits
In an Enterprise network, LMS is tested to support the configuration of 32 VRFs with VRF configuration
supported in 550 devices in your network. However, at a given time, you can select up to 20 devices and
configure VRF using the Create, Edit and Extend VRF workflow.
Pre-requisites
The pre-requisites to perform VRF configurations are:

1.
The device must be managed by LMS.
2.
The device must either be L2/L3 or an L3 device
3.
The device must have the necessary hardware support. For more information on hardware support,
see http://www.cisco.com/en/US/products/sw/cscowork/ps563/
If the device hardware is not supported then the device will be classified as Other devices
4.
If a device does not support MPLS VPN MIB, it is classified as a Capable device.
5.
VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
LMS will not manage VTP Clients.

OL-25941-01
12-1
Chapter 12
Configuring VRF
Configuring VRF
VRF configurations comprises workflows used to create, edit, extend, delete and assign Edge VLAN to
VRF. The VRF Create wizard enables you to create new VRF instances on the selected devices.
To navigate through the Configuration workflows, click Back or Next. To exit the Configuration
workflow, click Cancel.
This section explains the Device Selector.
Device Selector
To configure VRF on the devices, the devices are selected using the Device Selector. The Device
Selector in all the configuration workflows displays the devices that satisfy the following condition:
Layer2/Layer3 devices
Layer3 devices
To create VRF, the VRF Creation wizard directs you through:

1.
Create VRF
2.
Interface Mapping to VRF
3.
Routing Protocol Configuration
4.
Summary of VRFs to be Configured
Create VRF
In the Create VRF workflow, you can select the Layer2/Layer3 or Layer 3 devices from the Distribution
Layer or the Core Layer. At a given time, you can select up to 20 devices and configure VRF on the
selected devices.
After selecting the devices, you can provide following details of VRF: VRF Name, Route Distinguisher
and description of VRF that helps you identify the VRF that you have created.
In order to understand the workflows while configuring VRF, consider the topology as shown in
Figure 12-1 to demonstrate various stages involved in the VRF creation process. The topology includes
devices from Distribution Layer and Core Layer.
12-2
OL-25941-01
Chapter 12

Configuring VRF
Figure 12-1
LMS Topology
cmx-saturn
Fa0/1.11
Fa0/0.20
10.77.241.8
10.77.241.5
Fa0/1.3
Fa4/0
Gig 12/43
Gig 1/9
10.77.241.4
Gig 1/3 Trunk
cmx-mercury
10.77.241.9
Gi2/39.1
Gig 4/7
Gig 4/9
Gig 4/9
10.77.241.6
10.77.241.7
Gig 4/3
Gi1/1 Gig 1/2
Gig 4/5
Gig 4/2
Gi1/1
Gig 1/4
Fa0/1
Gig 2/1
10.77.241.2
Gig 1/3
10.77.241.3
Routed link
Trunk link
Router on Stick
10.77.241.11
274925
cmx-uranus
Here, the devices selected are 10.77.241.2 and 10.77.241.4. The interface connecting the two devices is
a routed interface.
If you select only one device, the VRF creation prompts you to exit the Create VRF wizard, without
mapping any interface to the VRF created on the selected device.
To provide end-to-end virtualization for the selected devices, you must virtualize the interfaces
connecting devices selected. An interface can be mapped to a VRF in the Interface Mapping to VRF
workflow.
To map an interface to the VRF created (virtualize an interface), you must select at least two devices in
the VRF creation wizard.
Only users with Network Administrator privileges can create VRFs.

OL-25941-01
12-3
Chapter 12
Configuring VRF
To create VRF:
Step 1
Select Configuration > Workflows > VRF-lite > Create VRF.

The Create VRF page appears.
Step 2
Enter the details as mentioned below:

Table 12-1
Settings in Create VRF
Window Element
Description
Device Selector
Device Selector
The Device Selector displays the devices under the following groups:
All Devices - Represents VRF Supported devices managed by LMS.
Device Type Groups - Represents the devices that are grouped as Routers,
Switches and Hubs, and Unknown Device Type.
User Defined Groups - Represents the devices that are in the user-defined
groups.
The Device Selector enables you to search and select the devices on which VRF
is to be configured.
Select the devices using the Device Selector.
Check the checkbox to select the device in the groups listed and click Select.
If you select only one device, the VRF creation wizard is completed without
mapping any interface to the VRF created on the selected device.
To map an interface to the VRF created, you must select at least two devices in
the VRF creation wizard.
See Inventory Management with Cisco Prime LAN Management Solution 4.2 for
VRF Details
VRF Name
Name of the VRF to be created. Valid values are alphanumeric characters. This
field is mandatory.
Route Distinguisher Value used to distinguish routes configured in a VRF. Valid values are numeric
(RD)
characters in the format X:Y.
The valid values for X are autonomous numbers. X can take values from 1 to
65535 or an IP Address.
The valid values for Y are numeric values. Y can take values from 1 to 65535.
For example X:Y is in the form 32:66 or 10.10.10.10:22.
Note: You must enter a unique value for each VRF that is configured.
Description
Description of VRF to be created. Valid values are alphanumeric characters.

With no entry, the default description provided by LMS is VRF Created by
LMS
Finish
Click Finish to create VRF on the selected devices without interface mapping.
12-4
OL-25941-01
Chapter 12

Configuring VRF
Step 3
Click Next.
The Interface Mapping to VRF window appears. For information on Interface Mapping to VRF, see
Interface Mapping to VRF.

The Interface Mapping to VRF window displays the Source and the Destination devices selected using
Device Selector. The page also displays a list of links in the form of rows.
Current Mode
Preferred Virtual Interfaces
Native VLAN
The Interface Mapping to VRF window is used to map an interface to a VRF. The links displayed are the
interfaces connecting a Source device to the Destination device. The mapping is performed from the
devices in the Distribution Layer and Core Layer.
Current Mode
The current mode is the existing mode of an interface connecting any two selected devices. The current
mode of an interface can be either a Switched or Routed mode.
In the Interface Mapping to VRF page, while you are assigning an interface to a VRF, you are prompted
to create preferred virtual interfaces on the device. LMS suggests a preferred virtual interface, in
scenarios where the current mode cannot be considered for configuring VRF.
The preferred virtual interfaces decide the type of virtual interface to be created, to virtualize an interface
that connects the selected devices while you create VRF. The preferred virtual interfaces are based on
the family of the selected devices.
The preferred virtual interface type is a part of the metadata XML file. The metadata XML file is used
as a repository to store information on the device types and their associated metadata while creating
VRF.
LMS has defined the following preferred virtual interfaces for the devices belonging to:
Cat3k and Cat4k family, SVI is the preferred virtual interface
Cat 6k and Router category, Sub-interface is the preferred virtual interface
Consider an example where two devices are selected. The virtual interfaces are created based on the
current mode.
Note
The interfaces that are virtualized using VRF-lite must be Layer 3 interfaces.
In the Interface Mapping to VRF page, an interface is virtualized based on the current mode of the
interface.

OL-25941-01
12-5
Chapter 12
Configuring VRF
The Interface Configuration modes are mentioned in the Table 12-2.

Table 12-2
IInterface Configuration Modes
Current Mode
Trunk is configured
Preferred Mode
LMS Configures
Switched
Yes
SVI
SVI
Switched
Yes
SI
SVI
Switched
No
SVI
Trunk, SVI
Switched
No
SI
Trunk, SVI
Routed
N/A
SVI
Trunk, SVI
Routed
N/A
SI
SI
Routed with
Sub-interface
configured
N/A
SI
SI. LMS configures with

current mode
Routed with
Sub-interface
configured
N/A
SVI
SI.LMS configures with

current mode
1. Interface is in Routed mode and the Sub-interface is not configured.

2. Interface is in Routed mode and the Sub-interface is not configured.
Native VLAN
In the Interface mapping to VRF page, when you configure the VRF details on an interface, the VRF
configurations might affect the global configurations in some scenarios. Therefore, Native VLANs are
used for the global configuration traffic.
Consider the source device as 10.77.241.4 with source interface as Gi 1/1 and the destination device as
10.77.241.2 with destination interface as Gi 1/1 as shown in Figure 12-2.
12-6
OL-25941-01
Chapter 12

Configuring VRF
Figure 12-2
Native VLAN Configuration
cmx-saturn
Fa0/1.11
Fa0/0.20
10.77.241.8
10.77.241.5
Fa0/1.3
Fa4/0
Gig 12/43
Gig 1/9
cmx-mercury
10.77.241.9
Gi2/39.1
cmx-uranus
10.77.241.4
Gig 1/3 Trunk
Gig 4/7
Gig 4/9
Gig 4/9
10.77.241.6
10.77.241.7
Gig 4/3
Gi1/1 Gig 1/2
Gig 4/5
Gig 4/2
Gi1/1
Gig 1/4
Fa0/1
Gig 1/3
10.77.241.3
10.77.241.2
Routed link
Trunk link
Router on Stick
10.77.241.11
274925
Gig 2/1
Scenario 1: If both source and destination interfaces are in routed mode, Trunk cannot be configured on
the interfaces. To configure Trunk, LMS converts the routed port of the destination interface to switch
port. If a free VLAN exists, VNM converts the free VLAN to Native VLAN.
Table 12-3
Source
Interface
IP
with port
mode
Scenario 1
Destination
Preferred Sub-interface Interface IP
Is Trunk Mode
configured
with port mode Is Trunk
10.77.241. False
4, Routed
Note
SI
Yes
10.77.241.2,
Routed
False
Preferred Sub-interface
Mode
configured
SVI
No
The IP Address provided for the source and the destination interface must be within the same network.
For example: If the source interface IP Address is 10.10.10.2, then the destination interface IP Address
must be configured as 10.10.10.3.

OL-25941-01
12-7
Chapter 12
Configuring VRF
Step 1
In the Interface Mapping to VRF window, enter the details as in Table 12-4:
Table 12-4
Interface Mapping to VRF Settings
Window Element
Description
VRF Details
VRF Name
Name of the VRF to be created.
Source
Source Device
Name
Displays the Source Device name as in Device Credentials and Repository (DCR).
Click the arrow icon to view or hide details of the interfaces that are a part of the
Source device.
Checkbox
To assign a link to a VRF, check the check box against the interfaces listed under
the device name to which they are connected.
Interface
Interface connecting the Source device.
IP Address
Source interface IP Address. Valid IP values are the IPv4 Addresses.

This field is blank if the source physical interface is not configured with an IP
Address.
If you newly configure an IP Address, the corresponding network IP Address must
be advertised. You must advertise the IP Address by manually updating the
Commands field in the Routing Protocol Configuration page.
Destination
Device Name
Displays the Destination Device name as entered in Device Credentials and

Repository (DCR).
Interface
Interface connecting the Destination device.
IP Address
Destination interface IP Address. Valid IP values are the IPv4 Addresses.

If the destination physical interface is not configured with an IP Address, this field
is blank.
If you newly configure an IP Address, the corresponding network IP Address must
be advertised. You must advertise the IP Address by manually updating the
Commands field in the Routing Protocol Configuration page.
Subnet Mask
Subnet mask of the interface
is Trunk
Provides the status of the Trunk configuration on the associated physical interface.
The following status is displayed:
Not Applicable In some scenarios, Trunk configuration is not required to

configure VRF
True Trunk is configured on the associated physical interface
Create Trunk is not configured on the associated physical interface.
Click Create to create a Trunk.

VLAN ID
VLAN ID on which VRF is configured. VLAN ID is auto-generated.

The allowed range is from 1 to 4095. You can edit VLAN ID.
12-8
OL-25941-01
Chapter 12

Configuring VRF
Table 12-4
Step 2
Interface Mapping to VRF Settings (continued)
Window Element
Description
VLAN Name
VLAN Name on which VRF is configured.VLAN Name is auto-generated. You can

edit VLAN Name
Finish
Click Finish to create VRF on the devices selected and maps the interfaces
(connected to the devices) to VRF without deploying the routing protocol
configuration details.
Click Next.
The Routing Protocol Configuration window appears.
For information on Routing Protocol Configuration, see Routing Protocol Configuration.
Warning Messages
In the Create VRF workflow, when you assign an interface to a VRF, in the following scenarios, the
Warning messages displayed are:
Table 12-5
Information on Warning Messages
Warning Message
Scenario
One link is not configured as

Trunk
Trunk is not configured on the selected physical interfaces displayed in

the Interface Mapping to VRF window. You cannot assign VRF to the
non-trunk interfaces.
Some of the selected devices

are isolated
Reasons for warning about isolated devices are:
Devices selected are not in series:

At least one or more devices selected are not connected in series,
so the unconnected devices get isolated. You can view these device
details in Topology (Layer 2 View).
or
Devices with no physical connection:

At least one or more selected devices is not physically connected.
These devices are isolated device. You can view these device
details in Topology (Unconnected View).
You cannot assign VRF to interfaces for isolated devices.

The Routing Protocol Configuration window is used to configure the Routing protocol to the selected
devices on which VRF is configured.
By default, the Routing Protocol information from the global configuration for OSPF and EIGRP
protocols is displayed.

OL-25941-01
12-9
Chapter 12
Configuring VRF
Static Route Configuration
LMS currently supports the following Routing Protocols: OSPF and EIGRP. You can enter the static
route configuration using the Configuration Icon in the Routing Protocol Configuration page.
Command Syntax
ip route vrf
vrfname Destination IP Address Subnet Mask Router IP Address
For example:
ip route vrf Red 172.16.30.0 255.255.255.0 172.16.20.2
To configure static route directly using a device, you must enter the command as mentioned in the
Command Syntax in the configuration mode.
Step 1
In the Routing Protocol Configuration window, enter the details as given in Table 12-6:
Table 12-6
Routing Protocol Configuration Settings
Window Element
Description
Device Name
Device name to which routing protocol is associated.
IP Address
IP Address of the device.
Routing Protocol
Routing Protocol
You can configure the routing protocols on the VRF-configured devices.

The drop-down list displays the routing protocols running on the selected
device. LMS supports following routing protocols:
OSPF
EIGRP
Routing Protocols listed are the protocols present in global Configuration

details.
View Global
Displays the VRF configuration and the global configuration details of the
device name.
You cannot edit these details.
Commands
Commands
Displays the commands used to configure routing protocol configuration on

the VRF to be created.
Configuration Icon
Enables you to edit the commands displayed in the Commands field.
Restore Default
Restores Protocol configuration and clear edited Commands details to default

global configuration values.
Finish
Enables you to finish the Create VRF workflow without viewing the
commands used to deploy the VRF Configurations in the Summary page.
Upon clicking finish, a job is created to deploy the VRF Configuration details
to the selected devices.
Step 2
Click Next
The Summary page appears. For information on Summary, see Summary of VRFs to be Configured.
12-10
OL-25941-01
Chapter 12

Configuring VRF
Summary of VRFs to be Configured

The Summary page summarizes the VRF and the Protocol configuration details to be deployed on the
devices selected.
Note
Sample Summary
Upon successful completion of Create VRF workflow, LMS triggers the Data Collection process. After
the Data Collection process is complete, LMS initiates the VRF Collection process.
The Sample Summary summarizes the VRF configuration details on the devices 10.77.241.2 and
10.77.241.4, connected by an interface Gi1/1. For more information, see Figure 12-2.
A sample of the summary is displayed below.
Sample Summary
Device:10.77.241.2
ip vrf Green
description Green VRF
rd 60:70
vlan 4
name Vlan_4
vlan 3000
name VLANforGreenVRF
interface Vlan4
ip address 20.20.20.1 255.255.255.252
no shutdown
interface Gi1/1
switchport trunk native vlan 4
switchport trunk allowed vlan add 4
no shutdown
interface VLAN3000
ip vrf forwarding GreenVRF
ip address 20.20.20.1 255.255.255.252
no shutdown
router eigrp 10
address-family ipv4 vrf GreenVRF
autonomous-system 10
network 10.0.0.0
network 20.0.0.0
auto-summary
eigrp router-id 10.77.241.2
eigrp stub connected summary
exit-address-family
Device:10.77.241.4
ip vrf GreenVRF
rd 60:70
interface Gi1/1
no switchport
interface Gi1/1.1

OL-25941-01
12-11
Chapter 12
Configuring VRF
encapsulation dot1Q 3000

ip address 20.20.20.2 255.255.255.252
no shutdown
router eigrp 10
network 10.0.0.0
network 20.0.0.0
auto-summary
exit-address-family

The following VRF configuration details are deployed on the selected devices and corresponding
interfaces. The description of the VRF configuration details is given in Table 12-7.
Table 12-7
Create VRF Configuration
Command
Purpose
Device
device name
Name of the selected device
ip vrf
vrf-name
Allows you to enter VRF configuration mode and assigns

a VRF name
description
rd
vrf-name
Provides description of the VRF created
route-distinguisher
interface
Creates a VPN route distinguisher
interface-id
encapsulation dot1Q
Allows you to enter the interface configuration mode and

specify the Layer 3 interface to be associated with the
VRF. The interface can be a routed port or SVI.
vlan-identifier
Allows you to define the encapsulation format as IEEE

802.1Q and specify the VLAN identifier.
The VLAN identifier takes values ranging from 1 to 4095.
ip vrf forwarding
ip address
Step 1
vrf-name
ip-address mask
Associates a VRF with an interface or sub-interface

Configure IP Address on an interface or sub-interface.
no shutdown
Enables an interface.
no switchport
Converts Layer 2 switch port interface to a Layer 3 routed

physical interface
Click Finish
A job is created to deploy the VRF configuration details to the selected devices. A confirmation message
appears with the Job ID in the Information dialog box.
For example, if you create VRF Red, the message appears, Successfully created job for
confirmation deployment 1051
Step 2
Click Job ID to check status of the Create VRF Configuration Job in the Information dialog box.
12-12
OL-25941-01
Chapter 12

Editing VRF
Step 3
Click OK in the Info dialog box.

To view the VRF configuration job status, go to Configuration > Job Browsers > VRF Lite. See Using
VRF Lite Job Browser.
Note
To exit the VRF Create wizard without deploying the VRF details on the devices selected, click Cancel.
Editing VRF
Edit VRF enables you to edit the VRF details on the devices participating in a VRF.
The Edit VRF workflow is used to edit the following details:
IP Address of the interface connecting the devices that are a part of the selected VRF
VLAN ID and VLAN Name
Exclude an interface that is a part of the selected VRF
Only users with Network Administrator privileges can edit VRF details.
To edit VRF details of the VRF configured devices, the VRF Edit wizard directs you through:
1.
Interface Mapping to VRF in Edit VRF
2.
Routing Protocol Configuration in Edit VRF
3.
Summary of Edit VRF
To edit VRF:
Step 1
Select Configuration > Workflows > VRF-lite > Edit VRF.

The Edit VRF page appears. Table 12-8 describes the fields on the Edit VRF page.
Table 12-8
Edit VRF Settings
Window Element
Description
VRF Details
VRF Name
Shows the list of VRFs as a drop-down list.

You can edit the VRF by selecting the VRF from the drop-down list.
Route Distinguisher (RD) Display only. Shows the RD value of the selected VRF in the format X:Y.
For more information on RD, see Route Distinguisher (RD).
Description
Display only. Description of the selected VRF. You cannot edit the
description.
Device Selector

OL-25941-01
12-13
Chapter 12
Editing VRF
Table 12-8
Edit VRF Settings
Window Element
Description
Device Selector
Device Selector displays pre-selected devices, participating in the selected

VRF.
All Devices - Represents VRF Configured devices
Device Type Groups - Represents the devices that are grouped as

Routers, Switches and Hubs, and Unknown Device Type
User-defined Groups - Represents the devices that are in the

user-defined groups.
The Device Selector enables you to search and select the devices on which
VRF must be configured to edit the VRF functionality.
Select the checkbox to select the device in the groups listed and click
Select.
You must select at least two devices to edit the virtualization of the link
connecting devices participating in the selected VRF.
For more information on the devices listed, see Device Selector.
Note
Step 2
The Device Selector does not display the devices that are not managed by LMS.
Click Next
The Interface Mapping to VRF window appears.
For information on Interface Mapping to VRF, see Interface Mapping to VRF in Edit VRF.
Consider the devices selected for Edit VRF workflow are: source device 10.77.241.4 with source
interface as Gi 1/1 and the destination device as 10.77.241.2 with destination interface as Gi 1/1 as
shown in Figure 12-2.
Interface Mapping to VRF in Edit VRF

The Interface Mapping to VRF window displays a list of links connecting the devices that are selected
in the Edit VRF page and are participating in the VRFs to be edited.
The link details are:
The links displayed, can either be virtualized with the selected VRF or unvirtualized. You can use
the Interface checkbox to deselect a link. This unvirtualizes a virtualized link.
The corresponding negate command is displayed in the Summary of Edit VRF page indicating that
the SI or SVI has been removed. You must manually update the negate command for the routing
protocols in the Commands in Edit VRF workflow.
If both interfaces on either side of a link, are virtualized with a VRF, the Interface Mapping to VRF
page displays the values of VLAN,Switch Virtual Interfaces (SVIs) or Sub-Interface (SIs) IP address
and so on.
12-14
OL-25941-01
Chapter 12

Editing VRF
If a link is virtualized only on one side of the interface, the same VLAN is used to virtualize the
interface on the other end of the link. LMS application will not use a new VLAN. You can edit the
VLAN details in this page.
The Interface Mapping to VRF window is used to map an interface to a VRF. The mapping is performed
from the Distribution layer to the Core layer. It also provides information on the Source and the
Destination devices associated with a link.
In the Interface Mapping to VRF in Edit VRF page, while assigning an interface to a VRF, LMS suggests
preferred virtual interfaces to be created on the device. For more information, see Preferred Virtual
Interfaces.
Step 1
In the Interface Mapping to VRF window, enter the details as given in Table 12-9:
Table 12-9
Settings in Interface Mapping to VRF in Edit VRF
Window Element
Description
VRF Details
VRF Name
Display only. Name of the VRF selected.
Source
Source Device
Name
Displays the Source Device name as entered in Device Credentials and Repository
(DCR).
Click the arrow icon to view or hide SIs or SVIs that are a part of the source device,
participating in the VRF selected.
Checkbox
To assign an SI or SVI to a VRF, check the check box against the SVIs or SIs listed
under the device name to which they are connected.
When you uncheck the checkbox to deselect a link to unvirtualize a virtualized
link, the corresponding Negate command appears in the Summary of Edit VRF
page.
You must manually update the negate command for the routing protocols in the
Commands in Edit VRF workflow.
Interface
Display only. Shows the SVIs or SIs name in the Source device.
IP Address
If the interface is virtualized with a configured IP Address, it displays an SI or SVI.

You can edit the IP Address. Valid IP values are the IPv4 Addresses.
This field will be empty if the source physical interface is not configured. If you
configure an IP Address newly, you must advertise the corresponding network IP
Address by manually updating the Commands in Edit VRF field.
Destination
Device Name
Display only. Shows the Destination Device name as it appears in the Device
Credentials and Repository (DCR).
Interface
Display only. Shows the name of the SVIs or SIs in the Destination device.
IP Address
If the interface is virtualized with a configured IP Address, it displays an SI or SVI.

You can edit the IP Address. Valid IP values are the IPv4 Addresses.
This field will be empty if the source physical interface is not configured. If you
configure an IP Address newly, you must advertise the corresponding network IP
Address by manually updating the Commands in Edit VRF field.
Subnet Mask
Displays the subnet mask of the IP Address of SVI or SI.

OL-25941-01
12-15
Chapter 12
Editing VRF
Table 12-9
Step 2
Settings in Interface Mapping to VRF in Edit VRF
Window Element
Description
is Trunk
Provides the status of the Trunk configuration on the associated physical interface.
The following status appears:
True Trunk is configured on the associated physical interface
Create Trunk is not configured on the associated physical interface.

To configure a Trunk, click Create hyperlink. A message appears if the Trunk
creation fails.
VLAN Name
VLAN Name on which VRF is configured. VLAN Name is auto-generated.
VLAN ID
VLAN ID on which VRF is configured. VLAN ID is auto-generated. You can edit

VLAN ID.
Click Next
For information on Routing Protocol Configuration, see Routing Protocol Configuration in Edit VRF.
Routing Protocol Configuration in Edit VRF

The Routing Protocol Configuration window displays details of the configured Routing protocols. These
protocols are associated to the individual devices that you have selected. VRF is configured on these
devices.
The details of the routing protocol running in the global configuration are also displayed.
Step 1
In the Routing Protocol Configuration window, enter the details as given in Table 12-10.
Table 12-10
Window Element
Description
Usage Notes
Device Name
Device name to which routing protocol is

associated.
Display only.
IP Address
Display only.
Routing Protocol
12-16
OL-25941-01
Chapter 12

Editing VRF
Table 12-10
Routing Protocol Configuration Settings (continued)
Window Element
Description
Routing Protocol You can configure the Routing protocols

on VRF-configured devices.
Usage Notes
You can choose the desired routing
protocol.
The drop-down list displays the routing

protocols running on the selected device.
LMS supports following routing
protocols:
OSPF
EIGRP
Routing Protocols listed are the protocols

in global configuration details.
View Global
Displays the global routing protocol

configuration details of the device name.
Click View Global to view the global

configuration details.

OL-25941-01
12-17
Chapter 12
Editing VRF
Table 12-10
Window Element
Description
Usage Notes
Commands in Edit VRF
Commands
Displays the commands used to configure You cannot enter a value in this field.
routing protocol configuration on the VRF To edit the command details:
to be edited.
Click Configuration Icon
The newly configured IP Address for
SIs or SVIs entered in the Interface
Mapping to VRF in Edit VRF page,
must be advertised using this field.
To edit the command details:
Configuration
Icon
Enables you to edit the commands

displayed in the Commands field.
1.
Click Configuration Icon and

enter the IP Address to be
advertised. Valid IP values are
the IPv4 Addresses.
2.
Click the tick mark to save the

changes.
3.
Click the close mark to close

without saving the changes.
Click Configuration Icon to edit the

Commands field details.
Or
To enter Static Route Configuration,
click Configuration Icon, delete the
commands displayed in the
commands field and enter the
commands mentioned in the
Command Syntax.
Restore Default
Step 2
Restores the edited Routing Protocol

configuration details to the configuration
values computed in the Edit VRF
workflow.
Click Restore Default to restore

VRF Configuration details to default
Global values.
Click Next
The Summary page appears.
For information on Summary, see Summary of Edit VRF.
12-18
OL-25941-01
Chapter 12

Editing VRF
Summary of Edit VRF

The Summary page provisions you with the VRF and the Protocol configuration details to be deployed
to the selected devices.
This section contains Sample Summary for Edit VRF.
Note
Upon successful completion of Edit VRF workflow, LMS triggers the Data Collection process. After the
Data Collection process is complete, LMS initiates the VRF Collection process.
10.77.241.4, connected by an interface Gi1/1. For more information, see Figure 12-2.
Sample Summary for Edit VRF
Device:10.77.241.2
ip vrf Green
rd 60:70
vlan 4
name Vlan_4
vlan 3000
name VLANforGreenVRF
interface Vlan4
ip address 20.20.20.1 255.255.255.252
no shutdown
interface Gi1/1
switchport trunk native vlan 4
no shutdown
interface VLAN3000
ip address 20.20.20.1 255.255.255.252
no shutdown
router eigrp 10
network 10.0.0.0
network 20.0.0.0
auto-summary
exit-address-family
Device:10.77.241.4
ip vrf GreenVRF
rd 60:70
interface Gi1/1
no switchport
interface Gi1/1.1
encapsulation dot1Q 3000
ip address 20.20.20.2 255.255.255.252
no shutdown

OL-25941-01
12-19
Chapter 12
Extend VRF
router eigrp 10
network 10.0.0.0
network 20.0.0.0
auto-summary
exit-address-family
Understanding VRF Configurations for Edit VRF
The VRF configuration details edited are deployed on the selected devices and corresponding interfaces.
To understand the VRF configuration details edited, see Understanding VRF Configurations for Create
VRF.
Step 1
Click Finish
A job is created to deploy the edited VRF configurations details to the selected devices. A confirmation
message appears with the Job ID in the Information dialog box.
For example, if you edit VRF Red, the message appears, Successfully created job for confirmation
deployment. 1053
Step 2
Click Job ID to check status of the Job in the Info dialog box.
Step 3
Click OK in the Info dialog box.

Extend VRF
Extend VRF enables you to extend the VRF functionality across the network. You can extend VRF
configuration details by selecting the neighbor devices of the VRF-configured devices in a network.
Only the following users have privileges to extend VRF details: Network Administrator, System
Administrator and Super Admin.
To extend VRF functionality to other devices, the VRF Extend wizard directs you through:
1.
Extend VRF
2.
Interface Mapping to VRF in Extend VRF
3.
Routing Protocol Configuration in Extend VRF
4.
Summary of Extend VRF
12-20
OL-25941-01
Chapter 12

Extend VRF
To extend VRF:
Step 1
Select Configuration > Workflows > VRF-lite > Extend VRF.

The Extend VRF page appears. Table 12-11 describes the Extend VRF page.
Table 12-11
Settings in Extend VRF
Window Element
Description
Usage Notes
VRF Name
Name of the VRF selected.
You can select the VRF from the

VRF Name drop-down list.
Route
Distinguisher
(RD)
Displays the RD value of the VRF entered Displays the RD value of the VRF
selected in the format X:Y.
while creating a VRF.
VRF Details
Note: You must enter a unique value for

each VRF that is configured.
For more information on RD, see Route
Distinguisher (RD).
Description
Displays the description of the VRF

entered while creating a VRF.
You can edit the RD value. The

edited RD value is applied only to the
new devices that were added while
extending the VRF.
Displays the description of the VRF
selected. You can edit the
description.
The edited description is applied
only to the new devices that were
added while extending the VRF.

OL-25941-01
12-21
Chapter 12
Extend VRF
Table 12-11
Settings in Extend VRF (continued)
Window Element
Description
Usage Notes
Device Selector displays all the devices,

except the devices participating in the
selected VRF. It does not display any
device that is configured with the VRF
selected.
Select the devices using the Device

Selector.
Device Selector
Device Selector
Click the checkbox to select the

device in the groups listed and click
Select.
The Device Selector also displays the

devices under the following groups:
All DevicesDevices which are not

participating in the selected VRF
Device Type GroupsDevices that

are grouped as Routers, Switches and
Hubs, and Unknown Device Type
User-defined GroupsRepresents the

devices that are in the user-defined
groups.
The Device Selector enables you to search

and select the devices on which VRF must
be configured to extend the VRF
functionality.
See Inventory Management with Cisco
Prime LAN Management Solution 4.2 for
information on how to use the Device
Selector.
Note
Step 2
The Device Selector does not display the devices that are not managed by LMS.
Click Next.
The Interface Mapping to VRF window appears.
For information on Interface Mapping to VRF, see Interface Mapping to VRF in Extend VRF.
In Extend VRF, consider the devices selected are 10.77.241.4 and 10.77.241.6. For more information,
see Figure 12-3.
12-22
OL-25941-01
Chapter 12

Extend VRF
Figure 12-3
Extend VRF workflow
cmx-saturn
Fa0/1.11
Fa0/0.20
10.77.241.8
10.77.241.5
Fa0/1.3
Fa4/0
Gig 12/43
Gig 1/9
10.77.241.4
Gig 1/3 Trunk
cmx-mercury
10.77.241.9
Gi2/39.1
Gig 4/7
Gig 4/9
Gig 4/9
10.77.241.6
10.77.241.7
Gig 4/3
Gi1/1 Gig 1/2
Gig 4/5
Gig 4/2
Gi1/1
Gig 1/4
Fa0/1
Gig 2/1
Gig 1/3
10.77.241.3
10.77.241.2
Routed link
Trunk link
Router on Stick
10.77.241.11
274925
cmx-uranus
Interface Mapping to VRF in Extend VRF

The Interface Mapping to VRF window displays a list of links that connect the devices. These are the
devices that you have selected using Device Selector in the Extend VRF window.
The links displayed are:
Links that connect the devices selected in Device Selector (in Extend VRF page)
Links that connect the devices selected in Device Selector (in Extend VRF page) and the L2
neighboring VRF-configured device that is not selected in Device Selector (in Extend VRF page)
If the links associated with the L2 neighboring device are configured with the selected VRF,
only the link is displayed.

If the neighbor device is not configured with the selected VRF and it is not selected in Device
Selector, the device is not displayed in the Interface Mapping to VRF page.
Note the following about links:
If both interfaces on either side of a link are not virtualized with a VRF, the Interface Mapping to
VRF page displays the values of VLAN, SI or SVI, IP address configured.

OL-25941-01
12-23
Chapter 12
Extend VRF
If a link is virtualized using a VLAN on one side of the interface, the same VLAN is used to
virtualize the interface on the other side of the link. LMS will not use a new VLAN. You can edit
the VLAN details in this page.
While running you cannot exit the extend VRF workflow by clicking Finish in the Interface Mapping
to VRF window.
The Interface Mapping to VRF window is used to map an interface to a VRF. The mapping is performed
from the Distribution layer to the Core layer. It also provides information on the Source and the
Destination devices associated with a link.
In the Interface Mapping to VRF in Extend VRF page, while assigning an interface to a VRF, LMS
suggests preferred virtual interfaces to be created on the device. For more information, see Preferred
Virtual Interfaces.
Step 1
In the Interface Mapping to VRF window, enter the details as given in Table 12-12:
Table 12-12
Settings in Interface Mapping to VRF in Extend VRF
Window Element
Description
Usage Notes
You cannot edit this field.
Source Device
Name
Displays the Source Device name as

entered in Device Credentials and
Repository (DCR).
Click the arrow icon to view or hide

details of the SIs or SVIs that are a
part of the source device and
participating in the VRF selected.
Checkbox
Allows you to select or deselect an SVI or

SI that must be assigned to a VRF.
VRF Details
VRF Name
Source
To select, check against the SVIs

or SIs listed under the device
name to which they are
connected.
Or
To deselect, uncheck against the

SVIs or SIs listed under the
device name to which they are
connected.
Interface
Switch Virtual Interfaces (SVIs) or

Sub-Interface (SIs) name in the source
device.
Display only.
IP Address
If the interface is virtualized, with IP

Address configured, it displays an SI or
SVI. You can edit the IP Address.
Enter the IP Address. Valid IP values

are the IPv4 Addresses.
This field is empty if the source physical

interface is not configured.
If you newly configure an IP Address, the
corresponding network IP Address must be
advertised. You must advertise the IP
Address by manually updating the
Commands in Extend VRF field.
12-24
OL-25941-01
Chapter 12

Extend VRF
Table 12-12
Settings in Interface Mapping to VRF in Extend VRF
Window Element
Description
Usage Notes
Device Name
Displays the Destination Device name as

entered in Device Credentials and
Repository (DCR).
Display only.
Interface
Switch Virtual Interfaces (SVIs) or

Sub-Interface (SIs) name in the
Destination device.
Display only.
IP Address
If the interface is virtualized, with IP

Address configured, it displays an SI or
SVI. You can edit the IP Address.
Enter the IP Address. Enter the IP

Address of the
Destination
This field is empty if the source physical

interface is not configured.
If you newly configure an IP Address, the
corresponding network IP Address must be
advertised. You must advertise the IP
Address by manually updating the
Commands in Extend VRF field.
Step 2
Subnet Mask
Subnet mask of IP Address of SVI or SI
Enter the subnet mask
is Trunk
Provides the status of the Trunk

configuration on the associated physical
interface. The following status is
displayed:
To configure Trunk, click Create

hyperlink.
True Trunk is configured on the

associated physical interface
Create Trunk is not configured on

the associated physical interface.
After clicking Create, Trunk is

created.
You can edit VLAN Name.
VLAN Name
VLAN Name on which VRF is

configured.VLAN Name is
auto-generated.
VLAN ID
VLAN ID on which VRF is

You can edit VLAN ID.
configured.VLAN ID is auto-generated or
configured.
Click Next.
For information on Routing Protocol Configuration, see Routing Protocol Configuration in Extend VRF.

OL-25941-01
12-25
Chapter 12
Extend VRF
Routing Protocol Configuration in Extend VRF

The Routing Protocol Configuration window displays details of the configured Routing protocols. These
protocols are associated to the individual devices that you selected. VRF is configured on these devices.
Details about the Routing protocol running in the global configuration table are also displayed.
Step 1
In the Routing Protocol Configuration window, enter the details as given in Table 12-6:
Table 12-13
Window Element
Description
Usage Notes
Device Name
Device name to which routing protocol is

associated.
Display only.
IP Address
Display only.
Routing Protocol
Routing Protocol You can configure the routing protocols on You can choose the Routing protocol
that you want.
VRF-configured devices.
The drop-down list displays the routing
protocols running on the device selected.
LMS supports following routing protocols:
OSPF
EIGRP
Routing Protocols listed are the protocols

present in global configuration details.
View Global
Displays the VRF configuration and the

global configuration details of the device
name.
Click View Global to view the

Global Configuration details.

Commands in Extend VRF
Commands
Displays the commands used to configure You cannot enter a value in this field.
routing protocol configuration on the VRF To edit the command details:
to be extended.
The newly configured IP Address for
SIs or SVIs entered in the Interface
Mapping to VRF in Extend VRF
page, must be advertised using this
field. Valid IP values are the IPv4
Addresses
To edit the command details, Click
Configuration Icon and enter the IP
Address to be advertised. After
entering the details, click the tick
mark to save the changes.
Click Configuration Icon and click
the tick mark to save the changes.
12-26
OL-25941-01
Chapter 12

Extend VRF
Table 12-13
Window Element
Description
Usage Notes
Configuration
Icon
Enables you to edit the commands

displayed in the Commands field.
Click Configuration Icon to edit the

Commands field details.
Or
To enter Static Route Configuration,
click Configuration Icon, delete the
commands displayed in the
commands field and enter the
commands mentioned in the
Command Syntax.
Restore Default
Step 2
Restores Protocol configuration and clears Click Restore Default to restore

edited Commands details to default Global VRF Configuration details to default
Configuration values.
Global values.
Click Next.
The Summary window appears.
For information on Summary, see Summary of Extend VRF.
Summary of Extend VRF

The Summary window displays the VRF and the Protocol configuration details to be deployed on the
selected devices.
Note
Sample Summary for Extend VRF
Understanding VRF Configurations for Extend VRF
Upon successful completion of Extend VRF workflow, LMS triggers the Data Collection process. After
the Data Collection process is complete, LMS initiates the VRF Collection process.
10.77.241.6. For more information, see Figure 12-3.
Sample Summary for Extend VRF
Device:10.77.241.4
vlan 5
name Vlan_5
interface Gi1/3
interface Vlan5
ip address 5.5.5.1 255.255.255.252
no shutdown

OL-25941-01
12-27
Chapter 12
Extend VRF
router eigrp 10
network 5.0.0.0
auto-summary
exit-address-family
Device:10.77.241.6
ip vrf GreenVRF
rd 70:80
vlan 5
name Vlan_5
interface Gi4/9
interface Vlan5
ip address 5.5.5.2 255.255.255.252
no shutdown
router eigrp 10
network 5.0.0.0
auto-summary
exit-address-family
Understanding VRF Configurations for Extend VRF
To extend VRFs to selected devices and corresponding interfaces, the VRF configuration details are
deployed on the selected devices and corresponding interfaces. To understand the VRF configuration
details edited, see Understanding VRF Configurations for Create VRF.
Step 1
Click Finish.
A job is created to deploy the VRF configurations details to the selected devices. A confirmation
For example, if you extend VRF Red, the message appears, Successfully created job for
confirmation deployment.1052
Step 2
Click Job ID to check status of the Job in the Info dialog box.
Step 3
Click OK in the Information dialog box.

12-28
OL-25941-01
Chapter 12

Deleting VRF
Deleting VRF
Delete VRF workflow is used to delete the VRFs present on your network.
The Delete VRF workflow enables you to:
Delete VRF from the selected devices
Delete virtual interfaces that are virtualized by the VRF of the selected device
Delete virtualized virtual interfaces from the devices, at the other end of the physical interface that
connects the selected device.
For example, Device A with virtual interface (Gig5/1.1) is connected to Device B with virtual
interface (Gig4/1.1). (Assume that the virtual interfaces of both devices are virtualized with the
selected VRF.)
If you select Device A using Device Selector, Device B will be on the other end of the physical
interface that is connected to Device A. In this case, the virtual interface(Gig5/1.1) on Device A,
and virtual interface(Gig4/1.1) on Device B will be deleted.
You cannot delete Layer2 VLANs using the Delete VRF feature.
Delete internal VLANs created for Sub-Interfaces (SIs)
The following users have the privilege to delete VRF: Network Administrator and Super Admin. The
user privileges mentioned is applicable for local mode only.
To delete VRF:
Step 1
Select Configuration > Workflows > VRF-lite > Delete VRF.

The Delete VRF: VRF and Device Selection page appears. Table 12-14 details the Delete VRF: VRF and
Device Selection page.
Table 12-14
Delete VRF: VRF and Device Selection
Window Element
Description
VRF Details
VRF Name

You can delete the VRF by selecting the VRF from the drop-down list.
Route
Distinguisher
(RD)
Display only. Shows the RD value of the selected VRF in the format X:Y.
Description
Display only. Description of the selected VRF. You cannot edit the description.
Device Selector

OL-25941-01
12-29
Chapter 12
Deleting VRF
Table 12-14
Delete VRF: VRF and Device Selection
Window Element
Description
Device Selector
Device Selector displays VRF-configured devices with selected VRF.

Switches and Hubs, and Unknown Device Type
User-defined Groups - Represents the devices that are in the user-defined

groups.
The Device Selector enables you to search and select the devices on which VRF
functionality must be deleted.
Select the checkbox to select the device in the groups listed.
Step 2
Click Next.
The Summary window appears.
For information on Summary, see Delete VRF - Summary.
Delete VRF - Summary

The Summary window summarizes the commands that will be deployed on the devices to withdraw
participation in a VRF.
Note
Sample Summary for Delete VRF
Understanding VRF Configurations for Delete VRF
Upon successful completion of Delete VRF workflow, LMS triggers the Data Collection process. After
the Data Collection process is complete, LMS initiates the VRF Collection process. The VRF Collection
process initiated depends on the settings provided in Admin. See Administration of Cisco Prime LAN
Management Solution 4.2 for more information.
10.77.241.6. For more information, see Figure 12-3.
12-30
OL-25941-01
Chapter 12

Sample Summary for Delete VRF

Device:10.77.241.4
no interface Vlan5
no ip vrf GreenVRF
Device:10.77.241.6
no interface Vlan5
no ip vrf GreenVRF
Understanding VRF Configurations for Delete VRF
The VRF configuration details pushed in the devices is explained in Table 12-15.
Table 12-15
Delete VRF Configuration details
Command
Device
Purpose
device name
no interface
no ip vrf
Name of the device
interface-id
Removes the interface_id from device name. For example,

vlan 5 will be removed from device IP 10.77.241.6.
vrf-name
Deletes the VRF from the device
To delete VRF, present on the selected devices, Click Finish in the Summary page.
A job is created to delete the VRF configurations details from the selected devices. A confirmation

In an Enterprise network, end-to-end virtualization is achieved by associating a VRF instance with an
SVI to map VLANs to different logical or physical VPN connections.
The Edge VLAN Configuration workflow allows you to map the Access VLANs to a VRF instance there
by providing end-to-end virtualization. The Access VLANs are mapped to single VRF instance by
assigning it to existing Switch Virtual Interface (SVI) or new SVIs created at the Distribution Layer.
A VRF instance is associated with an Switch Virtual Interface (SVI) to map VLANs to different logical
or physical VPN connections.
Note
You can associate at most one SVI with a VLAN.

The following users have the privilege to assign Edge VLAN to VRF: Network Administrator and Super
Admin. These user privileges apply only to the local mode.
The Edge VLAN Configuration wizard directs you through:
5.
VLAN to VRF Mapping
6.

OL-25941-01
12-31
Chapter 12
To perform Edge VLAN Configuration:

Step 1
Select Configuration > Workflows > VRF-lite > Edge VLAN Configuration.
The Edge VLAN Configuration: VRF and Device Selection page appears. Table 12-16 details the Edge
VLAN Configuration: VRF and Device Selection page.
Table 12-16
Edge VLAN Configuration: VRF and Device Selection
Window Element
Description
VRF Details
VRF Name

Select the VRF from the drop-down list.
Route
Distinguisher
(RD)
Display only. Shows the RD value of the selected VRF in the format X:Y.
Description
Display only. Description of the selected VRF. You cannot edit the description.
Device Selector
Device Selector
Device Selector displays VRF-configured devices with selected VRF.

Switches and Hubs, and Unknown Device Type
User-defined Groups - Represents the devices that are in the user-defined

groups.
The Device Selector enables you to search and select the devices. Select the
checkbox to select the device in the groups listed.
Step 2
Click Next
The Edge VLAN Configuration: VLAN to VRF Mapping page appears.
For information on VLAN to VRF Mapping, see VLAN to VRF Mapping.
12-32
OL-25941-01
Chapter 12

VLAN to VRF Mapping

The Edge VLAN Configuration: VLAN to VRF Mapping page is used to map the Access VLANs to a
VRF instance thereby providing an end-to-end virtualization. You can assign Edge VLAN to a VRF by
associating it to a Switch Virtual Interface (SVI).
The Edge VLAN Configuration: VLAN to VRF Mapping page is used to:
1.
Configure SVI for new or already existing VLANs in the Distribution Layer
2.
Allow VLANs in available trunk in Access Layer
3.
Configure Layer 3 features
The devices selected in Edge VLAN Configuration: Select Devices page are the devices from the
Distribution Layer.
The Edge VLAN Configuration: VLAN to VRF Mapping page displays a list of Switch Virtual
Interfaces (SVIs) that are
Virtualized with the VRF selected
Unfertilized
Trunk Configuration
Layer 3 Features
The Edge VLAN Configuration: VLAN to VRF Mapping page includes the following icons:
Existing VLAN icon: Used to display existing VLANs (VLAN Name) on the device.
Configurations icon: Used to perform Trunk and Layer 3 feature configuration.

Upon clicking the Configurations icon, the Trunk Configuration tab is selected by default and the
Available Trunks page appears.
Step 1
The Edge VLAN Configuration: VLAN to VRF Mapping window appears. The window displays the
name of the selected VRF in the Edge VLAN Configuration: Select Devices page. In this window, enter
the details as given in Table 12-17.
Table 12-17
Details of VLAN to VRF Mapping
Window Element
Description
Usage Notes
Display only.
Represents the device selected in the

Device Selector.
Click the arrow icon to view or hide

details of the SVIs that are a part of
the device name.
VRF Details
VRF Name :
Selected VRF
Device Details
Device Name
(Hyperlink)
Device name of the device is displayed as

If you right-click the Device name
a hyperlink.
hyperlink, it displays Add SVI
option. Click Add SVI option to add
an SVI

OL-25941-01
12-33
Chapter 12
Table 12-17
Details of VLAN to VRF Mapping
Window Element
Description
Usage Notes
Name
Represents a Switch Virtual Interface that Enter the SVI value. Valid
is the logical Layer 3 interface on a switch.
values of SVI ranges from 2 to
It displays the multiple VLANs that are
4096.
carried by the physical interface. The
Or
corresponding VLAN ID and VLAN
Select existing VLANs on your
Name is populated in this page.
network by clicking the icon.
You can view the status of the interface. It
If the existing VLAN Name is
displays a tick mark if the status is up and
displayed in this field, you can
cross mark if the status is down.
edit this field.
Edited entries will overwrite the
existing VLAN Name.
If the VLAN value entered is not in
your network, LMS creates VLAN.
Checkbox
Existing VLAN
icon
Allows you to virtualize or un-virtualize

SVIs using the selected VRF.
When you click this icon, the Existing

VLAN Selector page appears. This page
displays the existing VLANs on the
device.
You can also search existing VLANs by
entering the VLAN Name in the Search
field.
To virtualize an interface, check

against the SVIs listed under the
Device Name
To un-virtualize, un-check an
interface that is already
virtualized with a VRF
Select the desired VLAN. Upon

selecting the VLAN, the
corresponding VLAN Name and
VLAN ID is populated in the VLAN
ID and VLAN Name field.
The VLANs displayed do not have an

SVI/SI in the selected device.
IP Address
IP Address of the SVI.
Enter the IP Address. Valid IP values

are the IPv4 Addresses
Subnet Mask
Subnet mask of the SVI.
Enter the Subnet mask
VLAN ID
VLAN ID to be assigned to a VRF.
Enter the VLAN ID. You cannot edit

this field.
Valid values of VLAN ID ranges from 1 to

4094.
VLAN Name
VLAN Name to be assigned to a VRF.
Enter the VLAN Name.
Configurations
Enables you to perform the following

configurations to be associated to the
corresponding SVI: Trunk and Layer 3
feature configuration.
Click the Edge Interface

Configuration icon to configure
Trunk and Layer 3 features.
For more information, see Trunk
Configuration and Layer 3 Features.
12-34
OL-25941-01
Chapter 12

Trunk Configuration
The Available Trunks page displays the trunks available in the selected device. It also displays the device
that are neighbors to the selected device. If no trunk is available in the selected device, the Available
Trunks page is blank.
The VLANs in any corresponding, existing or newly created SVIs will be allowed on all the trunk
interfaces, that are selected in the Trunk Configuration page. The values displayed in the Trunk
Configuration page are not fetched from the selected devices.
Step 2
In the Trunk Configuration page, enter the details as given in Table 12-18.
Table 12-18
Settings of Trunk Configuration
Window Element
Description
Usage Notes
Interface Name
Interface name on which Trunk exist.
Display only.
Neighbor Name
Neighbor device to the selected device.
Select the desired trunk in which

VLAN needs to be allowed and click
Apply. The Trunk configuration
details entered are saved.
Available Trunks
The VLANs in the corresponding

SVI will be allowed on all the trunk
interfaces that are selected in the
Trunk Configuration page.
Layer 3 Features
Upon clicking the Layer 3 Features tab, the Layer 3 Feature page appears which enables you to configure
the following Protocols and DHCP Server details for any corresponding, existing or newly created SVIs.
The values displayed under Layer 3 Features tab are not fetched from the selected devices.
Note
Step 3
HSRP : Hot Standby Router Protocol
VRRP : Virtual Router Redundancy Protocol
GLBP: Gateway Load Balancing Protocol
The layer 3 features details are not fetched from the devices.
In the Layer 3 Feature Configuration page, enter the details as given in Table 12-18
Table 12-19
Settings of Layer 3 Feature Configuration
Window Element
Description
Usage Notes
Layer 3 Redundancy Protocol
Select Type
Represents the Redundancy protocol

types.
Select the desired Redundancy

protocol Type.
HSRP : Hot Standby Router Protocol

VRRP : Virtual Router Redundancy
Protocol
GLBP: Gateway Load Balancing Protocol

OL-25941-01
12-35
Chapter 12
Table 12-19
Settings of Layer 3 Feature Configuration (continued)
Window Element
Description
Usage Notes
Group Number
Represents the group number of the

protocol.
Enter the Standby Group Number.
A valid group number is an integer. Valid

range values for corresponding
Redundancy Protocols is as follows:
HSRP : 0 - 4095
VRRP : 1 - 255
GLBP : 0 - 1023
Virtual Router IP IP Address of the Virtual Router at the

Address
edge.
Enter the Virtual Router IP Address.

Valid IP values are the IPv4
Addresses.
DHCP Server IP
Address
Enter the DHCP Server IP Address

and click Apply. Valid IP values are
the IPv4 Addresses.
IP Address of the DHCP Server
After applying the Layer 3 Features

configuration details, the values are
saved. Click Close.
The Edge VLAN Configuration:
VLAN to VRF Mapping page
appears.
After entering the Trunk and Layer 3 Features, a new row is added on the Edge VLAN Configuration:
VLAN to VRF Mapping page appears. You can enter the details in the new row to create an SVI for
newly created VLAN.
Step 4
Click Next
The Edge VLAN Configuration: Summary page appears.
For information on Summary, see Edge VLAN Configuration Summary.

The Edge VLAN Configuration: Summary page summarizes the VRF configuration details to be
deployed to the selected devices.
Note
Sample Summary for Edge VLAN Configuration
Understanding Edge VLAN Configuration Details
Upon successful completion of Edge VLAN Configuration workflow, LMS triggers the Data Collection
process. After the Data Collection process is complete, LMS initiates the VRF Collection process.
12-36
OL-25941-01
Chapter 12

The Sample Summary summarizes the VRF configuration details on the device 10.77.241.2. For more
information, see Figure 12-2.
Sample Summary for Edge VLAN Configuration
Device:10.77.241.4
vlan 3
name VLAN0003
interface VLAN3
ip address 10.77.22.3 255.255.255.2
no shutdown
glbp 1 ip 10.77.22.23
ip helper-address 255.255.255.0
Understanding Edge VLAN Configuration Details
The following VRF configuration details are pushed in the selected devices. The description of the Edge
VLAN Configuration details is given in Table 12-20.
Table 12-20
Edge VLAN Configuration details
Command
Purpose
ip vrf forwarding
description
ip address
vrf-name
vrf-name
vrf-name
Enters VRF configuration mode and assigns a VRF name

Provides description of the VRF created
Associates a VRF with an interface or sub-interface
no shutdown
Converts Layer 2 switch port interface to a Layer 3 routed

physical interface
glbp
Enables IEEE 802.1Q encapsulation of traffic on a

specified sub- interface in virtual LANs. IEEE 802.1 Q is
a standard protocol for interconnecting multiple switches
and routers, and for defining VLAN topologies.
ip helper-address
Used to enable an interface
To assign VLANs on the selected interfaces, to a VRF, click Finish in the Edge VLAN Configuration:
Summary page.
A job is created to assign edge VLAN to the selected VRF. A confirmation message appears with the Job
ID in the Information dialog box.

OL-25941-01
12-37
Chapter 12

The VRF Lite Configuration Jobs browser enables you to view the status of all VRF configuration Jobs.
VRF configuration jobs are the jobs that are created for the VRF configuration workflows like Create,
edit, extend and delete VRF as well as Edge VLAN Configuration jobs.
The job details like the job ID, the job type, the job description, the job owner, the time the job is
scheduled to run at, the time of job completion, the schedule type, the job status, run status can be viewed
here. Table 12-21 describes the fields in the VRF Lite Configuration Jobs browser.
To access the VRF Lite Configuration Jobs browser, select Configuration > Job Browsers > VRF Lite.
The VRF Lite Configuration Jobs browser page appears.
You can manage the VRF configuration jobs using the VRF Lite Configuration Jobs browser.
Note
The VRF Lite Configuration Jobs browser is used to perform the following:
ViewUsed to launch reports. See View.
StopStop a scheduled or running job. See Stop Job.
RetryRetry a job. See Retry Job.
DeleteDelete a job. See Delete Job.
Table 12-21
VRF Lite Configuration Jobs Browser
Field
Description
Job ID
Unique ID assigned to the VRF configuration job when it is created.

Clicking the Job ID hyperlink provides a report page with the job details of the job.
Job Type
Type of VRF configuration job such as Create VRF, Edit VRF, Extend VRF, Delete VRF and
Edge VLAN Configuration.
Description
Description of the job provided by the job creator.
Owner
Scheduled At
Date and time the job was scheduled at.
Completed At
Date and time the job was completed at.
12-38
OL-25941-01
Chapter 12

Table 12-21
VRF Lite Configuration Jobs Browser
Field
Description
Run Status
Job states include:
Schedule Type
Running
Waiting for approval
Scheduled (pending)
Succeeded
Succeeded with Info
Failed
Crashed
Cancelled
Suspended
Rejected
Missed Start
Failed at Start
Status
OnceRuns once at the specified date and time.
ImmediateRuns immediately.
Provides the status of the current jobs. The status of the current jobs is displayed as succeded or
failed.
View
Use to launch the respective report of the VRF configuration job selected in the VRF Lite Configuration
Jobs Browser page.
Stop Job
You can stop a scheduled or running job from the VRF Lite Configuration Jobs Browser.
Select the job and click Stop. You are prompted for a confirmation before the job is stopped. You can
select only one job to stop at a given time.

OL-25941-01
12-39
Chapter 12
Delete Job
You can delete a VRF configuration job from the VRF Lite Configuration Jobs Browser.
Select the job and click Delete. You are prompted for a confirmation before the job is deleted. You can
select more than one job to delete.
Retry Job
You can retry a VRF configuration job related to VRF configuration from the VRF Lite Configuration
Jobs Browser. You can retrieve only failed jobs.Select the job and click Retry. You are prompted for a
confirmation before retrying the job. You can select only one job to be retried at a given time.
12-40
OL-25941-01
CH A P T E R
13
Viewing Topology Services

Topology Services is an application that enables you to view and monitor your network including the
links and the ports of each link.
Topology Services display the network topology of the devices discovered by LMS through Topology
Maps. Besides these Maps, the application includes numerous reports that helps you to view the physical
and logical connectivity in details.
To launch Topology Services, either:
Select Configuration > Topology from the menu.
Or
Select Monitor > Monitoring Tools > Topology Services from the menu.
You must install the Java plug-in to access Topology Services from a client. If you are prompted to install
the Java plug-in, download and install it using the installation screens.
See Monitoring and Troubleshooting with Cisco Prime LAN Management Solution 4.2 for more
information.

OL-25941-01
13-1
A P P E N D I X
CLI Utilities
LMS provides Command Line Interface (CLI) support. The CLI utilities that are supported by LMS are:
CWCLI
Performance Tuning Tool
Software Management CLI Utility
CWCLI
CiscoWorks Command Line Framework (CWCLI) is the interface or framework through which
application functionality is provided.
The following are the cwcli applications:
is the configuration command-line tool. cwcli netconfig command lets you use
NetConfig from the command line.
cwcli config
cwcli export is a command line tool that also provides servlet access to inventory, configuration
and change audit data.
This can be used for generating inventory, configuration archive, and change audit data for devices
in LMS.
cwcli inventory is a Device Management application command line tool. This tool can be used
for checking the device credentials, exporting the device credentials. You can also view the devices
and delete the devices.
cwcli invreport is a CiscoWorks command line tool which allows you to run previously created
Inventory Custom Reports and also system reports. The output is displayed in the Comma Separated
Value (CSV) format.
cwcli netshow is a comand line tool that lets you use NetShow features from the command line.
You can use the cwcli netshow commands to view, browse, create, delete, and cancel NetShow jobs
and Command Sets.
This appendix contains the following sections:
Overview: CLI Framework (cwcli)
Overview: cwcli config Command
Overview: cwcli netconfig Command
Overview: cwcli export Command

OL-25941-01
A-1
Appendix A
CLI Utilities
CWCLI
Overview: cwcli inventory Command
Overview: cwcli invreport Command
Overview: cwcli netshow Command
You can set the debug mode for CLIFramework and ConfigCLI in the Log Level Settings dialog box
(Admin > System Preferences > Loglevel Settings).
Overview: CLI Framework (cwcli)

CLI Framework (cwcli) is a Command-Line Interface. This interface provides application-related
functionality.
The CLI Framework supports the following tasks:
Parsing the command line for the applications.
Easy logging and messaging capabilities
Authentication and authorization for individual applications
Remote access support.
cwcli Global Arguments
Remote Access
SYNOPSIS
The command line syntax is as follows:

cwcli
application command GlobalArgs AppSpecificArguments
application specifies one or more LMS applications that use the framework. For example, config,
export, inventory, invreport, and netconfig.
command specifies which core operations are to be performed for a particular service.
GlobalArgs specifies arguments common for all CLI. For example, username, password, log, debug,
etc.
AppSpecificArguments are the additional parameters required for each core command.
You should enter the application name immediately after cwcli and the command name, after the
application name. All other GlobalArgs arguments can be specified in any order.
Apart from the applications, Global args (-u user, -p password, -l logfile, -m email, -d debuglevel)
framework also supports two generic commands. They are:
-vVersion
-helpAll
of the CLI interface.
the applications that can be invoked using the framework.
SYNTAX
cwcli
cwcli
v
help
A-2
OL-25941-01
Appendix A
CLI Utilities
CWCLI
cwcli Global Arguments

The following table shows the cwcli config command arguments you can specify with all commands.
cwcli arguments
Description
-u
userid
User ID. Field is required.
-p
password
It is the password for the specified User ID.

If you enter the password at the command line, a message appears:
* Warning * The -p option is highly insecure and *not* recommended. See -u
option for more details.
If the password is not specified in the command line, framework searches for the password
in the file pointed to by the CWCLIFILE environment variable. If the variable is not set, you
are prompted to enter the password.
* Warning * CWCLIFILE Environment variable not set. Enter your password
See Setting CWCLIFILE Environment Variable for more details.

devicename or
device_list
-device
Device Name of the device added into DCR. You can use comma separated displaynames
and wild card character %.
For example, if there are two devices with names Rtr12 and Rtr13, Rtr% will display both
the devices.
To use all the devices, use -device %.
-view
view_list
If the data needs to be generated for all the devices in a specific group, you can use the
argument. You can use this argument to generate data for devices in all device views
including system-defined groups and user-defined groups.
-view
You can enter multiple group name separated using a comma.

For view name, you have to enter the fully qualified path as in the Group Administration
window. To separate the path you must use forward slash only.
For example, -view /RME@ciscoworks_servername/All Devices
-ipaddress
address
Device IP4 address as entered in the Device and Credential Repository. You can enter
multiple IP address with comma separated.
You cannot use this option with -device, -view , or -input. Also, you cannot specify
wildcard characters.
-l
logfile
Must be a relative name. By default ConfigCLI.log and cli.log files are used, located at:
NMSROOT\log (On Windows)
/var/adm/CSCOpx/log (On Solaris and Soft Appliance)
If the relative name is specified then the log messages are logged into the file specified. The
file is created under the log directory, mentioned above.
For example, cwcli config export -u alpha -p beta -device % -l export.log. In this case,
export.log is created under the log directory mentioned above.
-m
email
Email address to mail the command output to. You can enter single or comma separated
email IDs.
-d
debuglevel
Enables debugging to command-line tool. Specifies debugging verbosity. Default is least

verbose.

OL-25941-01
A-3
Appendix A
CLI Utilities
CWCLI
cwcli arguments
Description
-help
Displays usage information.
-input
Text file containing arguments for each device.
Note
-d and -l arguments are supported for backward compatibility. Select Admin > System > Debug
Settings > Config and Image Management Debugging settings > CLI Framework to set debug
levels.
When using wildcards, you must use the percent sign (%), not an asterisk (*), as shown in the following
examples:
%device (lists all devices that end with the suffix device)
dev% (lists all devices that start with the prefix dev)
% (lists all devices LMS manages)
Remote Access
CLI framework (cwcli) offers remote access facilities to allow you to invoke cwcli commands from the
client in the same way as they run on the LMS server.
The name of the servlet is /rme/cwcli.
The following is the servlet to be invoked to run any command:
For post-request,
http://lms-server:lms-port/rme/cwcli
payload XML file
For get request,

http://lms-server:lms-port/rme/cwcli?command=cwcli config commandname -u user -p BAse64
encoded pwd -args1 arg1value...
Note
Use <arg> and <argval> tags when the argument is a file.

The contents of the payload xml file is as follows.
<payload>
<command>
cwcli config export -u admin -p <Base64Enoced pwd> -device 1.1.1.1 -xml
</command>
<arg>
</arg>
<arg-val>
</arg-val>
</payload>
For example to run the cwcli config import comand payload.xml is as follows:
<payload>
<command>
cwcli config import -u admin -p <Base64Enoced pwd> -device 10.77.240.106
A-4
OL-25941-01
Appendix A
CLI Utilities
CWCLI
<arg>
-f
</arg>
<arg-val>
tempfile
</arg-val>
</command>
</payload>
The Remote Access servlet creates a temporary file with the contents specified between the arg-val tags
for the import command. On the server the command is run as
cwcli config import -u admin -p Base64Enoced pwd -device 10.77.240.106 -f tempfile
Here, the tempfile contains the configuration of the device that you want to import.
For example,
perl samplescript.pl http(s)://lms-server:lms-port/rme/cwcli
payloadXML
To invoke the servlet using a script, see the Sample Script to Invoke the Servlet.
The script and the payload file should be residing in the client machine.
Note
For the secure mode (HTTPS) the port number is 443. The default port for LMS server in HTTP mode
is 1741.
Sample Script to Invoke the Servlet

#!/opt/CSCOpx/bin/perl
use LWP::UserAgent;
$temp = $ARGV[0] ;
$fname = $ARGV[1] ;
print "\n argv[0} = $ARGV[0] , fname = $fname \n";
open (FILE,"$fname") || die "File open Failed $!";
while ( <FILE> )
{
$str .= $_ ;
}
#print $str ;
url_call($temp);
#-- Activate a CGI:
sub url_call
{
my ($url) = @_;
my $ua = new LWP::UserAgent;
$ua->timeout(1000);
# you can set timeout value depending on number of devices
my $hdr = new HTTP::Headers 'Content-Type' => 'text/html';
my $req = new HTTP::Request ('GET', $url, $hdr);
$req->content($str);
print "It comes here \n";

OL-25941-01
A-5
Appendix A
CLI Utilities
CWCLI
my $res = $ua->request ($req);

my $result;
#
print "It comes here too \n";
if ($res->is_error)
{
print "ERROR : ", $res->code, " : ", $res->message, "\n";
$result = '';
if ($res->message =~ /read timeout/)
{
print "ERROR:Timeout has occured. Increase the timeout value in samplescript.pl.\nFor
example, if the devices managed in network is more than 1K, increase the timeout value
to 5000.";
}
}
else {
$result = $res->content;
if($result =~ /Authorization error/)
{
print "Authorization error\n";

}
else {
print "\n $result" ;
}
}
}
Setting CWCLIFILE Environment Variable

You can store your username and password in a file and set a variable CWCLIFILE that points to the file.
This helps you to avoid the -p argument, which will reveal the password in clear text in CLI.
You should maintain this file and control access permissions to prevent unauthorized access.
If CWCLIFILE is set only to filename instead of full path, cwcli framework looks for the current working
directory.
If you use the -p argument, even after setting the CWCLIFILE variable, the password is taken from the
command line instead of CWCLIFILE. This is not secure and usage of this argument is not recommended.
The password must be provided in the file in the following format:
username password
where username and password are the LMS login credentials. The delimiter between the username and
password is a single space.
You must enter comma as the delimiter if the password is blank. Otherwise, cwcli framework will fail
to validate the password.
Example to run the cwcli command with the CWCLIFILE file:
On Windows, at the command prompt enter:
C:\Program Files\CSCOpx\bin>set CWCLIFILE=D:\ciscoworks\password.txt
C:\Program Files\CSCOpx\bin>cwcli export changeaudit -u
admin -view
"/RME@ciscoworksservername/Normal Devices"
A-6
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Where the file, password.txt contains the username and password for LMS server.
Overview: cwcli config Command

The cwcli config command-line tool performs the following core functions on one or more devices and
the configuration archive:
Moves configuration files from the configuration archive to one or more devices.
Transfers the configuration files from devices to the archive if the configuration running on a device
is different from the latest archived version
Imports configuration files from the file system and pushes them to one or more devices, which
updates the configuration archive
Merges the startup configuration files with the running configuration files
Copies the running configuration files to the startup configuration files
Copies a configuration file to the startup configuration files
Copies the difference between a configuration file and the running configuration to the running
configuration files. This makes the configuration in the file available on the running configuration.
Reboots running devices to load a running configuration with its startup configuration
In addition, cwcli config performs the following core functions on the configuration archive:
Exports configurations from the archive to the filesystem
Compares any two configuration files in the archive based on version or date
Deletes configurations older than a specified date from the configuration archive
Getting Started With cwcli config
Uses of cwcli config
Remote Access
Running cwcli config
cwcli config Command Parameters
Parameters For All cwcli config Commands
cwcli config Syntax Examples
cwcli config Core Arguments
Examples of cwcli config
cwcli config Command Man Page
Arguments
cwcli config Subcommand Man Pages

In addition to using the graphical-based device configuration functions, you can use the cwcli config
command-line utility to perform batch processing tasks on the configuration archive, devices, or on both.

OL-25941-01
A-7
Appendix A
CLI Utilities
CWCLI
For more details see these sections:
On platforms other than Windows 2000, all files created by cwcli config are owned by casuser. They
belong to the same group as the user (casuser) who created the files, and have read-write access for both
casuser and the group.
Note
Your login determines whether you can use this argument.
Getting Started With cwcli config

is a command-line tool. This tool is like an interface between the user and the device and
the configuration archive.
cwcli config
Generally, the configuration archive automatically registers modifications to the device's configuration
in archived, version-based files. Over time, multiple configurations of a device accumulate in the
archive. Typically, the latest version is the configuration running on the device.
Uses of cwcli config

With cwcli config, you can:
Device and Archive Updates

Modify a device's running configuration. You can allow personnel of your organization to modify
the device's configuration without explicitly providing them with Telnet access to the device.
Deleting Configurations
Delete unwanted versions of the configuration file from the archive. This is a command-line variant
of the UI purge feature.
Generate 'diffs' of different configuration versions of the same device to find out what modifications
were made. This is a command-line counterpart for GUI-based reports.
Device and Archive Updates

Whenever you use cwcli config to update the running configuration of the device, the tool also archives
the newly written configuration to the archive, bypassing the auto-detection mechanism.
Getting a Version of the Device Configuration

To obtain a version of the device's configuration from the device, modify it, and then write it back to the
device. You use two features of cwcli config to do this.
1.
Use the export command to obtain a copy of the desired configuration version file.
2.
Edit and deploy it on the device using the import function. If the update succeeds, import also
archives the configuration in the archive as the latest version.
A-8
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Example:
cwcli config export -u
user -p pass -device zebra.domain.com -version 3 -f zebraconf
version 3 of device zebra's configuration has been obtained from the device. It is available in the file
zebraconf. You must edit the file and make the necessary modifications.
cwcli config import -u user -p pass -device zebra.domain.com -f zebraconf
The edited file is written back to the device and archive. If there were five configurations originally, a
sixth one is now added.
If you want to update the running config on the device, and are certain that the latest archived version is
the same as the running config, then you can obtain the latest version as follows:
user -p pass -device zebra.domain.com -f zebraconf
the latest version is copied to file zebraconf.

After writing the edited configuration to the device, you might want to reboot the device. You can do
this automatically from cwcli config by using the -reboot argument to the import command:
user -p pass -device zebra.domain.com -f zebraconf -reboot
In addition, you might want to write file zebraconf to both the running as well as the startup
configuration. To do this, enter the following command:
user -p pass -device zebra.domain.com -f zebraconf -save
Reverting to Earlier Configuration Version

For running configuration, use either compare or export to decide, which version to revert to.
For VLAN configuration, look into the Configuration Version Report for the device to find the versions
for which VLAN configuration is also archived. Then use put to deploy the desired version.
The put function gets the requested version from the archive, writes it to the device. For Running
configuration, it archives it as the latest version of that device.
Example:
cwcli config put -u
user -p pass -device zebra.domain.com -version 3
version 3 of device zebra's configuration is extracted from the archive and written to the device. It is also
stored in the archive as the latest version.
Example:
cwcli config put -u
user -p pass -device zebra.domain.com -version 3 -filetype vlan
version 3 of device zebra's vlan configuration is extracted from the archive and written to the device.
Like import, the put function allows you to reboot the device using the -reboot argument, and to update
the startup configuration using the -save argument.
Writing Startup Configuration to Running Configuration

To write the startup configuration of the device to its running configuration. Use the start2run function
of cwcli config to retrieve the startup configuration from the device, and then write it back to the
device's running configuration. The new running configuration is archived as the latest version.
Example:
cwcli config start2run -u
user -p pass -device zebra.domain.com
To ensure that the running configuration on the device is stored in the archive, that is, synchronize the
archive with the device. Use the get function to do so.

OL-25941-01
A-9
Appendix A
CLI Utilities
CWCLI
Example:
cwcli config get -u
admin -p admin -device zebra.domain.com
The running configuration of device zebra is retrieved from the device and archived as the latest version,
only if there is a need to do so. However, if the running configuration does not differ from the latest
archived version, then the archival does not take place.
Configuration updates can be performed on multiple devices at once. For more details see Running
cwcli config on Multiple Devices section on page A-11.
Deleting Configurations
Use the delete function of cwcli config to delete unwanted versions from the archive, to conserve disk
space, and to reduce visual clutter on reports.
Example:
cwcli config delete -u
user -p pass -device zebra.domain.com -version 2 5
All versions between and including 2 and 5 are removed from the archive. There is also a time-stamp
based variant.
Use the compare function to compare any two versions of the archived configuration files of one or more
devices. The compare function also lists down the entire configuration changes based on the timestamp.
Example:
cwcli config compare -u
user -p pass -device zebra.domain.com -version 2 5
cwcli config can only compare the archived configuration files. The compliance report is stored in the
job directories.
Remote Access
cwcli config
cwcli config
uses remote access facilities offered by the CLI framework to allow you to invoke the
commands from the client in the same manner they would run them on the LMS server.

All the command can be run remotely.
Note
For the secure mode (HTTPS) the port number is 443. The default port for LMS server in HTTP mode
is 1741.

The cwcli config command is located in the following directories, where install_dir is the directory in
which LMS is installed:
On Solaris and Soft Appliance systems, NMSROOT/bin. The default directory is /opt/CSCOpx
On Windows systems, NMSROOT\bin

The default install directory is C:\Program Files.
A-10
OL-25941-01
Appendix A
CLI Utilities
CWCLI
If you install LMS on Windows on an NTFS partition, only users in the administrator or casuser group
can access cwcli config.
Users with read-write access to the CSCOpx\files\archive directory and the directories under that can
also use cwcli config.
Running cwcli config on Multiple Devices

You can run cwcli config simultaneously on multiple devices. Details vary from command to
command. This section describes how to apply import on multiple devices. Details of multiple-device
syntax for other commands are described under the DESCRIPTION in the man page.
The commands, such as put, import, write2run and write2start accept only one device on the
command line. If you want to apply the command to multiple devices, enter the names of those devices
and any arguments in a text file.
For example, assume that you want to deliver the configuration file serviceconf to devices, antelope and
rhino. Also assume that you want to reboot rhino. The command line of cwcli config is as follows:
cwcli config import -u
admin -p admin -input device-list -m root@netcontrol.domain.com
You do not want the output of the command to go to stdout. Instead, you want it to be mailed to the
superuser at host netcontrol.
Device-list is a text with the following contents:
# comments start with a leading hash symbol. Write serviceconf to rhino and # antelope.
reboot antelope.
-device rhino.domain.com -f serviceconf
-device antelope.domain.com -f serviceconf -reboot
# end of input file device-list
Additional Information
The examples in this man page are not comprehensive. There are many other scenarios in which cwcli
config can be used.
For example, if you want to modify the running configuration on the device, without using the latest
archived version, considering the latest may not be the same as the running configuration. You can apply
the get command and then export and import. Various combinations of the features can be used.
You can also use cwcli config in UNIX cron jobs to schedule config updates in advance.
Also, the output generated by cwcli config can be logged to a file and sent to any recipient through
email. A host of additional arguments can be applied on other commands.
cwcli config Command Parameters

Using the cwcli config commands you can manipulate, deploy and archive your device configuration
files.
Using the Compare Command
Using the Delete Command

OL-25941-01
A-11
Appendix A
CLI Utilities
CWCLI
Using the Compare Command

When you specify the compare command, both -version and -date are optional.
If you do not specify -version or -date, the latest configuration is compared with the previous
version.
If you do specify -version or -date, and the value you enter is the latest version or date, that
configuration is compared with the previous version.
A-12
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Using the Delete Command

When you specify the -date command, you must specify -version or -date.
If you specify only one date, all versions archived up and including that date are deleted.
To delete a version archived on a particular date, specify two dates that are the same date as the archived
version date. The latest two versions of configuration can never be deleted from the archive. Be careful
while using the delete command.

The -d and -l arguments are supported for backward compatibility.
In LMS, select Admin > System > Debug Settings > Config and Image Management Debugging
settings > ConfigCLI to set debug levels.
When using wildcards, you must use the percent sign (%), not an asterisk (*), as shown in the following
examples:
%device
dev%
%device%
The following table lists the cwcli config command-specific arguments and which commands you can
use the arguments with:
cwcli config arguments
Applicable Commands
Description
-baseline
createdeployparamfile,
Specifies the name of the Baseline template for which the

parameter file has to be created.
directbaselinedeploy
-date
compare, delete
Compare
If you specify one date, the latest configuration version
is compared with the most recently archived version on

that particular date.
If you specify two dates, the most recently archived
version of the first date is compared with the most

recently archived version of the second date.
Delete
If you specify one date, all versions archived up to this
date are deleted.

If you specify two dates, all versions archived between
and on those dates are deleted.

-enable_pass
import, put, write2run,
Specifies execution mode Base64 encoded Password for

connecting to device.
write2start, run2start,
start2run,
deploycomplianceresults,
compareanddeploy, reload

OL-25941-01
A-13
Appendix A
CLI Utilities
CWCLI

-f
filename
Applicable Commands
Description
export, import
Specifies fully qualified pathname of configuration file to

import to or export from.
If you do not specify this argument, the current working

directory is assumed.
If you do not specify this argument when importing or

exporting a single device configuration, default filename,
devicename.cfg, in the current working directory is
assumed.
The -f argument applies only to single devices. To perform the

operation on multiple devices, you must specify the -input
argument.
-input
inputlist
Applicable to all commands

except compareanddeploy,
deploycomplianceresults, and
directbaselinedeploy,
You must enter -input inputlist to run commands, such as put

and import, on multiple devices.
The parameter, inputlist is a text file containing arguments for
each device. A line starting with # is treated as a comment.
For example, an input list file might look like this:
#comment line
-version version [-save] [-reboot] device_name
-version version [-save] [-reboot] device_name
-jobid
createdeployparamfile
Used to specify the job identifier of the previously run

comparewithbaseline job.
-l
Specifies the file to log the results of the command.
-listonly
write2run
Displays difference between the latest running configuration for

device in configuration archive and new configuration that is
generated, without downloading changes.
-m
Specifies an email address to send the results of the command.
primary_pass
Specifies primary user name for connecting to device.
start2run,
-primary_user
Specifies primary user name for connecting to device.
start2run,
-reboot
import, put
After successfully pushing a configuration to a device, device

reboots. By default the device does not reboot.
For IOS devices, you must also specify -save to avoid losing
configuration changes when rebooting.
-save
import, put
Applies to Cisco IOS devices only. Performs a write memory

after pushing the configuration. The default is no write memory.
A-14
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Applicable Commands
Description
-timeout
Specifies the duration of the interval in seconds between two

successive polling cycles. Configuration Archive is polled
according to the interval specified to retrieve and display the job
results.
start2run,
comparewithbaseline,
compareanddeploy, get, reload
-version
version
compare, delete, export, put
For put and export, you can specify one version of the
configuration in the archive.
For compare, you can specify two versions, which are

compared with each other.
If you specify only one version, that is compared with latest
archived version.
For delete, if you specify one version, that version is

deleted.
If you specify two versions, all versions in between and
including those version are deleted.

The following examples demonstrate the cwcli config command syntax. Square brackets ([ ]) indicate
arguments. A pipe (|) acts as a delimiter. This means that only one of the listed entries can be specified.
Note
Make sure you first use the cwcli config command in a test environment before running the command
in production. This is to avoid any loss of data when a device is rebooted or a configuration is
overwritten.
The following command extracts the running configurations from all devices:
cwcli config get -u user -p password -device %
The following command exports the configuration of all the devices from the archive and puts the
configuration into the file, devicename.cfg. This is the default file name because -f is not specified:
cwcli config export -u user -p password -device %
If there is more than one device in the default view All, you see an error message because the export
command does not accept multiple device names on the command line. You must specify the -input
argument to run the export command on more than one device.

OL-25941-01
A-15
Appendix A
CLI Utilities
CWCLI
The following table shows more syntax examples:

Argument
Syntax
no arguments
cwcli config -u
Notes
user -p password [-v
-help]
If you do not specify arguments, cwcli config

shows command usage (-help)
compare
cwcli config compare -u userid -p

password [-d debuglevel] [-m email] [-l
logfile] { -device list | -view name |
-device list -view name |-ipaddress list } {
-version version1 [version2] | -date date1
[date2] }
Specify versions to compare using -version or

-date argument. When specifying a date, use
format mm/dd/yyyy. If you do not specify a date
or a version, the latest two archived
configurations are compared.
compareanddeploy
cwcli config compareanddeploy -u userid
Creates a job that compares the given Baseline

template with the latest version of the
configuration for a device and downloads the
configuration to the device if there is
non-compliance.
password [-d debuglevel] [-m email][-l

logfile] {-device list | -view name | -device
list -view name |-ipaddress list }{
-baseline baselinefile }[ -timeout
seconds] [-input argumentFile]
[-primary_user primary user name]
[-primary_pass Base64 encoded primary
password] [-enable_pass Base64 encoded
enable password]
-p
comparewithbaseline
cwcli config comparewithbaseline -u
userid -p password [-d debuglevel] [-m

email][-l logfile] { -device list | -view
name | -device list -view name |-ipaddress
list }{ -baseline baselinefile }[ -timeout
seconds] [-input argumentFile]
cwcli config delete -u userid -p
-device list -view name |-ipaddress list } {
-version version1 [version2] | -date date1
[date2] }
delete
Creates a job that compares the given Baseline

template with the latest version of the
configuration for a device. In case of
non-compliance, the non-compliant commands
are displayed.
Deletes the specified device configuration from
the archive. Use -date or -version argument to
specify configurations to delete.
If you specify two dates, all configurations
archived between those dates are deleted.
If you specify two versions, all configurations
between and including the versions are deleted.
deploycomplianceresult
s
export
cwcli config deploycomplianceresults
Creates a job that uses the previously executed

job to get the
non-compliance commands and create a job.
userid -p password [-d debuglevel] [-m

email][-l logfile] { -substitute datafile }
{-jobid jobID}[ -timeout
seconds][-primary_user primary user
name] [-primary_pass Base64 encoded
primary password] [-enable_pass Base64
encoded enable password]
comparewithbaseline
cwcli config export -u userid -p

-device displayName -view name |
-ipaddress list } [-f filename] [-version
number] [-xml] [-input argumentFile]
Retrieves a configuration version for a device

from the archive and writes it to a file. Exported
configurations are named devicename.cfg if -f
argument is not used.
-u
It replaces the parameters in the non-compliant

commands with the values from the data file.
The commands are then downloaded to ensure
compliance with the baseline configuration.
A-16
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Syntax
Notes
get
-u userid -p password Creates a job that fetches the configuration from

the device and stores it in the archive.
[-d debuglevel] [-m email] [-l
logfile][-timeout seconds] [-filetype
running|startup|runningstartup] { -device
list | -view name | -device list -view name
|-ipaddress list }
import
cwcli config import -u userid -p

logfile][-timeout seconds] { -device
displayName |-ipaddress address } [-f
filename] [-save [-reboot]][-input
argumentFile]
cwcli config get
Creates a job that retrieves the configuration

from a file and transfers it to the device.
The job is added to the device running
configuration. It then polls Configuration
Archive at periodic intervals to get the job results
and display it.
Specify -input to operate on more than one
device. You cannot specify wildcards or more
than one device.
listversions
cwcli config listversions -u userid -p

-device displayName -viewname |
-ipaddress list} -baseline
Lists the versions of the configuration archived

for a device on the main branch or the Baseline
templates applicable to a device.
put
userid -p password
[-d debuglevel] [-m email] [-l logfile] {
-device displayName |-ipaddress address
-version number}[-config 1|2][-save
[-reboot]] [-input
argumentFile][-timeout seconds]
[-filetype vlan|running][-primary_user
primary user name] [-primary_pass Base64
encoded primary password] [-enable_pass
Base64 encoded enable password]]
Creates a job that retrieves the configuration

from the configuration archive and pushes it to
the device.
cwcli config put -u
Specify -input to operate against more than one

device. You cannot specify wildcards or more
than one device.
You must specify a version.
reload
cwcli config reload -u userid -p

-device list -view name |-ipaddress list
}[-input argumentFile][-timeout
Creates a job that reboots devices. The

configuration loaded runs with the startup
configuration.
run2start
cwcli config run2start -u userid -p

logfile]{ -device list | -view name | -device
list -view name | -ipaddress list}[-config
1|2] [-input argumentFile][-timeout
Creates a job that overwrites the startup

configuration of device with running
configuration.
Specify multiple devices with -device argument
by separating each device name with comma or
with -input argument, which takes filename
containing the multiple devices as an argument.

OL-25941-01
A-17
Appendix A
CLI Utilities
CWCLI
Argument
Syntax
Notes
start2run
cwcli config start2run -u userid -p

-device list -view name | -ipaddress list }
[-config 1|2] [-input
argumentFile][-timeout seconds]
[-primary_user primary user name]
[-primary_pass Base64 encoded primary
password] [-enable_pass Base64 encoded
enable password]
Creates a job that merges the startup

configuration with running configuration.
cwcli config write2run -u userid -p

password [-d debuglevel][-m email][-l
logfile] { -device displayName |
-ipaddress address } -f filename [-config
1|2][-listonly][-input
argumentFile][-timeout
name][-primary_pass Base64 encoded
primary password][-enable_pass Base64
Creates a job that downloads the differences

between the specified file and the latest version in
the archive for the specified device.
cwcli config write2start -u userid -p

logfile] { -device displayName |-ipaddress
address -f filename} [-config 1|2][-input
argumentFile][-timeout
name][-primary_pass Base64 encoded
Creates a job that erases contents of device

startup configuration and writes contents of given
file as new startup configuration.
write2run
write2start
Specify multiple devices with -device argument

by separating each device name with comma or
with -input argument, which takes filename
containing the multiple devices as an argument.
If you specify -listonly, difference is displayed

but no changes are downloaded.
To run command on multiple devices, use -input
argument, which takes a filename as an argument.
You must specify a filename. To run a command

against multiple devices, use -input argument.
A-18
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Syntax
Notes
collectiondate
cwcli config collectiondate -u userid -p

logfile] [-filetype running|startup|vlan]
[-input argumentFile] { -device list -view
name |-ipaddress list }
Displays the last config collection date for the

devices.
You can specify a filename by using the -input
argument.
The input file should be of this format:
-device
1.1.1.1,2.2.2.2,3.3.3.3 -filetype vlan
or
-filetype
vlan -device 1.1.1.1,2.2.2.2,3.3.3.3
The -filetype should be either vlan, running or

startup.
If -filetype is not specified, then running will
be taken as the default filetype value.
The output contains device name, time of last
config collection, and the filetype separated by
comma.
accessdate
cwcli config accessdate -u userid -p

logfile] [-filetype running|startup|vlan]
[-input argumentFile] { -device list -view
name |-ipaddress list }
Displays the last config collection attempt date

for the devices.
You can specify a filename by using the -input
argument.
-device
1.1.1.1,2.2.2.2,3.3.3.3 -filetype vlan
or
-filetype
vlan -device 1.1.1.1,2.2.2.2,3.3.3.3
The -filetype should be either vlan, running or

startup.
If -filetype is not specified, then running will
be taken as the default filetype value.
The output contains device name, time of last
attempt, and the filetype separated by comma.

cwcli config Argument
Description
compare
Compares last two configurations in archive, specific configuration versions, or configuration

changes based on a specified date.
To run this command on multiple devices, specify -device argument or -input argument.
delete
Deletes configurations older than specified date or version from archive.

export
Retrieves latest configuration from archive and writes it to specified file.

To run this command on multiple devices, specify -input argument.

OL-25941-01
A-19
Appendix A
CLI Utilities
CWCLI
cwcli config Argument
Description
get
Pulls configuration from device to configuration archive if configuration is different from latest
archived configuration.
Imports configuration from specified file and pushes it to devices.
import

Pushes configuration files from the configuration archive to device based on version.
put

Reboots devices to reload running configuration with startup configuration.
reload
Overwrites startup configuration with running configuration.
run2start
Merges startup configuration with running configuration.
start2run
Downloads difference between latest running configuration for the device in configuration
archive with configuration in file specified by -f argument.
write2run

write2start
Erases the contents of the device's startup configuration and writes the contents of the given file
as the device's new startup configuration.
collectiondate
Displays the last config collection date for the devices.

accessdate
Displays the last config collection attempt date for the devices.

The following cwcli config command retrieves configurations for all devices in the LMS home_routers
domain and stores the configurations in Sybase:
cwcli config get -u adam -p max -view home_routers
where home_routers is a device view.

The following cwcli config command reads inputfile and, for each device listed, pushes the appropriate
configuration to that device:
cwcli config import -U adam -P max -input /tmp/inputfile
cwcli config Command Man Page

This man page is also accessible from the command line of a LMS server installed on a UNIX system.
To view the man page, add the path install_dir/CSCOpx/man to the MANPATH variable. Then you can
enter the command man cwcli config from any directory.
A-20
OL-25941-01
Appendix A
CLI Utilities
CWCLI
You can also access man pages for each cwcli config command by entering the command man
cwc-command, where command is the command name (for example, export).
The man pages for each subcommand are also available in this help system.
NAME
cwcli config
LMS command line interface for the device configuration archive
SYNOPSIS
cwcli config
command {-arg1 [arg1Value] -arg2 [arg2Value] -argN [argNValue]}
cwcli config -help
DESCRIPTION
is a LMS command line tool that allows you to access the configuration archive or
configurations on devices. You can use cwcli config to update, export, and import configurations on
devices and in the archive. You can also compare configurations and delete old configurations.
cwcli config
To get a list of supported commands, run the command

cwcli config -help
or
cwcli config?
Help on each command can be obtained in the following manner:

cwcli config
command -help
For example:
cwcli config export -help
Additionally, man pages are available on UNIX installations for individual commands. To view the man
page for any command, enter:
man cwc-command
For example:
man cwc-export

OL-25941-01
A-21
Appendix A
CLI Utilities
CWCLI
Arguments
Many of the arguments are common across all commands. These arguments can be broadly classified as
those that are expected by every command (function independent) and those that are specific to the
context of a command.
Mandatory Arguments
Function-independent Arguments
Function-dependant Arguments
Function-specific Arguments
Common Arguments
Command Arguments
Mandatory Arguments
You must use the following arguments with all commands.
-u
userid
Specifies the LMS username. You must define an environment variable cwcli CWCLIFILE with value set
to a filename, which will contain the corresponding password.
The file has to be maintained by you. You can control the access permissions of this file to prevent
un-authorized access. cwcli config looks for current working directory if cwcli CWCLIFILE is set to
only file name instead of full path.
If -u argument is used along with -p argument, the password is taken from the command line instead of
cwcli CWCLIFILE. This is not secure and usage of this argument is not recommended.
username password
Where username is the LMS user name given in command line. The delimiter between username and
password is single blank space. You must provide the delimiter if the password is blank
Otherwise, cwcli config will not validate the password. The password file can contain multiple entries
with different user names. The password of the first match is considered in case of duplicate entries.
Function-independent Arguments
You can use the following arguments without any commands:
-help
When run with the -help argument, cwcli config displays a list of all supported commands and a
one-line description of the command.
-v
When run with the -v argument, cwcli config displays cwcli config version information.
Function-dependant Arguments
You can use the following arguments only with commands:
-p
password
Specifies the password for the LMS username.
A-22
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Warning
SECURITY WARNING: If -p password is used, the password is read from the command line instead of
cwcli CWCLIFILE. This is highly insecure and *not* recommended. See -u argument for more details.
-d
debuglevel
Sets the debug level based on which debug information is printed. debuglevel is a numeric value between
1 and 5.
-f
filename
Specifies the name of the file to which the retrieved configuration is written. If not specified,
devicename.cfg is assumed.
-l
logfile
Logs the results of the cwcli config command to the specified log filename.
-m
mailbox
Mails the results of the cwcli config command to the specified email address.
Function-specific Arguments
You can use the following arguments only with specific commands:
-baseline
Used with the compareanddeploy, deploycomplianceresults, listversions,

or comparewithbaseline function, specifies the
name of the Baseline template that is compared with the latest configuration version of the device.
createdeployparamfile, directbaselinedeploy,
If there are commands in the baseline configuration file that are not compliant with the latest
configuration of the device in the archive, they are downloaded to the device.
Note
The Baseline template must not contain any parameters for the command to succeed.
-date
date1 date2
Used with the compare or delete command, specifies the configuration date(s) to compare or delete.
Use the format mm/dd/yyyy.
-device
name
Used with the export, import, or put function, specifies the name of the device. You can specify a
wildcard, %, in the device name to match any device(s) that have the same textual pattern.
-device
list
Used with the get, start2run, compare, compareanddeploy, comparewithbaseline,

deploycomplianceresults, listversions, put, run2start, start2run, write2run
or delete
commands
Specifies the list of device names separated by commas. You can specify a wildcard, %, in the device
list to match device(s) that have the same textual pattern.
- ipaddress list
Used with the get, start2run, compare, compareanddeploy, comparewithbaseline,
deploycomplianceresults, listversions, put, run2start, start2run, write2run
or delete
commands.

OL-25941-01
A-23
Appendix A
CLI Utilities
CWCLI
Specifies IP4 address as entered in the Device and Credential Repository. You can enter multiple IP
address with comma separated.
You cannot use this option with -device, -view, or -input. Also, you cannot specify wildcard characters.
-filetype
type
Used with the put function, specifies the type of the configuration (running/vlan) that should be written
to the device.
-f
filename
Used with the directbaselinedeploy, export, import, write2run or write2start function,

specifies the name of the file to which the configuration from archive should be exported to. Used with
the import function, specifies the name of the file that contains the configuration to import.
Note
argument must not be specified when -view or -device % is used. If used, the given file will be
overwritten with the configuration retrieved for other devices.
-f
-input
listfile
Used with the export, import, compareanddeploy, comparewithbaseline,

or put function, specifies the name of the file containing the arguments for
multiple devices.
deploycomplianceresults
The contents of the file must be similar to those described in the Input List File Format section later in
this man page.
-listonly
Used with the write2run function, lists the differences between the running configuration and the
specified configuration file.
-reboot
Used with the import or put function, reboots the device after the configuration has been written to the
device.
-save
Used with the import or put function, saves the configuration written to the device to the device's
memory.
-timeout
Used with the compareanddeploy, deploycomplianceresults, import, put, run2start,

or comparewithbaseline function, specifies the duration of the interval in
seconds between two successive polling cycles.
start2run, write2run
-version number
Used with the export function, specifies the configuration version to retrieve from the archive. Used
with the put function, specifies the configuration version to load from the archive and push to the device.
-version
version1 version2
Used with the compare, or delete function, specifies the configuration version(s) to compare or delete.
-view
name
Specifies the device view where the device name specified with -device argument is located. If -device
argument is not specified, performs the operation on all devices in the view. More details are described
in the -view Argument Usage section later in this man page.
-xml
Creates an XML file with the name of the device containing the configuration retrieved.
A-24
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Input List File Format

For commands that do not accept multiple device names on the command line, such as put, import, and
export, you can create an input list file that contains a list of devices to perform the operation on.
The contents of the input list file are a sequence of lines. Each line specifies a device name and the
arguments to apply to that device. The arguments must be specific to the function. You cannot include
view names in the input list file. You must specify view names on the command line. You can include
comments in the input list file by starting the each commented line with #.
Input List File Example:
For the command

cwcli config put -u
userid -p password -view myView -input ~/todo_list
An example of the input list file ~/todo_list is # Comment line.

-version 3 -reboot -device enm-2501.cisco.com
-version 2 -save -device enm-4500.cisco.com
-view Argument Usage

If both -device and -view are specified, the devices in that view and the devices specified against
-device are considered.
For example, assume that -view has two devices D1 and D2 and D3 is specified against -device, then
all the three devices D1, D2 and D3 are considered.
-view
Argument Usage Examples:
Search for a device in a specified view:

admin -p admin -view myView -device myDevice
cwcli config Subcommand Man Pages

Each cwcli config command has a man page. You can access these man pages from the command line
of a LMS server installed on a UNIX system.
To view the man pages, add the path:
install_dir/CSCOpx/man
to the MANPATH variable.
Then you can enter the command

command
man cwc-
where command is the command name. For example, export.

This topic contains the man pages for the following cwcli config subcommands:
compare
comparewithbaseline
compareanddeploy
delete
export
get

OL-25941-01
A-25
Appendix A
CLI Utilities
CWCLI
import
put
reload
run2start
start2run
write2run
write2start
listversions
collectiondate
accessdate
compare
Name
cwcli config compare
Syntax
cwcli config
CiscoWorks cwcli config compare function
compare -u userid -p password [-d debuglevel] [-m email] [-l logfile] { -device list |
name | -device list -view name | -ipaddress list } { -version version1 [version2] | -date date1
[date2] }
-view
cwcli config compare -help
Description
compare lists the differences between versions of a device configuration. You can specify the versions to
be compared by using the -version argument or the -date argument.
If you specify the -version argument with only one version number, that version is compared with
the latest archived configuration of the device.
If you specify the -date argument with only one date, the configuration version with that date is
compared with the latest archived configuration. When specifying a date, use the format
mm/dd/yyyy.
If you do not specify either a date or a version, the latest two archived configurations are compared.
You can specify multiple devices by separating each device name with a comma.
The output of the Compare function can be interpreted as follows:
Lines preceded by '+' sign signify those occurring only in the first version but not in the latter.
Lines preceded by '-' sign signify those occurring only in the latter version but not in the first.
Lines preceded by '<' and '>' connote those which are present in both files but differ from each
other.
A-26
OL-25941-01
Appendix A
CLI Utilities
CWCLI
compareanddeploy
Name
cwcli config compareanddeploy
CiscoWorks compare and download configuration with Baseline
template function.
Syntax
userid -p password [-d debuglevel] [-m email][-l logfile] {

list | -view name | -device list -view name |-ipaddress list }{ -baseline baselinefile }[
-timeout seconds] [-input argumentFile] [-primary_user primary user name] [-primary_pass Base64
encoded primary password] [-enable_pass Base64 encoded enable password]
cwcli config compareanddeploy -u
-device
cwcli config compareanddeploy -help
Description
compareanddeploy creates a job that compares the given Baseline template with the latest version of the
configuration for a device and downloads the configuration to the device if there is non-compliance.
If you specify -baseline argument, the name of the Baseline template is compared with the latest
configuration version of the device and later downloaded to the device if there are any commands in the
baseline config file which are not compliant with the latest configuration of the device in the archive.
The Baseline template must not have any parameters for the command to succeed.
comparewithbaseline
Name
cwcli config comparewithbaseline
- CiscoWorks compare configuration with Baseline template
function.
Syntax

list | -view name | -device list -view name |-ipaddress list }{ -baseline baselinefile }[
-timeout seconds] [-input argumentFile]
cwcli config comparewithbaseline -u
-device
cwcli config comparewithbaseline -help
Description
creates a job that compares the given Baseline template with the latest version of
the configuration for a device.
comparewithbaseline
If you use the -baseline argument, the name of the Baseline template is compared with the latest
configuration version of the device.
delete
Name
cwcli config delete
CiscoWorks cwcli config delete function
Syntax
userid -p password [-d debuglevel] [-m email] [-l logfile] { -device list |
name | -device list -view name | -ipaddress list } { -version version1 [version2] | -date date1
[date2] }
cwcli config delete -u
-view
cwcli config delete -help
Description
deletes the specified device configuration from the archive. You can use the -date argument or
the -version argument to specify which configurations to delete.
delete
If you specify two dates, all configurations archived between those two dates are deleted.
If you specify only one date, all configurations up to and including the configuration archived on
that date are deleted.
If you specify two versions, all configurations between and including the two versions are deleted.
If you specify only one version, the configuration corresponding to that version is deleted.

OL-25941-01
A-27
Appendix A
CLI Utilities
CWCLI
Name
cwcli config deploycomplianceresults
- CiscoWorks deploy command with baseline function.
Syntax
cwcli config deploycomplianceresults -u userid -p password [-d debuglevel] [-m email][-l logfile]
{ -substitute datafile } {-jobid jobID}[ -timeout seconds][-primary_user primary user name]
[-primary_pass Base64 encoded primary password] [-enable_pass Base64 encoded enable password]
cwcli config deploycomplianceresults -help
Description
deploycomplianceresults uses the previously run comparewithbaseline job to get the non-compliance
commands and creates a job after replacing the parameters if any in the non-compliance commands with
the values from the data file and then downloads those commands to ensure the compliance with the
baseline config.
If you specify the -baseline argument, the name of the Baseline template which will be compared with
the latest configuration version of the device.
export
Name
cwcli config export
CiscoWorks cwcli config's export function.
Syntax
userid -p password [-d debuglevel] [-m email] [-l logfile] { -device name |
name | -device name -view name |-ipaddress list } [-f filename] [-version number] [-xml]
[-input argumentFile]
-view
cwcli config export -help
Description
export
retrieves the configuration specified by the -version argument, for the device specified by
and/or -view argument, from the archive and writes it to the file specified by the -f argument.
-device
If you do not specify a version number, the latest configuration of the device from the archive is
retrieved.
If you do not specify a file name, a file named devicename.cfg is created. To run this command
against multiple devices, you must specify the -input argument, which takes a file name as an
argument. The contents of the file must be similar to those described in the Input List File Format
section of the cwcli config man page.
get
Name
cwcli config get
CiscoWorks cwcli config get function
Syntax
cwcli config get -u userid -p password [-d debuglevel] [-m email] [-l logfile] -filetype
running|startup|runningstartup -device list | -view name | -device list -view name | -ipaddress list }
cwcli config get -help
Description
retrieves the running configuration from the device(s), specified by the -device and/or -view
argument, and pushes it to the configuration archive if the running configuration is different than the
latest version in the archive.
get
For devices that support vlan configuration like CatIOS devices, the vlan configuration is also fetched
and archived along with running-configuration.
However, if a new version of the running configuration is not archived, the vlan configuration fetched,
overwrites the previously archived vlan configuration for the latest version of running configuration in
the archive. You can run the get function against multiple devices by separating each device name with
a comma.
A-28
OL-25941-01
Appendix A
CLI Utilities
CWCLI
import
Name
cwcli config import
Syntax
cwcli config import -u

-device
CiscoWorks cwcli config import function
userid -p password [-d debuglevel] [-m email] [-l logfile][-timeout time] {

name |-ipaddress address} [-f filename] [-save [-reboot]][-input argumentFile ]
cwcli config import -help
Description
retrieves the configuration from a file specified by the -f argument, and pushes it to the device
specified by the -device and/or the -view argument, adding to the device's running configuration.
import
If you do not specify a file name, a file named device name.cfg is used. You can specify the -save
and -reboot arguments, which operate the same as for the put argument.
To run the import argument against more than one device, you must specify the -input argument, which
takes a file name as an argument. The contents of the file must be similar to those described in the Input
List File Format section of cwcli config(1).
The configuration archive might be updated after you specify the import argument if the loaded
configuration is different from the latest configuration in the archive.
put
Name
cwcli config put
CiscoWorks cwcli config put function
Syntax
cwcli config put -u userid -p password [-d debuglevel] [-m email] [-l logfile] { -device name
|-ipaddress address -version number}[-config 1|2][-save [-reboot]] [-input
argumentFile][-timeout seconds] [-filetype vlan|running][-primary_user primary user name]
[-primary_pass Base64 encoded primary password] [-enable_pass Base64 encoded enable password]]
cwcli config put -help
Description
put retrieves the configuration specified by -version from the configuration archive and pushes it to the
device specified by the -device and/or -view argument
The -filetype can be used to specify the type of configuration viz running/vlan configuration. By
default, the running configuration is considered
In case of running configuration, the archived running configuration is merged with the running
configuration on the device unless you specify -save, in which case, the archived configuration is
also written to the device's memory.
In case of vlan configuration, the archived vlan configuration overwrites that on the device. The vlan
configuration will not come into effect until the device is rebooted. You can specify -reboot to
reboot the device after the configuration (running/vlan) is pushed to the device.
To run the put command on more than one device at a time, you must use the -input argument, which
takes a file name as an argument. The contents of the file must be similar to those described in the Input
List File Format section of cwcli config(1).

OL-25941-01
A-29
Appendix A
CLI Utilities
CWCLI
reload
Name
cwcli config reload
CiscoWorks cwcli config reload function
Syntax
cwcli config reload -u userid -p password [-d debuglevel] [-m email][-l logfile] { -device list | -view
name | -device list -view name|-ipaddress list }[-input argumentFile][-timeout
seconds][-primary_user primary user name] [-primary_pass Base64 encoded primary password]
[-enable_pass Base64 encoded enable password]
cwcli config reload -help
Description
reboots the device(s), specified by the -device and/or -view argument, resulting in the running
configuration being loaded with its startup configuration. You can specify multiple devices with the
-device argument by separating each device name with a comma.
reload
run2start
Name
cwcli config run2start
Syntax
cwcli config run2start -u
CiscoWorks cwcli config run2start function

userid -p password [-d debuglevel] [-m email][-l logfile]{ -device list |
-view name | -device list -view name | -ipaddress list}[-config 1|2] [-input argumentFile][-timeout
seconds][-primary_user primary user name] [-primary_pass Base64 encoded primary password]

cwcli config run2start -help
Description
run2start overwrites the startup configuration of any device(s), specified by the -device and/or -view
argument, with its running configuration. You can specify multiple devices with the -device argument
by separating each device name with a comma or with the -input argument, which takes a file name as
an argument.
The contents of the file must be similar to those described in the Input List File Format section of cwcli
config(1).
start2run
Name
cwcli config start2run
Syntax
cwcli config start2run -u
CiscoWorks cwcli config start2run function

userid -p password [-d debuglevel] [-m email][-l logfile] { -device list |
-view name | -device list -view name |-ipaddress list } [-config 1|2] [-input argumentFile][-timeout
seconds] [-primary_user primary user name] [-primary_pass Base64 encoded primary password]
cwcli config start2run -help
Description
start2run merges the running configuration of any device(s), specified by the -device and/or -view
arguments, with its startup configuration to give a new running configuration. You can specify multiple
devices with the start2run argument by separating each device name with a comma or with the -input
argument, which takes a file name as an argument.
config(1).
A-30
OL-25941-01
Appendix A
CLI Utilities
CWCLI
write2run
Name
cwcli config write2run
CiscoWorks cwcli config write2run function
Syntax
cwcli config write2run -u userid -p password [-d debuglevel][-m email][-l logfile] { -device name
| -ipaddress address} -f filename [-config 1|2][-listonly][-input argumentFile][-timeout
seconds][-primary_user primary user name][-primary_pass Base64 encoded primary
password][-enable_pass Base64 encoded enable password]
cwcli config write2run -help
Description
compares the latest running configuration for the device in the configuration archive with the
configuration in the file specified by the -f argument to generate a new configuration that is downloaded
to the device, so that the end result is that the configuration specified in the file is available on the running
write2run
If -listonly is specified, the difference between the latest running configuration for the device in the
configuration archive and the new configuration that is generated is listed on the display, but no
configuration is downloaded to the device.
To run this command against multiple devices, specify the -input argument, which takes a file name as
an argument.
config(1).
CAVEAT
This command is not 100% reliable in that it may not successfully overwrite the running configuration.
This is due to the dependency on the underlying Diff API, which generates the configuration difference
to be downloaded to the device to make the running configuration on the device same as the one specified
in the file (by the -f argument).
write2start
Name
cwcli config write2start
Syntax
cwcli config write2start -u
CiscoWorks cwcli config write2start function
userid -p password [-d debuglevel] [-m email][-l logfile] { -device

name -f filename |-ipaddress address} [-config 1|2][-input argumentFile][-timeout
seconds][-primary_user primary user name][-primary_pass Base64 encoded primary password]
cwcli config write2start -help
Description
erases the contents of the device's startup configuration and then writes the contents of the
given file as the device's new startup configuration. If you do not specify a file name, it prints an error
message and exits.
write2start
To run this command against multiple devices, you must specify the -input argument, which takes a file
name as its argument.
config(1).

OL-25941-01
A-31
Appendix A
CLI Utilities
CWCLI
listversions
Name
cwcli config listversions
CiscoWorks cwcli config listversions function
Syntax
cwcli config listversions -u userid -p password [-d debuglevel] [-m email][-l logfile]{ -device name
| -view name | -device name -view name | -ipaddress list} [-baseline][-input argumentFile]
cwcli config listversions -help
Description
Listversions (specified by "listversions") lists the different versions of configuration files archived in the
archival system. If you use the -baseline argument, only the names of the Baseline templates are displayed.
You can choose a template and use it inline with the comparewithbaseline and compareanddeploy
commands.
Name
cwcli config createdeployparamfile - CiscoWorks cwcli config createdeployparamfile
Syntax
cwcli config createdeployparamfile -u
function.
userid -p password [-d debuglevel] [-m email][-l

logfile][-jobid comparewithbaseline jobid] [ -baseline baselinefile ] [-f parameterfile]
cwcli config createdeployparamfile -help
Description
creates a parameter file if the Baseline template containing the parameters is

specified. You can use the -jobid argument to specify the job identifier of the previously executed
comparewithbaseline job. You can choose a template with the -baseline argument and specify the
name of the Baseline template for which the parameter file has to be created.
Name
cwcli config directbaselinedeploy
- CiscoWorks cwcli config directbaselinedeploy function
Syntax

baselinefile } {-substitute parameterfile}[ -timeout seconds] [-primary_user primary
user name] [-primary_pass Base64 encoded primary password] [-enable_pass Base64 encoded enable
password]
cwcli config directbaselinedeploy -u
-baseline
cwcli config directbaselinedeploy -help
Description
creates a job that downloads the given Baseline template after retrieving the
values of the parameters in the template from the given parameter file. You can use the -timeout
argument to specify the duration of the interval in seconds between the two successive polling cycles.
You can use the -baseline to specify the name of the Baseline template which will be compared with
the latest configuration version of the device and later downloaded to the device if there are any
commands in the baseline config file which are not compliant with the latest configuration of the device
in the archive. You can use the -substitute to substitute the values from the XML parameter file for the
parameters specified in the template.
A-32
OL-25941-01
Appendix A
CLI Utilities
CWCLI
collectiondate
- CiscoWorks cwcli config collectiondate function
Name
cwcli config collectiondate
Syntax
cwcli config collectiondate -u userid -p password [-d debuglevel] [-m email] [-l logfile] [-filetype
running|startup|vlan] [-input argumentFile] { -device list -view name |-ipaddress list }
cwcli config collectiondate -help
Description
collectiondate
displays the last config collection date for the devices.
The output contains device name, time of last config collection, and the filetype separated by comma.
accessdate
Name
cwcli config accessdate
- CiscoWorks cwcli config accessdate function
Syntax
cwcli config accessdate -u
userid -p password [-d debuglevel] [-m email] [-l logfile] [-filetype

running|startup|vlan] [-input argumentFile] { -device list -view name |-ipaddress list }
cwcli config accessdate -help
Description
accessdate
displays the last config collection attempt date for the devices.
The output contains device name, time of last attempt, and the filetype separated by comma.
Overview: cwcli netconfig Command

The cwcli netconfig command lets you use NetConfig from the command line.
This section contains cwcli netconfig Remote Access.
Caution
The cwcli netconfig command does not validate the command arguments you use or the configuration
commands that you run using it. If you enter incorrect commands you can misconfigure or disable the
devices on which the job runs.
Running the cwcli netconfig Command
To use the cwcli netconfig command, you must be able to run the cwcli command, and you must have
permissions to use the Adhoc system-defined task. For more details see topic in the section.
The command syntax is:
cwcli netconfig
Sub_command Common_arguments Command_arguments
The subcommands and arguments are described in the following sections:
Subcommands (see Subcommands)
Common Arguments (see Common Arguments)
Command Arguments (see Command Arguments)

OL-25941-01
A-33
Appendix A
CLI Utilities
CWCLI
Subcommands
Subcommands specify the action the command performs. Valid values for the subcommands are:
Sub Command
Description
createjob
Creates job.
deletejob
Deletes jobs.
canceljob
Cancels jobs.
jobdetails
Lists job details.
jobresults
Lists job results.
listjobs
Lists jobs.
import
Imports user-defined tasks in XML format.
export
Exports user-defined tasks in XML format.
listtasks
Lists the NetConfig user-defined tasks.
Common Arguments
Common arguments specify parameters that apply to all subcommands. Valid values for
common_arguments are:
Command Argument
Description
Usage Notes
-u
user
Enter valid CiscoWorks username.
None
-p
password
Enter password for username.
None
You can also specify the password in a file. See

Setting CWCLIFILE Environment Variable for
more details.
Command Arguments
Command arguments specify parameters that apply only to specific subcommands.

The conventions followed are:
Arguments in [ ] are optional. For optional arguments, if you do not specify a value the default value
that has been set by the administrator using the NetConfig UI, will become applicable.
Arguments in { } denote that you must provide one argument from each group of arguments in curly
braces ({}) that is separated by vertical bars (|).
Arguments suffixed with + denote that you can enter multiple values separated with spaces.
Values that contain spaces need to be entered within . For example, the job description that you
provide when you use a the createjob command should be entered within .
Valid values for command_arguments are described in the following table:
A-34
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Sub Command
Command Argument
{-device
comma_separated_device_na
Allows you to
mes | -devicefile
create a NetConfig
devicelist_filename | -view
job.
device_view_name}
createjob
Description
Usage Notes
Defines devices to be configured.
Jobs can run only one device

category (IOS, Catalyst, Content
Engine (CE), or Content Service
Switch (CSS)). Do not enter
devices of multiple categories.
comma_separated_device_names
is list of device names.
devicelist_filename is path to
device list file. Can be full
pathname or filename in the local
directory.
The devicelist file should be of this
format:
-device
1.1.1.1,2.2.2.2,3.3.3.3
or
-device
1.1.1.1
-device
2.2.2.2
-device
3.3.3.3
device_view_name is name of the

device view.
{[{-commandfile
commandlist_filename
Defines configuration commands

to be used.
-mode {config | enable}}
You can specify the command file

path, the command mode, the
rollback file and the name of the
user-defined task.
[-rollbackfile
rollback_cmdlist_filename]]
[-taskname : "User defined
task name"]}
commandlist_filename is path to
command file. Can be a full
pathname or filename in local
directory.
specifies the command

mode.{config | enable} are the
Specify the user-defined task name command mode arguments. By
default, -mode value is set to
within quotes.
config.
-mode
This is not valid for jobs that

configure Catalyst devices. For
jobs on IOS, CE, or CSS devices,
config is default.
rollback_cmdlist_filename defines
the rollback configuration
commands for the job.
It can be a full pathname to the file
or a filename in the local directory.
User defined task name is the name
that you specify for the
user-defined task.
{-description :
"job_description "}
Enter the description for the job

you are creating.
"job_description" is the
description you specify, for the job
that you are creating. Enter this
value within quotes.

OL-25941-01
A-35
Appendix A
CLI Utilities
CWCLI
Sub Command
Command Argument
Description
[{-schedule :
MM/dd/yyyy:HH:mm:ss
-schedule
-schedule_type: once|
weekly| monthly|
lastDayOfMonth}]
Usage Notes
MM is month (01 to 12). DD is day

of month (01 to 31). YYYY is year
If you have enabled Job Approval, (Example: 2004).
and later if you create the job
HH is hours, mm is minutes, and ss
without using the -schedule
is seconds in 24-hour time.
argument, the job will
If you do not specify the schedule
automatically be scheduled to run type, the job will be an immediate
after 5 minutes of the job creation job.
time.
defines time and date
job will run.
You should approve this job within

5 minutes of creating the job.
If you want to schedule the job to
run at any other time, use the
-schedule argument.
If not specified, job will run
immediately.
-schedule_type
defines the type
of job schedule.
[ -policyfile
policy_filename ]
Defines job policies using a job

policy file.
You can specify job policies using
combination of -policyfile
argument and other optional
arguments,
policy_filename is path to job

policy file. Can be a full pathname
or filename in local directory.
However, you can specify each

argument only once in command.
[-makercomments : maker
comments ]
Comments from the job creator, to Enter your comments within

the job approvers, if job approval is quotes.
enabled for the job.
[-mkemail : maker email id ]
E-mail ID of the job creator, for

approval notifications, if approval
is enabled for the job.
None
[-execution:
Configures the job execution

property, whether the jobs should
be run sequentially or in parallel.
None.
Select to cause the configuration

job to write the running
configuration to the startup
configuration on each device after
configuration changes are made
successfully.
None.
Sequential|Parallel
[-startup ]: Copy running

config to startup policy
A-36
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Sub Command
Command Argument
Description
Usage Notes
[-version] : Fail on
Select to cause the job to be
mismatch of Config Versions. considered a failure when the most
recent configuration version in the
Configuration Archive is not the
same as the configuration that was
running when you created the job.
-sync
[-email : Job Notification

email ids ]
Specify the email addresses to

which the configuration job will
send status notices.
Separate multiple addresses with

commas.
[-sync ] : Synch
configuration archive before
deploy
Select to cause the job to archive

the running configuration before
making configuration changes.
None.
[-failure: Stop on
Select what the job should do if it

fails to run on a device.
Ensure that you place your selected

value within quotes.
Primary username for connecting

to the device.
Enter the primary password within

quotes.
failure | Ignore
argument should be
provided if this policy is selected.
This argument causes the job to
archive the running configuration
before making configuration
changes.
failure and continue |

Rollback device and
stop | Rollback device
and continue | Rollback
job on failure]
[{-primary_user : Primary
User name -primary_pass :
Primary password }]
Primary password for connecting

to the device.
[ -enable_pass : Execution Password for running commands in Enter the execution mode
mode Password}]
the execution mode, on the device. password within quotes.
deletejob
-id job_id+
This subcommand
allows you to
delete one or more
NetConfig jobs.
canceljob
You can specify multiple job IDs

separated by spaces or commas.
-id job_id
This subcommand
allows you to
cancel a NetConfig
job from the
command line.
jobdetails
Allows you to view
details of one or
more NetConfig
jobs from the
command line.
job_id+ specifies the ID of the job

on which to act.
[ -id job_id+ ]
job_id specifies ID of job on which

to act.
Specifies ID of job on which to act. You can specify multiple job ID


OL-25941-01
A-37
Appendix A
CLI Utilities
CWCLI
Sub Command
Command Argument
Description
jobresults
[ -id job_id+ ]
Specifies ID of job on which to act. You can specify multiple job ID

Allows you to view

[ -details ]
results of one or
more NetConfig
jobs from the
command line.
[ -status {A(ll) |
listjobs
Specifies full details of job results Not specifying details will display
to be displayed.
only the summary of job execution
result.
Specifies status of jobs to list.
R(unning) | C(ompleted) |
Allows you to list

all NetConfig jobs P(ending)} ]
from the command
line.
import
Allows you to
import user
defined task in xml
format to to
netconfig from the
command line.
{-taskfile User-defined
task file }
Usage Notes
If status is not specified, all

registered jobs are listed.
User-defined task filename in

XML format.
{ -task+ User-defined task

name }
Allows you to
export one or more {-dest file export location }
user defined tasks
created in
netconfig to xml
files from the
command line.
Name of the user-defined task to be You can specify multiple tasks

exported.
listtask
Lists the NetConfig user-defined

tasks.
export
Path of the destination location to

which the exported user-defined
task file is to be copied.
Command Examples
Example 1
The command
cwcli netconfig createjob -u username -p password -devicefile devicefile -commandfile
command.file -failure Ignore failure and Continue -startup
creates a NetConfig job with the following characteristics:
Devices mentioned in devicefile will be configured.
Commands in file command.file will run.
Job will continue if it fails to successfully configure a device.
Each device's running configuration will be copied to startup as soon as the device is successfully
configured.
Job will run immediately because the -schedule argument is not specified.
A-38
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Example 2
The command
cwcli netconfig createjob -u username -p password -devicefile devicefile -commandfile
command.file -policyfile policyfile
creates a NetConfig job with the following characteristics:
Devices listed in the file devicefile will be configured.
Commands in the file command.file will run.
The file policyfile contains job policy arguments that determine the job policy.
Understanding cwcli netconfig Input Files

Several types of text files are available for you to use as input for the cwcli netconfig command and
the -createjob subcommand. You can also use the command list type as input for user-defined tasks.
File Type
Description
Usage Notes
Device list
Lists devices on which job will run. It

lists one device on each line.
Use with -devicefile argument.

Job can run only one device category (IOS, or Catalyst). Do
not list devices of multiple categories.
Command list
Lists configuration commands that job

will run; one command per line.
Use with -commandfile argument, or to add commands to a

user-defined task.
Job policy
Lists of job policy arguments; one

argument per line.
Use with -policyfile argument.
Examples
Device List File
-device device_display_name1
Command List File

command1
command2
command3
command4
Job Policy File

This file configures the job to stop running if the job fails on a device, to write the running configuration
to startup after configuration changes are made.
-failure Stop on Failure
-sync

OL-25941-01
A-39
Appendix A
CLI Utilities
CWCLI
cwcli netconfig Man Page Examples

On UNIX, you can view the complete man pages by setting the MANPATH to /opt/CSCOpx/man
The following are some examples from the NetConfig man page:
Examples
Device List File Example

For the command
cwcli netconfig createjob -u
userid -p password -devicefile c7000.dev -commandfile
command.file
-description
"cwcli netconfig job" -mode config
An example of the device list file c7000.dev is

enm-7000-1.cisco.com
Command List File Example
For the command

cwcli netconfig createjob -u
userid -p password -devicelist c7000-1,c7000-2 -commandfile
command.file
-description
An example of the command file command.file is

snmp-server community public ro
snmp-server community private rw
Policy File Example
For the command

cwcli netconfig createjob -u userid -p password -devicefile c7000.dev -commandfile
command.file -policyfile policy.in
-description
An example of the policy file policy.in is

-failure
"Stop on failure"
-sync
-execution Parallel
User-defined Task XML file Example

<?xml version="1.0" encoding="UTF-8"?>
<Task name="SampleTASK">
<Template mode="1" name="iproute" parameterized="false">
<Commands>
<cli>ip route 0.0.0.1 0.0.0.0 Ethernet0/0</cli>
A-40
OL-25941-01
Appendix A
CLI Utilities
CWCLI

</Commands>
<RollbackCommands>
<cli>no ip route 0.0.0.4 0.0.0.0 Ethernet0/0</cli>
<cli>no ip route 0.0.0.5 0.0.0.0 Ethernet0/0</cli>
</RollbackCommands>
<MDFIds>268438030,273153536,272819655</MDFIds>
</Template>
</Task>
cwcli netconfig Remote Access

You can also perform the cwcli netconfig tasks using the servlet. You will have to upload a payload
XML file, which contains the cwcli netconfig command arguments and LMS user credentials.
You have to write your own script to invoke the servlet with a payload of this XML file and the servlet
returns the output either on the console or in the specified output file, if the credentials are correct and
arguments are valid.
For post request,
perl
samplepost.pl http://lms-server:lms-port/rme/cwcli payload_XML_file
The default port for LMS server in HTTP mode is 1741.

If you have enabled SSL on LMS server, you can also use https protocol for secured connection.
perl
samplepost.pl https://lms-server:lms-port/rme/cwcli payload_XML_file
The default port for LMS server in HTTPS mode is 443.

The schema for creating the payload file in XML format is:
<payload>
<command>
cwcli inventory commandname -u user -p BAse64 encoded pwd -args1 arg1value...
</command>
</payload>
To invoke the servlet using a script, see the Overview: cwcli invreport Command.
For get request,
http://<rme-server>:<rme-port>/rme/cwcli?command=cwcli netconfig
commandname -u user -p
BAse64 encoded pwd -args1 arg1value...

https://lms-server:lms-port/rme/cwcli?command=cwcli netconfig

OL-25941-01
A-41
Appendix A
CLI Utilities
CWCLI

The BAse64 encoded for admin is YWRtaW4=.
The URL encode for,
Double quotes () is %22
Percentage sign (%) is %25
Overview: cwcli export Command

is a command line tool that also provides servlet access to inventory, configuration and
change audit data.
cwcli export
This can be used for generating inventory, configuration archive, and change audit data for devices in
LMS.
Note
Using the cwcli export Command
Running cwcli export changeaudit
Running cwcli export config
Running cwcli export inventory Command
XML Schema for cwcli export inventory Data
You cannot run this command for the devices that are in Conflicting or Suspended state.
This tool supports the following features:
Generating change audit data in XML format

The tool uses the existing Change Audit log data and generates the Change Audit log data in XML
format.
See Running cwcli export changeaudit for the usage and XML schema details
Generating configuration data in XML format

The tool uses existing configuration archive APIs and generates latest configuration data from the
configuration archive in XML format.
Elements in the XML file are created at the configlet level in the current configuration archive.
Predefined rules that currently exist in the configuration archive are used to get the configlets data.
See Running cwcli export config for the usage and XML schema details
Generating inventory data in XML format

The tool has servlet access and command line utilities that can generate inventory data for devices
managed by the LMS server.
See Running cwcli export inventory Command for the usage and XML schema details
A-42
OL-25941-01
Appendix A
CLI Utilities
CWCLI
The cwcli export command is located in the following directories, where install_dir is the directory
in which LMS is installed:
On UNIX systems, /opt/CSCOpx/bin
On Windows systems, install_dir\CSCOpx\bin

If you install LMS on an NTFS partition on Windows, only users in the administrator or casuser group
can access cwcli export. Users with read-write access to the CSCOpx\files\archive directory and the
directories under that can also use cwcli export.
You can also perform the cwcli export tasks using the servlet. You will have to upload a payload XML
file, which contains the cwcli export command arguments and LMS user credentials.
For post request,
perl

perl

<payload>
<command>
</command>
</payload>
For get request,
http://lms-server:lms-port/rme/cwcli?command=cwcli export commandname -u user -p BAse64

https://lms-server:lms-port/rme/cwcli?command=cwcli export commandname -u user -p BAse64

The URL encode for,
Double quotes () is %22 and Percentage sign (%) is %25

OL-25941-01
A-43
Appendix A
CLI Utilities
CWCLI
Using the cwcli export Command

The command line syntax of the application is in the following format:
cwcli export
command GlobalArguments AppSpecificArguments
cwcli export is the CiscoWorks command line interface for exporting

inventory/config/changeaudit details into XML format.
Command specifies which core operation is to be performed.
GlobalArguments are the additional parameters required for each core command.
AppSpecificArguments are the optional parameters, which modify the behavior of the specific cwcli
export core command.
The order of the arguments and arguments are not important. However, you must enter the core
command immediately after cwcli export.
The following sections describe:
The cwcli export commands (See cwcli export Commands)
The mandatory and optional arguments (See cwcli export Global Arguments)
The default archiving location (See Archiving cwcli export Data in XML File)
On UNIX, you can view the cwcli export man pages by setting the MANPATH to /opt/CSCOpx/man.
The commands to launch the cwcli export man pages are:
man cwcli-exportTo
launch the cwcli export command man page.
man export-changeauditTo
man export-configTo
man export-inventoryTo
launch the cwcli export changeaudit command man page.
launch the cwcli export config command man page.

launch the cwcli export inventory command man page.
cwcli export Commands

The following table lists the command part of the cwcli export syntax.
Command
Description
cwcli export changeaudit
Generates Change Audit log data in XML format.
cwcli export config
Generates configlets in XML format
cwcli export inventory
Generates Inventory data in XML format.
You must invoke the cwcli export command with one of the core commands specified in the above
table. If no core command is specified, cwcli export can execute the -v or -h. arguments only.
Argument -v specifies the version of the cwcli export utility and argument -h (or null argument)
displays the usage information of this tool.
A-44
OL-25941-01
Appendix A
CLI Utilities
CWCLI
cwcli export Global Arguments

The following describes the mandatory and optional global arguments for cwcli export:
Global Arguments
-u
userid
Description
Mandatory
Specifies the LMS username.
-p
password
Mandatory
Specifies the password for the LMS username.
If you want to avoid the -p argument which will reveal the password in clear text in cli, you will
have to store your username and password in a file and set a variable cwcli CWCLIFILE which
points to the file.
You will have to maintain this file and control access permissions to prevent unauthorized access.
looks for current working directory if cwcli CWCLIFILEis set only to file name
instead of full path.
cwcli export
If you use the -p argument, even after setting the cwcli CWCLIFILE variable the password is taken
from the command line instead of cwcli CWCLIFILE. This is not secure and usage of this argument
is not recommended.
username password
where username is the LMS user name given in the command line.The delimiter between the
username and password is single blank space.
You must enter the delimiter if the password is blank. Otherwise, cwcli export will fail to validate
the password.The password file can contain multiple entries with different user names. The
password that matches first is considered in case of duplicate entries.
Note
If -p password is used, the password is read from the command line instead of cwcli
This is highly insecure and therefore not recommended.
CWCLIFILE.

{ -device devicename |
viewname|
-input inputfilename |
-view
-ipaddress
mgmt-ip-address }
Mandatory
-device
devicename
Specifies the device name of the device that you have added in the Device and Credentials database
(Inventory > Device Administration > Add / Import / Manage Devices). You can enter multiple
device name separated by a comma. You can use either wildcard or specific device(s) but not at the
same time.
The argument syntax used for -device argument may be a single device or a device list. Devices
in a list are separated by a ','. The wild card symbol '%' may be used to specify a group of devices
having a pattern.
For example if a pattern x% is specified as a device in the list, then all the LMS devices that have
names that start with x will be selected for this operation.

OL-25941-01
A-45
Appendix A
CLI Utilities
CWCLI
Global Arguments
Description
-view viewname |
Mandatory
-ipaddress
mgmt-ip-address}
-view
viewname
If the data needs to be generated for all the devices in a specific group, you can use the -view
argument. You can use this argument to generate data for devices in all device views including
system-defined groups and user-defined groups.
You can enter multiple group name separated using a comma.
For view name, you have to enter the fully qualified path as in the Group Administration window.
To separate the path you must use forward slash only.
For example, -view /RME@ciscoworks_servername/All Devices
viewname
-view
-ipaddress
mgmt-ip-address}
Mandatory
-input
inputfilename
You can create an input list file that contains a list of devices to perform the operation on. The
contents of the input list file are a sequence of lines. Each line specifies a device name as entered
in the Device and Credential Repository.
The arguments must be specific to the function. You cannot include group names in the input list
file. You can include comments in the input list file by starting each commented line with #.
-device
1.1.1.1,2.2.2.2,3.3.3.3
or
viewname
-view
-ipaddress
mgmt-ip-address}
-device
1.1.1.1
-device
2.2.2.2
-device
3.3.3.3
Mandatory
-ipaddress
mgmt-ip-address
Specify the device IP4 address as entered in the Device and Credential Repository. You can enter
multiple IP address with comma separated.
You cannot use this option with -device, -view, or -input. Also, you cannot specify wildcard
characters.
-d
debuglevel
Optional
debug_level is a number between 1 (the least information is sent to the debug output) and 5 (the
most information is sent to the debug output). If you do not specify this argument, 4(INFO) is the
default debug level.
-l
logfile
Optional
Logs the results of the cwcli export command to the specified log file name. By default the
command output will be displayed on the standard out.
A-46
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Global Arguments
-m
mailid
Description
Optional
Mails the results of the cwcli export command to the specified email address. This argument
notifies you whether the task is completed. Only one mail id can be given at a time.
-f
filename
This is applicable only for changeaudit and inventory applications.

Optional
Specifies the name of the file to which the changeaudit and inventory information is to be exported
on LMS server.
If you are using cwcli remotely (get or post request), by default the output file is available at this
location on LMS server:
On Windows:
NMSROOT\MDC\tomcat
NMSROOT/objects/dmgt
Archiving cwcli export Data in XML File

By default, the data generated through cwcli export command is archived at the location:
cwcli export Command
Location on LMS Server
changeaudit

/var/adm/CSCOpx/files/rme/archive/YYYY-MM-DD-HH-MM-SS
-changeaudit.xml
On Windows: NMSROOT\files\rme\archive\YYYY-MM-DD-HH-MM-SS
-changeaudit.xml
config

/var/adm/CSCOpx/files/rme/cwconfig/YYYY-MM-DD-HH-MM-SS-MSMS
MS-Device_Display_Name.xml
On Windows:
NMSROOT\files\rme\cwconfig\YYYY-MM-DD-HH-MM-SS-MSMSMS
-Device_Display_Name.xml
inventory

/var/adm/CSCOpx/files/rme/archive/YYYY-MM-DD-HH-MM-SS-inventory.
xml
On Windows: NMSROOT\files\rme\archive\YYYY-MM-DD-HH-MM-SSinventory.xml

You can also specify a directory to store the output. This application does not have a feature to delete
the files created in the archive. You should delete the files when necessary.
While generating data through the servlet, the output will be displayed in the client terminal.

OL-25941-01
A-47
Appendix A
CLI Utilities
CWCLI
Running cwcli export changeaudit

Using this command you can export the Change Audit log data in the XML format.
The command syntax for cwcli export changeaudit is:
cwcli export changeaudit {-u
username -p password -device devicenames}
[- ipaddress mgmt-ip-address]
[-f filename]
[-from mm/dd/yyyy] ---> eg: 05/01/2004
[-to mm/dd/yyyy] ---> eg: 05/06/2004
[-app comma separated list of applications]
[-cat comma separated list of categories]
Arguments in square brackets ([]) are optional; arguments in curly braces ({}) are required. You must
provide one argument from each group of arguments in curly braces ({}) that is separated by vertical
bars (|).
If you enter an argument which has space then use double quotes for that argument. For example for
Software Management, you enter this as Software Management.
The following table describes the arguments that are specific to cwcli export changeaudit command.
The other common arguments used by cwcli export are explained in Using the cwcli export Command.
Arguments
Description
[-from mm/dd/yyyy]
Optional.
Enter the from date.
If you enter only -from date then the report will be generated from the date that you
have specified, to the current date.
[-to mm/dd/yyyy]
Optional.
Enter the from date.
If you enter only -to date then the report will be generated from the date LMS has
logged Change Audit record to the -to date that you have specified.
A-48
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Arguments
Description
[-app comma separated list of

applications]
Specify the application name. The supported applications are:
Archive Mgmt
ConfigEditor
CwConfig
ICServer
NetConfig
Software Management
If you do not specify the -app argument, then changes made by all applications is
reported.
[-cat comma separated list of
categories]
Specify the category name. The supported categories are:
CONFIG_CHANGEConfiguration changes on the device.
INVENTORY_CHANGEHardware changes on the device.
SOFTWARE_CHANGESoftware changes on the device.
If you do not specify the -cat argument, then changes made by all categories is
reported.
Note
If you do not enter -from and -to arguments, all the Change Audit records logged till the current date
will be displayed.
The following sections describes:
XML Schema for cwcli export changeaudit
XML Schema for Configuration Management Application
XML Schema for Software Management
Usage Examples for cwcli export changeaudit Command
XML Schema for cwcli export changeaudit

The following is the schema used for exporting the change audit data in XML format.
<?xml version = "1.0" encoding = "UTF-8"?>

<xsd:schema xmlns:xsd = "http://www.w3.org/2000/10/XMLSchema">
<xsd:element name = "changeRecord">
<xsd:complexType>
<xsd:sequence>
<xsd:element ref = "groupId"/>
<xsd:element ref = "category"/>
<xsd:element ref = "host"/>
<xsd:element ref = "user"/>
<xsd:element ref = "device"/>
<xsd:element ref = "connectionMode"/>
<xsd:element ref = "timestamp"/>
<xsd:element ref = "description"/>
</xsd:sequence>
<xsd:attribute name = "id" use = "required" type = "xsd:integer"/>
</xsd:complexType>

OL-25941-01
A-49
Appendix A
CLI Utilities
CWCLI
</xsd:element>
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:element name =
<xsd:complexType>
<xsd:sequence>
<xsd:element ref
<xsd:element ref
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name =
<xsd:element name =
<xsd:complexType/>
</xsd:element>
<xsd:element name =
<xsd:complexType>
<xsd:sequence>
<xsd:element ref
</xsd:sequence>
</xsd:complexType>
</xsd:element>
</xsd:schema>
"groupId" type = "xsd:string"/>

"category" type = "xsd:string"/>
"application" type = "xsd:string"/>
"host" type = "xsd:string"/>
"user" type = "xsd:string"/>
"device" type = "xsd:string"/>
"connectionMode" type = "xsd:string"/>
"timestamp" type = "xsd:string"/>
"description">
= "summary"/>
= "details"/>
"summary" type = "xsd:string"/>

"details">
"changeRecordSet">
= "changeRecord" maxOccurs = "unbounded"/>
Detailed Description of changeaudit Schema

The table below describes elements in the changeaudit schema:
Field
Description
Category
Type of the change. For example, configuration, inventory, or software.
Application
Name of the LMS application involved in the network change (Device Configuration,
Inventory, or Software Management).
Host
Host device from which the user accessed the device or the host name of the LMS server.
User
Name of the person who performed the change. This is the name entered when the person
logged in. It can be the name under which the LMS is running, or the name under which the
Telnet connection is established.
Device
Network device on which the change occurred. The device name as entered in the Device and
ConnectionMode
Connection mode through which the change was made, for example, Telnet, snmp, console,
or LMS.
A-50
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Field
Description
Timestamp
Date and time at which the application communicated the network change or when Change
Audit saw the change record.
Description
Contains the detailed information of the changes that had occurred on the device.
The description changes based on the application you have selected:
Archive Mgmt (See XML Schema for Configuration Management Application for more
information.)
ConfigEditor (See XML Schema for Configuration Management Application for more
information.)
CwConfig (See XML Schema for Configuration Management Application for more
information.)
ICServerInventory Collection Service (See XML Schema for Inventory Collection

Service for more information.)
NetConfig (See XML Schema for Configuration Management Application for more
information.)
Software Management (See XML Schema for Software Management for more
information.)
The following section describes the schema used by these application when you run the command cwcli
with -app argument:
export changeaudit
Archive Mgmt, ConfigEditor, CwConfig, NetConfig
Inventory Collection Service
Software Management
XML Schema for Configuration Management Application

The following XML schema is used by all Configuration Management application when you run the
cwcli export changeaudit command with -app argument and the -app argument values as either
Archive Mgmt, ConfigEditor, CwConfig, or NetConfig.
The schema file is:
- 
- <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
attributeFormDefault="unqualified">
- <xs:element name="ConfigDiff">
- <xs:annotation>
<xs:documentation>Comment describing your root element</xs:documentation>
</xs:annotation>
- <xs:complexType>
- <xs:sequence>
- <xs:element name="OldConfig">
- <xs:complexType>
- <xs:sequence>
<xs:element name="Command" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="Version" type="xs:integer" />
</xs:complexType>
</xs:element>
- <xs:element name="NewConfig">
- <xs:complexType>

OL-25941-01
A-51
Appendix A
CLI Utilities
CWCLI
- <xs:sequence>
<xs:element name="Command" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="Vesrion" type="xs:integer" />
</xs:complexType>
</xs:element>
</xs:sequence>
<xs:attribute name="CASLogID" type="xs:integer" />
<xs:attribute name="DeviceName" type="xs:string" />
</xs:complexType>
</xs:element>
</xs:schema>
Detailed Description of Configuration Management Schema

The table below describes elements in the Configuration Management schema.
Field
Description
Category
Host
Application
Name of the application. For example, Archive Mgmt, NetConfig, etc.
User
Device
ConnectionMode
or LMS.
Timestamp
Summary
Description describing what caused the change. For example:
ConfigDiff
Configuration Download due to job
Syslog triggered Config Collection
FirstConfig, SecondConfig
DeviceNameNetwork device on which the change occurred. The device name as

entered in the Device and Credential Repository.
VersionConfiguration file version number.
CommandDiff PolarityChanges in the configuration file.

POSNEGNo change
POSITIVE Added new commands
IGNOREDIgnored the commands
NEGATIVEDeleted the commands
A-52
OL-25941-01
Appendix A
CLI Utilities
CWCLI
XML Schema for Inventory Collection Service

The following XML schema is used by Inventory Collection Service application when you run the cwcli
command with -app argument and the -app argument values as ICServer.
export changeaudit
The schema file is:

<xsd:schema xmlns:xsd = "http://www.w3.org/2000/10/XMLSchema">
<xsd:element name = "InventoryChangeDetailRecord">
<xsd:complexType>
<xsd:sequence maxOccurs = "unbounded">
<xsd:element ref = "Section"/>
</xsd:sequence>
</xsd:complexType>
</xsd:element>
<xsd:element name = "Section">
<xsd:complexType>
<xsd:sequence maxOccurs = "unbounded">
<xsd:element ref = "Attributes"/>
</xsd:sequence>
<xsd:attribute name = "Name" type = "xsd:string"/>
<xsd:attribute name = "Identity" type = "xsd:string"/>
</xsd:complexType>
</xsd:element>
<xsd:element name = "Attributes">
<xsd:complexType>
<xsd:all maxOccurs = "unbounded">
<xsd:element ref = "Previous_value"/>
<xsd:element ref = "Current_value"/>
<xsd:element ref = "Action"/>
</xsd:all>
</xsd:complexType>
</xsd:element>
<xsd:element name = "Previous_value" type = "xsd:string"/>
<xsd:element name = "Current_value" type = "xsd:string"/>
<xsd:element name = "Action" type = "xsd:string"/>
</xsd:schema>
Detailed Description of Inventory Collection Service Schema

The table below describes elements in the Inventory Collection Service schema.
Field
Description
Name
Name of the physical and logical entities.

The main physical entities are Chassis, Backplane, Card, CommunicationConnector,
FlashDevice, FlashPartition, FlashFile, SoftwareIdentity, PhysicalMemory
The main logical entities are ManagedNetworkElement, LogicalModule, Port, MemoryPool,
OSElement, IPProtocolEndpoint, IfEntry, AdditionalInformation
See Detailed Description of the Inventory Schema for further information.
Identity
Identifies the entity that has changed on the device.

For example: If the Flash File name has changed then Identity will be Flash Device 2, Flash
Partition 3.

OL-25941-01
A-53
Appendix A
CLI Utilities
CWCLI
Field
Description
AttributeName
Name of the different physical and logical entities

For example: In MemoryPool, the different entities are User, Free, PoolType.
See Detailed Description of the Inventory Schema for further information.
Previous_value
Value of the entity before the change occurred.
Current_value
Value of the entity after the change occurred.
Action
Type of change that has occurred on the device:
Inserted Added a new entity.
ChangedChanged in the entity.
DeletedDeleted an entity.
XML Schema for Software Management

The following XML schema is used by Software Management application when you run the cwcli
command with -app argument and the -app argument values as Software
Management.
export changeaudit
The schema file is:

- 
- <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
- <xs:element name="SwimHistoryRecord">
- <xs:annotation>
<xs:documentation>Models a set of image changes on the device.</xs:documentation>
</xs:annotation>
- <xs:complexType>
- <xs:sequence>
- <xs:element name="JobID" type="xs:positiveInteger" minOccurs="0">
- <xs:annotation>
<xs:documentation>ID of the Job in which the change happened</xs:documentation>
</xs:annotation>
</xs:element>
- <xs:element name="ImageChange" maxOccurs="unbounded">
- <xs:complexType>
- <xs:sequence>
<xs:element name="OldImage" type="Image" />
<xs:element name="NewImage" type="Image" />
</xs:sequence>
<xs:attribute name="ID" type="xs:positiveInteger" use="required" />
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
- <xs:complexType name="Image">
- <xs:annotation>
<xs:documentation>Models an Image.</xs:documentation>
</xs:annotation>
- <xs:sequence>
- <xs:element name="Type">
- <xs:annotation>
<xs:documentation>Label of corresponding image type from enumeration
com.cisco.nm.xms.xdi.ags.imageparser.ImageType</xs:documentation>
</xs:annotation>
A-54
OL-25941-01
Appendix A
CLI Utilities
CWCLI
- <xs:simpleType>
- <xs:restriction base="xs:string">
<xs:whiteSpace value="preserve" />
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name="Name" type="xs:string" />
<xs:element name="Version" type="xs:string" />
- <xs:element name="Attribute" minOccurs="0" maxOccurs="unbounded">
- <xs:complexType>
- <xs:sequence>
- <xs:element name="AttributeName">
- <xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
- <xs:element name="AttributeValue">
- <xs:simpleType>
</xs:restriction>
</xs:simpleType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:schema>
Detailed Description of Software Management Schema

The table below describes elements in the Software Management schema.
Field
Description
Category
Host
Application
Name of the application. For example, Archive Mgmt, NetConfig, etc.
User
Device
ConnectionMode
or LMS.
Timestamp
Summary
Description describing what caused the change. For example, Software upgrade.
Job ID
Job ID for the Software Upgrade.

OL-25941-01
A-55
Appendix A
CLI Utilities
CWCLI
Field
Description
OldImage
Displays the details on device type, name of the software image, and version of the image.
NewImage
Displays the details on device type, name of the software image, and version of the image.
Usage Examples for cwcli export changeaudit Command

This section provides some examples of usage for the cwcli export changeaudit command.
Example 1: To generate the Change Audit report for all applications and categories for a particular device group.
cwcli export changeaudit -u
admin -p admin -view "/RME@ciscoworksservername/Normal
Devices"
SUMMARY
========
Successful: export:
D:/PROGRA~1/CSCOpx/files/rme/archive/2004-10-15-04-09-42-changeaudit.xml
Example 2: To generate the Change Audit report for a specific application and category for a device in a given time frame
admin -p admin -device 10.6.8.6 -from 09/30/2004 -to 10/15/2004
"Archive Mgmt" -cat CONFIG_CHANGE

-app
SUMMARY
========
Successful: export:
D:/PROGRA~1/CSCOpx/files/rme/archive/2004-10-15-04-44-50-changeaudit.xml
Example 3: To generate the Change Audit report in the given output file
admin -p admin -device % -f changeaudit.xml
SUMMARY
========
Successful: export: changeaudit.xml
The output for this is written to the changeaudit.xml file in the Install_dir/CSCOpx/bin directory. Where
Install_dir is the LMS installed directory.
Example 4: To generate the Change Audit using the cwcli get request
The password that you enter here must be in base64 encoded.
In this example,
YWRtaW4= is the base64 encoded password for admin.
%25 is the URL encode for %
%2f is the URL encode for _
A-56
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Enter this in your browser:

http://ciscowork_servername :1741/rme/cwcli?command=cwcli export changeaudit -u admin -p
YWRtaW4= -device 10.7.3.8 -app %22Archive Mgmt%22 -cat %22CONFIG%2fCHANGE%22 -f
changeaudit.xml
The output for this is written to the changeaudit.xml file.The changeaudit.xml file is located:
On Windows:
NMSROOT\MDC\tomcat
Example 5: To generate the Change Audit report using cwcli post request method
The password that you enter here must be in base64 encoded. In this example, YWRtaW4= is the base64
encoded password for admin.
The payload file, changeaudit.xml contains:
<payload>
<command>
cwcli export changeaudit -u admin -p YWRtaW4= -device 1.6.8.6 -from 09/30/2004 -app
"Archive Mgmt" -cat CONFIG_CHANGE -view "/RME@CiscoWorks_servername/Pre-deployed" -f
changeauditreport.xml
</command>
</payload>
At the command prompt enter:

perl
samplepost.pl https://LMS_Servername:443/rme/cwcli changeaudit.xml
SUMMARY
========
Successful: export: changeauditreport.xml

The output for this is written to the changeauditreport.xml file.The changeauditreport.xml file is located:
On Windows:
NMSROOT\MDC\tomcat

OL-25941-01
A-57
Appendix A
CLI Utilities
CWCLI
Running cwcli export config

Using this command you can retrieve the configuration data in the XML format specified by the schema.
The Configlet Generator provides a wrapper over the existing Config Archive to retrieve configlets data
for the selected device. The exported data contains the entire running configuration data.
The command syntax for cwcli export config is:
cwcli export config{-u username -p password} [-d debuglevel] [-m mailid] [-l logfile] {-device
devicename | -input inputfilename | -view viewname | - ipaddress mgmt-ip-address}
bars (|).
If you enter an argument which has space then use double quotes for that argument.
The following table describes the argument that is specific to
command. The other common arguments used by
cwcli export are explained in Using the cwcli export Command.
cwcli export config
Arguments
Description
-s 1
Optional.
Displays the exported configuration file on the console.
If you use this command, you can specify only one device. You cannot export the
configuration files of multiple devices.
To export the configuration files of multiple devices, either make multiple requests
to the servlet, or get these files from the LMS server.
Usage of this option:
admin -p admin
10.22.33.44 -s 1
cwcli export config -u

-device
The output files depends on the number of devices specified. There are as many configuration XML
output files as the number of devices. The output files are created under this location on LMS server:
/var/adm/CSCOpx/files/rme/cwconfig/YYYY-MM-DD-HH-MM-SS-XXX-Device_Display_Name.xml
On Windows:
NMSROOT\files\rme\cwconfig\YYYY-MM-DD-HH-MM-SS-XXX-Device_Display_Name.xml
A-58
OL-25941-01
Appendix A
CLI Utilities
CWCLI
XML Schema for cwcli export config

The following is the schema used for exporting the configuration data in XML format.
<?xml version="1.0" encoding="UTF-8"?>

<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified"
<xs:element name="DeviceConfiguration">
<xs:annotation>
<xs:documentation>This has list of Configlets</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="Confilglet" maxOccurs="unbounded"/>
<xs:element name="DeviceName" type="xs:string">
<xs:annotation>
<xs:documentation>Device Name as managed by RME</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="DeviceFamily" type="xs:string">
<xs:annotation>
<xs:documentation>MDF devcie family</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="CreationTime" type="xs:date">
<xs:annotation>
<xs:documentation>Date and Time this was created</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Version" type="xs:string">
<xs:annotation>
<xs:documentation>Config File Version</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Data" minOccurs="0"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Confilglet">
<xs:annotation>
<xs:documentation>Configlet can have subconfiglets</xs:documentation>
</xs:annotation>
<xs:complexType>
<xs:sequence>
<xs:element ref="Confilglet" minOccurs="0" maxOccurs="unbounded"/>
<xs:element name="command" minOccurs="0" maxOccurs="unbounded">
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="LineNo"/>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="SubModeCommand" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>Command to change the mode</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="Name" type="xs:string" use="required">
<xs:annotation>
<xs:documentation>Configlet Name</xs:documentation>

OL-25941-01
A-59
Appendix A
CLI Utilities
CWCLI
</xs:annotation>
</xs:attribute>
<xs:attribute name="Checkedout" type="xs:boolean" use="optional" default="false">
<xs:annotation>
<xs:documentation>Future Use </xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Rebuild" type="xs:boolean" use="optional" default="false">
<xs:annotation>
<xs:documentation>Specifies if the entire list of commands in particular configlet needs a rebuild if any of
the coammnds is modified</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="Submode" type="xs:boolean" use="optional" default="false">
<xs:annotation>
<xs:documentation>Specfies if the commands under the configlet falls under a submode</xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="OrderSensitive" type="xs:boolean" use="optional" default="false">
<xs:annotation>
<xs:documentation>Specifies if the commands in the configlet are oreder sensitive or not</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
</xs:element>
</xs:schema>
Detailed Description of config Schema

The table below describes elements in the config schema:
Field
Description
Device
Device device name as entered in the Device and Credential Repository.
Date
Date and time at which the configuration changes have occurred.
Version
Configuration file version.
Configlet name
Name of the configlet. The available configlets vary from device to device; the following are
examples:
SNMP displays SNMP configuration commands, for example, snmp-server community

public RO.
IP Routing displays IP routing configuration commands, for example, router abcd 100.
Interface folder displays the different interface configuration commands, for example,
Global displays global configuration commands, for example no ip address.
Line con 0 displays configuration commands for line console 0.
IP displays IP configuration commands, for example, ip http server.
A-60
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Usage Examples for cwcli export config Command

This section provides some examples of usage for the cwcli export config command.
Example 1: To generate the config report for a particular device group

admin -p admin -view "/RME@ciscoworksservername/Normal Devices"
SUMMARY
========
Successful: ConfigExport:D:/PROGRA~1/CSCOpx/files/rme/cwconfig
The output folder will contain separate config file for every devices in the Normal Devices group.
Example 2: To generate the config report for the devices that are specified in the device input file
The input configdevices.txt contains these devices:
-device
10.22.33.44,10.22.33.55,1.1.1.1
admin -p admin -input configdevices.txt
Example 3: To generate the config using the cwcli get request

In this example,

http://ciscowork_servername :1741/rme/cwcli?command=cwcli export config -u
admin -p
YWRtaW4= -device %25


SUMMARY
========
Successful: ConfigExport: D:/PROGRA~1/CSCOpx/files/rme/cwconfig
Example 4: To generate the Change Audit report using cwcli post request method
The payload file, config.xml contains:
<payload>
<command>
cwcli export config -u admin -p YWRtaW4= -device 1.6.8.6
</command>
</payload>

perl
samplepost.pl https://LMS_Servername:443/rme/cwcli config.xml
-->

OL-25941-01
A-61
Appendix A
CLI Utilities
CWCLI
SUMMARY
========
Successful: ConfigExport: D:/PROGRA~1/CSCOpx/files/rme/cwconfig
Running cwcli export inventory Command

Using this command you can export inventory data in the XML format.
The command syntax for cwcli export inventory is:
cwcli export inventory {-u username -p password} [-d debuglevel] [-m mailid] [-l logfile] [-f filename]
{-device devicename | -input inputfilename | -view viewname | - ipaddress mgmt-ip-address} [-hop
hopdevice]
The above command retrieves the inventory data in XML format specified by the schema. The -f
parameter stores the output in the file specified by filename. If you have not specified the filename, the
output is stored at the following location:
PX_DATADIR/rme/archive/timestampinventory.xml (On Solaris and Soft Appliance)
PX_DATADIR\rme\archive\timestampinventory.xml (On Windows)
Where PX_DATADIR is the NMSROOT/files directory and NMSROOT is the LMS installed directory.
The device name can also have a wild card symbol "%" to choose all devices with that particular name.
If the number of devices is large, the list of devices can be stored in an input file and the name of the
input file can be given in the command line.The input argument cannot occur with the device or view
arguments.
If the data needs to be generated for all the devices in a specific group, you can use the -view argument.
You can use this argument to generate data for devices in all device groups including system-defined
groups and user-defined groups.
The following table describes the arguments that are specific to cwcli export inventory command.
The other common arguments used by cwcli export are explained in Using the cwcli export Command.
Global Arguments
-hop
hopdevice
Description
Optional
Used to increase performance by using more memory. This indicates the number of devices to be
worked upon at a time. By default, this value is 1.
Given below is the list of combinations, which could occur for the inventory command.
cwcli export inventory -u
admin -p admin -f myinv.xml
admin -p admin -f myinv.xml -device device1
admin -p admin -device device%
admin -p admin -input inv.txt
admin -p admin -view "/RME@ciscoworksservername/Normal Devices"
admin -p admin -f myinv.xml -input inv.txt
A-62
OL-25941-01
Appendix A
CLI Utilities
CWCLI
To apply the cwcli export command on more than one LMS device you must use the format in the
example given below. The parameter, inputlist, is a text file which will have the list of device names
separated by a new line. A line starting with # will be treated as a comment.
Example:
#comment
-device device1,device2,device3
#comment
where device1, device2, and device3 are device displaynames.
XML Schema for cwcli export inventory Data

The following is the schema used for exporting the inventory data in XML format.
<xs:schema xmlns:xs = "http://www.w3.org/2001/XMLSchema" elementFormDefault = "qualified"
attributeFormDefault = "unqualified">

<xs:element name = "InvDetails">
<xs:complexType>
<xs:sequence>
<xs:element ref = "SchemaInfo" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "RMEPlatform" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "SchemaInfo">
<xs:complexType>
<xs:sequence>
<xs:element name = "RMEServer" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "CreatedAt" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "SchemaVersion" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "RMEPlatform">
<xs:complexType>
<xs:sequence>
<xs:element ref = "Cisco_Chassis" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_NetworkElement" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_ComputerSystemPackage" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref= "Cisco_EnergyWise" minOccurs="0" maxOccurs= "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_Chassis">
<xs:complexType>
<xs:sequence>
<xs:element name = "InstanceID" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>

OL-25941-01
A-63
Appendix A
CLI Utilities
CWCLI
<xs:element name = "Model" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>

<xs:element name = "HardwareVersion" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "SerialNumber" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "ChassisSystemType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NumberOfSlots" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NoOfCommunicationConnectors" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "Cisco_Backplane" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_Card" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "AdditionalInformation" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_Backplane">
<xs:complexType>
<xs:sequence>
<xs:element name = "BackplaneType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_Card">
<xs:complexType>
<xs:sequence>
<xs:element name = "InstanceID" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "RequiresDaughterBoard" type = "xs:boolean" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "LocationWithinContainer" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "PartNumber" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "CardType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "HardwareVersion" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Description" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "OperationalStatus" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "FWManufacturer" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Manufacturer" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NumberOfSlots" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NoOfCommunicationConnectors" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "SoftwareIdentity" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_CommunicationConnector" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_FlashDevice" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_PhysicalMemory" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_Card" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_CommunicationConnector">
<xs:complexType>
<xs:sequence>
<xs:element name = "ConnectorType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "POEAdminStatus" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "MaximumPower" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "PowerAllocated" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_FlashDevice">
<xs:complexType>
<xs:sequence>
A-64
OL-25941-01
Appendix A
CLI Utilities
CWCLI

<xs:element name = "InstanceName" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "FlashDeviceType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Size" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NumberOfPartitions" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "ChipCount" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Removable" type = "xs:boolean" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "Cisco_FlashPartition" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_FlashPartition">
<xs:complexType>
<xs:sequence>
<xs:element name = "Upgrade" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NeedsErasure" type = "xs:boolean" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "PartitionStatus" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>
<xs:restriction base = "xs:string">
<xs:enumeration value = "unknown"/>
<xs:enumeration value = "readOnly"/>
<xs:enumeration value = "runFromFlash"/>
<xs:enumeration value = "readWrite"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name = "FileSystemSize" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "AvailableSpace" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "FileCount" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "Cisco_FlashFile" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_FlashFile">
<xs:complexType>
<xs:sequence>
<xs:element name = "FileSize" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "FileStatus" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>
<xs:enumeration value = "unknown"/>
<xs:enumeration value = "deleted"/>
<xs:enumeration value = "invalidChecksum"/>
<xs:enumeration value = "valid"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name = "Checksum" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_PhysicalMemory">
<xs:complexType>
<xs:sequence>
<xs:element name = "MemoryType" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>

OL-25941-01
A-65
Appendix A
CLI Utilities
CWCLI

<xs:enumeration value = "nvRam"/>
<xs:enumeration value = "NVRAM"/>
<xs:enumeration value = "processorRam"/>
<xs:enumeration value = "RAM"/>
<xs:enumeration value = "ROM"/>
<xs:enumeration value = "FEPROM"/>
<xs:enumeration value = "BRAM"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name = "Capacity" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_NetworkElement">
<xs:complexType>
<xs:sequence>
<xs:element name = "InstanceID" type = "xs:integer" maxOccurs = "1"/>
<xs:element name = "PrimaryOwnerName" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "PhysicalPosition" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "SysObjectId" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "SysUpTime" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "OfficialHostName" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NumberOfPorts" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "Cisco_LogicalModule" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_Port" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_MemoryPool" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_IfEntry" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_IPProtocolEndpoint" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_PEHasIfEntry" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_LogicalModule">
<xs:complexType>
<xs:sequence>
<xs:element name = "ModuleNumber" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "ModuleType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "EnabledStatus" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NumberOfPorts" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element ref = "Cisco_Port" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_LogicalModule" minOccurs = "0" maxOccurs = "unbounded"/>
<xs:element ref = "Cisco_OSElement" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_Port">
<xs:complexType>
<xs:sequence>
<xs:element name = "PortNumber" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "PortType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "IfInstanceID" type = "xs:integer" minOccurs = "0" maxOccurs = "unbounded"/>
</xs:sequence>
</xs:complexType>
A-66
OL-25941-01
Appendix A
CLI Utilities
CWCLI
</xs:element>
<xs:element name = "Cisco_MemoryPool">
<xs:complexType>
<xs:sequence>
<xs:element name = "PoolType" type = "xs:integer" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "DynamicPoolType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "AlternatePoolType" type = "xs:string" minOccurs = "0" maxOccurs = 1"/>
<xs:element name = "IsValid" type = "xs:boolean" minOcurs = "0" maxOccurs = "1"/>
<xs:element name = "Allocated" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Free" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "LargestFree" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>

</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_OSElement">
<xs:complexType>
<xs:sequence>
<xs:element name = "OSFamily" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Version" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_IfEntry">
<xs:complexType>
<xs:sequence>
<xs:element name = "ProtocolType" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Speed" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "RequestedStatus" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>
<xs:enumeration value = "up"/>
<xs:enumeration value = "down"/>
<xs:enumeration value = "testing"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name = "OperationalStatus" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>
<xs:enumeration value = "Up"/>
<xs:enumeration value = "Down"/>
<xs:enumeration value = "Testing"/>
<xs:enumeration value = "Unknown"/>
<xs:enumeration value = "Dormant"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
<xs:element name = "PhysicalAddress" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "NetworkAddress" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>

OL-25941-01
A-67
Appendix A
CLI Utilities
CWCLI
<xs:element name = "Cisco_IPProtocolEndpoint">

<xs:complexType>
<xs:sequence>
<xs:element name = "Address" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "SubnetMask" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "DefaultGateway" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_PEHasIfEntry">
<xs:complexType>
<xs:sequence>
<xs:element name = "Cisco_IPProtocolEndpoint" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Cisco_IfEntry" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "Cisco_ComputerSystemPackage">
<xs:complexType>
<xs:sequence>
<xs:element name = "Antecedent" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<xs:element name = "Dependent" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
<!-Antecedent is the InstanceID from Cisco_Chassis Element
Dependent is the InstanceID from Cisco_NetworkElement
-->
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Cisco_EnergyWise">
<xs:complexType>
<xs:sequence>
<xs:element name= "InstanceID" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "DomainName" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Role" type= "xs:string" minOccurs= "0" maxOccurs="1"/>
<xs:element name= "Keyword" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Importance" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element ref= "Cisco_EnergyWiseInterface" minOccurs= "0" maxOccurs= "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name= "Cisco_EnergyWiseInterface">
<xs:complexType>
<xs:sequence>
<xs:element name= "InstanceID" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Description" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Role" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Keyword" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
<xs:element name= "Importance" type= "xs:string" minOccurs= "0" maxOccurs= "1"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name = "SoftwareIdentity">
<xs:complexType>
<xs:sequence>
<xs:element name = "Classification" minOccurs = "0" maxOccurs = "1">
<xs:simpleType>
<xs:enumeration value = "Firmware"/>
<xs:enumeration value = "Software"/>
</xs:restriction>
</xs:simpleType>
</xs:element>
A-68
OL-25941-01
Appendix A
CLI Utilities
CWCLI
<xs:element name =
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name =
<xs:complexType>
<xs:sequence>
<xs:element name =
<xs:complexType>
<xs:attribute name
<xs:attribute name
</xs:complexType>
</xs:element>
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>
"VersionString" type = "xs:string" minOccurs = "0" maxOccurs = "1"/>
"AdditionalInformation">
"AD" minOccurs = "0" maxOccurs = "unbounded">

= "name" type = "xs:string"/>
= "value" type = "xs:string"/>

OL-25941-01
A-69
Appendix A
CLI Utilities
CWCLI
Detailed Description of the Inventory Schema

The inventory schema provides the structure for the inventory information exported from LMS. The
schema divides inventory information into two groups:
Physical Inventory
Logical Inventory
The Physical Inventory contains the chassis information and related details for the device. The main
elements in the schema for the physical inventory part are:
Chassis (Cisco_Chassis
Backplane (Cisco_ Backplane
Card (Cisco_Card)
CommunicationConnector (Cisco_CommunicationConnector)
FlashDevice (Cisco_FlashDevice)
FlashPartition (Cisco_FlashPartition)
FlashFile (Cisco_FlashFile)
.SoftwareIdentity (Cisco_SoftwareIdentity)
PhysicalMemory (Cisco_PhysicalMemory)
The Logical Inventory part of the schema contains the details of the managed network element. The main
elements in the schema for the logical inventory part are:
.ManagedNetworkElement (Cisco_NetworkElement)
LogicalModule (Cisco_LogicalModule)
Port (Cisco_Port)
MemoryPool (Cisco_MemoryPool)
OSElement (Cisco_OSElement)
IPProtocolEndpoint (Cisco_IPProtocolEndpoint)
IfEntry (Cisco_IfEntry)
Chassis (Cisco_Chassis
The Chassis class represents the physical elements that enclose other elements in the device and provide
specific functions, such as a desktop, networking node, UPS, disk or tape storage, or a combination of
these functions.
The following table describes the elements in Chassis:
Element
Description
InstanceID
Unique identifier.
Model
Chassis model / Chassis ID.
Version
Hardware version of the chassis
SerialNumber
Serial number associated with the chassis.
Type
Chassis type.
A-70
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Element
Description
NumberOfSlots
Number of slots in a chassis.
NoOfCommunicationConnectors
Number of physical connectors in a chassis.
Chassis also contains the elements Card and Backplane.
Backplane (Cisco_ Backplane

Backplane is an instance of a backplane in a chassis. The following table describes the elements in
Backplane:
Element
Description
BackplaneType
Type of backplane
Model
Model of the backplane
SerialNumber
Serial number of the backplane.
Card (Cisco_Card)
Card represents:
A type of physical container that can be plugged into another card, motherboard, or hosting board
A motherboard or hosting board in a chassis
This element includes any package capable of carrying signals and providing a mounting point for
physical components such as chips, or other physical packages such as other cards. The following table
describes the elements in Card:
Element
Description
InstanceID
Card number. This is used to correlate with the logical part of the card.
Model
Model of the card.
SerialNumber
Serial number of the card.
LocationWithinContainer
Number that indicates the physical slot number. This can be used as an index into a
system slot table, irrespective of whether that slot is physically occupied or not.
PartNumber
Part number of the Hardware Component.
CardType
Type of the card (Card Type)
Description
Descriptive string used to describe the card.
OperationalStatus
Status of the card describing whether it is up or down
FWManufacturer
Manufacturer of the firmware
Manufacturer
Manufacturer of the hardware
NumberOfSlots
Number of slots in the card.
NoOfCommunicationConnectors
Number of ports in the card.

OL-25941-01
A-71
Appendix A
CLI Utilities
CWCLI
Apart from the elements described in the table above, the card element also contains reference to itself,
which can represents a sub card. It also contains other elements such as CommunicationConnector and
FlashDevice.
CommunicationConnector (Cisco_CommunicationConnector)
CommunicationConnector represents a physical port. The table below describes the elements in
CommunicationConnector:
Element
Description
InstanceID
Indicates the connector number for the chassis or system.
ConnectorType
Type of the physical port.
Description
Descriptive string used to describe the card.
FlashDevice (Cisco_FlashDevice)
FlashDevice represents physical flash memory. Flash memory may reside on a PCMCIA card, line card,
or any other type of card. FlashDevice may consist of one or more actual flash memory chips.
It also consists of reference to one or more flash partitions described in FlashPartition. The table below
describes the elements in FlashDevice.
Element
Description
InstanceID
FlashDevice sequence number to index the flash devices within the table of initialized
FlashDevices.
InstanceName
Name of FlashDevice. This name is used to refer to the device within the system. Flash
operations get directed to a device based on this name.
Size
Total size of FlashDevice. For a removable device, the size will be zero if the device has been
removed.
NumberOfPartitions
Number of Flash partitions present in f FlashDevice
ChipCount
Total number of chips within FlashDevice. This element provides information to a network
management station on how much chip information to expect.
It also helps the management station to check the chip index against an upper limit when
randomly retrieving chip information for a partition.
Description
Description of a FlashDevice. The description is meant to explain what FlashDevice is and its
purpose.
Removable
Specifies whether FlashDeviceis removable. Typically, only PCMCIA Flash cards are treated as
removable. Socketed Flash chips and Flash SIMM modules are not treated as removable.
FlashPartition (Cisco_FlashPartition)
FlashPartition corresponds to the Cisco-flash-mib. The elements in FlashPartiion are derived from the
table of properties of ciscoFlashPartitionTable for each initialized flash partition.
When there is no explicit partitioning for a device, it is assumed that there is a single partition spanning
the entire device exists. Therefore, a device always has at least one partition.
A-72
OL-25941-01
Appendix A
CLI Utilities
CWCLI
FlashPartition contains one or more FlashFileSystems as described in FlashFile. The table below
describes the elements in FlashPartition.
Element
Description
InstanceID
FlashPartition sequence number used to index FlashPartitions within the table for
initialized FlashPartitions.
InstanceName
FlashPartition name used to refer to a partition by the system.
PartitionStatus
Status of the partition.
Upgrade
Upgrade information for the partition. This helps to download new files into the
partition, and is needed when the PartitionStatus is run from flash.
NeedsErasure
Boolean parameter indicating whether the partition requires to be erased before any
write operations can occur.
Size
FlashPartition size. It should be an integral multiple of

ciscoFlashDeviceMinPartitionSize. If there is a single partition, this size will be equal
to ciscoFlashDeviceSize.
FreeSpace
Free space within aFlashPartition.
FileCount
Number of files stored in the file system.
FlashFile (Cisco_FlashFile)
FlashFile manages the storage and organization of files on a Flash memory device. The table below
describes the elements in FlashFile
Element
Description
InstanceID
FlashFile sequence number used to index within a FlashPartition directory table.
FileSize
Size of the file in bytes.This size does not include the size of the filesystem file header.
FileStatus
Status of a file. A file could be explicitly deleted if the file system supports such a user
command. Alternatively, an existing good file would be automatically deleted if another
good file with the same name were copied in.
Deleted files continue to occupy prime space in flash memory. A file is marked as
having an invalid checksum if any checksum mismatch was detected while writing or
reading the file.
Incomplete files (files truncated either because of lack of free space, or because of a
network download failure) are also written with a bad checksum and marked as invalid.
Checksum
File checksum stored in the file header. This checksum is computed and stored when the
file is written into Flash memory, and serves to validate the data written into Flash.
Where the system generates and stores the checksum internally in hexadecimal form,
checksum provides the checksum in a string form. Checksum is available for all valid
and invalid-checksum files.
FileName
FlashFile name as specified by the user while copying the file to Flash memory.
The name should not include the colon (:) character as it is a special separator character
used to separate the device name, partition name, and the file name.

OL-25941-01
A-73
Appendix A
CLI Utilities
CWCLI
.SoftwareIdentity (Cisco_SoftwareIdentity)
SoftwareIdentity provides the hardware and firmware version of the card. The table below describes
elements in SoftwareIdentity.
Element
Description
Classification
Specifies whether the information is for hardware or firmware.
VersionString
Version information for software or firmware.
PhysicalMemory (Cisco_PhysicalMemory)
PhysicalMemory specifies the memory type and capacity of the device. The table below describes
elements in PhysicalMemory.
Element
Description
MemoryType
Specifies the type of memory, that is whether RAM, ROM, or NVRAM.
Capacity
Capacity in bytes.
.ManagedNetworkElement (Cisco_NetworkElement)
ManagedNetworkElement is the entity that contains all logical parts of the device, which the users can
configure (such as Logical Module, Port, Interfaces, Software Image details, and Memory Pool). The
table below describes elements in ManagedNetworkElement.
Element
Description
InstanceID
Index number assigned to the network element.
Description
Description of the network element. This description includes the full name and version
identification of the system's hardware type, operating system, and networking software.
The description can have only printable ASCII characters.
PrimaryOwnerName
Identification of the contact person for this managed node, and information on how to
contact this person.
InstanceName
Administratively defined name for the network element.
PhysicalPosition
Physical location of the network element.
SysObjectId
Vendor's authoritative identification of the management subsystem contained in the

element.
SysUpTime
Time in hundredths of a second since the network management portion of the element
was last initialized.
OfficialHostName
Name of the device.
NumberOfPorts
Number of ports in the network element.
A-74
OL-25941-01
Appendix A
CLI Utilities
CWCLI
LogicalModule (Cisco_LogicalModule)
LogicalModule is the logical device corresponding to a line card in the network device.
For example, a line card in a switch is an instance of LogicalModule, associated with the
ManagedNetworkElement, in this case the switch. LogicalModule is not necessarily independently
managed.
To represent a sub module, LogicalModule contains a reference to itself. It also contains Port and the
OSElement. The table below describes the other elements in LogicalModule.
Element
Description
InstanceID
Index that correlates the physical card and the logical module. This helps to correlate
the physical card to logical card details.
ModuleNumber
Number assigned to the module by its parent ManagedNetworkElement.
ModuleType
Type or model of the module.
InstanceName
Name of the logical module.
EnabledStatus
Status of the module, that is whether it is up or down.
NumberOfPorts
Number of ports in the logical module.
Port (Cisco_Port)
Port is the logical representation of network communications hardware - a physical connector and the
setup or operation of the network chips, at the lowest layers of a network stack
For example, an Ethernet port on an Ethernet line card uses an instance of Port to represent its
operational and logical properties. A port should be associated with either a LogicalModule or directly
with a ManagedNetworkElement.
It also contains the element IPProtocolEndpoint. The table below describes the other elements in Port.
Element
Description
PortNumber
Number assigned to the port. Ports are often numbered relative to either a logical
module or a network element.
PortType
Type of the port.
InstanceName
Name assigned to the port.
IfInstanceID
Index of the interface related to this port.

OL-25941-01
A-75
Appendix A
CLI Utilities
CWCLI
MemoryPool (Cisco_MemoryPool)
MemoryPool corresponds to entries to monitor entries. Each pool is a range of memory segregated by
type or function. The table below describes the other elements in MemoryPool.
Element
Description
InstanceName
Name assigned to the MemoryPool.
PoolType
Dynamic type value assigned to a dynamic MemoryPool. This is valid only when the
PoolType attribute has the value Dynamic. MemoryPools can be divided into two groups
Predefined Pools and Dynamic Pools.
For dynamic pools, the PoolType is set to the dynamic value (65536) and the
DynamicPoolType is set to an integer value used to distinguish the various dynamic pool
types.
DynamicPoolType
This attribute holds the dynamic type value assigned to a dynamic memory pool. It is
only valid when the PoolType attribute has the value Dynamic (65536).
AlternatePoolType
Indicates whether this MemoryPool has an alternate pool configured. Alternate pools
are used for fallback when the current pool runs out of memory.
If the value is set to zero, then this pool does not have an alternate. Otherwise the value
is the same as the value of PoolType of the alternate pool.
IsValid
Indicates whether the other attributes in this MemoryPool contain accurate data.
If an instance of this object has the value, False, (indicating an internal error condition),
the values of the remaining objects in the instance may contain inaccurate information.
That is, the reported values may be less than the actual values.
Used
Indicates the number of bytes from the MemoryPool that are currently in use by
applications on the managed device.
Allocated
Indicates the number of bytes from the MemoryPool that are currently unused on the
managed device.
Free
Indicates the largest number of contiguous bytes from the MemoryPool that are
currently unused on the managed device.
OSElement (Cisco_OSElement)
OSElement represents the software element that is deployed to a network system and describes the
software behind the operating system.The table below describes the other elements in OSElement.
Element
Description
InstanceName
Name of the OS image.
Family
Family of the OS component.
Version
Version of the OS.
Description
Description of the OS image.
A-76
OL-25941-01
Appendix A
CLI Utilities
CWCLI
IPProtocolEndpoint (Cisco_IPProtocolEndpoint)
IPProtocolEndpoint contains the subnet mask and default gateway information corresponding to the
management IP Address.
Element
Description
Address
IP address of this endpoint, formatted according to the convention as defined in the

AddressType property of this class.
SubnetMask
Mask for the IP address of this element, formatted according to the convention as
defined in the AddressType property of this class (e.g., 255.255.252.0).
DefaultGateway
Default gateway address.
IfEntry (Cisco_IfEntry)
IfEntry represents the contents of an entry in the ifTable as defined in RFC 1213.
Element
Description
InstanceID
Index in the interface table defined in RFC 1213 for the entry containing the interface
attributes of this object.
InstanceName
ifName attribute in the interface table defined in RFC 1213.
IfType
Interface type enumeration taken from the IANA definition of ifType.
IfSpeed
Estimate of the current bandwidth of the interface in bits per second. In cases, where the
current bandwidth cannot be given, the nominal bandwidth should be specified.
IfAdminStatus
Desired state of the interface.
IfOperStatus
Current operational status of the interface.
Description
Description of the interface.
PhysicalAddress
Hardware address of the interface.
NetworkAddress
Network address of the interface.
AdditionalInformation is used to describe device specific information. It contains name and value
attributes for elements specific to the device.
Class
Element
AdditionalInformation Tag
Cisco Call
Manager
Cisco_NetworkElement
ActivePhones, InActivePhones, ActiveGateways, InActiveGateways,

CallManagerIndex, CallManagerName, CallManagerDescription,
CallManagerVersion, CallManagerStatus
Cisco_Chassis
ApplicationPackageIndex, PackageManufacturer, Productname,

Packageversion, Package SerialNumber

OL-25941-01
A-77
Appendix A
CLI Utilities
CWCLI
Class
Element
Cisco FastSwitch
With_Module
FwdEngRev, BoardRev, SwitchPortNumber , SharedPortNumber,

FirmwareSource
Cisco_FlashDevice
FlashBankStatus
Cisco_Card
InstanceID, ID
Cisco Firewall
None
None
Cisco
IPX-IGX-BPX
Cisco_Chassis
InstanceName , Number
Cisco_Card
SecondarySwRev, slotIndex, RAMId, ROMId, BRAMId, BOOTId,

LocationWithinContainer, SecondaryStatus
Cisco_Port
switchIfSlot,switchIfPort, SubPortNo, Status, Speed, PortType
Cisco_Chassis
Slot0 (Type), Slot1(Type), AvailableSlots
ConfigReg
Cisco_PhysicalMemory
NVRAMUsed, RomVersion
Cisco MGX
Cisco_Chassis
Name, switchIfSlot, switchIfPort, SubPortNo, Status, Speed,

PortType
Cisco Catalyst
3900 Switch
Cisco_Chassis
ModuleCount, Configuration, SwitchCount
Cisco_Card
CiscoTsNumber, PermanentMAC, LocalMAC, CiscoTsModNumber ,

StackNo
Cisco Router 700

Series
Cisco_Chassis
MACAddress, PortCount, Type
Cisco Router
NVRAMUsed, ROMVersion
Config
Cisco LS1010
Switch
Cisco Catalyst IOS Cisco_Chassis

Switch
Cisco_Card
MACAddress, PortCount, Type

FlashSize,FlashFree,FlashCard
Cisco_Chassis
Config
Cisco_Chassis
Slot0, Slot1 , MACAddress, PortCount, Type
Config
Cisco VPN 3000

Concentrators
Cisco_Chassis
PowerSupply1Type, PowerSuppy2Type, RAMSize
Cisco_Card
LocationWithinContainer, CryptoHardwareType, SepState,

DSPCodeVersion
Cisco Catalyst
Switch
Cisco_Chassis
PowerSupply1, PowerSupply2 , MgmtType, BroadcastAddress,

AvailableSlots
Cisco_Card
ModuleIndex, RedundantModule, ModuleSubType
Cisco_LogicalModule
moduleIndex,ModuleIPAddress
RFUnitDetected, RFUnitID, RFUnitState, RFPeerUnitID,

RFPeerUnitState, ActivateRF, ManualSwitchPermitted ,
StartupSyncStatus, RunningSyncStatus
NVRAMUsed
Cisco Catalyst
L2L3 Switch
Cisco Optical
Switches
A-78
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Class
Element
Cisco FastSwitch
FwdEngRev, BoardRev, SwitchPortNumber , SharedPortNumber,

FirmwareSource
Cisco_FlashDevice
FlashBankStatus
Cisco_Chassis
EPROMRev
Cisco_CommunicationConnect
or
swPortIndex , PortTableSize, RevName, Type
Cisco Content
Service Switch
None
None
Cisco Aironet
Config
None
None
Cisco Management None

Engines
None
Cisco NAM
Overview: cwcli inventory Command

The cwcli inventory is a Device Management application command line tool. This tool supports the
following features:
You can check the specified device credentials for the devices.
You can export device credentials of one or more devices in clear text.
You can delete the specified devices.
You can view the devices state.
The cwcli inventory command is located in the following directories, where install_dir is the directory
in which LMS is installed:
On Solaris and Soft Appliance systems, /opt/CSCOpx/bin
On Windows systems, install_dir\CSCOpx\bin

Using the cwcli inventory Command
Running the cwcli inventory cda Command
Running the cwcli inventory crmexport Command
Running the cwcli inventory deletedevice Command
Running the cwcli inventory getdevicestate Command
If you install LMS on an NTFS partition on Windows, only users in the administrator or casuser group
can access cwcli inventory.
You can also perform the cwcli inventory tasks using the servlet. You will have to upload a payload
XML file, which contains the cwcli inventory command arguments and LMS user credentials.

OL-25941-01
A-79
Appendix A
CLI Utilities
CWCLI

For post request,
perl

perl

<payload>
<command>
</command>
</payload>
For get request,
http://lms-server:lms-port/rme/cwcli?command=cwcli inventory commandname -u user -p BAse64

https://lms-server:lms-port/rme/cwcli?command=cwcli inventory

The URL encode for,
Using the cwcli inventory Command

cwcli inventory

cwcli export
cwcli inventory
is the CiscoWorks command line interface for:
Checking the specified device credentials for the LMS devices.

Exporting device credentials of one or more LMS devices in clear text.
Deleting the specified LMS devices.
A-80
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Viewing the LMS devices state.
Command specifies which core operation is to be performed.
GlobalArguments are the additional parameters required for each core command.
AppSpecificArguments are the optional parameters, which modify the behavior of the specific cwcli
core command.
inventory
The order of the arguments and arguments are not important. However, you must enter the core
command immediately after cwcli inventory.
The following sections describe:
The cwcli inventory commands (See cwcli inventory Commands)
The mandatory and optional arguments (See cwcli inventory Global Arguments)
On UNIX, you can view the cwcli inventory man pages by setting the MANPATH to
/opt/CSCOpx/man. The man pages to launch the cwcli inventory are:
man cwinventory-cda to launch the cwcli inventory cda command.
man cwinventory-delete to launch the cwcli inventory delete command.
man cwinventory-export to launch the cwcli inventory export command.
man cwinventory-state to launch the cwcli inventory getdevicestate command
cwcli inventory Commands

The following table lists the command part of the cwcli inventory syntax:
Command
Description
cwcli inventory cda
You can check the specified device credentials for the devices.
See Running the cwcli inventory cda Command
cwcli inventory crmexport
You can export device credentials of one or more devices in clear text.
See Running the cwcli inventory crmexport Command
cwcli inventory deletedevice
You can delete the specified devices.

See Running the cwcli inventory deletedevice Command
cwcli inventory getdevicestate
You can view the devices state.

See Running the cwcli inventory getdevicestate Command

OL-25941-01
A-81
Appendix A
CLI Utilities
CWCLI
cwcli inventory Global Arguments

The following describes the mandatory and optional global arguments for
cwcli inventory:
Argument
Description
Usage Notes
-u
user
Enter a valid LMS username.
Mandatory.
-p
password
Enter the password for the username.
Mandatory.
You can provide this as part of argument or
you can enter the password when you get the
password prompt.
You can also specify the password in a file.
See Setting CWCLIFILE Environment
Variable for more details.
{-device name | -view name device nameEnter the Device Name of the Mandatory
| -device list -view name|
device that you have added in the Device and
You can enter multiple device list
Credentials database (Inventory > Device
-ipaddress list}
separated using a comma.
Administration > Add / Import / Manage
For example, if there are two devices
Devices)
with Device Names Rtr12 and Rtr13,
using Rtr% will display both the devices.
To include all the devices, use the wild

card character "%".
For example, To use all the devices, use
-device %.
view
nameEnter the Device Group name.
Mandatory
You can enter multiple group name separated
using a comma.
For view name, you have to enter the fully
qualified path as in the Group Administration
GUI.
For example, -view
/RME@ciscoworks_servername/
All Devices
list view nameEnter the Device

Name and the Device Group name.
device
Mandatory.
listEnter the device IP4 address Mandatory.

as entered in the Device and Credential
You cannot use this option with -device,
Repository. You can enter multiple IP address
-view, or -input. Also, you cannot specify
with comma separated.
wildcard characters.
ipaddress
[-d debug_level]
Enter the debug level.
Optional.
debug_level is a number between 1 (the least
information is sent to the debug output) and 5
(the most information is sent to the debug
output). If you do not specify this argument,
4(INFO) is the default debug level.
A-82
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
[-m email]
Specify an e-mail address to send the results. Optional.

email is one or more e-mail addresses for
notification. They can be separated by a space
or comma.
[-l logfile]
Specify a file to which this command has to

write log messages.
The default log filename is cli.log.
Optional.
Use the relative pathname to specify the
log_filename.
The default log directory is:

On Windows:
NMSROOT\log
Where NMSROOT is the LMS installed
directory.
/var/adm/CSCOpx/log
Displays command usage information
-help
None.
Running the cwcli inventory cda Command

You can use this command to check the following device credentials:
SNMP Read Community StringSNMP version 2 read community string.
SNMP Write Community StringSNMP version 2 write community string.
SNMP Version 3SNMP version 3 username and password.
TelnetTelnet username and password.
Telnet Enable Mode User Name and PasswordTelnet username and password in Enable mode.
SSHSSH username and password.
SSH Enable Mode User Name and PasswordSSH username and password in Enable mode.
You can update these credentials using Inventory > Device Administration > Add / Import / Manage
Devices.
The command syntax for cwcli inventory cda is:
userid -p password {-invoke | -status} [-credType credTypeList] {-device
list | -view name | -device list -view name | ipaddress list} [-d debuglevel] [-m email] [-help] [-l
logfile]
cwcli inventory cda -u
bars (|).
If you do not specify an optional argument, the default value configured for the system is used.
The following table describes the arguments that are specific to cwcli inventory cda command.
The other common arguments used by cwcli export are explained in Using the cwcli export Command

OL-25941-01
A-83
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
{-invoke | -status}
InvokeInvokes the Check Device Attribute Mandatory.

operation.
These arguments are mutually exclusive. You
StatusDisplays the check device attributes cannot run -invoke and -status together.
result.
After using the -invoke argument to the
check device attribute you must run the
command again with -status argument to view
the result.
If you are checking the device credentials for
same devices and for same set of credentials,
then you can use -invoke argument only
once.
If you are checking the device credentials for
different devices and different credentials
then you must use -invoke argument first and
then you must use -status.
{-credType credTypeList}
Enter the device credentials for which you

want to view the status. You can use the
following arguments to view the different
credentials status:
0 Enter 0 to view all credentials status.
1 Enter 1 to view status for Read

Community.
2 Enter 2 to view status for Write

Community.
3 Enter 3 to view status for SNMP

version 3 username and password.
4 Enter 4 to view status for Telnet

username and password.

username and password in Enable mode.
6 Enter 6 to view status for SSH


Mandatory.
If you do not specify the credentials type, all
credentials status are displayed.
You can specify multiple arguments separated

by comma to check multiple credentials
A-84
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
Command Argument for Inventory CDA createjob
{-device
-device comma_separated_devicelist
comma_separated_devicelist
- Specify devices to be used for the job.
}|{-view device_view_name}
The comma_separated_devicelist is list of
devices.
-view
device_view_name
Specify the device view to be used for the job.

The device_view_name is the name of a
device view.
You can specify the date and time as well as
[{-schedule
the frequency of the CDA job.
MM/dd/yyyy:HH:mm:ss
-scheduletype Once | Daily |
To specify the date and time when you
Weekly | Monthly |
want to run the CDA job, use the
LastDayOfMonth | 6hourly |
schedule option.
12hourly}]
To specify the frequency of the job use
the scheduletype option.
[-input argFile]
Mandatory.
These arguments are mutually exclusive. You
cannot run -device and -view together.
cwcli inventory cda createjob -u
Username -p Password -device Device 1,

Device 2 |-view device_view_name,
-schedule Schedule -scheduletype
Schedule Type
Optional.
scheduletype can have any of the following
values:
Once
6hourly
12hourly
You have to set both the schedule and

scheduletype options for a scheduled job.
Daily
Weekly
You do not have to set the schedule and

scheduletype for an Immediate job.
Monthly
Input file containing the details of the

subcommands to be used for a job creation.
If the schedule option is not specified, the

job will be created as an immediate job.
Optional
If you are specifying the argument file, you
need not specify the arguments in the
command line.
admin -p admin
[-input argFile]
[-description
JobDescription]
Gives details of the job.
[-notificationmail
Specify the e-mail addresses to which the
comma_separated_email_list configuration job will sends status notices.
]
JobDescription is a user-defined entry

describing the job details.
Optional

OL-25941-01
A-85
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
{-credType credentialList}
Enter the device credentials for which you

want to create a job. You can use the
following arguments to view the different
credentials status:
Mandatory
0 Enter 0 to view all credentials status.

(ALL).
1 Enter 1 to view status for Read

Community.
2 Enter 2 to view status for Write

Community.
3 Enter 3 to view status for SNMP

version 3 username and password.




If you do not specify the credentials type, all

credentials status are displayed.
You can specify multiple arguments separated

by comma to check multiple credentials.
Command Argument for Inventory CDA stopjob
{-id Job ID}
You can stop only one job at a time.
Mandatory
You can stop a CDA job that is in scheduled

as well as running state.
Use this command to stop an Inventory CDA

job that is scheduled.
cwcli inventory cda stopjob -u
userid -p
password {-id jobID}

Command Argument for Inventory CDA deletejob and jobdetails
{-id Job IDs}
You can delete more than one job at a time.

Enter the Job IDs that you want to delete,
separated by commas.
You can list the details of more than one job
at a time. Enter the Job IDs separated by
commas.
Mandatory
Inventory CDA deletejob command:
cwcli inventory cda deletejob -u
-p
userid
password {-id jobID1, jobID2..}
Inventory CDA jobdetails command:

cwcli inventory cda jobdetails -u userid
-p
password {-id jobID1, jobID2..}
A-86
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
Command Argument for Inventory CDA listjobs
[-jobstatus status]
You can specify the status of the job. This can Optional.
be:
Username
Password [-jobstatus A, R, C, P]
cwcli inventory cda listjobs -u
All jobs
Running jobs
Completed jobs
Pending jobs.
-p
Command Arguments for Inventory CDA jobresults
{-id Job ID, Job ID}
You can list the results of more than one job

at a time. Enter the job IDs separated by
commas.
[-csvoutput filepath]
cwcli inventory cda jobresults -u

Username -p Password -id "Job ID 1"
"Job ID 2" , "Job ID 3"
You can specify the fully qualified pathname If you do not specify this argument, the job
for saving the job results.
results appear in the console itself.
If the specified path does not exist, the job
results are stored in the default location.
admin
admin {-jobid jobID} [-csvoutput
filepath]
cwcli inventory cda jobresult -u
-p
The Table A-1 maps the device credentials that you have entered in the Device and Credentials
(Inventory > Device Administration > Add / Import / Manage Devices) database and the credentials
that appear in the
cwcli inventory cda command:
Table A-1
Credentials Mapping
Credentials displayed in
Credentials in Device and Credentials Database
cwcli inventory cda
Device Name
deviceName
SNMP V2C RO Community String
ro
SNMP V2C RW Community String
rw
SNMP V3 Username and Password
snmpv3
Primary Credentials Username
telnet
Primary Credentials Username and Primary Enable

Password
telnetEnable
Primary Credentials Username
ssh
Primary Credentials Username and Primary Enable

Password
sshEnable

OL-25941-01
A-87
Appendix A
CLI Utilities
CWCLI
Table A-2 describes the Credential Verification Report Status messages:

Table A-2
Understanding Credential Verification Report
Status Message
Description
OK
Check for device credentials completed. The device credentials data

in the Device and Credential Repository matches the physical device
credentials.
No authentication configured Device was not configured with authentication mechanism

(Telnet/LocalUsername/TACACS). LMS was able to use Telnet and
log into the device successfully with out using the values entered in
the Device and Credential Repository.
Incorrect
Check for device credentials completed. The device credentials data

in the Device and Credential Repository does not match with the
physical device credentials for one of the following reasons:
The device credentials data in Device and Credential Repository

is not correct.
The device is unreachable or offline.
One of the interfaces on the device is down.
No Data Yet
Check for device credentials is in progress.
Did Not Try
Check for device credentials is not performed for one of the following
reasons:
A Telnet password does not exist, so could not login to the device.
Device Telnet login mode failed, so enable mode login is not

attempted.
No Value To Test
Check for device credentials is not performed because you have not
entered the device credentials data.
Not Supported
Check for Telnet passwords is not performed because Telnet

credential checking is not supported on this device.
Failed
Check failed because a Telnet session could not be established due to

a not responding device.
Not Selected For Verification Protocol was not selected for verification.
Usage Examples for cwcli inventory cda Command

This section provides some examples of usage for the cwcli inventory cda command.
Example 1: Invoking the Check Device Attributes

admin -p admin -invoke -device 3750-stack
The command output is:

CDA invoked for given device and credType list
SUMMARY
========
Successful: CDA: Success
A-88
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Example 2: Checking the read and write device credentials for multiple devices
admin -p admin -device 3750-stack, rtr% -credtype 1,2 -status
CDA Status :
============
deviceId | deviceName | ro | rw | snmpv3 | telnet | telnetEnable | ssh | sshEnable
25 | rtr10005 | OK | OK |
27 | 3750-stack | OK | OK |
|
|
|
|
|
|
32 | rtr10K | No Data Yet | No Data Yet |
SUMMARY
========
Example 3: Checking all device credentials for a group

admin -p admin -view "/RME@ciscoworksservername/Pre-deployed"
-status
CDA Status:
==========
29 | v2 | No Data Yet | No Data Yet | No Data Yet | No Data Yet | No Data Yet | No Data
Yet | No Data Yet
SUMMARY
========
Example 4: Checking device credentials for a device using the cwcli get request
http://ciscowork_servername:1741/rme/cwcli?command=cwcli inventory cda -u
admin -p
YWRtaW4= -device 10.10.10.12 -status

The output for this appears on your console:
-->
CDA Status :
============
12 | 10.10.10.12 | OK | OK | No Value To Test | Incorrect | Did Not Try | Failed | Did
Not Try
SUMMARY
========

OL-25941-01
A-89
Appendix A
CLI Utilities
CWCLI
Example 5: Checking device credentials for a device using the cwcli post request
The payload file, cda.xml contains:
<payload>
<command>
cwcli inventory cda -u admin -p YWRtaW4=
-device 10.10.16.20 -status
</command>
</payload>

perl
samplepost.pl http://ciscowork_servername:1741/rme/cwcli cda.xml
-->
CDA Status :
============
deviceId | deviceName | ro | rw | snmpv3 | telnet | telnetEnable | ssh | sshEnab
le
71 | 10.10.16.20 | No Data Yet | No Data Yet | No Data Yet | No Data Yet | No
Data Yet | No Data Yet | No Data Yet
SUMMARY
========
Example 6: Creating a job using cwcli inventory cda createjob command

cwcli inventory cda createjob -u admin -p admin - Cat6230, Cat4500 | -view myview
-schedule 03/23/2007:12:15:01 -scheduletype Once
This command creates a cda job for the devices Cat6230 and Cat4500 in the view myview and scheduled
for 23rd march 2007 at 12:15 pm with schedule type specified as Once.
Example 7: Stopping a cwcli inventory cda job using stopjob command

There is a job 1098, which is currently running. You can use this command to stop the job 1098.
cwcli inventory cda stopjob -u admin -p admin -id 1098
Example 8: Deleting cwcli inventory cda jobs using deletejob command

There are two jobs 1057 and 1058 scheduled. You can use this command to stop the two jobs.
cwcli inventory cda deletejob -u admin -p admin -id 1057,1058
Example 9: Getting details of jobs using cwcli inventory cda jobdetails command
There are two jobs 1001 and 1002 that are scheduled. You can use this command to list the details of
both the jobs:
cwcli inventory cda jobdetails -u admin -p admin -id 1001, 1002
A-90
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Example 10: Listing the cda jobs based on the status using the listjobs command
cwcli inventory cda listjobs -u admin -p admin -jobstatus R, C
Use this command to list those jobs whose status is Running or Completed.
Example 11: Obtaining results of jobs using jobresults comand

There are two jobs 1023 and 1024 that are completed. You can use this command to save the results of
these jobs to the specified location.
cwcli inventory cda jobresult -u admin -p admin -jobid 1023, 1024 -csvoutput
C:/jobs/results
Running the cwcli inventory crmexport Command

You can use this command to export device credentials in CSV or XML format.
The command syntax for cwcli inventory crmexport is:
userid -p password [-d debuglevel] [-m email] [-l logfile] {-device
list | -view name | -device list -view name} [ipaddress list] {-filetype format | -filename outputfile}
cwcli inventory crmexport -u
bars (|).
The following table describes the arguments that are specific to cwcli inventory crmexport command.
The other common arguments used by cwcli export are explained in Using the cwcli inventory
Command.
Argument
Description
Usage Notes
{-filetype format }
-filetype
format Enter the file format to

export, either XML or CSV.
Mandatory.
{ -filename outputfile }
-filename
outputfileEnter the filename.
The default CSV file format version is 3.0.

Mandatory.
Specifies the name of the file to which the
device credentials information is to be
exported on LMS server.
If you are using cwcli remotely (get or post
request), by default the output file is available
at this location on LMS server:
On Windows:
NMSROOT\MDC\tomcat
Where, NMSROOT is the LMS installed
directory.
Usage Examples for cwcli inventory crmexport Command

This section provides some examples of usage for the cwcli inventory crmexport command.

OL-25941-01
A-91
Appendix A
CLI Utilities
CWCLI
Example 1: Exporting device credentials of all devices in XML format

cwcli inventory crmexport -device
% -filetype xml -filename crmexport-xml -u admin -p admin
SUMMARY
======== Successful: Export: Success
The device credentials are exported into a file, crmexport-xml in XML format. The credentials that are
exported depends on the data that you have provided when you added the devices to Device Credentials
Repository.
Example 2: Exporting device credentials of all devices in Normal State in CSV format
"/RME@ciscoworksservername/Normal Devices" -filetype csv
crmexport-csv -u admin -p admin
cwcli inventory crmexport -view

-filename
SUMMARY
========
Successful: Export: Success
The device credentials for devices that are in Normal state are exported into a file, crmexport-csv in CSV
version 3.0 format. The credentials that are exported depends on the data that you have provided when
you added the devices to Device Credentials Repository.
Example 3: Exporting device credentials of all devices using cwcli get request method
In this example,

http://ciscowork_servername:1741/rme/cwcli?command=cwcli inventory crmexport -u admin -p
YWRtaW4= -device %25 -filetype xml
-filename getxml
The output is written in the getxml file. The getxml file is located:
On Windows:
NMSROOT\MDC\tomcat
Example 4: Exporting device credentials of all devices using cwcli post request method
The payload file, crmexport.xml contains:
<payload>
<command>
cwcli inventory crmexport -u admin -p YWRtaW4=
-filename /opt/CSCOpx/crmexport-xml
-device 10.66.162.208 -filetype xml
A-92
OL-25941-01
Appendix A
CLI Utilities
CWCLI
</command>
</payload>

perl
samplepost.pl http://ciscowork_servername:1741/rme/cwcli crmexport.xml
SUMMARY
========
Successful: Export: Success
The device credentials are exported into a file, crmexport-xml in XML format. This file is created in the
/opt/CSCOpx directory. By default, the specified file is created in this location:
On Windows:
NMSROOT\MDC\tomcat
The credentials that are exported depends on the data that you have provided when you added the devices
to Device Credentials Repository.
Running the cwcli inventory deletedevice Command

You can use this command to delete devices.
The device information will be retained in the Device Credentials Repository. This information will not
be removed till you delete the device from Device Credentials Repository.
The command syntax for cwcli inventory deletedevice is:
userid -p password [-d debuglevel]
[-m email] [-l logfile] [-view name] {-device list | -input inputfile | ipaddress list}
cwcli inventory deletedevice -u
bars (|).
The following table describes the arguments that are specific to cwcli inventory deletedevice
command. The other common arguments used by cwcli export are explained in Using the cwcli export
Command.

OL-25941-01
A-93
Appendix A
CLI Utilities
CWCLI
Argument
-input
Description
inputfile
Usage Notes
inputfileEnter the full path of the

Mandatory
file containing comma-separated list of
You must also enter the file format either
device name as entered in Device Credentials
CSV or txt.
Repository.
-input

-device
1.1.1.1,2.2.2.2,3.3.3.3
or
-device
1.1.1.1
-device
2.2.2.2
-device
3.3.3.3
Usage Examples for cwcli inventory deletedevice Command

This section provides some examples of usage for the
cwcli inventory deletedevice command.
Example 1: To delete a device

admin -p admin -device 10.76.10.10
<cwcli> INFO - Total number of devices deleted successfully: 1

SUMMARY
========
Successful: Delete Device: Success
Example 2: To delete devices listed in a file

The input file, deletedevice contains list of device Device Name separated by a comma:
-device
3750-stack,rtr1000,rtr10005
admin -p admin -input deletedevice.csv
Example 3: To delete devices using cwcli get request

Enter the following in your browser:
http://ciscowork_servername:1741/rme/cwcli?command=cwcli inventory deletedevice -u
admin -p YWRtaW4= -device 10.10.10.41,10.10.10.51

-->

SUMMARY
========
A-94
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Example 4: To delete devices using cwcli post request

The payload file, deletedevicestate.xml contains:
<payload>
<command>
cwcli inventory deletedevice -u admin -p YWRtaW4=
10.77.9.10,10.77.9.18,10.76.8.6
-device
</command>
</payload>

perl
samplepost.pl http://doclab2:1741/rme/cwcli deletedevice.xml
-->
SUMMARY
========
Running the cwcli inventory getdevicestate Command

You can use this command to view the device state.
The command syntax for cwcli inventory getdevicestate is:
userid -p password [-d debuglevel]
[-m email] [-l logfile] [-view name] {-device list | -input inputfile | ipaddress list}
cwcli inventory getdevicestate -u
bars (|).
The following table describes the arguments that are specific to cwcli inventory getdevicestate
command. The other common arguments used by cwcli export are explained in Using the cwcli
inventory Command.

OL-25941-01
A-95
Appendix A
CLI Utilities
CWCLI
Argument
-input
Description
Usage Notes
inputfileEnter the full path of the

file containing comma-separated list of
devices name as entered in Device
Credentials Repository.
Mandatory
inputfile
-input
You must also enter the file format either

CSV or txt.

-device
1.1.1.1,2.2.2.2,3.3.3.3
or
-device
1.1.1.1
-device
2.2.2.2
-device
3.3.3.3
Usage Examples for cwcli inventory getdevicestate Command

This section provides some examples of usage for the
cwcli inventory getdevicestate command.
Example 1: To view the device state of the devices

cwcli inventory getdevicestate -u
admin -p admin -device 10.10.19.10,10.10.19.12
<cwcli> INFO - Device State Information

DisplayName:Device State
10.10.19.10:PREDEPLOYED
10.10.19.12:NORMAL
SUMMARY
========
Successful: getdevicestate: Success
Example 2: To view the devices state specified in a file

The input file, deletedevice contains list of device name separated by a comma:
-device
VG200,rtr1750,cat4000
admin -p admin -input devicestate.csv
Example 3: To view the devices state using get request

Enter the following in your browser:
http://ciscowork_servername:1741/rme/cwcli?command=cwcli inventory getdevicestate -u
admin -p YWRtaW4= -device 10.16.10.15,10.16.10.35

-->

A-96
OL-25941-01
Appendix A
CLI Utilities
CWCLI
10.16.10.15:NORMAL
SUMMARY
========
.
Example 4: To view the device state using post request

The payload file, getdevicestate.xml contains:
<payload>
<command>
cwcli inventory getdevicestate -u admin -p YWRtaW4=
12.20.12.26,10.6.12.21,12.18.10.129,10.7.9.13
-device
</command>
</payload>

perl
samplepost.pl http://ciscowork_servername:1741/rme/cwcli getdevicestate.xml
To invoke the servlet using a script, see the Sample Script to Invoke the Servlet.
-->

12.18.13.129:ALIAS
10.6.12.21:NORMAL
12.20.12.26:NORMAL
SUMMARY
========
Overview: cwcli invreport Command

The cwcli invreport is a CiscoWorks command line tool which allows you to run previously created
Inventory Custom Reports and also system reports. The supported output file format is Comma
Separated Value (CSV).
The above command retrieves the inventory report in CSV format. The -file parameter stores the output
in the file specified by filename. If you have not specified the filename, the output is stored at the
following location:
NMSROOT\files\rme\cri\archives\inventory\reportname_timestamp.csv (On Windows)

OL-25941-01
A-97
Appendix A
CLI Utilities
CWCLI
/var/adm/CSCOpx/files/rme/cri/archives/inventory/reportname_timestamp.csv (On Solaris and

Soft Appliance)

You can:
Use the -reportname argument to generate the report.

This can be the name of:
An already defined custom template
or
A system report name such as Detailed Device Report.
Note
Use the -input argument to specify a file containing the parameters for the report generation.
The -view argument is not allowed in the input file.
Enable debug mode and set the debug level using the -d argument.
E-mail the output to an e-mail recipient using the -m argument.
Log the error messages to a file using the -l argument. The log and the output files are created in
the current directory.
List the existing reports with the -listreports argument.
Running the cwcli invreport Command
To use the cwcli invreport command, you must be able to run the cwcli command
You should be authorized to generate inventory reports.
The command syntax is:
cwcli invreport -u
-reportname
userid -p password [-d debuglevel] [-m email] [-l logfile] {-listreports |

name {-view viewname | -device list | -ipaddress list} [-file filename] | -input
inputfile}
bars (|).
If you do not specify an optional argument, the default value configured for the system is used. Valid
values for arguments are described in the following table:
Argument
Description
Usage Notes
-u
user
Provide valid LMS username.
None.
-p
password
Provide password for username.
None.
You can also specify the password in a file. See

Setting CWCLIFILE Environment Variable for
more details.
A-98
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
[ -d debug_level ]
Set debug level.
Optional.
debug_level is a number between 1 (the least
information is sent to the debug output) and
5 (the most information is sent to the debug
output). If you do not specify this argument,
4(INFO) is the default debug level.
[-m email]
Specify an e-mail address to send the results.
Optional.
email is one or more e-mail addresses for
notification. They can be separated by a
space or comma.
[ -l log_filename ]
Logs the error messages and debug of messages Optional.

of the invreport command, to the specified logfile
log_filename can be full pathname or
name.
filename in local directory.
If not specified, it will be written to default logs
(invreports.log and cli.log).
[ -l log_filename ]
Logs the error messages and debug of messages Optional.

of the invreport command, to the specified logfile log_filename can be full pathname or
name.
filename in local directory.
If not specified, it will be written to default logs
(invreports.log and cli.log).

OL-25941-01
A-99
Appendix A
CLI Utilities
CWCLI
Argument
Description
Specify any one of the required arguments:

{-listreports |
-reportname name {-view
-listreports
viewname | -device list |
-reportname
-ipaddress list} [-file
filename] | -input inputfile} -input
Usage Notes
-listreports argument lists out all
Inventory system reports and custom reports
templates. You can run this command if you
have the required permissions to generate
reports.
-reportname name specifies the name of an
already defined custom template or the name
of a system report (such as Detailed Device
Report) for which the CSV formatted report
is to be generated.
inputfile specifies the input file

containing report parameters. The
parameters in this file will be used to
generate the CSV formatted report(s).
-input
For Solaris and Soft Appliance, you must

specify the complete path of the input file.
For Windows, this file should be located in
the current directory or you can specify the
complete path of the input file.
The -view argument is not allowed in the
input file.
A-100
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Argument
Description
Usage Notes
If you selected -reportname name, then

specify any one of these arguments:
-view viewname. This confines the
device search to the specified view.

-device list. This specifies one or more
device names as a comma-separated list.

Optionally, you can also specify -file
filename. Name of the file where CSV
formatted report will be stored.
If you do not specify the location, the
default location is:
NMSROOT\files\rme\cri\archives\invent
ory\reportname_timestamp.csv (On
Windows)
/var/adm/CSCOpx/files/rme/cri/archive
s/inventory/reportname_timestamp.csv
(On Solaris and Soft Appliance)
ipaddress listThis specifies IP4
address as entered in the Device and

Credential Repository. You can enter
multiple IP address with comma
separated.
You cannot use this option with -device,
-view , or -input. Also, you cannot
specify wildcard characters.
Usage Examples
This section provides some examples of usage for the cwcli invreport command:
Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 1
cwcli invreport -u
admin -p admin -reportname "Detailed Device Report" -device %
This generates Detailed Device Report for all devices and CSV file will be located at
NMSROOT\files\rme\cri\archives\inventory\Detailed Device Report_timestamp.csv (On Windows)
/var/adm/CSCOpx/files/rme/cri/archives/inventory/Detailed Device Report_timestamp.csv. (On

Solaris and Soft Appliance)

OL-25941-01
A-101
Appendix A
CLI Utilities
CWCLI
Example 2
cwcli invreport -u admin -p admin -reportname "Detailed Device Report" -device % -file
D:\cisco\CSCOpx\a.csv
This generates Detailed Device Report, a system report, for all devices, and the result will be written to
D:\cisco\CSCOpx\a.csv
Example 3
cwcli invreport -u
admin -p admin -reportname "Detailed Device Report" -device % -file a.csv
This generates the Detailed Device Report, a system report, for all devices, and the result will be written
to the file a.csv in the current directory (from where you are running this command).
Example 4
cwcli invreport -u
admin -p admin -input cliinputs.txt
Generate the reports using the parameters provided in the file cliinputs.txt. Using -input argument you
can run multiple reports at a time by providing parameters in the file.
Example 5
cwcli invreport -u
admin -p admin -listreports
Displays a list of all Inventory system report and custom templates.

You can run this command if you have the required permissions to generate reports.
Example 6
admin -p admin -d 3 -m xxx@yyy.com -reportname acmeinventory -view acme

acmeinventory.txt
cwcli invcreport -u
-file
Generates the report named acmeinventory, using the acme device view and the CSV formatted output
will be written to acmeinventory.txt
You can place this file in the current directory (from where you are running the command).
Example 7
cwcli invreport -u
admin -p admin -reportname HardwareStatisticsReport -device devname -file
hwstreport.txt
Generates the Hardware Statistics Report for the device devname and the CSV formatted output will be
written to hwstreport.txt
Example 8
cwcli invreport -u
admin -p admin -reportname DeviceStatisticsReport -device devname -file
devstreport.txt
Generates the Device Statistics Report for the device devname and the CSV formatted output will be
written to devstreport.txt
Example 9
cwcli invreport -u
admin -p admin -reportname POEReport -device devname -file report.txt
Generates the POE Report for the device devname and the CSV formatted output will be written to
report.txt
A-102
OL-25941-01
Appendix A
CLI Utilities
CWCLI
cwcli invreport Remote Access

You can also perform the cwcli invreport tasks using the servlet. You will have to upload a payload
XML file, which contains the cwcli invreport command arguments and LMS user credentials.
The following is the servlet to be invoked to execute any command:
For post request,
perl

perl

<payload>
<command>
</command>
</payload>

OL-25941-01
A-103
Appendix A
CLI Utilities
CWCLI
For get request,

http://lms-server:rme-port/rme/cwcli?command=cwcli invreport commandname -u user -p BAse64

https://lms-server:lms-port/rme/cwcli?command=cwcli invreport

The URL encode for,
Overview: cwcli netshow Command

You can invoke NetShow features from Command Line Interface (CLI).
The cwcli netshow commands let you use NetShow features from the command line. You can use the
cwcli netshow commands to view, browse, create, delete, and cancel NetShow jobs.
You can also view the Command Sets assigned to each user by entering the command listcmdsets from
CLI.
You can set the following job attributes using the command line option:
E-mail Notification
Job Based Password
Execution Policy
Approver List
However, the Administrator must define and assign the command sets to you, in the browser interface.
If you do not have permission to run custom commands, you can run a command or command set from
the CLI only if:
The command set is assigned to you by the Administrator.
The command set has at least one command that can be run on the specified device.
If you have permission to run custom commands, you can run any of the following adhoc commands:
show
version
where
ping
traceroute
Administrator level users have all command sets assigned to them. However, only system-defined
command sets are assigned to all users, by default. Other commands have to be assigned to the user by
the Administrator. If any users create a command, it is automatically assigned to them.
A-104
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Running cwcli netshow Command

The command syntax for running cwcli netshow commands is:
cwcli netshow common_arguments subcommands command_arguments
In the CLI version, you can provide the arguments in the (operating system shell) command line or in an
input file. The input file provides you with flexibility and control over commands and command sets.
You can specify the devices on which you want to run the command sets.
In the input file, you can include subcommands and command arguments.
For example, you can create a new netshow job with command sets, set1 and set2, and the custom
commands, custom command 1 and custom command 2, by entering:
cwcli netshow createjob -u Username -p Password -commandset Command Set 1, Command Set
2 -device Device 1, Device 2 -customcmd Custom command 1, Custom command 2 -schedule
Schedule -scheduletype Schedule Type
Items in square brackets ([]) are optional; items in curly brackets ({}) are required.
The arguments are described in the following sections.
Subcommands
Subcommands specify the actions that you perform. Valid values for subcommands are described in the
following table.
Sub Command
Description
Usage Notes
createjob
Creates a new job that can be

scheduled to run immediately
or to be run sometime in the
future.
Either use an input file

containing the details of the
subcommands or enter the full
command syntax.
You can also specify the job

attributes you want to enable.
Example
cwcli netshow createjob -u
Username -p Password
-commandset Command Set 1,
Command Set 2 -device Device
Name 1, Device Name 2
-customcmd Custom Command
1, Custom Command 2
-schedule Schedule
-scheduletype Schedule Type
Or
cwcli netshow createjob -u
Username -p Password -input

Input File
canceljob
Cancels an existing job.
Enter the job ID.
cwcli netshow canceljob -u

Username -p
Password -id Job
ID
deletejob
jobdetails
Deletes existing jobs.
Displays details of specified

job.
Enter the job IDs separated by

commas.
Enter the job IDs separated by
commas.
cwcli netshow deletejob -u
Username -p Password -id Job ID

1, Job ID 2
cwcli netshow jobdetails -u
Username -p Password -id Job
ID 1,Job ID 2, Job ID 3

OL-25941-01
A-105
Appendix A
CLI Utilities
CWCLI
Displays a list of jobs created

by the user and the job status.
listjobs
Specify the type of jobs to be

listed. The command type is
case sensitive.
cwcli netshow listjobs -u

Username -p Password -status
R,C
The commands that you can use

are:
A
All jobs
Running jobs
Completed jobs
Pending jobs
You can use combinations of

status options. Separate the
options by commas.
listcmdsets
Displays a list of command sets None.

assigned to the user.
jobresults
Displays results of specified

jobs
Specify the job IDs. Separate the cwcli netshow jobresults -u

Username -p Password -id "Job
job IDs by commas.
ID 1" , "Job ID 2" , "Job ID 3"
help
Displays command usage

information.
None.
cwcli netshow listcmdsets -u

Username -p Password
cwcli netshow -help
Common Arguments
Common arguments specify parameters that apply to all subcommands. Valid values for
common_arguments are described in the following table.
Command
Description
Usage Notes
-u
user
None
-p
password
Enter the password for the

username.
None
You can also specify the password

in a file. See Setting CWCLIFILE
Environment Variable for more
details.
[-d
debug_level]
Set the debug level.
Optional
debug_level should be a number between 1-5.
1 The least information is sent to the debug output
5 The most information is sent to the debug output.
[-l
log_filename]
Identifies a file to which Network Optional

Show Commands will write log
log_filename can be a full path to the file or a filename in the
messages.
local directory.
If you do not specify this, the log
output will appear on screen.
[-m
Email ID]
Enter your Email ID
You will get the output of the CLI operation in an Email.
A-106
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Command Arguments
Command arguments specify parameters that apply only to specific subcommands. Valid values for
command arguments are described in the following table.
Arguments in square brackets ([]) are optional. Arguments in curly brackets ({}) are required. You must
provide one argument from each group of arguments in curly brackets ({}) that is separated by vertical
bars (|).
Command Arguments
Description
Usage Notes
Command Arguments for createjob
{-device devicelist | -view view_name} Defines devices on which you want the
command set to run.
device_list List of device names.

Separate these names by commas.
view_name Name of a device view.
{-commandset commandset}
Defines available command sets that you commandset is the name of the
want to run on the selected devices.
command set that was assigned to you.
You can specify more than one
command set separated by commas. The
command set name is case sensitive.
You must specify command set or
custom command or both to create a job.
{-customcmd customcommand}
Defines the user-defined commands that customcommand is a user-defined show

you want to run on the selected devices. command.
You must specify command set or
custom command or both to create a job.
The custom commands which can be run
on NetShow are:
show
version
where
ping
traceroute
You can use the short forms of these

commands. For example, sh for show.
[-description
description]
Gives details of the job.
description is a user-defined entry

describing the job details.

OL-25941-01
A-107
Appendix A
CLI Utilities
CWCLI
Command Arguments
Description
[{-schedule MM/dd/yyyy:HH:mm:ss
-scheduletype Once | Daily | Weekly |
Monthly | LastDayOfMonth | 6hourly |
12hourly}]
You can specify the date and time as well scheduletype can have any of the
following values:
as the frequency of the NetShow job.
To specify the date and time when

you want to run the NetShow job,
use the schedule option.
To specify the frequency of the job
use the scheduletype option.
You have to set both the schedule and

schedule type options for a scheduled
job.
Usage Notes
Once
6hourly
12hourly
Daily
Weekly
Monthly
LastDayOfMonth
You do not have to set the schedule and
If the schedule option is not specified,
schedule type for an Immediate job.
the job will be created as an immediate
job.
[-makercomments comments]
Job creator's comments to Job approver.
[-mkemail email]
Maker e-mail ID for sending approval

notifications
[-notificationmail email]
Defines the e-mail addresses of persons email can contain a comma separated
who need to get mails when the job has email list.
started and completed.
If you do not specify this option in the
CLI, the e-mail address specified in the
UI are used.
[-execution Sequential|Parallel]
Execution policy. Specifies the order in

which you want to run the job on the
devices.
If you do not specify these options in the

CLI, the corresponding settings from the
UI are used.
ParallelAllows the job to run on

multiple devices at the same time.
By default, the job runs on five devices
at a time.
SequentialAllows the job to run on
only one device at a time.
{-primary_user username
password}
Primary username and password to

connect to devices.
{-enable_pass password}
Execution mode password to connect to

device.
[-input input file]

subcommands
-primary_pass
If you are specifying the input file, you

do not need to specify the
subcommands.
A-108
OL-25941-01
Appendix A
CLI Utilities
CWCLI
Command Arguments
Description
Usage Notes
Command Argument for listjob
{-status status}
You can specify the status of the job.

This can be:
All jobs
Running jobs
Completed jobs
Pending jobs.
Command Argument for canceljob
{-id Job ID}
You can cancel only one job at a time.
Command Argument for deletejob and jobdetails
You can delete more than one job at a

time. Enter the Job IDs that you want to
delete, separated by commas.
You can list the details of more than one
job at a time. Enter the Job IDs separated
by commas.
Command Arguments for jobresults
You can list the results of more than one

job at a time. Enter the job IDs
separated by commas.
[-output file path]
You can specify the fully qualified

pathname for saving the job results.
If you do not specify this argument, the

job results appear in the console itself.
If the specified path does not exist, the
job results are stored in the default
location.
Executing Netshow CLI Remotely

You can run NetShow CLI from a remote console.
NetShow uses the Remote Access feature in the CLI framework to help you to invoke the NetShow
commands from the client in the same way as you run them on the LMS server.
The name of the servlet, to be invoked, is /rme/cwcli.
You must invoke the following URLs to run any command.
For POST request:

payload XML file
For GET request:

http://lms-server:lms-port/rme/cwcli?command=cwcli netshow
command -u Username -p
Password command_specific_args

OL-25941-01
A-109
Appendix A
CLI Utilities
The contents of the payload.xml is:

<payload>
<command>
cwcli netshow command -u Username -p Password command_specific_args
</command>
</payload>
For example to run the listcmdsets command payload.xml will be as follows:

<payload>
<command>
cwcli netshow listcmdsets -u Username -p Password
</command>
</payload>

Performance Tuning Tool (PTT) is a Command Line Interface (CLI) utility that enables you to apply and
list various profiles available in LMS server. Profiles consists of configuration files, which are in the
form of XML files whose values are based on the recommendations for various applications. For more
information on PTT features, refer to PTT Features.
There are two profiles shipped with LMS. You can use any of the profile that matches the system. For
more information on PTT Profiles, see Profiles and PTT.
There maybe multiple configuration files that are involved while applying a profile. The parameters such
as, snmp.threads.min, snmp.threads.max, ICSThreadCount, ICS DBConnectionCount,
ThreadPoolCount, CDLNumOfThreads, max_db_connections, max_threads_for_config_fetch,
EssentialsDMServicesHeapsize,ConfigJobManager.heapsize, and CDA_MIN_THREADS are tuned and
available in each profile. You can apply the required profile to the system and improve performance.
This is a major advantage of using PTT.
To know more about the command usage, see PTT Commands.
PTT Features
The PTT CLI utility allows you to:
List the profile that is currently applied to the target machine.
List the profiles that match the system configuration.
List the profiles that match the operating system.
Apply a selected profile onto the target machine.
Reverse the changes done to a target machine by applying the default profile to restore the default
settings.
View details of a profile.
A-110
OL-25941-01
Appendix A
CLI Utilities
Profiles and PTT

Profiles are XML files whose values are based on the recommendations of the various LMS applications.
Each profile (XML file) consists of tuned parameters which when applied, improves performance.
There are two profiles that are shipped with LMS. They are:
Default Profile
Perftune - Windows and Perftune - Solaris and Soft Appliance
All the configuration files are backed up before applying a profile.
Note
PTT identifies the matching profile for a LMS server based on the following criteria:
The operating system for which the profile is created.
The System Configurations such as Dual CPU and 4 GB RAM.
A profile is considered matching only if it meets these criteria.

When you apply a profile, the tuned parameters, see Table A-3 corresponding to that profile is applied
to the system.
These parameters belong to Sync Archive, Netconfig, Syslog, Device Management, Check Device
Attributes (CDA) and Inventory Collection sub systems of the LMS application. The profile, with tuned
parameters when applied, improves the performance. Before running PTT, ensure that the Daemon
manager is stopped.
Default Profile
A default profile is a profile with default values. It is used to rollback the changes done by PTT. You can
roll back the changes made to a profile, by applying the default profile. This action rolls back the
parameters to their original values. The parameters and the original values are:
Table A-3
Default Profile Original Values
Sub system
Parameters
Original Values
Platform Supported
CDA
CDA_MIN_THREADS
Windows and Solaris and

Soft Appliance
EssentialsDM
ConfigJobManager.heapsize
192m

Soft Appliance
EssentialsDM
EssentialsDMServiceHeapsize
256

Soft Appliance
Inventory Collection
snmp.threads.min
10

Soft Appliance
snmp.threads.max
15

Soft Appliance
ICS ThreadCount
10

Soft Appliance
ICS DBConnectionCount

Soft Appliance
NetConfig and SyncArchive
max_threads_for_config_fetch

Soft Appliance

OL-25941-01
A-111
Appendix A
CLI Utilities
Table A-3
Default Profile Original Values
Sub system
Parameters
Original Values
Platform Supported
ThreadPoolCount
10

Soft Appliance
CDLNumOfThreads

Soft Appliance
max_db_connections
20

Soft Appliance
Xmx
Config Management (Config
Management Server Daemons dmgtd.conf Arguments for max
heap size.)
192
Solaris and Soft Appliance
Xms
Management Server Daemons dmgtd.conf Arguments for
minimum heap size.)
64
Solaris and Soft Appliance
Perftune - Windows and Perftune - Solaris and Soft Appliance
This profile consists of parameters that are tuned to improve performance.
Perftune - Windows profile is applied to a system that has a Windows operating system, provided
the profile matches the required criteria.
Perftune - Solaris and Soft Appliance profile is applied to a system that has a Solaris and Soft
Appliance operating system, provided the profile matches the required criteria.
See Profiles and PTT for more informationon criteria for a profile to match a system.
The parameters that can be tuned are:

Table A-4
Perftune - Windows and Perftune - Solaris and Soft Appliance Parameters
Sub system
Parameters
Original
Values
New
Value
CDA
CDA_MIN_THREADS
14

Soft Appliance
EssentialsDM
ConfigJobManager.heapsize
192m
256

Soft Appliance
EssentialsDM
EssentialsDMServiceHeapsize
256
512

Soft Appliance
snmp.threads.min
10
20

Soft Appliance
snmp.threads.max
15
25

Soft Appliance
ICS ThreadCount
10
20

Soft Appliance
Platform Supported
A-112
OL-25941-01
Appendix A
CLI Utilities
Table A-4
Perftune - Windows and Perftune - Solaris and Soft Appliance Parameters
Sub system
Parameters
Original
Values
New
Value
ICS DBConnectionCount
10

Soft Appliance
max_threads_for_config_fetch
10

Soft Appliance
ThreadPoolCount
10
20

Soft Appliance
CDLNumOfThreads
20

Soft Appliance
max_db_connections
20
40

Soft Appliance

Management Server Daemons dmgtd.conf Arguments for max
heap size.)
Xmx
192
256
Solaris and Soft

Appliance

Management Server Daemons dmgtd.conf Arguments for
minimum heap size.)
Xms
64
128
Solaris and Soft

Appliance
Platform Supported
Example 1
If the Perftune - Windows profile is applied to a system which already has a default profile applied, the
parameters are changed from the original values to new values. See Table A-4 for Original and New
values.
Example 2
If the default profile is applied to a system which already has a Perftune - Windows profile applied to it,
the parameters are rolled back to original values. See Table A-3 for Original values.
PTT Commands
Table A-5 lists the various PTT command options that you can use. These command options are common
for Windows and Solaris and Soft Appliance.
Table A-5
PTT Command Options
PTT command options
Description
-apply <profileName>
Applies a particular profile.

To reset, specify the default profile name as parameter and apply that profile.
apply
Finds the matching profile and applies it automatically in a single step.
apply Default
Finds the default profile and applies it automatically in a single step.
-show
Displays the currently applied profile.
-list
Lists all the profiles that match the target operating system.

OL-25941-01
A-113
Appendix A
CLI Utilities
PTT command options
Description
-list Match
Lists the profile that matches the system configuration.
-view <profileName>
Displays the profile details.

The details of the profile, which is specified in the command is displayed.
Displays help for all commands.
rmeptt -help
Command Usage
In Windows enter:
rmeptt.bat
<option> <argument>
For example, to list all the profiles that matches the target operating system, the command is:
rmeptt.bat -list
In Solaris and Soft Appliance, enter:

rmeptt.sh <option > <argument>
For example to display the profile details, the command is:

rmeptt.sh -view
Where x is the name of the profile.
The syslogConf.pl is a perl script CLI utility. You can use this utility to:
Change Syslog Analyzer Port.
Change Syslog Collector Port.
Configure Remote Syslog Collector (RSAC) Address and Port in LMS server.
Change Syslog File Location.
You can run this script in the LMS server as well as the RSAC server. All the activities mentioned above
can be performed in a LMS server by running the syslogConf.pl script from the command prompt.
In RSAC server, you can only change the Syslog Collector Port and Syslog File location. The Syslog
Collector and Syslog Analyzer ports can be any number between 1025 and 5000.
This utility is available under:
NMSROOT/bin/ (On Solaris and Soft Appliance)
NMSROOT\bin (On Windows)
A log file for the syslogconf.pl script is available at:
In Solaris and Soft Appliance
/var/adm/CSCOpx/log/SyslogConf.log
In Windows
NMSROOT\log\SyslogConf.log
A-114
OL-25941-01
Appendix A
CLI Utilities
Note
Before you run the syslogConf.pl script, ensure that the Daemon Manager is stopped.
Running the syslogConf.pl Script
To run the script:

Step 1
Go to the command prompt and enter:

NMSROOT/bin/perl NMSROOT/syslogConf.pl
When you run this syslogConf.pl script, a message appears with five options.
[1] Change Syslog Analyzer Port
[2] Change Syslog Collector Port
[3] Configure Remote Syslog Collector(RSAC) Address and Port
[4] Change Syslog File Location
[Q] Quit
Enter Your Choice:
Step 2
Enter your choice.
If you enter 1 the following message is displayed with the old Syslog Analyser Port number. You
are also prompted to enter the new port number for the Syslog Analyser.
INFO: You have opted to change Local Syslog Analyser port.
Old Syslog Analyser Port :xxxx
Enter new Syslog Analyser port:
For example, you can change the Syslog Analyser Port from 4444 to 2222.
After providing the new port information, the following message is displayed.
INFO:Local Syslog Analyser port has been changed from 4444 to 2222 successfully
If you enter 2 the following message is displayed with the old Syslog Collector Port number. You
are also prompted to enter the new port number for the Syslog Collector.
INFO: You have opted to change Local Syslog Collector port.
Old Syslog Collector Port :xxxx
Enter new Syslog Collector port:
For example you can change the Syslog Collector Port from 1111 to 3333.
After providing the new port information, the following message is displayed.
INFO:Local Syslog Collector port has been changed from 1111 to 3333 successfully
If you enter 3, the following message is displayed, with the old Syslog Collector Port number. You
are also prompted to provide the new RSAC Address and the new port number for the Syslog
Collector.
INFO: You have opted to change RSAC port.
Enter the RSAC Address:
Old Syslog Collector Port :0
Enter new Syslog Collector port:
Ensure that the RSAC port that you configure in the LMS server corresponds with the Collector port
configured in the RSAC server.
You can specify srme-w2k as the RSAC Address, and change the Syslog Collector port from 0 to
3456.

OL-25941-01
A-115
Appendix A
CLI Utilities
After providing the RSAC Address and port information, the following message is displayed.
INFO: Remote Syslog Collector(RSAC) port has been changed from 0 to 3456.
If you enter 4, the following message is displayed with the old Syslog Directory Path. You are also
prompted to enter the new Syslog Directory path.
INFO: You have opted to change Syslog File Location
Old Syslog Directory : /var/log/
Enter Full Path of New Syslog Directory:
Ensure that you enter the full directory path, if you are running the syslogConf.pl script on Solaris
and Soft Appliance. You can provide the relative directory path if you are running the syslogConf.pl
script on Windows.
For example you can change the Syslog Directory location from /var/log/ to /var/log/newSyslogLoc.
After providing the required information, the following message is displayed.
Syslog file location changed from: /var/log/ to: /var/log/newSyslogLoc
If you enter Q, you are allowed to quit from the script.

You can invoke Software Management (SWIM) features from Command Line Interface (CLI).
The cwcli swim commands let you use SWIM features from the command line. You can use the cwcli
swim commands to:
List Images from Software Management (SWIM) Repository
Export Images from Software Management (SWIM) Repository
These functions are only accessible to the Network Administrator, Network Operator and super users
who have all of the roles.
If you do not have permission to run custom commands, you can run a command or command set from
the CLI only if:
The command set is assigned to you by the Administrator.
The command set has at least one command that can be run on the specified device.
Running cwcli swim Command
Running SWIM CLI Remotely
Running cwcli swim Command

The command syntax for running cwcli swim commands is:
cwcli swim subcommands common_arguments command_arguments
In the CLI version, you can provide the arguments in the (operating system shell) command line or in
aninput file.
The input file gives you flexibility and control over commands and command sets. You can specify the
images on which you want to run the command sets.
A-116
OL-25941-01
Appendix A
CLI Utilities
In the input file, you can include subcommands and command arguments.
Items in square brackets ([]) are optional; items in curly brackets ({}) are required.
The arguments are described in the following sections.
Subcommands
Subcommands specify the actions that you perform. Valid values for subcommands are described in the
following table.
Sub Command
Description
Example
listimages
Displays a list of images available in the

Software Repository.
cwcli swim listimages -u
exportimages
Exports specified images in a

non-compressed format from the Software
Repository to any directory. The default
target directory is the current directory.
cwcli swim exportimages -u Username -p

Password [-imagenames imagename1,
imagename2...] [-all] [-dirname directoryname]
[-input argumentFile] [-m email][-l logfile]
Userid -p Password
For exportimages command either one of

these arguments is mandatory:
-imagenames|-all|-input
Displays command usage information.
help
cwcli swim -help
Common Arguments
Common arguments specify parameters that apply to all subcommands. Valid values
forcommon_arguments are described in the following table.
Command Arguments
Description/Action
Usage Notes
-u
user
None
-p
password
Enter the password for the

username.
None
You can also specify the password

in a file. See Setting CWCLIFILE
Environment Variable for more
details.
[-l
log_filename]
Identifies a file to which Software This argument is optional.

Management Commands will
log_filename can be a full path to the file or a filename in the
write log messages.
local directory.
If you do not specify this, the log If you do not specify filename, the log file will be created in:
output will appear on screen.
/var/adm/CSCOpx/log (On Solaris and Soft Appliance)

[-m
Email ID]
Enter your Email ID
This argument is optional.

You will get the output of the CLI operation in an e-mail.

OL-25941-01
A-117
Appendix A
CLI Utilities
Command Arguments
Command arguments specify parameters that apply only to specific subcommands. Valid values for
command arguments are described in the following table.
Arguments in square brackets ([]) are optional. Arguments in curly brackets ({}) are required. You must
provide one argument from each group of arguments in curly brackets ({}) that is separated by vertical
bars (|).
Command Arguments
Description
Usage Notes
Specify the image names that you want

to export using this command.
cwcli swim exportimages -u
Command Arguments for exportimages
{-imagenames ImageName1,
ImageName2}
Username -p Password [-imagenames

imagename1, imagename2...] [-all]
[-dirname directoryname] [-input
argumentFile] [-m email][-l logfile]
ImageName1, ImageName2 List of
images. Separate these names by
commas.
{-all}
Specify this option if you want to export -all images from Software Repository to
the current directory or any specified
directory.
{-input argumentFile}

subcommands
If you are specifying the input file, you

need not specify the subcommands.
For instance, if you are using sample.txt
as the argumentFile for -input command,
you have to provide the following
command:
cwcli swim exportimages -input
sample.txt
Example of sample.txt:
{imagename1},
[imagename2...]
-imagenames
{imagename4},
[imagename5...]
-imagenames
Items in square brackets ([]) are

optional; items in curly brackets ({}) are
required.
[-dirname directoryname]
Specify a directory name if you want to If you do not specify this the images are
export images to a specified directory
exported to the NMSROOT/temp
using this command.
directory, where CLI is launched.
A-118
OL-25941-01
Appendix A
CLI Utilities
Running SWIM CLI Remotely

You can run Software Management (SWIM) CLI from a remote console.
SWIM uses the Remote Access feature in the CLI framework to help you to invoke the SWIM commands
from the client in the same way as you run them on the LMS server.
The name of the servlet to be invoked is /rme/cwcli.
You must invoke the following URLs to run any command.
For POST request:

payload XML file
For GET request:

http://lms-server:lms-port/rme/cwcli?command=cwcli swim command -u Username -p Password
command_specific_args
The contents of the payload.xml is:

<payload>
<command>
cwcli swim command -u Username -p Password command_specific_args
</command>
</payload>
For example to execute the listimages command payload.xml will be as follows:

<payload>
<command>
cwcli swim listimages -u Username -p Password
</command>
</payload>
Note
The Base64 encoded password is used for accessing Software Management (SWIM) CLI remotely.

OL-25941-01
A-119
A P P E N D I X

Cisco Prime LMS allows you to create new configuration templates (.xml format) that can be deployed
using the Template Center feature.
This appendix explains:
Understanding the XML Schema

This section explains the XML schema that you can use to create new templates (.xml format) and deploy
them in LMS. See Detailed Description of Template XML Schema for more information.
The XML schema file is:
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
xmlns:xjc="http://java.sun.com/xml/ns/jaxb/xjc"
jaxb:extensionBindingPrefixes="xjc"
jaxb:version="1.0">
<xs:annotation>
<xs:appinfo>
<jaxb:globalBindings generateIsSetMethod="true">
<xjc:serializable uid="1255591397484"/>
Defining root OOTB template -->
<xs:element name="ootb-template">
<xs:complexType>
<xs:sequence>
<xs:element name="template-metadata" type="template-metadata" minOccurs="1"
maxOccurs="1" />
<xs:element name="config" type="config" minOccurs="1" maxOccurs="unbounded"
/>
</xs:sequence>
</xs:complexType>

OL-25941-01
B-1
Appendix B
</xs:element>

<xs:complexType name="template-metadata">
<xs:all>
<xs:element name="template-details" type="template-details"minOccurs="1"
maxOccurs="1" />
<xs:element name="parameter-metadata" type="parameter-metadata" minOccurs="0"
maxOccurs="1" />
</xs:all>
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>

<xs:complexType name="template-details">
<xs:all>
<xs:element name="description" type="xs:string" maxOccurs="1" minOccurs="1" />
<xs:element name="task" type="xs:string" maxOccurs="1" minOccurs="0"/>
<xs:element name="author" type="xs:string" maxOccurs="1" minOccurs="0"
default="Cisco Systems"/>
<xs:element name="template-version" type="xs:string" maxOccurs="1"
minOccurs="0" />
<xs:element name="scope" type="xs:string" default="Device" maxOccurs="1"
minOccurs="0" />
<xs:element name="type" type="xs:string" default="Partial" maxOccurs="1"
minOccurs="0" />
<xs:element name="features" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="pin" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="hardware-platform" type="xs:string" minOccurs="0"
maxOccurs="1" />
<xs:element name="imagefeature" type="xs:string" minOccurs="0" maxOccurs="1"
/>
<xs:element name="conflictingtag" type="conflictingtag" maxOccurs="1"
minOccurs="0" />
</xs:all>
</xs:complexType>


<xs:complexType name="conflictingtag">
<xs:sequence>
<xs:element name="platform" type="conflict-platform" minOccurs="1"
maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="conflict-platform">
<xs:sequence>
<xs:element name="feature" type="featureType" maxOccurs="unbounded" minOccurs="1"
/>
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="featureType">
<xs:sequence>
<xs:element name="cli-command" type="cli-command" minOccurs="0" maxOccurs="1" />
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="required"></xs:attribute>
<xs:attribute name="message" type="xs:string" use="required"></xs:attribute>
</xs:complexType>
B-2
OL-25941-01
Appendix B



<xs:complexType name="parameter-metadata">
<xs:sequence>
<xs:element name="param-group" type="param-group"minOccurs="1"
</xs:sequence>
</xs:complexType>
<xs:complexType name="param-group">
<xs:sequence>
<xs:element name="description" type="xs:string" maxOccurs="1" minOccurs="1" />
<xs:element name="parameter" type="parameter"minOccurs="1" maxOccurs="unbounded"
/>
</xs:sequence>
<xs:attribute name="cliName" type="xs:string" use="required"></xs:attribute>
<xs:attribute name="isMandatory" type="xs:boolean" use="required"></xs:attribute>
</xs:complexType>
<xs:complexType name="parameter">
<xs:sequence>
<xs:element name="description" type="xs:string"minOccurs="1" maxOccurs="1" />
<xs:element name="html-component" type="xs:string"minOccurs="0" maxOccurs="1"
/>
<xs:element name="default-value" minOccurs="0" maxOccurs="unbounded" >
<xs:complexType>
<xs:simpleContent>
<xs:extension base="xs:string">
<xs:attribute name="label" type="xs:string"
use="optional"></xs:attribute>
</xs:extension>
</xs:simpleContent>
</xs:complexType>
</xs:element>
<xs:element name="data-type" type="xs:string"minOccurs="0" maxOccurs="1" />
<xs:element name="mandatory" type="xs:boolean"minOccurs="0" maxOccurs="1" />
<xs:element name="isGlobal" type="xs:boolean"minOccurs="0" maxOccurs="1" />
<xs:element name="help-description" type="xs:string"minOccurs="0"
maxOccurs="1" />
<xs:element name="syntax" type="syntax"minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="syntax">
<xs:all>
<xs:element name="min" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="max" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="pattern" type="cli-command" minOccurs="0" maxOccurs="1" />
</xs:all>
</xs:complexType>


<xs:complexType name="config">
<xs:sequence>
<xs:element name="device-filtering-details" type="device-filtering-details" />
<xs:element name="cli" type="cliType" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="platform" type="xs:string" use="required"/>
</xs:complexType>
<xs:complexType name="cliType">

OL-25941-01
B-3
Appendix B
<xs:sequence>
<xs:element name="clicommand" type="cli-command" minOccurs="1"
</xs:sequence>
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>

<xs:complexType name="device-filtering-details">
<xs:sequence>
<xs:element name="family" type="family" minOccurs="1" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
<xs:complexType name="family">
<xs:all>
<xs:element name="min-supported-imageversion"
type="min-supported-imageversion" minOccurs="1" maxOccurs="1" />
</xs:all>
<xs:attribute name="value" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="min-supported-imageversion">
<xs:sequence>
<xs:element name="device-type" type="device-type" minOccurs="1"
</xs:sequence>
<xs:attribute name="value" type="xs:string" use="required" />
</xs:complexType>
<xs:complexType name="device-type">
<xs:all>
<xs:element name="name" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="sysobjectid" type="xs:string" minOccurs="0" maxOccurs="1" />
</xs:all>
</xs:complexType>

<xs:simpleType name="cli-command">
<xs:restriction base="xs:string">
<xs:annotation>
<xs:appinfo>
<jaxb type="CDATA" />
</xs:appinfo>
</xs:annotation>
</xs:restriction>
</xs:simpleType>
</xs:schema>
B-4
OL-25941-01
Appendix B

Detailed Description of Template XML Schema

The table below describes elements in the XML schema.
Table B-1
Elements in the XML Schema
Xml Tag Name

<ootb-template>
<template-metadata>
Tag Description
Occurrence
Sample values
Minimum
Maximum
Any Template should start with

this
Configuration specific metadata

should be under this tag.
<template-metadata name="3750
access config">
<template-details>
<ootb-template>
</ootb-template>
It has the following attribute:
<template-details>
nameSpecifies the name of

the Template. This name is
used for identifying the
template.
This tag comes under

template-metadata tag.
</template-details>
This tag will take up the metadata

such as description, task, author,
revision to the template, date of
the template creation
<description>

template-details tag.
<description>c3750 stacked
configuration</description>
<task>Snmp Community
settings</task>
<author>cisco systems</author>
<template-version>1.0</template-ver
sion>
Gives a small description about

the template.
<task>

It gives the functionality of the
tag.
<author>

It gives the name of the person
who has created the template.
Multiple names can be given
separated by commas. By default,
the author name is Cisco Systems.
<template-version>

It gives the revision number to the
template.

OL-25941-01
B-5
Appendix B
Table B-1
Xml Tag Name
Tag Description
Occurrence
Sample values
<scope>

<scope>port</scope>
<type>partial</type>
<features>dhcp snoop, auto

qos</features>
<pin>edge</pin>
<hardware-platform>stack</hardwar
e-platform>
<imagefeature>ipbase</imagefeature
>
<conflictingtag></conflictingtag>
It gives the scope of the template

that accepts values of either
Device, Port, Module
<type>

It refers to the type of the
template taking values of either
partial or complete.
<features>

It gives the list of features for
which this config can be applied.
Features can be given in a comma
separated values
<pin>

It gives the devices in the network
to which the template is
applicable. Comma separated
values are allowed
<hardware-platform>

It gives the hardware type to
which the template is applicable.
Comma separated values are
allowed.
<imagefeature>

It gives the image feature that is
required to apply this template.
<conflictingtag>

The template cannot be applied
when any cli is given under this
tag.
B-6
OL-25941-01
Appendix B

Table B-1
Xml Tag Name
Tag Description
Occurrence
Sample values
<platform>

conflictingtag tag.
Unlimited <platform name="ios"> </platform>
Unlimited <feature name="dot1x"

message="since dot1x conflict is
there, do not configure the following
template in the device."
platform="ios">
It has an attribute name that

specifies to which platform the
conflicting tag belongs to.
Following are the values taken by
name attribute:
ios,catos,pixos,nam,Soft
Appliance,ios_ssl,ios_wlsm,ios_
mwam,ios_webvpn,webns,ACE,
ACNS,CSM
<feature>
This tag will come under

conflictingtag. It has the
following attributes,
<cli-command>
nameName of the feature

that is conflicting to this
template.
messageWarning message
that needs to be shown when
this feature is available.
platformSoftware platform
to which this feature is
conflicting to this template.
</feature>
This tag comes under feature tag. 0
<cli-command>no aaa new-model

clock summer-time utc
recurring</cli-command>
<parameter-metadata>
Cli which needs to be searched in

a running configuration. If this
configuration is found, the cli will
not be deployed.

template-metadata tag.
</parameter-metadata>
This section describes the

variables that are used in the
template.

OL-25941-01
B-7
Appendix B
Table B-1
Xml Tag Name
Tag Description
Occurrence
<param-group>
1
parameter-metadata tag and is
used to group the parameters. For
example, if there are five
parameters, two can be grouped
in one and the remaining three in
another group.
Sample values
Unlimited <param-group name="Identity
Commands" cliName="identity"
isMandatory="true" >
</param-group>
Attributes of this tag:
<description>
nameName of the group
cliNameA key that maps

the parameter group to a Cli
group. Both cliName and the
name of the cli should be
same.
isMandatoryTo indicate if
this group is mandatory for
the template or not. Useful in
case of partial template,
where you will have the
option in the UI as Skip this
section.

param-group tag.
<description>Readonly Community
String</description>
Unlimited <parameter name="readonly">
Unlimited <html-component>textbox</html-co
mponent>
Provides a simple description

about the parameter.
It is mandatory as this will be
taken as a Label for the html
component.
<parameter>

parameter-metadata tag.
Describes about a single
parameter to get input from the
user. This parameter will be
converted into a html component.
Any variable defined in the cli
should have a parameter tag
defined. It takes the name as an
attribute to this tag.
<html-component>
This tag comes under parameter

tag.
Specifies what html component is
rendered for the specified
parmeter.
B-8
OL-25941-01
Appendix B

Table B-1
Xml Tag Name
Tag Description
Occurrence
Sample values
<default-value>

tag.
Unlimited <default-value
label="0-shut">0</default-value>
Default value for the parameter.

This tag can be used to give
values for a select box. It has the
following attribute:
labelIt is used to build the
combo box content. The label
value is displayed as a content to
the combo box. The element
value defined is considered as a
selected value in the backend.
<data-type>

tag. It specifies datatype of the
input that is given to the
parameter.
<datatype>integer</datatype>
Boolean or Integer
<mandatory>

tag.
<mandatory></mandatory>
<isGlobal></isGlobal>
<help-description></help-description
>
<syntax></syntax>
To specify if this parameter is

mandatory parameter or not.
Accepts value true or false.
<isGlobal>

tag.
To specify if this parameter is
applicable for all devices or only
one device.
Accepts the following values:
<help-description>
trueapplicable for all

devices
falseapplicable for per

device level

tag.
Use for describing more about
this parameter.
<syntax>
This tag come under parameter

tag.
To specify the validation part for
numeric field and the string
parameter.

OL-25941-01
B-9
Appendix B
Table B-1
Xml Tag Name
Tag Description
Occurrence
Sample values
<min>
This tag comes under syntax tag.
<Min>0</min>
<max>100</max>
<patter>[a-z]*</pattern>
<config></config>
<device-filtering-detail This tag comes under config tag. 1

s>
To specify the filtering details for
the device.
<device-filtering-details></device-fil
tering-details>
To specify the minimum value for

a numeric field. The datatype
should be numeric.
<max>

To specify the maximum value
for a numeric parameter. The
datatype should be numeric.
<pattern>

To specify the regular expression
for the string parameter. The
reqular expression is used to
validate the value that is specified
by the user.
<config>

ootb-template tag.
The respective config which
needs to be deployed into the
devices is defined here. For
example, config tag should come
under OOTB-Template
It has the following attribute:
platformSpecifies to what
software platform this config is
applicable.
Following are the values taken by
this attribute:
ios,catos,pixos,nam,Soft
Appliance,ios_ssl,ios_wlsm,ios_
mwam,ios_webvpn,webns,ACE,
ACNS,CSM
<family>

device-filtering-details tag.
Unlimited <family value="cisco catalyst 3750-e

series switches"> </family>
To specify what family this

filtering belongs to. The Value
should be as specified in
mdfData.xml for the supported
devices.
B-10
OL-25941-01
Appendix B

Table B-1
Xml Tag Name
Tag Description
Occurrence
Sample values
<min-supported-image
version>
This tag come under family tag.
<device-type>

min-supported-imageversion.
Unlimited <device-type> </device-type>
To specify the minimum

supported image version to which
this template will be applicable.
<min-support-imageversion>12.2(40
)se</min-support-imageversion>
To specify which device type this

template will be applicable.
<name>
This tag comes under device-type 0

tag.
<name> </name>
<sysObjectId></sysObjectId>
It gives the MDF name of the

device type.
<sysobjectid>
This tag comes under device-type 0

tag. It gives the sysobjectid of the
device.
<cli>
This tag come under config tag.
Unlimited <cli name="snmpSecurity">
Unlimited <clicommand><![CDATA[]]></clico
mmand>
To specify multi-line commands 0

like, banner and crypto certificate
commands.
Unlimited If you use this tag between cdata tags,

then you must use <MLTCMD>. For
example:
It specifies the cli for the

mentioned software platform.
It has the attribute called name.
The value should be same as that
of param-group name. This is
used to map the param-group to
that of cli.
<clicommand>
This tag comes under cli tag.

To specify the command that will
be deployed.
<MLTCMD>
The commands within the

MLTCMD tags are considered as
a single command and will be
downloaded as a single command
onto the device
These tags are case-sensitive and
you must enter them only in
uppercase. You cannot start this
tag with a space. You can have a
blank line within a multi-line
command.
<MLTCMD>banner login "Welcome

to Cisco Prime LMS - you are using
If cdata is not present, then you must
use <MLTCMD>. For example:
<MLTCMD> banner login
"Welcome to Cisco Prime LMS - you
are using Multi-line commands"
</MLTCMD>

OL-25941-01
B-11
Appendix B

The section shows the template for Identity - Change of Authorization:
<?xml version="1.0"
encoding="iso-8859-1"?>
<!-Copyright (c) 2009, 2010 Cisco Systems, Inc.
-->
<!-All rights reserved.
-->

<ootb-template>
<template-metadata name="Identity - Change of Authorization">
<template-details>
<description>Identity - Change of Authorization</description>
<task>Identity</task>
<author>Cisco Systems</author>
<template-version>1.0</template-version>
<scope>Device</scope>
<features></features>
<pin>edge</pin>
<hardware-platform>Device</hardware-platform>
<imagefeature>ipbase</imagefeature>
</template-details>
<param-group name="Identity Commands" cliName="identity" isMandatory="true" >
<description>A standard RADIUS interface is one where the request for
authorization originates from the device attached to the network, and the response comes
from the queried RADIUS servers. However, Catalyst Switches support the RADIUS Change of
Authorization (CoA). CoA allows for the dynamic reconfiguration of sessions from external
RADIUS servers.</description>
<parameter name="ipaddress">
<description>RADIUS client IP address or Host name</description>
<html-component>textbox</html-component>
<default-value></default-value>
<data-type>string</data-type>
<help-description></help-description>
<syntax>
<min></min>
<max></max>
<pattern></pattern>
</syntax>
</parameter>
<parameter name="authtype">
<description>Type of authorization the device uses for RADIUS clients</description>
<html-component>select</html-component>
<default-value label="any">any</default-value>
<default-value label="all">all</default-value>
<default-value label="session-key">session-key</default-value>
<syntax>
<min></min>
<max></max>
<pattern></pattern>
</syntax>
B-12
OL-25941-01
Appendix B

</parameter>
<parameter name="server-key">
<description>RADIUS Key shared between the device and RADIUS clients</description>
<html-component>password</html-component>
<default-value></default-value>
<syntax>
<min></min>
<max></max>
<pattern></pattern>
</syntax>
</parameter>
<parameter name="port">
<description>Port on which the device listens for RADIUS requests [0 65535]</description>
<default-value>1700</default-value>
<data-type>numeric</data-type>
<syntax>
<min>0</min>
<max>65535</max>
<pattern></pattern>
</syntax>
</parameter>
</param-group>
</template-metadata>
<config platform="ios">
<device-filtering-details>
<family value="Switches and Hubs">
<min-supported-imageversion value ="12.2(52)SE">
<device-type>
<name>Cisco Catalyst 2960-24TC Switch</name>
<sysobjectid>1.3.6.1.4.1.9.1.694</sysobjectid>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48TC Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960G-24TC Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960G-48TC Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24TT Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48TT Switch</name>
</device-type>

OL-25941-01
B-13
Appendix B
<device-type>
<name>Cisco Catalyst 2960-8TC Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960G-8TC Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24TC-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48TC-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24PC-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24LT-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960PD-8TT-L Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-8TC-S Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48TT-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48PST-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24LC-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-24PC-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960-48PST-S Switch</name>
</device-type>
<device-type>
<name>Cisco Enhanced Layer 2 EtherSwitch Service Module</name>
</device-type>
<device-type>
</device-type>
B-14
OL-25941-01
Appendix B

<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48TS-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-24TS-S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48FPD-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48LPD-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48TD-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-24PD-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-24TD-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48FPS-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48LPS-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-24PS-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-48TS-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960S-24TS-L Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2960 stack</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2926 Switch</name>
</device-type>

OL-25941-01
B-15
Appendix B
<device-type>
<name>Cisco Catalyst 2980G-A Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2980G-A Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 2948G-GE-TX Switch</name>
</device-type>
<device-type>
</device-type>
</min-supported-imageversion>
</family>
<device-type>
<name>Cisco Catalyst 3560G-24PS Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560G-24TS Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3560 Series Switches</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560-48PS Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560-24TS Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3560E-24TD-E,S Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3560E-24PD-E,S Switch</name>
B-16
OL-25941-01
Appendix B

</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3560-8PC Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560E-12D-S,E Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560E-12SD-E,S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560-12PC-S Compact Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560V2-48PS Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560V2-24DC Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560V2-24TS Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Enhanced Layer2,Layer3 EtherSwitch Service
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
Module</name>
Module</name>
Module</name>
Module</name>
Module</name>
Module</name>

OL-25941-01
B-17
Appendix B
</device-type>
<device-type>
<name>Cisco Catalyst 3560X-24T-L,S Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3560X-24P-L,S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3560X-48PF-L,S Switch</name>
</device-type>
</family>

<device-type>
<name>Cisco 3750 Stack</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-12S Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco 2600,2800,3700,3800 Series 16-Port EtherSwitch Service
Module</name>
</device-type>
<device-type>
<name>Cisco 2800,3800 Series 23-Port EtherSwitch Service Module</name>
</device-type>
<device-type>
<name>Cisco 2851,3800 Series 48-Port EtherSwitch Service Module</name>
</device-type>
<device-type>
<name>Cisco 2851,3800 Series 24-Port EtherSwitch (with Stackwise
Connectors) Service Module</name>
</device-type>
<device-type>
<name>Cisco 2600,2800,3700,3800 Series 16-Port EtherSwitch Service
Module</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750 Metro 24-DC Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-12S-SD Switch</name>
B-18
OL-25941-01
Appendix B

</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-24 Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-48 Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-24T Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3750G-24TS-1U Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750-24FS Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>

OL-25941-01
B-19
Appendix B
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 3750X-24P-L,S Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 3750X-48PF-L,S Switch</name>
</device-type>
</family>
<min-supported-imageversion value ="12.2(50)SG">
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 4506-E Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 4510R-E Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 4507R-E Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 4507R Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
B-20
OL-25941-01
Appendix B


</device-type>
<device-type>
<name>Cisco Catalyst 4510R Switch</name>
</device-type>
</family>

<min-supported-imageversion value ="12.2(33)SXI">
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 6509-NEB-A Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 6509-NEB Switch</name>
</device-type>
<device-type>
</device-type>
<device-type>
</device-type>
<device-type>
<name>Cisco Catalyst 6509-V-E Switch</name>
</device-type>
<device-type>
<name>Cisco Catalyst 6500 Series SSL Services Module</name>
</device-type>
<device-type>
</device-type>
</family>
</device-filtering-details>
<cli name="identity">
<clicommand>
<![CDATA[
aaa server radius dynamic-author
client ${ipaddress}
server-key ${server-key}
port ${port}
auth-type ${authtype}
]]>
</clicommand>
</cli>
</config>

OL-25941-01
B-21
Appendix B
</ootb-template>

The section shows the template for IF statment:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
- 
- <!-Copyright (c)2011 Cisco Systems, Inc.
-->
- <!-All rights reserved.
-->
- 
- <ootb-template>
- <template-metadata name="SGACL-NEXUS">
- <template-details>
<description>This template is used to define Secure Group Access Lists (SGACL). In
SGACLs, you can
control the operations that users can perform based on assigned
security groups. You can use
Secure Group tags to modify security groups and introduce
new privileges or restrict current
permissions.</description>
<task>TrustSec</task>
<author>System</author>
<template-version>1.0</template-version>
<scope>Device</scope>
<features>Secure Group Access</features>
<tags>SGACL</tags>
<pin>Access</pin>
<hardware-platform>Nexus 7000</hardware-platform>
<imagefeature />
</template-details>
- <parameter-metadata>
- <param-group cliName="intcommands" isMandatory="true" name="SGACL-NEXUS </br> <div
style=word-wrap: break-word> </br> Notes:</br> <ul> <li> SGT Value and DGT Value fields
are
mandatory if you have selected RBACL SGT Mapping as SGT Value and RBACL DGT
Mapping as DGT Value
respectively <li> In the Secure Group Tag value field, you can
enter only hexadecimal values
ranging from 0x2 to 0xffef </div> </br>">
<description />
- <parameter name="Vlanid">
<description>Vlan ID[1-3967]</description>
<help-description />
- <syntax>
<min>1</min>
<max>3967</max>
<pattern />
</syntax>
</parameter>
- <parameter name="vrfname">
<description>VRF Name</description>
- <syntax>
B-22
OL-25941-01
Appendix B

<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="Ipaddress">
<description>IP Address</description>
- <syntax>
<min />
<max />
<pattern>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)</pattern>
</syntax>
</parameter>
- <parameter name="sgttag">
<description>Secure Group Tag Value[0x2-0xffef]</description>
<data-type>String</data-type>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="sgtip">
<description>Secure Group Tag of IP Address[1-65519]</description>
- <syntax>
<min>1</min>
<max>65519</max>
<pattern />
</syntax>
</parameter>
- <parameter name="RGACLname">
<description>RGACL Name</description>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="RGACLmode">
<description>Mode</description>
<default-value label="Deny packet forwarding">deny</default-value>
<default-value label="Permit packet forwarding">permit</default-value>

OL-25941-01
B-23
Appendix B
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="UDPportparameters">
<description>UDP Port Parameters</description>
<default-value label="Destination port parameters">dst</default-value>
<default-value label="Source port parameters">src</default-value>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="UDPparametermatching">
<description>UDP Parameter Matching</description>
<default-value label="Match packets on the given port
number">eq</default-value>
<default-value label="Match packets on port number greater than the given port
number">gt</default-value>
<default-value label="Match packets on port number less than the given port
number">lt</default-value>
<default-value label="Match packets not on the given port
number">neq</default-value>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="portnumber">
<description>Port Number[0-65535]</description>
- <syntax>
<min>0</min>
<max>65535</max>
<pattern />
</syntax>
</parameter>
- <parameter name="RBACLSGT">
<description>RBACL Secure Group Tag Mapping</description>
<default-value label="SGT Value">sgtvalue</default-value>
<default-value label="Any">any</default-value>
B-24
OL-25941-01
Appendix B

<default-value label="Unknown">unknown</default-value>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="sgtvalues">
<description>Secure Group Tag Value[0-65519]</description>
<mandatory>false</mandatory>
- <syntax>
<min>0</min>
<max>65519</max>
<pattern />
</syntax>
</parameter>
- <parameter name="RBACLDGT">
<description>RBACL Destination Group Tag Mapping</description>
<default-value label="DGT Value">dgtvalue</default-value>
<default-value label="Unknown">unknown</default-value>
- <syntax>
<min />
<max />
<pattern />
</syntax>
</parameter>
- <parameter name="dgtvalues">
<description>Destination Group Tag Value[0-65519]</description>
<mandatory>false</mandatory>
- <syntax>
<min>0</min>
<max>65519</max>
<pattern />
</syntax>
</parameter>
</param-group>
</template-metadata>
- <config platform="Nexus">
- <device-filtering-details>
- <family value="Data Center Switches">
- <min-supported-imageversion value="NX-OS 5.0.2">
- <device-type>
<name>Cisco Nexus 7000 10-Slot Switch</name>
<sysobjectid>1.3.6.1.4.1.9.12.3.1.3.612</sysobjectid>
</device-type>
- <device-type>

OL-25941-01
B-25
Appendix B

</device-type>
- <device-type>
</device-type>
</family>
</device-filtering-details>
- <cli name="intcommands">
<clicommand>vlan ${Vlanid} cts role-based enforcement exit vrf context ${vrfname}
cts
role-based enforcement exit cts sgt ${sgttag} vlan ${Vlanid} cts role-based
sgt-map
${Ipaddress} ${sgtip} exit vrf context ${vrfname} cts role-based sgt-map
${Ipaddress} ${sgtip}
exit cts role-based access-list ${RGACLname} ${RGACLmode} udp
${UDPportparameters}
${UDPparametermatching} ${portnumber} exit #if((${RBACLSGT} eq
"sgtvalue") and (${RBACLDGT} eq
"dgtvalue")) cts role-based sgt ${sgtvalues} dgt
${dgtvalues} access-list ${RGACLname}
#elseif(${RBACLSGT} eq "sgtvalue") cts
role-based sgt ${sgtvalues} dgt ${RBACLDGT} access-list
${RGACLname} #elseif
(${RBACLDGT} eq "dgtvalue") cts role-based sgt ${RBACLSGT} dgt
${dgtvalues}
access-list ${RGACLname} #else cts role-based sgt ${RBACLSGT} dgt ${RBACLDGT}
access-list ${RGACLname} #end</clicommand>
</cli>
</config>
</ootb-template>
B-26
OL-25941-01
A P P E N D I X

This appendix covers the Troubleshooting tips and FAQs for:
NetConfig
Config Editor
Software Management
Job Approval
cwcli config
cwcli export
VRF Lite
For Installation related FAQs and Troubleshooting tips, see the Installing and Migrating to Cisco Prime
LAN Management Solution 4.2.
This section provides the troubleshooting information and FAQs for Configuration Archive:
Configuration Archive FAQs
Troubleshooting Configuration Archive
Login Authentication in Telnet Mode
Login Authentication in SSH Mode
Enable Login Authentication in Telnet Mode
Enable Login Authentication in SSH Mode

OL-25941-01
C-1
Appendix C
Configuration Archive FAQs
Q.Can I define the protocol order for configuration fetch and deploy?
Why does the Telnet session appear in the data capture trace although I have selected TFTP as the
configuration transport protocol?
Q.How Configuration Management interprets device credentials?
Q.What are the supported device prompts?
Q. Can I define the protocol order for configuration fetch and deploy?
A. Yes, you can define the order of protocol that has to be used for Configuration Management
applications (Configuration Archive, Config Editor, and NetConfig). You can define this in the
Transport Settings window (Admin > Collection Settings > Config > Config Transport Settings).
Q. When I select:
a. TFTP alone as the configuration transport protocol
b. Run Sync Archive Job for a device
c. Run a data capture trace
The data capture trace shows Telnet traffic along with SNMP/TFTP sessions.
Why does the Telnet session appear in the data capture trace although I have selected TFTP as the
configuration transport protocol?
Q. The Telnet session that appears in the data capture trace is a socket connection to the Telnet port. It
identifies the IP address of the Cisco Prime LMS server. This is important in multi-homed servers
where the IP address that Cisco Prime server uses to contact the device, has to be identified.
Q. How Configuration Management interprets device credentials?
A. You can enter the device credentials when you,
Add/import devices using the LMS Device Management option (Inventory > Device
Administration > Add / Import / Manage Devices). In this flow, you can enter:
Primary UsernameUser name for the device.
Primary PasswordPassword for the device.
Primary Enable PasswordConsole-enabled password for the device.
If you have enabled Enable Job Password option (Admin > Network > Configuration Job Settings
> Config Job Policies) then while scheduling for a job, you can enter these credentials:
Login User nameUser name for the device.
Login PasswordPassword for the device.
Enable PasswordConsole-enabled password for the device.
These credentials are used while running the job. The credentials that you have entered in the Device
and Credential Repository are ignored while running the job.
TACACS (Terminal Access Controller Access Control System) uses a separate centralized server to
track usernames and passwords. This simplifies authentication and authorization, because information
is maintained in only one database rather than being spread out over many devices.
If your devices are configured to use TACACS, you must provide TACACS device credentials when you
add or import the devices.
C-2
OL-25941-01
Appendix C

Login Authentication in Telnet Mode

When LMS logs into non-privileged mode (User mode), depending on your device authentication
configuration, the device will prompt for either username and password, or password only.
If the device prompts for username and password, LMS responds with the following:
If Primary Username and Primary Password credentials are entered in the Device and Credential
Repository, LMS sends Primary Username and Primary Password to the device.
If you have enabled Enable Job Password option in the Job Policy dialog box (Admin > Network
> Configuration Job Settings > Config Job Policies) and if you have entered the Login Password
at the time of scheduling a job, LMS sends the Login Password entered in this dialog box. The
Primary Password entered in the Device and Credential Repository (Inventory > Device
Administration > Add / Import / Manage Devices) is ignored.
If:
Authentication fails with the Primary credentials or Login User name and Login Password
Or
The Primary credentials or Login User name and Login Password are not present in the
database.
LMS reports the login as failure.
If the device prompts for password only, LMS responds with the following:
If Primary Password is entered in the database, LMS sends Primary Password to the device.
If you have configured only the Telnet password (without configuring username) on your device.
You have to enter a string in the Login Username field. That is, you cannot leave the Login
Username field blank.
The Login Username string will be ignored while connecting to the device as the device is
configured only for the Telnet password.
If:
Authentication fails with the Primary Password or Login Password
Or
The Primary Password or Login Password is not present in the database.
Login Authentication in SSH Mode

This section describes how the device credentials are interpreted by LMS in SSH mode.
Open an SSH session to the device.
The device prompts for username and password, LMS responds with the following:
If Primary Username and Primary Password are entered in the database, LMS sends Primary
Username and Primary Password to the device.

OL-25941-01
C-3
Appendix C
If:
Authentication fails with the Primary credentials or Login User name and Login Password
Or
The Primary credentials or Login User name and Login Password are not present in the database
Enable Login Authentication in Telnet Mode

This section describes how the TACACS and other credentials are interpreted by LMS in Telnet mode.
Logging into the Privileged mode (Enable mode) involves two steps:
1.
LMS logs into non-privileged mode (See Login Authentication in Telnet Mode).
2.
If logging into non-privileged mode is successful, LMS issues enable command for the device to
enter into privileged mode.
If the device prompts for password, LMS responds with the following:
If Primary Enable password is entered in the database, LMS sends Enable Primary password to
the device.
If you have enabled Enable Job Password option in the Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) and if you have entered the
Login Password at the time of scheduling a job, LMS sends the Login Password entered in this
dialog box. The Primary Password entered in the Device and Credential Repository (Inventory
> Device Administration > Add / Import / Manage Devices) is ignored..
If authentication fails or Enable Password or Primary Enable Password is not present in
database
or
If logging into non-privileged mode fails or authentication fails in all above cases.
Enable Login Authentication in SSH Mode

This section describes how the TACACS and other credentials are interpreted by LMS in SSH mode.
Logging into the Privileged mode (Enable mode) involves two steps:
1.
LMS logs into non-privileged mode (See Login Authentication in SSH Mode).
2.
If logging into non-privileged mode is successful, LMS issues the enable command for the device
to enter into privileged mode.
If the device prompts for password, LMS responds with the following:
If Primary Enable Password is entered in the database, LMS sends Primary Enable password to
the device.
C-4
OL-25941-01
Appendix C

If you have enabled Enable Job Password option in the Job Policy dialog box (Admin >
Network > Configuration Job Settings > Config Job Policies) and if you have entered the
Login Password at the time of scheduling a job, LMS sends the Login Password entered in this
dialog box. The Primary Password entered in the Device and Credential Repository (Inventory
> Device Administration > Add / Import / Manage Devices) is ignored.
If authentication fails or Enable Password or Primary Enable Password is not present in
database
or
If logging into non-privileged mode fails or authentication fails in all above cases.

Q. What are the supported device prompts?
A. The supported device prompts are:
The supported Device authentication prompts are:
Routers
Username:, Username:
Password:, Password:
Switches
username: , Username:
password: , "Password:
Cisco Interfaces and Modules Network Analysis Modules

login:
Password: password:
Security and VPN PIX

username: , Username:
passwd: , password: , Password:
Content NetworkingContent Service Switch

Username: , username: , login: ,Username: , username: , login:
Password: , password: , passwd: ,Password: , password: , passwd:
Content Networking Content Engine

Username: ,login:
Password:
Storage Networking MDS Devices

Username:, Username:
Password:, Password:

OL-25941-01
C-5
Appendix C
Troubleshooting Configuration Archive

Message ID
Error Message
Probable Cause
Possible Action
CM0003
Version $1 does not

exist in archive $2
Version may have been deleted
None
CM0005
Archive does not exist

for $1
Error during archive creation.
Check the file system/user privileges.
CM0006
Archives do not exist
Error during archive creation.
Check the file system/user privileges.
CM0008
Checkout not permitted

on archive $1
You may not have the required

permission
Check with the administrator for your

privilege.
CM0010
Checkin not permitted

on archive $1

permission

privilege.
CM0011
Delete not permitted

permission

privilege.
CM0012
Could not create new

version on archive $1
Insufficient disk space or config

file may be incomplete.
Check whether disk space is available

and that the directory has required
permissions
CM0013
Cannot delete version

on archive $1

permission

privilege.
CM0015
Could not check out

config for archive $1

permission

privilege.
CM0016
Could not undo check

out config for archive $1 permission

privilege.
CM0017
Could not check in

config for archive $1
Check whether the file system is full and

if you have required permissions.
CM0021
Version does not exist in Version may have been deleted

archive $1
None
CM0022
Archive already exists
Archive names should be unique
Enter a different name
CM0023
Archive creation not

permitted

permission

privilege.
CM0024
Error while deleting

archive

permission

privilege.
CM0025
Cannot delete device

archive
Only the system purge can delete

the device archive
Schedule for a purge job.
CM0026
Archive Relocation
failed
The destination folder may not

have the required disk space or
required permission.
$2
Check if the destination folder has

the required permission
Check if the disk space is available
Check if the user has the write

permission.
CM0034
Cannot list versions for

$1

permission or version do not exist. privilege.
CM0037
Database Connection
Error
Database Engine may be down
Restart the RMEDbMonitor and

CmfDbMonitor services
C-6
OL-25941-01
Appendix C

Message ID
Error Message
Probable Cause
Possible Action
CM0038
Error in Database
Database Engine may be down
Restart the RMEDbMonitor and

CmfDbMonitor services
CM0040
Error while reading the

file from the system
Either:
Verify whether you have the correct

privileges and that the file system is not
corrupted.
The file may not exist

Or
CM0041
Error while writing the

file to the system
You may not have required

permissions.
Either:
The file may not exist
Verify whether you have the correct

privileges and that the file system is not
full
Or
CM0043

permissions.
Error while copying the Either:

file
The source or destination file
may not exist
Or
Verify whether:
The files exist
The file system is not full.
You have permission

permissions.
CM0050
Configuration types are different

Cannot compare the
configurations since
they are not of the same
type.
Select device of the same type.
CM0051
Cannot connect to
ConfigMgmtSever
process
Process may be down or maximum Restart the ConfigMgmtSever process.

connection have been reached.
CM0054
Error while initializing

Transport for $1
Device packages may not exist.
Check whether:
The user exists in LMS and has

required permissions,
Device is reachable
Required device packages are

available in LMS.
CM0076
Job creation failed
$1
Check whether Jrm and CTMJrmServer

processes are running
CM0077
Job modification failed
$1
Check whether Jrm and CTMJrmServer

processes are running
CM0080
Could not send e-mail.
The e-mail configuration in your

profile may be either missing or
incorrect
Check e-mail configuration.
CM0082
Job execution failed.
The job policy may not be enabled Enable the policy and try again
CM0085
Cannot list jobs of type
Jobs of this type may not exist in

LMS.
Enable the policy and try again.

OL-25941-01
C-7
Appendix C
Message ID
Error Message
Probable Cause
Possible Action
CM0086
Cannot load job with id. Job may not exist in LMS
Verify that the Job ID exists and try

again
CM0087
Cannot obtain lock on

device
Another application/job may have

locked the device.
Verify that there are no other jobs is

running on the device. Retry the job
after some time.
CM0088
Configuration archival
failed for $1
Not enough disk space.
Check whether the device is reachable

and that the credentials are correct.
CM0090
Reload task failed on

device
Device many not be reachable.
Check whether the device is reachable

and that the credentials are correct.
CM0096
Job ID is not valid
The job may not exist in LMS
Verify that the job exists and try again.
CM0097
No failed devices in the

job
There may not be any failed

devices in the job.
Check for failed devices and try again.
CM0098
Invalid Job-based
password specified
The Job-based password data may

be null or cannot be used.
Enter the correct Job-based password

and try again.
CM0109
Cannot read admin

preferences.
Application may not have been

initialized correctly
Retry the task
CM0122
No commands to write.
Command may not be available
Verify whether there are any commands

to deploy
CM0123
Exception while getting Templates may have been deleted

all baseline templates.
CM0125
Cannot persist template. Template may be empty or invalid. Check whether the commands are valid
CM0126
Cannot find baseline

archive $1
Archive may have been deleted
Check if the archive exist.
CM0128
Cannot get baseline

branch.
Branch may not exist.
Check if the branch exist.
CM0131
Cannot find template
Template may have been deleted
Check if the template exist.
CM0132
Cannot find result for

job
Job may not exist.
Check if the job has been deleted.
CM0133
Invalid check-type for

command
Check type may be invalid
Verify if the check-type is valid.
CM0136
Regular expression
match failed.
Not a valid Regular expression.
Check if the expression is valid.
CM0137
No commandlets.
None
None
CM0138
Cannot find result for

device
Device has been deleted.
Check if the device exist.
CM0139
Could not archive

configuration
File system may be full or user may Check whether device is reachable and
not have the required permission. device credentials are correct.
Check if the template exist.
Increase timeout value, if required.

CM0148
User or device
authorization failed.
User may not exist or does not have Check whether the user exists and has
privileges to operate on any or all required privileges to execute jobs.
of the devices in the job.
CM0201
Could not start the

SdiEngine.
The package path may be incorrect Check whether the specified package
path is correct
C-8
OL-25941-01
Appendix C

NetConfig
Message ID
Error Message
Probable Cause
Possible Action
CM0202
Could not access the

device using SNMP.
SNMP may be disabled on the

device
Check the Read Community string
CM0203
Could not create the

CIDS Device
Representation for
device
Device package may not exist
Check if the required device packages

are installed.
CM0204
Could not create Device Device package may not exist

Context for the device
Check whether the required device

packages are available in LMS.
CM0205
Device package not

found

CM0206
Could not get the

configuration transport
implementation for $1

CM0207
Could not get

configuration analyzer
implementation for $1

CM0210
Cannot generate
Configuration file may be
processed configuration corrupted or incomplete
Check that device returns complete

configuration and the configuration file
is not empty.
NetConfig
This section provides the troubleshooting information and FAQs for NetConfig:
NetConfig FAQs
NetConfig FAQs
Q.What are the supported protocols for NetConfig Reload task?
Q. What are the supported protocols for NetConfig Reload task?
A. The supported protocols for NetConfig Reload task are Telnet, SSH and TFTP.
SSH and TFTP protocols are supported by NetConfig Reload task only if these protocols are also
supported by the devices.

OL-25941-01
C-9
Appendix C
NetConfig
This section provides the troubleshooting information for the NetConfig application:
Message ID
Error Message
Probable Cause
Possible Action
CFG0025
Cannot retry.
Retry is not supported on

periodic jobs.
None.
CFG0026
You can retry only failed A Successful job has been Select a Failed job and try again.
jobs.
selected instead of a
Failed job.
CFG0029
Job approval is enabled. You have scheduled a job Do not select Immediate job type while
that requires Job approval scheduling the job.
with the Immediate
schedule type. The job
will run only when it has
been approved by the
Approver.
CFG0009
Error occured while

processing.
Check netconfigclient.log Retry the operation. If the problem persists,

for more details.
send the logs to Cisco Technical Assistance
Center (TAC).
The netconfig logs are available at this
location:
On Windows:
NMSROOT\log\netconfigclient.log
/var/adm/CSCOpx/log/netconfigclient.log
CFG0029
Job approval is enabled. This job requires job

approval. So it can run
only when the job is
approved. So you cannot
schedule a job with
immediate schedule type.
CFG0041
You have selected an

instance that does not
have a task associated
with it.
None.
Do not select Immediate schedule type.
Select an instance that has an associated task.
C-10
OL-25941-01
Appendix C

Config Editor
Config Editor
This section provides the troubleshooting information for the Config Editor application:
Message-ID
Error Message
Probable Cause
Possible Action
CEDT0001
No device selected
You have not selected a device.
Select a device and try again.
CEDT0002
There is no
There is no configuration file for Perform Synch Archive to get the
configuration file for the the selected device in the
configuration file for the device
device.
archive.
CEDT0003
Modified Config not

selected.
You have not selected a

Select a configuration file from Modified
modified configuration from the Configs list.
Modified Configs list.
CEDT0004
No Config Selected for

Download.
You have not selected a

configuration file for
downloading either from the
archive or from Modified
Configs list.
Select a configuration file for downloading

either from the archive or the Modified
Configs list.
CEDT0005
Enter job description.
You have not entered a job

description while creating a job
Enter the job description. This is mandatory.
CEDT0007
No job selected.
You have not selected a job.
Select a job
CEDT0009
Job {JobId} cannot be

{Action}.
You have tried to do any of the

following:
User should select the appropriate job and

appropriate action.
Edit a completed job
Copy an incomplete job
Stop a completed job
Stop an already stopped job.
CEDT0010
Cannot get details for

Job {JobID}.
The Job was recorded

incorrectly.
None.
CEDT0011
Could not get the

summary of the job.
None.
Check Cfgedit.log for more details.
CEDT0012
Job not found.
None

Contact Cisco TAC with log details for
further assistance.
CEDT0013
Some change in Jsp

leading to incompatible
with Action class.
None.
Check cfgedit.log for more details.
CEDT0014
Label not selected for

search
You have tried to search labeled Select a label from the drop down.
configurations without selecting
a label
CEDT0015
Cannot open
configuration file.
None.

further assistance.

further assistance.

OL-25941-01
C-11
Appendix C
Config Editor
Message-ID
Error Message
Probable Cause
Possible Action
CEDT0016
Cannot open Baseline

Template.
Template may be deleted
Check whether the template exists.
CEDT0017
Baseline Templates not

present for the selected
device.
There are no templates for the

selected device type.
Create a Baseline Template for the selected

device type from the archive.
CEDT0018
No Config found for the The pattern you have entered

specified search pattern cannot be found in any of the
configs
Change the search pattern.
CEDT0019
External Config to be
opened not selected
You have not selected an

External Config.
Select the External Config File from the

browser.
CEDT0020
Invalid configuration
file.
Configuration file is corrupted.
Recreate config.
CEDT0021
Version to be opened not None.

selected.
CEDT0022
Cannot load query.

Check whether the
query exists.
The query you selected may

have been deleted.
Use Configuration > Configuration Archive >

Views > Custom Queries to check whether the
query exists. Create a query if it does not
exist.
CEDT0023
Cannot find query.

Check whether the
query exists
The query you selected may

have been deleted.
Use Configuration > Configuration Archive >

Views > Search Archive> to check whether
the query exists. Create a query if it does not
exist.
CEDT0024
No External Syntax
Checker is registered
with CMIC.
Either:
Select a valid version
Register the syntax checker tool correctly

with CMIC before Launching External
You may have launched the
Syntax checker.
External Syntax checker
without registering the
syntax checker tool with
CMIC.
or
The syntax checker is not

registered correctly with
CMIC.
CEDT0025
The device image you have

Select another device image that supports
Syntax Checking
selected does not support Syntax Syntax Checking functionality.
functionality is not
supported by this device Checking functionality.
image.
CEDT0029
One or more of the

devices selected are
already added to this
job.
A config for the device has

already been added
CEDT0030
No configuration file
exists for the device
There is no configuration file for Perform Synch Archive to get the

the selected device in the
configuration file for the device
archive.
CEDT0031
There are no commands None.

to download.
Only one config can be downloaded to a

device in a Job.
Remove the device from job and try again.
C-12
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
CEDT0032
Approval is enabled.
Cannot schedule
immediate jobs.
You cannot schedule Immediate Select Schedule type, Once instead of

jobs if Approval is enabled.
Immediate
CEDT0033
Selected Job Execution

date is invalid.
You have selected a past date for Select a valid future date.
running a job.
CEDIT0034
Job user name or

password not entered.
You have enabled the Job based Either:

password option but not entered
Deselect the Job-based password option
password.
Or
CEDT0039
Enter at least one

pattern.
Enter the user name and password fields.
You have not entered any search Either:

patterns.
Select one of the queries listed
Or
Enter a search pattern.
Software Management
This section provides the troubleshooting information and FAQs for the Software Management
applications:
Software Management FAQs
Software Management FAQs
Q.What are the high-level features of Software Management?
Q.What privilege level is required to run Software Management functions?
Q.How do I know which functions I can access in Software Management?
Q.Are there DNS dependencies for Remote Copy Protocol (RCP) to work properly for a device?
Q.Can I use Remote Copy Protocol (RCP) to transfer images to devices?
Q.What connection mechanism does Software Management use to upgrade software?
Q.What is the default Simple Network Management Protocol (SNMP) timeout used by Software
Management? Can I configure it?
Q.Can I configure TACACS or Radius authentication for devices that Software Management has
upgraded?
Q.Can I configure default privileges on terminal lines for Cisco IOS devices that Software
Management has upgraded?
Q.What is Job Approval?
Q.What is the approver list?
Q.Is the Job Approval policy enforced system-wide?
Q.How do I configure Job Approval for Software Management?

OL-25941-01
C-13
Appendix C
Software Management
Q.Which Cisco IOS devices support bootldr images?
Q.How do you identify bootldr image files?
Q.How does the Software Management bootldr recommendation process work?
Q.Where is the storage location of the bootldr image on the Cisco IOS device?
Q.Does Software Management erase Bootflash if there is not enough free space on Bootflash?
Q.Does Software Management change the configuration file for bootldr upgrades?
Q.Can Software Management back up the current bootldr image while Software Management runs
the Distribute Images job?
Q.Does Software Management recommend bootldr images from Cisco.com in the Distribute Images
function?
Q.Can I upgrade modules on the device using advanced Distribution mode?
Q.What image extension type are not supported in Software Management?
Q.How can secured image upgrades be performed using Software Management?
Q.How to use Reboot order configuration feature?
Q.Is Image import from URL is treated as separate Job?
Q.What is the best effort verification performed while distributing the image using Advance mode?
Q.When does Software Management Application use SSH?
Q.How can a protocol be Enabled/Disabled for a job?
Q.How are devices upgraded using Secured Copy Protocol?
Q.How much Disk space should be available while performing parallel image upgrade to large
number of devices (more than 100)?
Q.What is the swap file size required for Software Management application?
Q.What Version of SCP is supported in Software Management application?
Q.What are the pre requisites for using SCP for image upgrade?
Q.Why is the job still running after I cancel it?
Q.Why do I get an error message such as, Navigation to other areas of this
application is not available until the opened wizard is finished or
canceled.?
Q.The Cisco.com profile window is sometimes filled with user and password and sometimes not.
Why?
Q.I am not able to select both sequential execution and sequential reboot at 'Schedule Job' step
during distribution?
Q.During Distribution by Advance flow, I get Software Management application could not verify
the flash inputs since there was no flash information available. Edit the expert input file and verify
once again. If you do not edit the expert input file, you can continue with the task by clicking Next.
However, the results may be inaccurate.?
Q.Why am I not able to see Immediate during software management jobs?
A.Check if approval is enabled. If approval is enabled for Software Mgmt Jobs, you will not be able
to schedule Immediate job.
Q.I am not able to select the device (greyed box) at Software Management device selector page, but
I'm able to select at inventory.
C-14
OL-25941-01
Appendix C

Software Management
Q.I am not able to select a user script which is in xxx path.
Q.In ACS login mode. I'm not able to see links that I usually get to see.
Q.In the Job Details Window (clicking on job ID in the Software Management Job Browser) I don't
see the job status being updated.
Q.What Validations are performed by Software Management before actual image distribution onto
the device?
Q.What is the minimum software version required to be running on the device for Software
Management to upgrade the software?
Q.Can I have a different script for each device in a job?
Q.What device types can be used as remote stage device?
Q.What device types cannot be upgraded using remote stage flow?
Q.What are the pre-requisites for using the device as remote stage?
Q.What Configuration changes are performed by Software Management on the remote stage device?
Q.If I use the device as remote stage device does it impact the device's other functionalities? or what
are the performance implications of using the device as remote stage device?
Q.Are there any Bad version of IOS for Remote stage device?
Q.Can I perform module upgrade (like Bootloader/mica/microcom etc.) using remote stage flow?
Q.How many devices in a job can be upgraded using remote stage?
Q.Can I perform Parallel upgrade using remote stage flow?
Q.Can I perform Slam dunk upgrade using the remote stage?
Q.What is the difference between Run-from-RAM and Run-from-Flash devices?
Q.When does Software Management use the remote copy protocol (rcp) to transfer images?
Q.How does Software Management ensure that file corruption does not occur during transfer?
Q.After an upgrade, why does Software Management sometimes leave behind image files in the
tftpboot directory?
Q.How much temporary space do you need during image distribution?
Q.Is Cisco.com connection mandatory for Software Management?
A.Cisco.com connection is not mandatory for using basic Software Management functionality.
Image distribution, library management, tracking software upgrade changes, and other functions can
run without Cisco.com connectivity.
Q.How does Software Management handle proxy environments?
Q.Does Software Management support proxy with user authentication environments?
Q.Why is the Cisco.com filter option on the Software Management Edit Preferences screen not
provided for Catalyst or Cisco 700 Series images?
Q.How come the Cisco.com filter option does not work in LS1010 devices?
Q.Can I configure Software Management to retrieve images from a Cisco.com mirror site rather than
the main Cisco.com site?
Q.Why I cannot download crypto images?
Q.How does Software Management verify the integrity of the images after importing them from
Cisco.com?

OL-25941-01
C-15
Appendix C
Software Management
Q.Why does the Flash size displayed in the Add Image to Repository (Source:Cisco.com) function
not match the actual size for some Cisco IOS devices?
Q.What is a Dual Flash Bank device?
Q.Does Software Management support software upgrades on dual RSP-based systems?
Q.Why does Software Management require static IP routes or dynamic IP routing protocol for
configuration for the upgrade of a run-from-Flash (RFF) partition on a Single Flash Bank (SFB)
device?
Q.Although the configuration of the Single Flash Bank (SFB) device includes an IP default gateway,
why does Software Management not upgrade the device?
Q.How do you change the IP default gateway configuration to allow Software Management to
upgrade a device?
Q.Why does Software Management require Cisco IOS Software Release 11.1 or later to run on a
Single Flash Bank (SFB) device for an upgrade when you have configured the device with Frame
Relay subinterfaces?
Q.How is the job directory organized?
Q.Which modem cards does Software Management support?
Q.Which devices and software versions get support for the modem upgrades?
Q.Which formats of Microcom firmware images does Software Management support?
Q.Which format of Modem ISDN channel aggregation (MICA) portware do Cisco 3600 devices
support?
Q.Why does the Undo option not receive support for modem upgrades?
Q.What connection mechanism does Software Management use for modem upgrades?
Q.Does Software Management erase Flash for modem upgrades if there is not enough free space on
Flash?
Q.What is CIP?
Q.Which devices support the Channel Interface Processor (CIP) microcode upgrade? What is the
minimum software version necessary?
Q.What is the minimum Channel Interface Processor (CIP) version that Software Management
supports?
Q.How can you import Channel Interface Processor (CIP) images to the Software Management
library?
Q.Is there support for the Undo option for Channel Interface Processor (CIP) upgrades?
Q.What connection mechanism does Software Management use to upgrade Channel Interface
Processor (CIP)?
Q.Does Software Management change the configuration file for the Channel Interface Processor
(CIP) upgrade?
Q.Does Software Management supports CIP2?
Q.In which order does Software Management upgrade modules on a Cisco Catalyst 5500/5000
device?
Q.Does the Supervisor Engine card reboot after the upgrade of all modules?
Q.Does Software Management determine if the newly deployed Supervisor Engine software or
module software is compatible with the module types (or module hardware versions)?
C-16
OL-25941-01
Appendix C

Software Management
Q.Does Software Management support the upgrade of software on redundant Supervisor Engine
card-based systems?
Q.Does Software Management update the configuration file on Cisco Catalyst 5500/5000 devices
during the software upgrade?
Q.Does Software Management determine if the Supervisor Engine has the minimum required RAM
to run a new image?
Q.Are there restrictions on the downgrade of the software on the Supervisor Engine card and other
modules?
Q.Do you need to reconfigure the device when you downgrade the Supervisor Engine software?
Q.In the 4.1(1) software release and later, Supervisor Engine III cards allow the storage of
configuration files on Flash cards. Does Software Management preserve the backed up
configuration files on Flash during a software upgrade?
Q.Does Software Management allow you to upgrade epsboot images on Token Ring cards on Cisco
Catalyst 5500/5000 devices?
Q.Why does the Add Image to Repository (Source: Cisco.com) task not display Token Ring LAN
Emulation (LANE) or Permanent Virtual Circuit (PVC)-only ATM software images?
Q.How do you identify software image files for each of the ATM modules that Software
Management does support? What are the file-name conventions on Cisco.com?
Q.How can I make the Image Recommendation faster?
Q.Why do the software version numbers that the show module command output displays from
the Supervisor Engine command-line interface (CLI) and the version numbers that Software
Management uses fail to match in some cases?
Q.Does Software Management recommend the right ATM image for your ATM module type?
Q.Should you use special images with Software Management for Cisco Catalyst 2900XL/3500XL
devices?
Q.How does Software Management handle image import functionality of TAR and bin types of
images for Catalyst 2900XL/3500XL devices?
Q.Why do software upgrades take longer on Cisco Catalyst 2900XL/3500XL devices?
Q.How do you upgrade Route Switch Module (RSM) and LightStream 1010 (LS1010) module
software on Cisco Catalyst 5500/5000 and 6500/6000 series switches?
Q.Why does the Distribute Images task show all the images from Cisco.com for LightStream 1010
(LS1010) and Cisco Catalyst 8500 devices, even though you have configured Cisco.com filtering?
Q.What is the minimum version that Cisco 700 series ISDN routers support?
Q.What connection mechanism does Software Management use for Cisco 700 series upgrades?
Q.Both Cisco 760 and 770 series devices run the same image. Why do you see only some images
with versions later than 4.0(1) for 770 series devices but see all images for 760 series devices?
Q.Why do you not see the option to reboot the device later on the Job Control page for Cisco 700
series routers?
Q.Why do you not see the option to modify the boot commands on the Job Control page for Cisco
700 series routers?
Q.Why does Software Management report download failures for some images even though the
device runs the new image after the job completes?
Q.In which order does Software Management upgrade modules on a Catalyst 5000 device?

OL-25941-01
C-17
Appendix C
Software Management
Q.Does Software Management check to see that the newly deployed Supervisor software or module
software is compatible with the module types (or module hardware versions)?
Q.Does Software Management support upgrading software on redundant Supervisor card-based

systems?
Q.What is the purpose of user scripts?
Q.What if the user script crashes? Will it crash the Software Management job also?
Q.When a Software Management job is scheduled, how is the baseline determined? When I
distribute a job, is an automatic backup performed?
Q.Can I set up a periodic download of Software Management images from Cisco.com?
Q.Is browser timeout something I should consider when downloading?
Q.What are crypto images?
Q.How much temporary space is required during image distribution?
Q.At what time will the images directory get created during the process of obtaining images from a
device? Does this happen during the initial step?
Q.How can I speed up Image Recommendation?
Q.When a job is rejected, can it be edited or should I resubmit?
Q.Can different group members edit jobs? What are the restrictions?
Q.What is the role of the registry files?
Q.How do I upgrade Network Analysis Module (NAM) using Software Management?
Q.Can I change the job scheduled time?
Q.How does Software Management handle the job status for an abnormally terminated job?
Q.How does Software Management handle the job status of a pending job whose scheduled time has
passed?
Q.Why are some files left in the Software Management folder after Software Management has been
uninstalled?
Q.How can I enable or disable the SSH to Telnet fallback for Software Management jobs?
Q.How can I export the images from SWIM repository to a local drive or a file system mounted to
the LMS server?
Q.Does Flash get erased if there is no sufficient space for Patch Distribution?
Q.When I try to copy images, the Image Copy option fails indicating that the External TFTP server
is inaccessible.
Q.Can I specify the name of my input file as imagenames.txt when I try to export images using the
Software Management (SWIM) CLI exportimages command?
Q.I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
C-18
OL-25941-01
Appendix C

Software Management
Q. What are the high-level features of Software Management?

A. Software Management offers the following management functions:
Software DistributionSchedules download of software images to a single device or groups of

devices. Hardware and firmware validation verifies whether the new image can run on the device.
Image Upgrade can be performed in Sequential or in parallel. Also the In Parallel mode of upgrade
device reboot can be controlled for the job.
Provides several workflow to achieve this functionality
Distribute By Device [Basic]
Distribute [Advance]
Distribute by Image
Distribute by Remote Stage/ External TFTP server
Patch Distribution
Software RepositoryBuilds and maintains a library archive of software images. Software images
can be added to repository from,
DeviceAllows to archive the current software images on the device
Cisco.comIntegrates with Cisco Connection Online (Cisco.com) to download software
images.
File SystemAllows to import an image from a directory accessible from the LMS server
NetworkAllows the library to synchronize with the software images running on the devices.
A periodic job can generate a list of images that are not in the library. You then have the option
to import new images into the library and check them for discrepancies between software
images running on the network and images in the library.
URLAllows to download images from URL you specify.
Upgrade AnalysisDetermines the hardware upgrades required on network devices to enable them
to run new software. Software Management allows analysis based on the location of image to be
analyzed. Following locations are supported.
Cisco.com
Local Repository
Job Management
Job Approval Allows organizations to require approvals before allowing software upgrades.
Software Management jobs can be operated upon to,
Retry
Undo
Cancel
Stop
Reports
Work orderDisplays changes that will be made to network devices as part of the software
upgrade.
Synchronization reportDisplays which Software Management-supported devices are running
software images that are not in the software image repository.

Audit trailTracks software changes made on the LMS server

OL-25941-01
C-19
Appendix C
Software Management
Q. What privilege level is required to run Software Management functions?

A. Different options in Software Management require different levels of user privileges. Privilege
levels are known as roles in LMS. For a list of LMS functions and required user roles, use the
Permissions Report function (Reports > System > Users > Permission).
Q. How do I know which functions I can access in Software Management?
A. To find which functions you can access in Software Management:
Select Reports > System > Users > Who Is Logged On to find your assigned roles.
Select Reports > System > Users > Permission to verify which LMS and Software
Management tasks you can run.
Q. Are there DNS dependencies for Remote Copy Protocol (RCP) to work properly for a device?
A. Yes. If there are multiple IP addresses configured on the device, all IP addresses on the device must
be configured in the Domain Name System (DNS). Examples of devices with multiple IP addresses
are those having many interfaces, with each interface configured with its own IP address, or a device
that interfaces configured with primary and secondary IP addresses.
Configure the DNS so that all IP addresses are resolved to the same host name. The host name in
the DNS should match the host name entered in the Device and Credential Repository.
Q. Can I use Remote Copy Protocol (RCP) to transfer images to devices?
A. Use the RCP transport protocol for image transfers only on Cisco IOS devices that support the
CISCO-FLASH-MIB. Catalyst switches that run Supervisor software older than 5.2, and 700 Series
devices do not support the RCP protocol.
The Cisco IOS devices can not use RCP if they only support OLD-CISCO-FLASH-MIB, (for
example, MC3810) or if they do not support any Flash Management Information Base (MIB) (for
example, RSP 7000 devices running Cisco IOS Software Releases 10.3-11.0).
Q. What connection mechanism does Software Management use to upgrade software?
A. Simple Network Management Protocol (SNMP) is the preferred mechanism used by Software
Management to upgrade software. Some devices, however, cannot be upgraded using SNMP alone.
For such devices, Software Management uses a Telnet interface to do the upgrades. SNMP upgrades
all Run-from-RAM Cisco IOS devices, Dual Flash Bank Run-from-Flash (DFB RFF) devices, and
all Catalyst switches. If SSH is preferred for device connection then SSH is Used for connecting to
the device.
Software Management uses Telnet to perform the following upgrades:
Single Flash Bank Run-from-Flash Cisco IOS devices (SFB 2500s, 1600s, AS5200)
RSP 7000 devices running Cisco IOS Software Releases 10.3 - 11.0
Cisco 700 Series
CIP, MICA, Microcom upgrades
3500/2900 series of devices
1900/2820 Series
VPN 3000 Series of devices.
For complete list of supported protocols see Supported Device Table for Software Management.
C-20
OL-25941-01
Appendix C

Software Management
Q. What is the default Simple Network Management Protocol (SNMP) timeout used by Software
Management? Can I configure it?

A. Default retry is 2 and default SNMP time out value is 2. This value is configurable using Admin >
Collection Settings > Inventory > Inventory, Config Timeout and Retry Settings.
Q. Can I configure TACACS or Radius authentication for devices that Software Management has
upgraded?
A. Software Management supports upgrading devices that are configured for TACACS or Radius
authentication. An exception is software upgrades on the Run-from-Flash partition if the device is

configured with Radius protocol authentication. The Device and Credential Repository must be
configured with the appropriate information to access the device.
Q. Can I configure default privileges on terminal lines for Cisco IOS devices that Software
Management has upgraded?

A. Software Management upgrades software by using the Telnet interface or Command-Line Interface
(CLI) on devices that do not support enough Management Information Base (MIB) instrumentation
for software management.
Software Management uses Telnet to connect into the devices and executes privileged commands
such as copy tftp flash, copy flash tftp, erase flash, show version, copy flash modem
to perform upgrades.
Software Management modifies the configuration file using the Telnet interface to upgrade the
software. For Software Management to work on a device, there are some restrictions on how default
privileges and enable mode authentication are configured.
The restrictions apply to only those Cisco IOS devices that are managed by Software Management
through the Telnet interface. Cisco 700 Series and Catalyst 5000/6000/4000 devices are not affected.
Restrictions include the following:
Software Management tries to run the above CLI commands from privilege level 15. The user
must always configure an enable password/secret for privilege level 15, and the same
password/secret must be entered in the Device and Credential Repository.
If the device is configured with TACACS authentication for enable mode access, then the
Enable TACACS user name and password must be entered in the Device and Credential
Repository. The Enable User name and password authenticated by TACACS+ server always
should receive a privilege level of 15.
The default privilege level configured on a vty line must allow Software Management to run the
CLI commands mentioned earlier as well change the configuration file on the device. The
privilege level does not need to be 15, but setting the privilege level to 15 guarantees Software
Management can always work on the device.
Q. What is Job Approval?

A. Job Approval allows an organization to require approvals before an administrator distributes
software images. When an image distribution job is created, the administrator (or whoever creates
the job) selects from a list of users who can approve the job.
For the job to run, one of the users on the approver list must approve it before its scheduled time. If
the job is not approved, it will be rejected at the scheduled time.

OL-25941-01
C-21
Appendix C
Software Management
Q. What is the approver list?

A. An approver list consists of user names in LMS who have the authority to approve software
upgrades.
The following steps are required:
a. Create a approver (Admin > System > User Management > Local User Setup > Add).
b. Create the list by using the Create Approver List (Admin > Network > Configuration Job
Settings > Create/Edit Approver Lists). Only users who have an Approver role can be added
to the Approver List.
Q. Is the Job Approval policy enforced system-wide?
A. Yes. To create a job that does not require approval, disable the Software Management option.
Q. How do I configure Job Approval for Software Management?
A. To configure Job Approval, do the following:
a. Add the approver user.
b. Create an Approver List
c. Enable the Job Approval option
Q. Which Cisco IOS devices support bootldr images?
A. The following Cisco IOS device families support bootldr images:
Cisco 4500 and 4700
Cisco 7500, Route Switch Processor (RSP)-based 7000
Cisco 7200
Cisco AS5200, AS5300, and AS5800 Access Servers
Route Switch Module (RSM) on Cisco Catalyst 5500/5000
ESR 10K, 10K2 devices
See the Supported Device Table for Software Management application on Cisco.com for further
information.
Q. How do you identify bootldr image files?
A. Bootldr image files follow this name convention, platform-boot-mz.version
An example is rsp-boot-mz.11.0(17)BT. If the second part (feature part) of the image file name
contains boot, then the image is a bootldr image. The software library recognizes the file name
and imports the image as a bootldr image. Bootldr images earlier than Cisco IOS Software Release
10.3 contain xboot in the feature part of the image. Software Management does not support such
images.
C-22
OL-25941-01
Appendix C

Software Management
Q. How does the Software Management bootldr recommendation process work?

A. Different hardware platforms in Cisco IOS Software have different bootldr images. For example,
the bootldr image for the Cisco 4500 device is c4500-boot-mz; the bootldr image for the Cisco 7200
is c7200-boot-mz.
From the library, Software Management determines which bootldr images belong to the same family
as the target device. Software Management then recommends the most current of all available
images.
Unlike system software images, bootldr images do not have RAM requirements. Therefore,
Software Management does not perform prerequisite matches between the device and the image.
Q. Where is the storage location of the bootldr image on the Cisco IOS device?
A. Software Management always uses the Bootflash card as the target Flash for the bootldr image.
Software Management stores bootldr images on the Bootflash card only, even though Cisco IOS
Software allows the store of bootldr images on a Flash card.
If you use other Flash cards for the store of bootldr images, problems can occur when you have
stored other types of images, such as system software, Microcom, or Modem ISDN channel
aggregation (MICA), in the same location.
Q. Does Software Management erase Bootflash if there is not enough free space on Bootflash?
A. If the Bootflash card does not have enough free space to store the new bootldr image, Software
Management erases the Bootflash to make room for the new boot image. A verification warning
alerts you of the Bootflash erase.
To see this warning, click the Failure/Warning link in the Status column of the Verify Image Upgrade
window.
Software Management backs up and restores files on Bootflash with sizes of less than 1 MB.
Q. Does Software Management change the configuration file for bootldr upgrades?
A. Upon bootldr upgrade, Software Management changes the device configuration file such that the
configuration file that downloads to the device contains:

Assume that the file name of the newly downloaded bootldr image is c4500-boot-mz.112-13.bin.
no boot bootldr
boot bootldr c4500-boot-mz.112-13.bin
Q. Can Software Management back up the current bootldr image while Software Management runs the
Distribute Images job?

A. Software Management backs up the system software image only during the Cisco IOS Distribute
Images job execution. The backup of bootldr images cannot take place. Use the add images function
to import the bootldr image from device to library. (Select Configuration > Tools > Software
Image Management > Software Repository > Add).
Q. Does Software Management recommend bootldr images from Cisco.com in the Distribute Images
function?
A. Yes, Software Management does recommend the download of bootldr images directly from
http://www.cisco.com during the Distribute Images job creation.

OL-25941-01
C-23
Appendix C
Software Management
Q. Can I upgrade modules on the device using advanced Distribution mode?

A. No. Expert flow is not officially tested with all the possible module upgrade scenarios. Current
implementation claims only system software upgrades using the expert flow.
Q. What image extension type are not supported in Software Management?
A. The following file/image types are not supported:
doc, txt, pdf, xls, ppt, jpg, jpeg, bmp, csv, mpg, au, xml, html, htm, java, class,
tex, ps, pps.
Q. How can secured image upgrades be performed using Software Management?

A. Current Version (4.1) supports new protocols such as, SCP and SSH. You can choose the appropriate
protocols based on the device support.

For the devices that are upgraded using Telnet/SSH, new feature called Job based password can be
enabled for scheduled job. You can specify a temporary password for the upgrade job and it will take
precedence over all the credentials in the Device and Credential Repository.
Q. How to use Reboot order configuration feature?
A. This feature is applicable only in case of parallel mode of image upgrade. This feature can be used
to perform sequential rebooting of devices. You can make this decision based on the network
topology or any other deployment policy. The devices will be rebooted in the order specified by you.
Q. Is Image import from URL is treated as separate Job?
A. Yes, the workflow results in a job.
Q. What is the best effort verification performed while distributing the image using Advance mode?
A. Verification in Advance distribution mode is referred as the best effort verification because you can
proceed to schedule the image upgrade even without the inventory data. This is designed to support
devices that are not yet managed in Cisco Prime (pre-deployed devices).
Q. When does Software Management Application use SSH?
A. If the device type selected is to be upgraded using the CLI then Software Management application
uses SSH (if opted in the preference). Even for fetching information required during the job creation
stage, SSH is used.
Q. How can a protocol be Enabled/Disabled for a job?
A. Using the User Interface, Admin > Network > Software Image Management > View/Edit
Preferences. Available protocols list the Software Management supported protocols. You have to
add or remove the protocols to selected protocol order in order to enable or disable the protocol used
for image transfer.
Q. How are devices upgraded using Secured Copy Protocol?
A. Image staging and other checks performed before the image distribution remains same for upgrade
using SCP. The options such as Flash erasure, Delete, etc. are performed using Cisco Flash mib or
old Cisco flash mib only.
The difference lies in the model used for image upgrade. LMS positions itself as a client for the
Secured Copy options. Devices with SCP server are (like 2650XM) requested to initiate a file
transfer job. The image is transferred from LMS to the devices.
C-24
OL-25941-01
Appendix C

Software Management
Q. How much Disk space should be available while performing parallel image upgrade to large number
of devices (more than 100)?

A. The amount of disk depends upon the number of images staged in the upgrade job. If the image
selected is common for all the devices then disk space required is equal to size of the image. If
different images are selected for each job then disk space required is the sum of all the images.
Q. What is the swap file size required for Software Management application?
A. LMS recommend a swap size of 2MB for managing 300 devices.
Q. What Version of SCP is supported in Software Management application?
A. Current implementation of SCP is based on the fcpsvc library that uses the SSHv1 stack. Current
version of SCP supported is 1.0

Q. What are the pre requisites for using SCP for image upgrade?
A. The device should have SCP server Any image having 3DES feature has SCP server in it. SSH
should be enabled on the device.

Q. Why is the job still running after I cancel it?
A. In Sequential mode, the job stops only after the image upgrade for the current device or module is
finished. Canceling a running job does not cancel the software upgrade being performed at that time.
The job stops only after the current upgrade is complete.
During this time, the Browse Job Status screen shows that the job is still running. In case of parallel
upgrades, when a job is cancelled, the current set of devices being processed will be continued and
not stopped. However, new devices will be processed only after the current devices have completed
runing.
Q. Why do I get an error message such as, Navigation to other areas of this application is
not available until the opened wizard is finished or canceled.?
A. Yes, you get this when you are in a wizard (you will see Back, Next, Finish, and Cancel when you
are in a wizard at the bottom) and you click any of the other navigational links.
Q. The Cisco.com profile window is sometimes filled with user and password and sometimes not.
Why?
A. If the Cisco.com user name and password is configured for you the same will be pre-populated. You
can configure the Cisco.com credentials in the Cisco.com User Account Setup dialog box (Admin
> System > Cisco.com Settings > User Account Setup).
Q. I am not able to select both sequential execution and sequential reboot at 'Schedule Job' step during
distribution?
A. If you had selected execution to be sequential the same order applies to reboot. However, if the
execution is parallel you will be allowed to select reboot sequential.

Q. During Distribution by Advance flow, I get Software Management application could not verify the
flash inputs since there was no flash information available. Edit the expert input file and verify once
again. If you do not edit the expert input file, you can continue with the task by clicking Next.
However, the results may be inaccurate.?
A. You get this when there are no inventory information available for the device. You can expect this
error for 2900, 3500, 3550 xl devices.

OL-25941-01
C-25
Appendix C
Software Management
Q. Why am I not able to see Immediate during software management jobs?

A. Check if approval is enabled. If approval is enabled for Software Mgmt Jobs, you will not be able
to schedule Immediate job.

Q. I am not able to select the device (greyed box) at Software Management device selector page, but
I'm able to select at inventory.

A. Software Management support might not be there. See the Supported Device Table for LMS on
Cisco.com
Q. I am not able to select a user script which is in xxx path.
A. The scripts are expected to be available in the specific path. The Software Management scripts are
located at:
NMSROOT/files/scripts/swim (On Solaris and Soft Appliance)
NMSROOT\files\scripts\swim (On Windows)
Where NMSROOT is the Cisco Prime installed directory.
Q. In ACS login mode. I'm not able to see links that I usually get to see.
A. On the ACS server, check if some role to task mapping (tree) has got changed. The required
Software Management task option should be selected on the ACS server for a particular role.
Q. In the Job Details Window (clicking on job ID in the Software Management Job Browser) I don't
see the job status being updated.

A. The job status will not be updated, as only the job running status is getting refreshed.
Q. What Validations are performed by Software Management before actual image distribution onto the
device?
A. Software performs the following checks before the job execution:
Checks whether job file is Available at the job id and has required data in the format and prepares a
list of devices to be upgraded in the job.
Checks whether LMS License is valid

Whether license file is valid
Number of devices managed
Removes all devices from the list which are not authorized for the user to perform image
distribution.
Removes all devices from the list which are in Suspended state or Conflicting state. Pre-deployed
state devices are not removed.
Checks for the proper pre/post job script (if any) ownership and permission
On Solaris and Soft Appliance, check is performed for rwxr-x--- permissions for script file
(0750)
On Windows, check is performed if the given script has write permissions for any non-admin
and non-casuser
Verifies that critical data required for image upgrade are present in the job file.
C-26
OL-25941-01
Appendix C

Software Management
Q. What is the minimum software version required to be running on the device for Software
Management to upgrade the software?

A. For Cisco IOS device minimum supported version is 11.0 where as for Catalyst Images Minimum
supported version is 3.8.

For more details on minimum supported version for each device type refer to Supported Devices
Table.
Q. Can I have a different script for each device in a job?
A. No, you cannot have separate script for each device.In Software Management 4.1, script is defined
in admin preference option and is common for all Software Management jobs.
Q. What device types can be used as remote stage device?
A. All IOS devices with running image version >=12.0 version and complete CISCO-FLASH-MIB
support can be used as Remote-Stage device.

Q. What device types cannot be upgraded using remote stage flow?
A. Content Engines (CE), Network Analysis Modules (NAM), Content Service Switches (CSS), and
PIX.
Q. What are the pre-requisites for using the device as remote stage?
A. It must be an IOS device and it must be running >= 12.0 version and it must support
CISCO-FLASH-MIB completely.
Q. What Configuration changes are performed by Software Management on the remote stage device?
A. tftp-server flash-partiiton-name:image-name alias image-name is the only command that will be
added to the Remote stage device to make the image copied to Remote Stage device as accessible
through TFTP from other devices.
Q. If I use the device as remote stage device does it impact the device's other functionalities? or what
are the performance implications of using the device as remote stage device?
A. There will not be any impact on device's other functionalities and also they will no be any
performance implications on the device that is used as Remote-Stage.

Q. Are there any Bad version of IOS for Remote stage device?
A. 12.3(5x) series.
Q. Can I perform module upgrade (like Bootloader/mica/microcom etc.) using remote stage flow?
A. No.
Q. How many devices in a job can be upgraded using remote stage?
A. There is no limit specific to remote stage flow.the number of devices in a remote stage job is same
as that of other distribution flow.

Q. Can I perform Parallel upgrade using remote stage flow?
A. Yes
Q. Can I perform Slam dunk upgrade using the remote stage?
A. No. The image that you want to use must be in the Software Repository.

OL-25941-01
C-27
Appendix C
Software Management
Q. What is the difference between Run-from-RAM and Run-from-Flash devices?

A. Most Cisco IOS devices load the software image from Flash to RAM when rebooting, then run the
software from RAM. Such devices are called Run-from-RAM (RFR) devices. For these devices, the
software image on Flash can be upgraded without rebooting the device.
Certain Cisco IOS devices (namely 2500s, 1600s, and AS5200s) run the system software image
directly from Flash. These are Run-from-Flash (RFF) devices. The Flash partition in which the
current image is stored is the RFF partition, which is read-only.
Software Management supports upgrading software images on RFF partitions by using a procedure
called Rxboot upgrade. Before upgrading, reboot the device and put it into Rxboot mode, which
makes the RFF partition available to write a new software image.
Q. When does Software Management use the remote copy protocol (rcp) to transfer images?
A. Generally the order defined in selected protocol list will be used for transferring (to upload and
download) Cisco IOS Soft wares. If RCP is in the top of the selected protocol list then RCP is used
as the first protocol for image transferring on to the devices that support CISCO-FLASH-MIB.
Check the supported protocol list for the device to find out whether device supports RCP or not.
Cisco Catalyst 5500/5000 switches and Cisco 700 series devices do not support rcp. Cisco IOS
devices that do not support rcp include the Cisco 7000 series (route processor [RP]-based 7000 only)
and MC3810.
All other Cisco IOS devices support the rcp protocol.
Q. How does Software Management ensure that file corruption does not occur during transfer?
A. Software Management computes the checksum of the image file. Then, Software Management
compares this checksum to the checksum from the device after the copy of the image file to the
device Flash.
Software Management also verifies the size of the file on the Flash. If either the size or checksum
do not match, Software Management aborts the distribution and marks the job status as an error.
Q. After an upgrade, why does Software Management sometimes leave behind image files in the
tftpboot directory?
A. Software Management removes the image files from the tftpboot directory after the upgrade unless
the TFTP fallback job option is set. If the TFTP fallback option is set, Software Management
uploads the image from the device and leaves the image in the tftpboot directory for fallback.
Software Management also modifies the boot system commands on the device to add a fallback
command to boot from the original image on the LMS TFTP server if the upgraded image does not
boot.
Q. How much temporary space do you need during image distribution?
A. The amount of free space necessary depends on the image file size and the number of devices for
simultaneous upgrade. If the TFTP fallback option is set, you need additional free disk space to keep
the current image in the tftpboot directory. Both the tftpboot and temp directories use disk space.
Q. Is Cisco.com connection mandatory for Software Management?
A. Cisco.com connection is not mandatory for using basic Software Management functionality. Image
distribution, library management, tracking software upgrade changes, and other functions can run
without Cisco.com connectivity.
C-28
OL-25941-01
Appendix C

Software Management
Cisco.com connectivity provides the additional benefits of obtaining images and their attributes
from Cisco.com and viewing the status of outstanding bugs against the software images running on
the devices in the network.
The following features of Software Management require Cisco.com connectivity:
Adding image to Repository from Cisco.com. Software Management can import images for all
supported devices.
Distributing images directly from Cisco.com to devices, also called Recommend Images from
Cisco.com. Without a Cisco.com connection, the Recommend Images screen Image list box will not
show any images from Cisco.com when it creates the Distribute Images job.
Cisco.com upgrade analysis.
Cisco IOS image deferral processing.
Q. How does Software Management handle proxy environments?

A. Software Management uses HTTP protocol to communicate to Cisco.com about downloading
images and their attributes. If you use an HTTP proxy for Internet connectivity, configure Proxy
URL information in Admin > System > Cisco.com Settings > Proxy Server Setup.
Q. Does Software Management support proxy with user authentication environments?
A. Yes, Software Management support proxy that requires user authentication.
Q. Why is the Cisco.com filter option on the Software Management Edit Preferences screen not
provided for Catalyst or Cisco 700 Series images?

A. During the Distribute Images task, Software Management communicates with Cisco.com to obtain
a list of applicable images and their attributes. Based on this information, Software Management
recommends an image.
There are many Cisco IOS images available on Cisco.com, which can cause a substantial delay in
retrieving image attributes from Cisco.com. Some of these images will not be relevant to the user.
Software Management filters the amount of images being considered to make a more meaningful
and manageable subset.
For Catalyst and 700 devices, fewer images are available on Cisco.com than for Cisco IOS;
therefore, it is not necessary to filter the images.
Q. How come the Cisco.com filter option does not work in LS1010 devices?
A. Although LS1010 devices run Cisco IOS images, there are some differences in how the LS1010
images are released. LS1010 images do not follow the Cisco IOS-type image releases like general
deployment (GD), limited deployment (LD), and early deployment (ED).
Therefore, Software Management cannot effectively filter LS1010 type images. Nor does Software
Management filter Catalyst 8500 Series images.
Q. Can I configure Software Management to retrieve images from a Cisco.com mirror site rather than
the main Cisco.com site?

A. No. Although the mirror Cisco.com sites contain the images, they do not store image attributes, such
as minimum RAM and FLASH requirement. This information is available only from the main
Cisco.com site at http://www.cisco.com.

OL-25941-01
C-29
Appendix C
Software Management
Q. Why I cannot download crypto images?

A. Crypto images are available only to authorized Cisco.com users. All users can view the images
during the Recommendation stage but only users with the right privileges can download the image.
Make sure that the Cisco.com Login user configured in Cisco Prime has permission to download
crypto images.
Q. How does Software Management verify the integrity of the images after importing them from
Cisco.com?
A. Software Management checks the validity of the downloaded images by comparing the MD5
checksum of the image with the MD5 checksum value retrieved from the Cisco.com database.
Q. Why does the Flash size displayed in the Add Image to Repository (Source:Cisco.com) function not
match the actual size for some Cisco IOS devices?

A. Software Management does not erase files whose sizes are less than 1 MB on Cisco IOS devices
because those files may be config files that are backed up to Flash partitions or .html files or Java
applets used for management.
Software Management subtracts sizes of all files whose sizes are less than 1 MB from the size of the
Flash partition. The result of the subtraction is displayed as the size of the Flash partition in the
Software Management user interface.
The Software Repository Management window (Configuration > Tools > Software Image
Management > Software Repository) displays the size of the largest Flash partition on the device.
The size is displayed as an integer-truncated value in megabytes.
The Distribute Images screen displays information for all Flash partitions on the device. The values
are displayed with two-decimal-digit precision.
The example below illustrates Software Managements behavior on a Cisco IOS device, which has
two files whose sizes are 10 KB and 50 KB respectively.
The Flash cards total size is 8 MB. Because it has two files whose sizes are less than 1 MB, the Add
Image to Repository screen displays the size as 7 MB. The Distribute Images screen displays the
size as 7.94 MB.
enm-2502> show flash
System flash directory:
File Length Name/status
1 8089628 c2500-js-l.112-14.bin
2 10470 test_file1
3 52995 test_file2
8153288 bytes used, 235320 available, 8388608 total]
8192K bytes of processor board System flash (Read ONLY)
Q. What is a Dual Flash Bank device?

A. The Flash card can be partitioned into two equal banks. Each bank is called a Flash partition. A Flash
card that is not partitioned is Single Flash Bank (SFB) and the device is called an SFB device. A
device that has its Flash card divided into two partitions is a Dual Flash Bank (DFB) device.
When Flash is partitioned into two separate banks, they are named flash1 and flash2. Software
image files have to be completely stored in a single partition, so the maximum size of a software
image is limited by the total size of any Flash partition.
On a Dual Flash Bank Run-from-Flash (DFB RFF) device, Software Management supports
upgrading the flash partition that does not contain the running image. In other words, Software
Management cannot upgrade the RFF partition on DFB devices.
C-30
OL-25941-01
Appendix C

Software Management
This is because the other partition, which can be upgraded directly, is the recommended partition for
storing the new software image.
The AS5200 device has two Flash cards, Bootflash and Flash. The Flash is an RFF system and
Bootflash is an RFR system. The Bootflash is intended for storing bootldr images on the AS5200
and flash is for storing Cisco IOS System Software.
Q. Does Software Management support software upgrades on dual RSP-based systems?
A. Software Management updates the software on the master RSP processor by copying the software
image file to the master RSP Flash card (bootflash: slot0: slot1:) and updating the config file on the
master RSP. Software Management cannot do a complete job of upgrading the software on the slave
RSP processor.
Software Management can only copy the software image file to the slave RSP processor, but it
cannot update the config file on that processor. Users will have to run a separate Distribute Images
job to copy the software image file to the slave RSP processor.
Since Software Management cannot update the config file on the slave RSP processor, users must
select Don't touch config file and select the No Reboot option in the job created for upgrading
software on the slave RSP processor.
Q. Why does Software Management require static IP routes or dynamic IP routing protocol for
configuration for the upgrade of a run-from-Flash (RFF) partition on a Single Flash Bank (SFB)
device?
A. Software Management upgrades SFB devices that are in Rxboot mode. Rxboot mode does not
support IP routing, IP bridging, or Simple Network Management Protocol (SNMP). The Rxboot
image can support only one IP interface. Before the reboot of the device while in the Rxboot mode,
Software Management determines the:
Interface that connects the device to LMS servers. Software Management shuts down all interfaces
except the one that connects to the LMS server.
Default gateway IP address for the forward of all IP traffic when the device is in the Rxboot mode.
Software Management queries the ipRouteEntry MIB variables ipRouteDest and ipRouteIfIndex to
determine the default gateway IP address and the interface that connects.
If the device configuration does not include static IP routes or dynamic IP routing protocol, the
ipRouteEntry table is not set on the device. Consequently, Software Management cannot determine
the default gateway and the interface that connects to LMS.
Q. Although the configuration of the Single Flash Bank (SFB) device includes an IP default gateway,
why does Software Management not upgrade the device?

A. Software Management requires an IP default gateway address and an interface that connects. If you
configure only the IP default gateway with the configuration command (ip default-gateway
ip-address), you do not generate the ipRouteEntry MIB table on the device.
You can parse the IP default gateway from the configuration file; however, there is no reliable way
to get the connecting interface from the device without the ipRouteEntry MIB. Without the
ipRouteEntry MIB, Software Management does not allow upgrades, even if you have manually
configured the IP gateway on the device.

OL-25941-01
C-31
Appendix C
Software Management
Q. How do you change the IP default gateway configuration to allow Software Management to upgrade
a device?
A. Use the IP default gateway configuration command to convert to a static IP route. Replace ip
default-gateway gateway_ip_address with ip route 0.0.0.0 0.0.0.0 gateway_ip_address, which

removes the ip default-gateway command from the configuration file. Check the output of the show
ip route command to verify the correct configuration of a static IP route on the device.
Q. Why does Software Management require Cisco IOS Software Release 11.1 or later to run on a Single
Flash Bank (SFB) device for an upgrade when you have configured the device with Frame Relay
subinterfaces?
A. Releases earlier than Cisco IOS Software Release 11.1 do not include Frame Relay subinterfaces in
ifTable and ipRouteTable in RFC 1213. Software Management requires information from these
tables to perform Rxboot mode upgrades.
Therefore, Software Management requires Cisco IOS Software Release 11.1 or later to run on an
SFB device when the device has Frame Relay subinterfaces.
Q. How is the job directory organized?
A. When Software Management schedules a job, it creates a new directory:
On Solaris and Soft Appliance: /var/adm/CSCOpx/files/rme/swim
On Windows, NMSROOT\files\rme\swim
Where NMSROOT is the Cisco Prime installed directory.
The directory name is the integer ID of the job. (Example: /var/adm/CSCOpx/files/rme/swim/23,
where 23 is the Job ID.)
The Job directory contains the following files depending upon the type of Software Management
task:
Distribution Job
Image Import Job Image Synchronization Job
swim_debug.log
swim_debug.log
swim_debug.log
workorder.html
workorder.html
workorder.html
distribution.xml
import.xml
synchreport.xml
PostOperation.txt
PostOperation.txt
jobinfo.xml
SwOperation.txt
SwOperation.txt
synchReport.txt
SummaryTable.tab
SummaryTable.tab
Hostname.upgStatus
Hostname.upgStatus
HostName_Config_Snap
Where,
swim_debug.log contains the debug information during the job execution.
workorder.html contains the changes that user has chosen to perform with the job
deviceName.upgStatus- a serialized file created on job completion for Retry and Undo options.
PostOperation.txt used for all jobs scheduled through UI.
C-32
OL-25941-01
Appendix C

Software Management
SwOperation.txt indicates Job has been triggered. Absence indicate job has crashed for what ever
reasons
SummarTable.tab for UI purposes always exists for executed job.
_Config_snap contains the Changes that are performed by Software Management on the original
configuration.
HostName_telnet.log for some device types only.
Q. Which modem cards does Software Management support?

A. Software Management upgrades Modem ISDN channel aggregation (MICA) and Microcom 56K
modems.
Q. Which devices and software versions get support for the modem upgrades?
A. Support is available for Modem ISDN channel aggregation (MICA) portware upgrades on:
Cisco AS5200 that runs Cisco IOS Software Release 11.3(2)T or later and Bootldr version 11.2(11)P
or later.
Cisco AS5300 that runs Cisco IOS Software Release 11.2(9)XA, 11.3(2)T, or later.
Cisco 3640 that runs Cisco IOS Software Release 11.2(12)P, 11.3(2)T, or later.
Support is available for Microcom firmware upgrades on:
Note
AS5200 that runs Cisco IOS Software Release 11.2(10a)P or later.
AS5300 that runs Cisco IOS Software Release 11.1(14)AA, 11.2(7a)P, or later.
Cisco AS5800 devices also have modems. However, the modem microcode for these devices is bundled
with the system software only and receives upgrades as part of the system software upgrade.
Q. Which formats of Microcom firmware images does Software Management support?
A. The Microcom firmware for 56K modems is available in two formats:
Controller firmware and the Digital Signal Processor (DSP) code as two files, for example,
mcom-modem-fw-xx.bin and mcom-modem-dsp-xx.bin.

A combination of firmware and the DSP code in a single format, for example,
mcom-modem-code-xx.bin.
The Cisco AS5300 supports only the image combination. If the Cisco AS5200 runs a Cisco IOS
Software release later than Cisco IOS Software Release 11.2(10)P, the AS5200 supports only the
combination file format.
Software Management supports only the combination format files (for example,
mcom-modem-code-xx.bin). Software Management does not support separate firmware and DSP
code files. You cannot import the files to the software library.

OL-25941-01
C-33
Appendix C
Software Management
Q. Which format of Modem ISDN channel aggregation (MICA) portware do Cisco 3600 devices
support?
A. The 3640 digital modem network modules can run two types of modem microcode.
3600-Specific Modem Microcode FileThis file has a 3600-specific header and should have
the characters c3600-mica in the file name. Software Management does not support such files.
Cisco AS5300 Modem Microcode FileIn Cisco IOS Software Release 11.2(12)P, 11.3(2)T,
and later, the 3640 supports the AS5300 microcode files directly and the 3600-specific
microcode files.
The AS5300 microcode files have Executable and Linking Format headers that contain the
version and other information about the image file. Even though the microcode file formats
differ between the 3600 and the AS5300, the actual microcode that downloads to the MICA
modems is the same.
Software Management supports only AS5300 format files. Therefore, the earliest Cisco IOS
Software release that the 3640 supports is Cisco IOS Software Release 11.2(12)P.
Q. Why does the Undo option not receive support for modem upgrades?
A. To support the Undo option, Software Management must determine the version of software that runs
and identify the image file on the device that corresponds. The image file must be present in the
library or available on Cisco.com.
In the case of modem upgrades, Software Management cannot precisely determine the current
software version on the modems in all cases. Moreover, different modems can run different software
versions, which makes the undo process difficult to support.
Q. What connection mechanism does Software Management use for modem upgrades?
A. Software Management uses Simple Network Management Protocol (SNMP) to initiate the modem
image file transfer to the device Flash. After Software Management copies the image to Flash,
Software Management uses the Telnet interface to the device to run a command line interface (CLI)
command that downloads the code to the modems. (The command is copy flash modem.)
Q. Does Software Management erase Flash for modem upgrades if there is not enough free space on
Flash?
A. Yes, if the target Flash card does not have enough free space for the store of the new modem image,
Software Management erases the target Flash. Software Management does not erase the Flash card
if:
The upgrade of the system software does not occur within the same job as the modem upgrade.
The target Flash partition for the modem upgrade contains the current system software image.
Instead, Software Management prevents the modem upgrade on that Flash partition. On the Cisco
AS5200, the Bootflash card stores modem images, which can contain the bootloader image that
currently runs.
If there is not enough free space to contain the new modem image, Software Management erases the
Bootflash card. Back up and restore bootloader images in the case that an erase of the Bootflash is
necessary for the upgrade of the modem image. Software Management issues a verification warning
if Software Management needs to erase the Bootflash.
Q. What is CIP?
A. CIP stands for Channel Interface Processor card. This interface card allows you to connect the Cisco
7000 router to IBM or IBM-compatible mainframes.
C-34
OL-25941-01
Appendix C

Software Management
Q. Which devices support the Channel Interface Processor (CIP) microcode upgrade? What is the
minimum software version necessary?

A. Software Management supports CIP upgrades on Cisco 7000 and 7500 routers that run Cisco IOS
Software Release 11.1(1) or later.

Q. What is the minimum Channel Interface Processor (CIP) version that Software Management
supports?
A. Software Management supports CIP version 22.0 at minimum.
Q. How can you import Channel Interface Processor (CIP) images to the Software Management
library?
A. The Add Images function (Configuration > Tools > Software Image Management > Software
Repository > Add) does not support the import of CIP microcode images from Cisco.com.
a. You first must download the images to the file system on the LMS server.
b. Then, choose Add option with source as File System to import them to the software repository.
Software Management does not recommend the download of CIP microcode directly from
Cisco.com for an upgrade.
c. Populate the software Repository with modem images before you run the Distribute Images
function.
Q. Is there support for the Undo option for Channel Interface Processor (CIP) upgrades?
A. No, there is no support for the Undo option for CIP upgrades.
Q. What connection mechanism does Software Management use to upgrade Channel Interface
Processor (CIP)?
A. Software Management uses the Telnet interface to the device to copy the CIP image to the Flash.
Software Management uses TFTP (via Simple Network Management Protocol [SNMP]) for the
configuration upgrade to add the boot command to load CIP microcode.
Q. Does Software Management change the configuration file for the Channel Interface Processor (CIP)
upgrade?
A. To load the new CIP microcode, the CIP upgrade process adds these configuration commands:
microcode cip flash new_cip_image_name
microcode reload
Q. Does Software Management supports CIP2?

A. Yes, Software Management supports CIP2 images for CIP supported device types.
Q. In which order does Software Management upgrade modules on a Cisco Catalyst 5500/5000 device?
A. Software Management upgrades the Supervisor Engine module on the device before other modules.
Software Management upgrades the remainder of the modules in slot-number order. For example,
Software Management upgrades the module on Slot 3 before Slot 5.

OL-25941-01
C-35
Appendix C
Software Management
Q. Does the Supervisor Engine card reboot after the upgrade of all modules?
A. If you elect to reboot devices immediately after the upgrade of software, Software Management
reloads the Supervisor Engine card. The reload of the card results in the reload of all modules, before
the upgrade of software on other intelligent modules. This process supports instances in which the
new module requires a newer version of Supervisor Engine software.
If you choose not to reboot the device after the download of software, you then must reload the
Supervisor Engine module manually. You also should consider that software that you have newly
loaded on a module may require new Supervisor Engine software.
If a new Supervisor Engine software is necessary, you should reload the Supervisor Engine module
before you load the new software to the other intelligent modules (such as ATM, FDDI, and Token
Ring).
For example, you may download 3.1(1) FDDI software and 4.1(1) Supervisor Engine software in a
single job. The 3.1(1) FDDI software may require 4.1(1) Supervisor Engine software. Then, you
must reset the Supervisor Engine module before you can upgrade the FDDI software. In such cases,
you must have already chosen the Reboot Immediately option.
Q. Does Software Management determine if the newly deployed Supervisor Engine software or module
A. Software Management does not verify whether the newly deployed Supervisor Engine software
supports all modules that are available on the chassis.

Usually, with the upgrade of Supervisor Engine software to a newer release, the software provides
backward compatibility for all the modules that exist on the chassis. However, you should check the
release notes of the Supervisor Engine software or module software to be sure that the software
versions are compatible.
Q. Does Software Management support the upgrade of software on redundant Supervisor Engine
card-based systems?
A. The redundant architecture of Cisco Catalyst devices ensures that when the device reboots after a
software upgrade, the redundant Supervisor Engine automatically synchronizes all the data from the
primary Supervisor Engine. No special processes are necessary.
Q. Does Software Management update the configuration file on Cisco Catalyst 5500/5000 devices
during the software upgrade?

A. Software Management updates the configuration file on Catalyst 5500/5000 devices only when the
device has a Supervisor Engine III card. Software Management updates the boot system commands
and the config register value if necessary.
For Supervisor Engine I and II and other module upgrades, Software Management does not update
the configuration file on the device. Instead, Software Management uses CISCO-STACK-MIB and
TFTP to download the configuration file. Before Software Management changes the configuration
file on the device, Software Management backs up the file to the Job Schedule directory.
The example below illustrates the Software Management update of the configuration file. Assume
that a Supervisor Engine III card runs 3.1(1) software. Also, assume that the software image file is
on slot0 with the name cat5000-sup3.3-1-1.bin.
The configuration file boot system commands before the upgrade are:
set boot system flash slot0:cat5000-sup3.3-1-1.bin
C-36
OL-25941-01
Appendix C

Software Management
Software Management has upgraded the software to 4.1(2). The new software image is on the same
Flash card as cat5000-sup3-4-1-2.bin. Software Management then performs these configuration
updates:
clear all boot system all
This removes all boot system commands on the device.

The update modifies the BOOT environment variable on the Supervisor Engine III card. You can
display the environment values on the device is you issue the show boot command from the
Supervisor Engine command-line interface (CLI).
The config register update occurs only if the least significant four bits of the config register are not
all set to 1.
For example, if the current config register value is 0x10F (with the least significant four bits all 1s),
Software Management requires no change to the config register. If the current config register value
is, for example, 0x111 or 0x11A, Software Management modifies the config register to 0x11F. The
action generates this command:
set boot config-register 0x11F
Q. Does Software Management determine if the Supervisor Engine has the minimum required RAM to
run a new image?

A. Software Management uses the Minimum Required RAM field for the Supervisor Engine software
image. You can set this field when you import the image into the library. If you do not input a value
in this field, Software Management uses this matrix to determine the RAM requirement:
Image Type Software Version RAM Requirement
I, II sup < 2.1(1) 4 MB
I, II sup > = 2.1(1) & < 3.1(1) 8 MB
I, II sup8 > = 3.1(1) & < 4.1(1) 8 MB (8 MB RAM image)
I, II sup > = 3.1(1) & < 4.1(1) 16 MB
I, II sup > = 4.1(1) 16 MB
III sup3 > = 3.1(1) 32 MB
Images that are 8 MB RAM are available in 3.1 and 3.2 software releases only for Supervisor Engine
I and II cards.
Software Management tries to use CISCO-MEMORY-POOL MIB to determine the available
memory on a device. The MIB is implemented from 4.1(1) Supervisor Engine software (on all
different Supervisor Engine card typesI, II, and III).
If a device runs the software that implements this MIB, Software Management performs a
memory check between the image requirement and the size of DRAM that is on the device.
If the device does not have enough RAM to run the image, Software Management generates a
verification warning.
If the current software on the device is earlier than 4.1, Software Management generates a
generic verification warning about memory requirements.

OL-25941-01
C-37
Appendix C
Software Management
Q. Are there restrictions on the downgrade of the software on the Supervisor Engine card and other
modules?
A. You can downgrade Supervisor Engine card software to version 4.1(1) or later.
For example, if a Supervisor Engine card runs 4.2(1) software, you can downgrade the software to
4.1(2) or 4.1(1). However, you cannot downgrade the same Supervisor Engine card to 3.2(1b). If a
Supervisor Engine card runs 3.2(2), you cannot downgrade the software to 3.1(1) or 2.4(1).
There are no restrictions for the downgrade of software on other modules, such as ATM, FDDI, and
Token Ring. However, you should check the release notes of new software before you attempt
downgrades on modules.
Q. Do you need to reconfigure the device when you downgrade the Supervisor Engine software?
A. When you downgrade Supervisor Engine software, parts of the configuration may be lost. You must
check the configuration file and reconfigure as necessary. Use the backed up Software Management
configuration file from the Job Schedule directory as a reference, or use the backed up configuration
file from the Config Archive.
Q. In the 4.1(1) software release and later, Supervisor Engine III cards allow the storage of
configuration files on Flash cards. Does Software Management preserve the backed up
configuration files on Flash during a software upgrade?
A. Software Management erases a Flash card on Supervisor Engine III if the free space on the Flash
card cannot store the target software image. Software Management does not erase files of sizes that
are less than 1 MB during software upgrades. Since configuration files generally do not exceed 1
MB, Software Management does not erase these files.
Q. Does Software Management allow you to upgrade epsboot images on Token Ring cards on Cisco
Catalyst 5500/5000 devices?

A. Software Management does not allow upgrades of epsboot images on Catalyst 5500/5000 devices.
An epsboot string in the file names can identify epsboot images. Epsboot upgrades are not often
necessary. You can perform the upgrades with the Supervisor Engine card command-line interface
(CLI).
Q. Why does the Add Image to Repository (Source: Cisco.com) task not display Token Ring LAN
Emulation (LANE) or Permanent Virtual Circuit (PVC)-only ATM software images?

A. The Add Image to Repository (Source: Cisco.com) function in Software Management displays
software images for only a subset of these ATM modules:

WS-X5153
WS-X5154
WS-X5155
WS-X5156
WS-X5157
WS-X5158
Software images for these modules have version numbers that range from 2.2 to 3.2(8).
C-38
OL-25941-01
Appendix C

Software Management
The WS-X5153 to WS-X5158 modules can run:

ATM LANE
PVC Traffic Shaping
Token Ring LANE software images
Software Management also supports the upgrade of software on these modules:

WS-X5161
WS-X5162
WS-X5165
WS-X5167
WS-X5168
However, no mechanism exists to import the images from Cisco.com directly into the Software
Management software library for these modules. The software images that run on the modules
support LANE on Ethernet, Token Ring, and PVC traffic shaping.
You must download the software images for these modules directly from Cisco.com. Then, import
the images into the library with the Add Image to Repository function.
Software Management does not support software management on WS-X5166 modules.
Q. How do you identify software image files for each of the ATM modules that Software Management
does support? What are the file-name conventions on Cisco.com?

A. ATM software image file names and version numbers determine on which modules the software
image can run and identify the features that receive support. This table provides details on version
numbers and file-name conventions.
Q. How can I make the Image Recommendation faster?
A. If you select Cisco.com image recommendation, try to limit the images by filtering.
Module IDs
Image Feature/Version
Image File Name Format (Example)
Version to Input in
Software
Management
WS-X5153 to
WS-X5158
Ethernet LAN Emulation

(LANE) 2.2 to 3.2(7)
cat5000-atm.ver_number 3.2(7)
2.2-3.2(7)
WS-X5153 to
WS-X5158
Ethernet LANE 3.2(8)
c5atm-wblane.Cisco
_IOS_Software_rel_number
cat5000-atm.3-2-7.bin
3.2(8)
c5atm-wblane.113-2.5.WA4.4m.bin
WS-X5153 to
WS-X5158
Token Ring LANE 70.x
c5k-trlane.ver_number c5k-trlane.70-1-1.bin 70.x
WS-X5153 to
WS-X5158
Permanent Virtual Circuit

(PVC) Traffic Shaping 50.x
cat5000-atm-pvcshape.ver_number
50.x
cat5000-atm-pvcshape.50-1-1.bin

OL-25941-01
C-39
Appendix C
Software Management
Module IDs
Image Feature/Version
Image File Name Format (Example)
WS-X5153 to
WS-X5158
PVC Traffic Shaping 51.x
c5atm-wbpvc.Cisco
Version to Input in
Software
Management
51.x
c5atm-wbpvc.113-2.5.WA4.5.x.bin
WS-X5161,
WS-X5162,
WS-X5167,
WS-X5168
(Truckee)
Ethernet LANE, Token Ring

LANE, PVC Traffic Shaping
4.3, 4.4
c5atm-wtall.Cisco
4(3), 4(4b)
c5atm-wtall.113-2a.WA4.4b.bin
ATM version-number conventions differ for different classes of ATM images. PVC, Token Ring
LANE, and Truckee types of ATM images have unique version-number conventions. Software
Management recognizes the version numbers that appear in the last column of the table. The input
of an incompatible version number results in upgrade job failures.
ATM software release notes give the original version number of the image as well as a version
number that is close to the Software Management version-number scheme. Check the release notes
for version-number schemes.
Q. Why do the software version numbers that the show module command output displays from the
Supervisor Engine command-line interface (CLI) and the version numbers that Software
Management uses fail to match in some cases?
A. ATM module software for Cisco Catalyst devices uses Cisco IOS Software code as a basis. The
software release for Truckee ATM modules as well as ATM software releases 3.2(7) and later use
the Cisco IOS Software version-number scheme.
Software Management does not recognize the Cisco IOS Software version-number scheme for
Catalyst ATM software images. Use the simple version-number scheme that appears in the table in
this document. (See the Version to Input in Software Management column.)
Output of the show module command of the Supervisor Engine CLI and the show command on the
ATM module can display different versions. If the software that runs on the Supervisor Engine is
earlier than 4.1, the Supervisor Engine software does not recognize the Cisco IOS Software
version-number scheme of ATM images.
Therefore, the Supervisor Engine displays a different version number than the output of the show
command on the ATM module.
version
Q. Does Software Management recommend the right ATM image for your ATM module type?
A. Yes, Software Management distinguishes different flavours of ATM images and recommends
images based on current class of ATM card on the device.
C-40
OL-25941-01
Appendix C

Software Management
Q. Should you use special images with Software Management for Cisco Catalyst 2900XL/3500XL
devices?
A. The 2900XL/3500XL devices have three images:
Regular Cisco IOS Software image.
A TAR format HTML image that contains files for Visual Switch Manager.
A TAR format image that contains both of these images.
Software Management uses the TAR format image that contains the Cisco IOS Software and HTML
image. This image posts on Cisco.com, as do other images for 2900XL/3500XL.
When you use LMS for software upgrades, you should use images with the description
Enterprise-IOS and HTML-Use. When you use Add Image to Repository from Cisco.com/Slam
Dunk, you are able to see only these images.
Q. How does Software Management handle image import functionality of TAR and bin types of images
for Catalyst 2900XL/3500XL devices?

A. For 2900/3500 device types Both .tar format and .bin format images are supported as system
software. Network Synchronization option (Add image from network as source) will not be able
import tar images because when the image downloads to the switch, the image distributes as small
individual files on the Flash in different directories.
The switch command-line interface (CLI) does not provide commands to combine all the files and
make a new TAR file that Software Management can then upload. Whereas the .bin image can be
imported from the device as well as from the Network Synchronization option.
Q. Why do software upgrades take longer on Cisco Catalyst 2900XL/3500XL devices?
A. Software Management uses command-line interface (CLI) to download software to
2900XL/3500XL devices. Because the software on these devices has many HTML/gif files on the
Flash, the software must first delete all the files and then proceed with the new software download.
Deletion of the images takes time, which is why software downloads to devices can take up to 20
minutes.
Q. How do you upgrade Route Switch Module (RSM) and LightStream 1010 (LS1010) module
software on Cisco Catalyst 5500/5000 and 6500/6000 series switches?

A. The RSM (also called the VLAN router) on a Catalyst 5500/5000 or 6500/6000 switch and the
LS1010 module on a Catalyst 5500/5000 switch run Cisco IOS Software. RSMs and LS1010
modules have individual IP addresses and Simple Network Management Protocol (SNMP) agents.
The LMS Inventory manages these modules as separate devices.
You can find the IP address of the RSM if you look at the Detailed Inventory report of the Catalyst
5500/5000 and 6500/6000 device that has the RSM on the chassis. The Module IP Address column
in the Stack Modules section shows the IP addresses of all modules on the chassis.
If you do not find the addition of RSM or LS1010 to Inventory, you must first add the module as a
device to Inventory before you attempt Software Management functions. Software Management
functions that run on Cisco IOS devices also can run on an RSM or an LS1010.

OL-25941-01
C-41
Appendix C
Software Management
Q. Why does the Distribute Images task show all the images from Cisco.com for LightStream 1010
(LS1010) and Cisco Catalyst 8500 devices, even though you have configured Cisco.com filtering?
A. Although LS1010 and the 8500 devices run Cisco IOS Software images, differences exist in the
means of image release. The images do not follow the Cisco IOS Software image releases, such as
general deployment (GD), limited deployment (LD), and early deployment (ED). Therefore,
Software Management cannot effectively filter LS1010-type and 8500-type images.
Q. What is the minimum version that Cisco 700 series ISDN routers support?
A. For Cisco 760 Series ISDN routers, Software Management requires a minimum software version of
3.2(4) on the device. For Cisco 770 Series ISDN routers, the minimum version necessary is 4.0(1).
Q. What connection mechanism does Software Management use for Cisco 700 series upgrades?
A. Software Management uses the Telnet interface to the device to copy the 700 series image to the
Flash. Software Management uses TFTP protocol. The LMS workstation is the TFTP client, and the
device is the TFTP server.
Q. Both Cisco 760 and 770 series devices run the same image. Why do you see only some images with
versions later than 4.0(1) for 770 series devices but see all images for 760 series devices?
A. When you load an image with a version earlier than 4.0(1) onto a 770 series device, the sysObjectID
box changes to something other than Cisco-assigned. Also, LMS identifies the device as a non-Cisco
device. Therefore, Software Management does not list images with versions earlier than 4.0(1) for
Cisco 770 series upgrades.
Q. Why do you not see the option to reboot the device later on the Job Control page for Cisco 700 series
routers?
A. There is no option to reboot the device later because 700 series routers reboot at the time of the new
image download.
Q. Why do you not see the option to modify the boot commands on the Job Control page for Cisco 700
series routers?
A. Only one image at a time can appear on the 700 series devices, which means the boot command does
not apply to these devices.

Q. Why does Software Management report download failures for some images even though the device
runs the new image after the job completes?

A. Some new Cisco 700 series images use nonstandard name convention or nonstandard versions.
Software Management incorrectly parses the version number from file names of those images. After
the download of the new image, the device reboots.
Software Management retrieves the new image version from the device and compares that with the
version that Software Management parsed. The two versions do not match. As a result, the software
download appears to have failed, which generates as an error.
This problem occurs with c760-in.b-US.42-3.5.bin and c760-in.b-US.43.1.bin images for all
countries.
You can resolve this issue by entering the correct version number when you import the image from
the file system.
For example, for c760-in.b-US.42-3.5.bin, enter 4.2(3.5). For c760-in.b-US.43.1.bin, enter 4.3(1) as
the version number.
C-42
OL-25941-01
Appendix C

Software Management
Q. In which order does Software Management upgrade modules on a Catalyst 5000 device?
A. Software Management upgrades the Supervisor module on the device before other modules. The
remainders of the modules are upgraded in the order of their slot number. For example, the module
on Slot #3 is upgraded before Slot #5.
Q. Does Software Management check to see that the newly deployed Supervisor software or module
A. Software Management does not verify whether the newly deployed Supervisor software supports all
modules that are available on the chassis.

Usually, when Supervisor software is upgraded to a newer release, the software provides backward
compatibility for all the modules that exist on the chassis. Users are encouraged to check the release
notes of the Supervisor software or module software to make sure that the software versions are
compatible.
Q. Does Software Management support upgrading software on redundant Supervisor card-based
systems?
A. The redundant architecture of Catalyst devices ensures that when the device reboots after a software
upgrade, the redundant Supervisor automatically synchronizes all the data from the primary
Supervisor. No special processing is required.
Q. What is the purpose of user scripts?
A. User-supplied scripts are run before and after each device upgrade. They can be used for pre- and
post validation checks. For example,

The pre-upgrade script can check whether the device is accessible.
The pre-upgrade script can check whether any users are connected to the access server. If the
script finds that some users are connected, it can decide whether to disable the connections
before proceeding with the upgrade.
The post-upgrade script can check whether the device has upgraded successfully or not.
Depending on the return value, Software Management either halts or continues with the rest of
the upgrade job.
Q. What if the user script crashes? Will it crash the Software Management job also?
A. No, crashing of the script will not stop the Software Management job. Software Management
executes the script in a different process space so the script crashing will not crash the Software
Management job. However, Software Management will assume the script has failed.
Q. When a Software Management job is scheduled, how is the baseline determined? When I distribute
a job, is an automatic backup performed?

A. There are two options that import images from the network to the Software Repository:
Baseline tasks
Synchronization
The baseline task (Configuration > Tools > Software Image Management > Software Repository
> Add > Network) should be done only once as a part of the initial setup. This imports the images
running on the network to your Repository.
To keep the Repository synchronized with any new images and changes caused by upgrades from
sources other than Software Management, schedule a synchronization job to run periodically at
appropriate intervals.

OL-25941-01
C-43
Appendix C
Software Management
When this synchronization job runs, it looks for differences between the Repository and the network
and allows any new images to be imported. During job distribution, Software Management backs up
the current running image only if the option, Use current running image as tftp fallback image was
selected when the job was created.
Q. Can I set up a periodic download of Software Management images from Cisco.com?
A. No. However, you can schedule a one-time import from Cisco.com to occur at a later time. Software
Management does not allow you to automatically import images from Cisco.com to the Repository
based upon your preferences.
Q. Is browser timeout something I should consider when downloading?
A. The Image Import option from Cisco.com and other devices can be done on a scheduled basis. Since
this process runs as a background task on the server, the browser is not involved. However, when an
Immediate Import job runs, it is performed as a foreground task, and the browser can still timeout.
Q. What are crypto images?
A. Crypto images are software images that use 56-bit Data Encryption Standard (DES) (or higher)
encryption, and are subjected to export regulations. You must be a registered Cisco.com user, and
be eligible and authorized to download such images.
Q. How much temporary space is required during image distribution?
A. The amount of free space that is required depends upon the image file size and the number of devices
that are being upgraded simultaneously. If the tftpfallback option is set, additional free disk space
is required to keep the current image in the tftpboot directory. Disk space is used both in the tftpboot
and temp directories.
Q. At what time will the images directory get created during the process of obtaining images from a
device? Does this happen during the initial step?

A. The software images directory gets created at the time of importing an image to the Repository;
however, this should be transparent to you.

Q. How can I speed up Image Recommendation?
A. If you include Cisco.com for Image Recommendation, try to limit the images by filtering (Admin
> Network > Software Image Management > View/Edit Preferences).

Q. When a job is rejected, can it be edited or should I resubmit?
A. No. You cannot edit or retry the rejected job. You should schedule a new job.
Q. Can different group members edit jobs? What are the restrictions?
A. The only job attribute that can be edited is the schedule time for non-Job Approval jobs. Any user
who has the Network Administrator role defined can edit jobs or create new jobs; however, in the
Job Approval model, the jobs can only be approved by users who are in the approver list specified
during the creation of the job.
C-44
OL-25941-01
Appendix C

Software Management
Q. What is the role of the registry files?

A. Software Management manipulates the Windows registry to automatically manage remote
authentication during the rcp transfers on Windows. The following registry parameters are
important for rcp service on Windows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\Parameters\DEBUG
Dictates the amount of debug information written in the Windows event log.
(Default = 0, Maximum = 0xff)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\Parameters\rhosts
Contains the list of authenticated hosts that can run remote commands on this machine. This list
is automatically managed by Software Management.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crmrsh\Parameters\rusers
Contains the list of authenticated remote users that can run remote commands on this machine.
This list is automatically managed by Software Management.
HHKEY_LOCAL_MACHINE\SYSTEMCurrentControlSet\Services\crmrsh\Parameters\NoRuserC
heck
If set to 1, the remote user authentication is skipped or, in other words, any remote user from
authenticated hosts can run commands on this machine. (Default = 0)
HKEY_LOCAL_MACHINE\SYSTEMCurrentControlSet\Services\crmrsh\Parameters\NoRhostCh
eck
If set to 1, the remote host authentication is skipped or, in other words, commands can be run
on this machine from any remote machine.
(Default = 0)
Q. How do I upgrade Network Analysis Module (NAM) using Software Management?

A. To upgrade NAM using Software Management:
Ensure that the passwords for NAMs application and maintenance modes are the same.
This is because Software Management takes the password information from Inventory.
However, Inventory requires the application mode password to manage the device, and
Software Management requires the maintenance mode password to upgrade the device.
Therefore, the passwords for NAMs application and maintenance modes should be the same.
For a NAM card present in a Catalyst 6000 device running CatOS, ensure that you set auto
logout to a value that is high enough to allow the copying of the new image.
This is because a NAM image is usually very large (nearly 65 MB), and it may take between 1
to 2 hours to copy this image during Software Management upgrade. We recommend that you
set the auto logout to 0 to ensure that there is no auto logout while the image is being copied.
To set the auto logout value, use the CLI command, set logout 0.
For a NAM card present in a Catalyst 6000 device running IOS, ensure that you set exec timeout
to a value that is high enough to allow the copying of the new image. We recommend that you
set the exec timeout value to 0 (exec-timeout 0 0) on all the vty lines.
Ensure that the htdocs directory under CSCOpx has enough space to stage the NAM image.
During the NAM upgrade, Software Management first copies the NAM image from the
NMSROOT/files/sw_images directory (On Solaris and Soft Appliance) or
NMSROOT\files\sw_images (On Windows), to the NMSROOT/CSCOpx/htdocs/swimtemp (On
Solaris and Soft Appliance) or NMSROOT\CSCOpx\htdocs\swimtempdirectory (On Windows),
and then copies the NAM image to the NAM card, using HTTP.

OL-25941-01
C-45
Appendix C
Software Management
Ensure that NAM is added with the correct Local User (root) and its password.
Ensure that NAM is added with the correct SNMP read/write community strings.
Ensure that the switch, which contains NAM, is added with the correct attributes.
Q. Can I change the job scheduled time?

A. The job scheduled time can be modified only for pending jobs that do not require approval.
For a job that requires approval, you must cancel the job and retry or recreate the job.
Q. How does Software Management handle the job status for an abnormally terminated job?
A. Software Management checks the last modification time of the job results file for each running job
when the Browse Job Status screen is displayed. If the results file has not been modified for the last
six hours, Software Management assumes that the job was terminated abnormally (server reboot is
a probable cause for the termination), and the job status is changed to Error.
Q. How does Software Management handle the job status of a pending job whose scheduled time has
passed?
A. Software Management checks the scheduled time for each pending job when the Browse Job Status
screen is displayed. If the current time is an hour past the scheduled time for starting the job, (lack
of operating system resources is a probable cause for the job not running at the scheduled time), the
job status is changed to Error.
Q. Why are some files left in the Software Management folder after Software Management has been
uninstalled?
A. When uninstalled, Software Management does not remove the software images directory from the
LMS server. The software images directory contains subdirectories for storing software images for
various device families.
Q. How can I enable or disable the SSH to Telnet fallback for Software Management jobs?
A. To enable or disable SSH to Telnet fallback for Software Management jobs:
Step 1
Go to Admin > Network > Software Image Management > View/Edit Preferences.
Under the Distribution pane, there is a checkbox option, Use SSH for software image upgrade and
software image import through CLI (with fallback to TELNET).
Step 2
Step 3
Check this option, to enable the use of SSH for software image upgrade and software image import
through CLI along with fallback to Telnet.
Uncheck this option, to disable the use of SSH for software image upgrade and software image
import through CLI along with fallback to Telnet.
Click Apply to save your changes.
C-46
OL-25941-01
Appendix C

Software Management
Q. How can I export the images from SWIM repository to a local drive or a file system mounted to the
LMS server?
A. To export the image from Software Repository to a local drive or a file system:
Step 1
Step 2
Select images that you want to export, then click Export.

A confirmation message appears, The selected images will be exported.
Step 3
Click OK.
The Select directory to export window appears.
Step 4
Click on Browse to select a directory to which you want to export the selected images.
Step 5
Choose the required directory and click OK.

The Image Directory field in the Select directory to export window displays the directory location which
you had selected.
Step 6
Click Next
A progress bar appears indicating the progress of the export of images.
The Export Images Summary Report appears after completion of the export of the images with these
details:
Step 7
Number of Selected Images
Target Directory
Summary
Click Finish.
You have successfully exported the images to the selected directory.
Q. Does Flash get erased if there is no sufficient space for Patch Distribution?
A. No. Patch Distribution requires sufficient amount of free space in Flash and so it cannot be erased.
Q. When I try to copy images, the Image Copy option fails indicating that the External TFTP server is
inaccessible.
A. If you come across this error, try any of these:
Check whether TFTP service is running or stopped in the External TFTP server. If stopped, start it.
Check if any security agent is preventing the application. If so register the application with security
agent or disable the security agent.
Q. Can I specify the name of my input file as imagenames.txt when I try to export images using the
Software Management (SWIM) CLI exportimages command?

A. Do not name your input files similar to arguments.
For example, if you specify

cwcli swim exportimages -input imagenames.txt -u admin -p admin

OL-25941-01
C-47
Appendix C
Software Management
the following error message will be displayed

Invalid argument: imagenames
For example, you can specify the input filename as sample.txt

You can enter the following argument in your sample.txt
-imagenames image1,image2,image3,image4...........
So the exportimages command with input file will be:

cwcli swim exportimages -input sample.txt -u admin -p admin
Q. I am getting timeout exception in cmdsvc (command service library) during a device
connection/socket establishment. How do I change the default timeout and delays in cmdsvc?
A. You can change the default timeout and delays in cmdsvc using the cmdsvc.properties file available
in the following directory: $NMSROOT/objects/cmf/data

To change the default timeout and delay values:
Step 1
Go to the directory $NMSROOT/objects/cmf/data
Step 2
Open the cmdsvc.properties file.

Various timeout and delay values are listed in the file.
Step 3
Remove the Hash symbol (#) to uncomment a particular timeout or delay value.
Step 4
Remove the existing timeout or delay value.
Step 5
Enter new timeout or delay value.
Step 6
Save the cmdsvc.properties file.

Message-ID
Error Message
Probable Cause
Possible Action
SWIM0013
Image Import option not

supported for the selected
devices
Image Import option is not

supported because of device
limitations.
None.
Check Software Management

feature support matrix against
the selected device platform.
SWIM0014
No images to import into

library from the selected
devices
Either:
There are no images on

the Flash
Or
Cannot get Flash

information from
inventory.
Check the Inventory Detailed Device Report

to ensure that Flash file information exists for
the device.
If report generation fails, schedule an
inventory collection job and redo the
Software Management image import job.
C-48
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
SWIM0019
Could not perform Image Could not fetch Image

recommendation for the
information from the
selected devices because of Inventory database.
insufficient data.

to ensure that Inventory data exists for the
device.
Image Import option not

supported for the selected
devices
None.
SWIM0020
Probable Cause
Image Import option is not

supported because of device
limitations.
Possible Action
If report generation fails, schedule an

inventory collection job and perform
Software Management recommendation.
Check Software Management

feature support matrix against
the selected device platform.
Either the Job Data file could Check whether you have access permissions
not be located or the data for to Job Directory, or re-create the job.
Image Upgrade was not
If the problem persists, send all log files
provided.
under job directory to TAC.
SWIM0021
Error encountered while

parsing Job Data.
SWIM0027
Staging of the Image on the Image Copy to Remote Stage

Remote Stage Device
device failed because of
SNMP Agent problems
failed.
during transfer.
Check for any known bugs against the Image

running on Remote Stage, or choose a
different device.
SWIM0028
Cleanup option on Remote Image Erase or a

Stage Device failed.
Configuration download
caused an error.
Check for any known bugs against the Image

running on Remote Stage.
SWIM0034
Device reboot failed.
Check whether the snmp-server shutdown

command is configured on the device.
Either:
The device configuration

You can do any of the following:
for reboot is missing
Or
If the problem persists, send all log files

under job directory to TAC
The image downloaded

onto the device is not
suitable for the device to
come up.
Configure the devices and re-schedule

the jobs.
Use NetConfig reload template to reload

the devices.
Reload manually if you have only a few

set of devices.
SWIM0036
Image addition to Software Either an invalid image was

Library failed
imported into library or the
image is corrupted.
Check whether the image is downloaded

completely in the directory
SWIM0056
Invalid Remote Stage

device selected.
Cannot use this device as

Remote stage because of
device limitations.
Check the Help documentation to see which

devices can be used as Remote Stage.
SWIM0067
System software analysis

failed
This is an unexpected runtime contact Cisco TAC.

error.

OL-25941-01
C-49
Appendix C
Software Management
Message-ID
Error Message
SWIM0089
Check the Software Management feature

Could not perform Image Add Image from Cisco.com
Import from Cisco.com on not supported for the device. support matrix against the selected devices
platform.
the selected devices.
This is because Cisco.com
could not find the device
platform in the supported list.
SWIM0092
Could not perform Image

Import from Cisco.com on
the selected devices
because of insufficient
data.
The device information

needed to fetch images from
Cisco.com does not exist in
Inventory.

to ensure that Chassis information exists for
the device.
Could not get Image

information from
Cisco.com
Could not connect to

Cisco.com from Cisco Prime
Server either because of
incorrect Cisco.com
credentials or missing proxy
configuration.
Check whether Cisco.com credentials are

correct. If they are correct, check whether the
proxy server is configured with right proxy
credentials.
The current version of the

image on the device is
different from the earlier
version of the image.
This message is displayed

when you retry a failed
distribution job.
Try a new distribution job instead of retrying.
Software Management
application could not
verify the inputs since
there was no running
image information.
Advanced Distribution Flow: Schedule the distribution job for a future date
when the device is deployed
Either:
SWIM0093
SWIM0101
SWIM0118
Probable Cause
If Chassis information is missing, schedule an

inventory collection job and retry the import
workflow.
To configure proxy, go to:

Cisco Prime Home page > Server > Security
> Proxy Server Setup.
This mainly happens when

other jobs change the current
running image of this device
before scheduling the retry.
The device package may

not have been installed.
You can install it now and
retry the task or you can
install it before running the
job. However, the results
may not be accurate.
Possible Action
Otherwise, the device package for this

The selected device is not
unsupported device will be installed and
yet deployed in the
available in the LMS server.
network (pre-provisioned
device)
Or
It is still not supported by

LMS.
C-50
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM0119
Software Management
verify the Flash inputs
since there was no Flash
information available.
The selected device does not

have any Flash related
information.
None.
Edit the expert input file

and verify it again.
If you do not want to edit
the expert input file, you
can continue with the task
by clicking Next.
However, the results may
not be accurate.
SWIM0120
Software Management
application did not verify
the inputs since there was
no running image
information. If you find
that the device package is
not installed, install it
before running the job.
The image distribution will
proceed based on the
unverified inputs.
not be accurate.
SWIM0121
Software Management
application did not verify
the Flash inputs as there
was no Flash information.
The image distribution will
proceed based on the
unverified inputs.
not be accurate.
Generally the Flash details

are present in the Inventory.
You can check the Detailed
Device Report to see the
Flash details.
If there are no Flash details
for this device, Software
Management will allow the
user to schedule a distribution
job without verifying the
Flash details.
Advanced Distribution Flow: Schedule the distribution job for a future date
when the device is deployed.
Either:
unsupported device will be available and
yet deployed in the
installed in the LMS server.
network (pre-provisioned
device)
Or

LMS.
The selected device does not

have any Flash related
information.
None.
Generally the Flash details

are present in the Inventory.
You can check the Detailed
Device Report to see the
Flash details.
If there are no Flash details
for this device, Software
Management allows a user to
schedule a distribution job
without verifying the Flash
details.

OL-25941-01
C-51
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM0122
Software Management
image information
available.
Either:
Schedule the distribution job for a future date

Update your inventory and

retry the task. If you do not
want to update the
inventory, you can
continue with the task by
clicking Next.

yet deployed in the
network (pre-provisioned unsupported device will be available and
device)
Or

LMS.

not be accurate.
SWIM0123
Software Management
image information.
Advanced Distribution Flow:

The selected device is not yet
deployed in the network
(pre-provisioned device) or it
is not supported by LMS.
Schedule the distribution job for a future date

None.
Please contact Cisco TAC with the UI log

available under:

unsupported device will be available and
Update your inventory and

retry the task. The image
distribution will proceed
based on the unverified
inputs. However, the
results may not be
accurate.
SWIM0125
An unexpected error has

occurred. Contact Cisco
support and attach the
swim_debug.log file.
Windows:
CSCOpx\logs\swim_debug.log
Solaris and Soft Appliance:

/var/adm/CSCOpx/log/swim_debug.log
SWIM0126
An unexpected error has

occurred. Contact Cisco
support and attach the
swim_debug.log file.
None.

available under:
Windows:

C-52
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM0138
Cannot connect to the Job

Manager. Check whether
the jrm process is running
properly.
None
To check whether jrm is running, run

command:
pdshow jrm
If jrm is down, restart Cisco Prime.
If it is not running, restart it

and try scheduling the job
again.
SWIM0139
Running image
information is not
available in Inventory for
Remote-Stage device
Devicename.
Perform Update Inventory
and check whether the
required Flash data appears
in the Detailed Device
report.
Either:
The Inventory is not

updated
This higher image populates the Detailed

Device report with the required Flash data.
Or
If data is not available from the device (due to

bug in the image), upgrade the device with the
higher version image.
The image device

running on the device is
not populating the
required Flash MIB
information.
If it appears, retry the job;

else, the data is not yet
available from the device.
SWIM0141
There is not enough free

space on the repository to
store the selected files.
Disk space is not sufficient on Free up some disk space and retry the job.
the server.
Please free up some disk

space and retry the job.
SWIM0142
RepositoryException
while checking for disk
space.
Disk space is not sufficient on Free up some disk space and retry the job.
the server.
SWIM0146
Could not get active image A distribution job scheduled Ensure that the device is deployed or the
device package for this device is installed
using Advanced flow for
information.
pre-provisioned devices has before a distribution job is run on this device.
Either the device is not
failed and you have tried a
reachable or the
Retry task on this job.
sysconfigName OID
information is not provided The pre-provisioned devices
does not have running images
by the device.
and so this error message is
displayed.
SWIM1001
The input parameters to the You may have used incorrect Check the application log file for more
details.
Image Distribution/Image Device Data for this task.
Import/Image Activate are
invalid.
SWIM1002
An error occurred in
staging Image Image
Name.
Retry the Image Upgrade option.

There may not be correct
permissions for the image in
the software repository or for
the directories required for
staging.

OL-25941-01
C-53
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1003
SNMP Agent does not

support the required
instrumentation to get
information about the
Flash File system.
The SNMP Agent on the

Check for any known bugs related to these
device does not support
MIBs for the image version running on the
CISCO-FLASH-MIB/OLD-C device.
ISCO-FLASH-MIB.
SWIM1004
Cannot get details about

the Flash File system on
the device.
There may be a faulty

implementation of the MIB
on the device.
Check the Bug Toolkit application for any

known issues on the running image version.
SWIM1005
Flash Device or Partition

does not exist on the
device.
Either the Inventory data on

the device is stale, or the
selected Flash Device or
Partition is invalid.
Trigger inventory collection on the device.
SWIM1006
Flash Partition does not

exist on the device.
Either the Inventory data on

the device is stale, or the
selected Flash Partition is
invalid.
Update the inventory collection on the device.
SWIM1007
None.
You have specified the
storage location on the
device in an invalid format.
Enter a valid format.

For example:
moduleNumber\flashPartitionName:partition
Number:filename
In case of Andiamo devices:
flashDeviceName://flashPartitionName/filen
ame
SWIM1008
You have specified an

invalid format for the
destination storage
location.
None.
Enter a valid format.

For example:
moduleNumber\]flashPartitionName:partiti
onNumber:filename
In case of Andiamo devices:
flashDeviceName://flashPartitionName/file
name
SWIM1009
Inventory reported enough The inventory data may be

stale.
space on Flash partition,
but the distribution task
found that the space is
insufficient and requires
erasure.
Update the inventory for the device and retry

the job.
The distribution task is

being terminated.
SWIM1010
The size of the partition

None.
selected to copy the image,
is less than the image size.
Select another partition to copy the image.
C-54
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1011
Destination file size on

storage location and the
source file size are
different.
This may be because of a

network problem or a bug on known issues on the running image version. If
the device.
there are no issues, retry the task.
SWIM1012
The file copied on the

destination storage
location is invalid.
The File Copy may have

failed because of temporary
network errors.
Retry the File Copy option.
SWIM1013
You have specified an

invalid Job directory.
The destination directory that

has been specified to copy the
configuration file from the
device is invalid.
Check whether the destination directory

exists. If the directory exists, check whether
there are write permissions.
Also check whether there is enough disk
space.
SWIM1014
Cannot generate
configuration changes for
Remote Stage option.
None.
Check for file permissions on the Job

directory.
SWIM1015
Cannot generate
configuration changes for
activating the device.
None.
Check for file permissions on the Job

directory.
SWIM1016
Cannot load new

configuration to Remote
Stage Device.
None.

known issues on the running image version. If
SWIM1017
Cannot fetch configuration None.

file from the device.

SWIM1018
Cannot upload new

None.
configuration to the device
during image activation.

SWIM1019
Cannot reload the device. The image upgraded on the

device has some issues.
Device is not responding
after the Reload command.

known issues on the upgraded image version.
Manually restore the device through the
console.
SWIM1020
The device is not running

the new image.
This may be because the new Check the Bug Toolkit application for any
image is invalid or corrupted known issues on the upgraded image version.
and the device has booted
from another image.
SWIM1021
Cannot get the IP Address

of the server.
The DNS resolution of the

Enable DNS resolution.
LMS server may have failed.
SWIM1023
Distribution task is not

supported for this device.
The device packages that are

installed may not be the
correct package.
Check whether the correct device packages

are installed on the server.
SWIM1024
Either the file already

exists in the directory or
the system cannot create
this file.
Check whether another file

with the same name already
exists in the directory, or
check whether there is
enough disk space.
Create disk space and retry the task.

OL-25941-01
C-55
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1025
The Configuration
The Configuration Register is Change the Configuration Register on the
Register on the device does not set to value 0x2102.
device and retry the job.
not allow you to boot the
image from Flash.
SWIM1026
Cannot create a file and

store the modified
configuration.
There may not be sufficient

permissions for the
application to create the file,
or there may not be enough
disk space.
None.
SWIM1027
Error while fetching

inventory information.
The data required for the

selected task is either
incomplete or missing in
Inventory.
Check whether the Inventory data exists for

the device in the Inventory Detailed Device
Report.
If there is no inventory data for the device,
schedule an Inventory Collection job and
retry the task.
Either there was no inventory Update inventory for the device and retry the
task.
collection for the device or
the device is not responding.
SWIM1029
Cannot get the required

inventory information for
the device.
SWIM1030
This is a Run From Flash Either the inventory has not Update the inventory and retry the task.
been updated or the Flash file
(RFF) device, but the
application cannot find the is deleted from the Flash.
running image on the
Flash.
SWIM1031
No Candidate Images
found for the running
software.
Either:
Cisco.com is not
included in the admin
preferences
Check Admin preference or add images to

software repository.
Or
SWIM1032
Images obtained for

Recommendation do not
meet the hardware and
software requirements of
the selected device.
There are no applicable

images in the software
repository or Cisco.com
Either:
The Candidate Images

were filtered based on the
selected Admin
Preferences
Check the Admin Preference or add more

images to software repository and retry
thejob.
Or
They did not meet the

Flash/RAM/BootROM
needed to run on the
device.
C-56
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1033
Cannot find the Best-fit

image for the device by
applying compatibility
checks.
Either:

images to software repository and retry the
job.
The Candidate Images

were filtered based on the
selected Admin
Preferences
Or
SWIM1034
No applicable images
found for the device from
the configured image
sources.
They did not meet the

Flash/RAM/BootROM
needed to run on the
device.
Either:
Cisco.com is not
included in the admin
preferences

images to software repository and retry the
job.
Or
SWIM1035
Error while performing

Recommendation option.
There are no applicable

images in the software
repository or Cisco.com
None.
Runtime error encountered

while filtering images
caused by a problem with a
running image on the
device.
Retry the job. If the problem persists, send the

debug logs to Cisco Technical Assistance
Center (TAC).
The debug logs are available at this location:
On Windows:
SWIM1036
Runtime error while

performing
Recommendation.
None.
Retry the job.If the problem persists, send the

Center (TAC).
On Windows:
SWIM1037
Error while fetching Flash

Partition information.
Either:
The Flash information

cannot be got from
Inventory
Update the inventory and retry the task. If the

problem persists, check the Bug Toolkit
application for any known issues on the
running image version.
Or
There is a problem with

the running image on the
device.

OL-25941-01
C-57
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1038
No Read-Write Partition
found on the device.
None.
Install a Flash device with a read-write

partition and update the inventory.
SWIM1039
No Storage
Recommendation is made
for the device.
The selected device may not

have sufficient free size
partition to copy the image.
Check whether the selected device has the

sufficient free size partition to copy the
image.
SWIM1040
Cannot get the Flash

Either:
information for the device.
The Flash information
cannot be got from
Inventory
Or
Perform Inventory Collection and check

whether the Flash information appears in the
Detailed Device report.
If so, retry the job. Else, data is not available
from the device.
There is a problem with

the running image on the
device.
Make sure that the appropriate SSH/Telnet
passwords are configured correctly in Device
and Credential Repository.
SWIM1041
This device upgrade

requires opening an
SSH/Telnet connection to
the device.
Enable password is not

configured correctly in
Device and Credential
Repository.
SWIM1042
The amount of Bootflash

on the device may not be
enough to run the selected
image.
The amount of Bootflash on Specify the Bootflash size for the image by
the device may not be enough editing the attributes of the image stored in
to run the selected image.
the software repository, increase the
Bootflash size for the device, or select a
different image for upgrading.
SWIM1043
Runtime error while

performing Bootloader
image verification.
Selected image version may Retry the job. If the problem persists, send the
not be in the standard version debug logs to Cisco Technical Assistance
format.
Center (TAC).
On Windows:
SWIM1044
Select a different Bootloader image if

Bootflash partition will be Selected Bootloader image
erased before copying new does not fit in available space available.
image.
on Bootflash.
SWIM1046
Selected software does not Selected software image does Select a different Flash partition for
fit in selected Flash
not fit in the available space upgrading.
partition.
on Bootflash.
SWIM1047
Minimum software version None.

required for MICA image
upgrade is not known.
Select the image in the software repository

and update the minimum system software
version using View/Edit Image Attributes
option.
C-58
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1048
The system software that is

active on the device,
cannot run the selected
image.
The system software that is

active on the device, is not
compatible with the selected
image.
Select a different image that can be upgraded

with the current system software or upgrade
the system software to Software Version.
SWIM1049
The selected image

None.
requires Flash to be erased
during image upgrade.
SWIM1050
Read-Write SNMP
community string is not in
the Device and Credential
Repository.
The Read-Write SNMP

community string is not
available in the Device and
Add Read-Write community string for the

device in the credentials repository.
SWIM1051
Credential information
cannot be obtained for the
device.
Either:
None.
Check whether you have performed the

necessary backup.
The device is not

managed in the LMS
server
Or
The device credentials

are not correct or the
device access privileges
are insufficient.
SWIM1052
Enable password is not

configured for the device.
Configure the Enable password in the

For Run For Flash (RFF)
partition software upgrades, credentials repository.
the Enable password must be
configured.
SWIM1053
Selected MICA Image is

the same as the running
image on the device.
The software version of the

image is the latest on the
device.
None.
SWIM1054
Error while checking the

Telnet credential of the
device.
None.
Make sure that the Telnet credentials for the

device are correct.
SWIM1055
Selected Flash partition is

ReadOnly.
Check whether the Read-Write partition

Either the Flash partition is
exists. Set the Flash partition to be
not write-enabled or the
Read-Write partition does not write-enabled.
exist.
SWIM1056
The method to update the None.

software on the selected
storage device is unknown.
Select a different Flash partition, if available.
SWIM1057
The device will be put into None.

Rxboot mode for the image
upgrade.
Select a different Flash device for the system

software, if available.

OL-25941-01
C-59
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
SWIM1058
None.
The selected software
version has some known
problems in the Flash MIB
options which will make
this application unable to
perform software upgrades
on the device.
SWIM1059
Ensure Dial Shelf runs a

compatible software image
with the newly loaded
Router Shelf software
image.
The Router shelf software

image is not compatible with
the Dial Shelf software
image.
SWIM1060
Cannot obtain the file size

of the selected image.
The selected image may have Select another image for upgrading.
been removed from
Cisco.com.
SWIM1061
Image available at
Cisco.com is selected for
upgrade.
None.
Verify that connectivity to Cisco.com is

available when the job is scheduled to run or
select another image from the software
repository.
None.
Verify that this is the image you want to

upgrade for the device. If so, no action is
required. If this is not the image you want,
select a different image.
This image will be

imported from Cisco.com
when the job is run.
Possible Action
Upgrade the device manually or select a later
software version, if available.
See the Release Notes for the Router Shelf

software image to make sure the current Dial
Shelf software is compatible.
If not, upgrade the Dial Shelf software.
SWIM1062
Selected image is already

running on the device.
SWIM1063
RAM available on the device

Minimum RAM
requirement of the selected may not be enough to activate
this image.
image cannot be
determined.
SWIM1064
RAM available on the

device may not be large
enough to activate the
selected image.
RAM available on the device Select another image or upgrade the RAM on
may not be large enough to
the device and retry Upgrade.
activate the selected image.
SWIM1065
RAM available on the

device may not be enough
to activate the selected
image.
RAM available on the device Specify the RAM size for the image by
may not be large enough to
editing the attributes of the image stored in
activate the selected image.
the software repository, increase the RAM
size for the device, or select a different image
for upgrading.
SWIM1067
Runtime error while

performing verification of
the selected image.
None.
Update the minimum RAM value using

View/Edit Image attributes or make sure that
the device has enough RAM to activate the
selected image or select a different image.
Select another image for upgrading. If the

problem persists, send the debug logs to
Cisco Technical Assistance Center (TAC).
On Windows:
C-60
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
SWIM1063
Minimum RAM
RAM available on the device
requirement of the selected may not be enough to activate
image cannot be
the selected image.
determined.
SWIM1068
Selected image does not

have the minimum system
software version required
for the upgrade.
Selected image does not have Select another image with a version higher
the minimum system software than 11.0.
version required for the
upgrade.
SWIM1069
Feature subset of the

running image cannot be
determined. Select a
different image.
This is a wrong message

caused by a bug. The correct
message is:

running image cannot be
determined. Select a
different image.
This is a wrong message

caused by a bug. The correct
message is:
System software analysis

failed.
Some unknown error has

occurred during image
analysis.
SWIM1070
SWIM1071
Probable Cause
Possible Action
Update the minimum RAM value using
View/Edit Image attributes or make sure that
the device has enough RAM to activate the
selected image or select a different image.
None.

selected image is a subset
or equal to running
software feature set.
None.

selected image is a subset
or equal to running
software feature set.

available under:
Windows:
SWIM1072
Boot loader analysis failed. Some unknown error has

occured during analysis of the available under:
image.
Windows:
SWIM1074
The selected image does

not have any requirement
to be analyzed.
None.
None.
The image can be used to

upgrade the device.
SWIM1075
Cannot find an image that None.

is newer and can fit on the
Bootflash.
Add Bootloader images, to the Software

Repository, with version greater than the
running image version and that can fit into the
Bootflash. Then retry the job.

OL-25941-01
C-61
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1076
Cannot find a Read-Write

Boot partition on the
device.
Read-Write Boot partition is

not available on the device.
Insert a read-write Bootflash on the device

and update the inventory.
SWIM1077
Cannot find a Bootflash

Bootflash partition is not
partition for the Bootloader available for the Bootloader
image.
image.
Insert a read-write Bootflash on the device

and update the inventory.
SWIM1078
System and Bootloader

System and Bootloader
images are getting upgraded
images are getting
upgraded to the same Flash to the same Flash partition.
partition.
Select individual partitions for both, if

available.
SWIM1079
Image version cannot be

compared.
SWIM1080
Read-Write partition exists You may have selected Read Select the Read-Write partition for upgrading.
but you have selected the only partition instead of Read
ReadOnly partition.
- Write partition.
SWIM1081
Wrong image selected for

You have selected the
Compressed System Image Upgrade.
for Run From Flash (RFF)
Upgrade.
Select the correct image.
SWIM1082
Runtime error while

Either a wrong modem image
comparing Modem Image. is selected for comparison or
the modem image formats or
not compatible.
Select a different Modem Image for

upgrading.
The image formats of both the Check the format of the version. Select a
images may not be
different image for upgrading.
compatible for comparison.
If the problem persists, send the debug logs to

On Windows:
SWIM1083
Cannot find an image that

is newer and fits in the
Flash.
None.
Add another image into software repository

and retry the task.
SWIM1084
Cannot find a Minimum

Flash Requirement for the
device.
The Flash space available on

the device may not be
sufficient for the selected
image.
Check whether the image fits on the device.
SWIM1085
The MinFlash Attribute is

unknown for the selected
image.
The selected image does not

fit on the selected partition.
Check whether the image fits on the selected

partition or select a different image.
SWIM1086
Device not supported.
The required device packages Check whether the appropriate device

may not be installed on the
packages are installed correctly on the server.
server.
C-62
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1087
Cannot get the device

representation.
The required device packages Check whether the appropriate device

may not be installed on the
packages are installed correctly on the server.
server.
SWIM1088
Runtime error occurred

while creating the device
upgrade data.
None.

Center (TAC).
On Windows:
SWIM1091
Minimum BootROM
version of the selected
image is not available in
the software repository, or
on Cisco.com.
The minimum BootROM

value is not updated in
View/Edit Image attributes
for the selected image in
software repository.
Update the minimum BootROM value using

View/Edit Image attributes of the selected
image in the software repository.
SWIM1092

for system upgrade.
None.
Select an image that has a higher version than

the minimum supported version.
SWIM1093
Cannot get Chassis

Information from the
inventory.
Check whether the Inventory If there is no inventory data for the device,
schedule an Inventory Collection job and
data exists for the device in
retry the task.
the Inventory Detailed
Device Report.
SWIM1094
SNMP-V3 parameters not

in the Device and
This could have been caused

by any of the following:
See the documentation for the Compatibility

Matrix for Cisco IOS software.
Check whether the SNMP-V3 password,

SNMP-V3 algorithm, and SNMP-V3 engine
ID is configured in the Device and Credential
The SNMP-V3 password
Repository.
is wrongly configured
The SNMP-V3 algorithm

is wrongly configured
The SNMP-V3 engine ID

is not configured in the
Repository.
SWIM1095
Error while checking the

The SNMP-V3 credentials in Update the SNMP-V3 credentials in the
SNMP-V3 user name in the the Device and Credential
Device and Credential Repository and retry
device context.
Repository is not up to date. the task.
SWIM1096
Selected image is not

applicable to this module.
SWIM1097
Check whether the higher version is available

Selected Bootloader image The Bootloader image
is a lower version than the version running on the device for upgrading.
version of the Bootloader is the latest.
running on the device.
The selected image is not

applicable to this module.
Use the Cisco.com Upgrade Analysis feature

to find an appropriate image.

OL-25941-01
C-63
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1098
The selected image is

lower than the running
The image version running on Select a higher image for device software
the device is the latest.
upgrade.
SWIM1099
Image Upgrade procedure

may revert to the
SSH/Telnet-based
approach, based on the
MIB instrumentation on
the running image.
The SSH/Telnet passwords

may not be configured in the
Repository.
SWIM1100
Cannot find SNMP-V2

Read-Write Community
String in the Device and
Check whether the SNMP-V2 credentials are

The SNMP-V2 credentials
configured correctly in the Device and
may not be correctly
configured in the Device and Credential Repository.
SWIM1101
This Device Upgrade

requires opening an
the device.
Enable password for the

device is not configured in
Repository.
Make sure that appropriate SSH/Telnet

passwords are configured correctly in the
SWIM1102
This Device Upgrade

requires opening a
the device.
There was an error while

checking the credentials of
the device.

SWIM1103
Selected image may not be Image belongs to the same

compatible to the device.
device family as the running
However, it is identified as
non-compatible.
SWIM1104
The total space on the

selected partition is not
enough to upgrade all of
the selected modules.
Multiple modules may be

Select individual partitions for the selected
selected for upgrading on the modules, or deselect some modules.
same partition.
SWIM1105
Image status for the

selected image cannot be
determined.
The selected image might be

in the Deferred status.
SWIM1106
Image selected for upgrade None.

is compressed in .tar
format. Flash will be
overwritten while
upgrading the image.
SWIM1107
This option requires

devicename data in the
inventory.

passwords are configured in the Device and
Check the Cisco.com documentation whether

any caveats are identified for the selected
image.
Ensure that the image is not in the Deferred

status. See the relevant documentation on
Cisco.com before upgrading the images.
Ensure that necessary backup jobs are
completed before upgrading.
The required device

Perform Update Inventory and check whether
information is not available in the required data appears in the Detailed
the inventory.
Device Report.
If so, retry the job. Else the data is not
retrieved from the device.
C-64
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
SWIM1109
Image status for the

Image status for the selected
selected image is either
image is either Deferred or
Deferred or Not Supported. Not Supported.
Ensure that the image is supported by

Software Management application.
SWIM1110
.bin images are not

supported for Stack
Upgrade.
Select a tar image for Stack Upgrade.
SWIM1111
The available free space is Insufficient space for image

not enough for upgrading upgrade.
this type of image.
SWIM1112
This module can be

upgraded if managed
independently.
SWIM1113
Device Reboot failed or

The device is not running the Verify the configuration used to load the new
Reboot Verification failed. new image after it is
image.
rebooted.
Verify whether the new image exists on the
device in a valid Flash partition.
SWIM1114
Either:
The device cannot be
reached after the reboot.
An invalid image has
Number of attempts to
been loaded onto the
verify the device status has
device
exceeded the maximum
Or
retry count.
The .bin image has been

selected for Stack Upgrade.
Possible Action
Check the documentation on Cisco.com

before upgrading the image.
Select a different image or free up some

space. Update the inventory and retry the job.
This module can be upgraded Assign an independent IP Address to this

only if it is managed as a
module. Manage it as a separate device and
separate device.
select that device to upgrade this module.
Use the device console to determine if the

device has reloaded with the desired image.
There are network

connectivity problems.
SWIM1115
Device is booted from

TFTP server.
The backup running image is None.

not supported.
SWIM1116
Read-Write SNMP
community string cannot
be fetched from the Device
Context.
The Read-Write community

string is not available in the
Repository for this device.
Add the Read-Write community string to the

SWIM1117

incompatible and cannot
incompatible and cannot run
run on the selected device. on the selected device.
Use the Cisco.com Upgrade Analysis feature

to find an appropriate image.
SWIM1118
Selected image has a lower The selected image has a

Verify whether the correct image is running
version than the version of lower version than the
on the device. If so, no action is required. If
the running image.
version of the running image. not, select a different image.
SWIM1119
Telnet credentials are not

present for this device.
There was an error while
checking the credentials of
the device.
The SSH/Telnet passwords

are not configured correctly
in the Device and Credential
Repository.
Ensure that appropriate SSH/Telnet


OL-25941-01
C-65
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1120
Cannot obtain the

Either:
Manually enter the device type information in
sysObjectID of the device.
the Device and Credential Repository.
The device did not
respond when you added
it to LMS
Or
SWIM1122
Runtime error found

during verification.
The device cannot be

added correctly.
None.

Center (TAC).
On Windows:
SWIM1123
Telnet username not

present for this device.
Either:
The Primary Credentials

is not configured
Check whether the primary username is

configured for the selected device, in Device
and Credential Repository.
Or
It not configured
properly for the selected
device in the Device and
SWIM1124
Cannot copy the image

from Flash with return
code of Code.
None.
Retry the job. If the problem persists, check

the Bug Toolkit application for any known
issues on the running image version.
SWIM1125
Cannot copy the image

from Flash with return
code of Code.
None.

the Bug Toolkit application for any known
issues on the running image version.
SWIM1126
Image copy to module

failed with return code of
Code.
None.

Center (TAC)
On Windows:
NMSROOT\files\rme\jobs\swim\JobID
/var/adm/CSCOpx/files/rme/jobs/swim/JobI
D
SWIM1127
Cannot connect to device

through SSH/Telnet
because of Device.
Check whether the SSH/Telnet credentials are

The SSH/Telnet credentials
correctly configured in the Device and
configured in the Device and Credential Repository.
C-66
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
SWIM1128
Cannot disconnect from

device because of Device.
the SSH/Telnet credentials

Check whether the device is configured
correctly.
configured in the Device and
SWIM1139
Select any available Boot

flash partition, for bootldr
upgrade.
This happens when the user

has selected a Bootloader
image for Distribution and a
storage location other than
Bootflash.
We recommend that you

use boot flash for bootldr
upgrade.
SWIM1150
Either:
Could not get Command
Service instance for device
The device login
DeviceName because of
credentials in DCR are
CmdSvc Exception.
wrong or empty.
Possible Action
Select any available boot flash partition for

bootldr upgrade.
Check whether the Login credentials in DCR

and Login credentials specified during job
scheduling are correct.
Or
SWIM1151
Could not connect to the

device DeviceName
because of
CmdSvcException.
The SSH option is

selected in the Swim
Admin pane and the
target device does not
support SSH.
Either:
The device login

credentials in DCR are
wrong or empty.
Check whether the Login credentials in DCR

and Login credentials specified during job
scheduling are correct.
Or
SWIM1161
RXBOOT credentials are

not configured for the
device. If TACACS is used
by the device, configure
RXBOOT Mode
credentials in the
credentials repository.
The SSH option is

selected in the Swim
Admin pane and the
target device does not
support SSH.
RXBOOT credentials are not If TACACS is used by the device, configure

configured for the device in RXBOOT Mode credentials in the Device
credentials repository.
Device Credentials
Repository (DCR).
This will be used for Run

From Flash (RFF) devices
when connecting in RX boot
This will be used to contact mode.
the device in RXBOOT
Mode (if configured) for
Run From Flash (RFF)
devices.

OL-25941-01
C-67
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1162
Error when recommending Swim recommends the image

image for the device.
based on device ROM, RAM
and Flash which it collects
from LMS Inventory module.

to ensure that Inventory data exists for the
device (like Flash Partition size).
Image Import from Device None.

failed because of some
unexpected error.
Please contact Cisco TAC with the Job logs

available under:
If not, check the device for a faulty hardware

If the device is having a faulty or a bug in device software.
hardware (FLASH) then this
will not be available in
inventory.
SWIM1163
Windows:
NMSROOT\files\rme\jobs\swim\
jobID
/var/adm/CSCOpx/files/rme/jobs/swim/jobI
D
SWIM1164
Image Distribute to Device None.

failed because of some
unexpected error.
Please contact Cisco TAC with the Job logs

available under:
Windows:
NMSROOT\files\rme\jobs\swim\
jobID
/var/adm/CSCOpx/files/rme/jobs/swim/jobI
D
SWIM129
Selected image does not fit

on the free Flash size on
the device. Selected
storage partition will be
erased during the
distribution.
Either:
The boot loader image is
selected for upgrade (and no
system software image is
selected along with it)
or
Since the system software is not selected for

upgrade, ensure that running system software
is not in the selected storage partition.
Back up the running system software and
ensure that the device boots from the backed
up image in case the job fails.
The storage location is not

erased for the boot loader
image to be copied.
SWIM1501
Supervisor cannot be
downgraded to an image
version less than 4.1(1).
This happens when you try to If you continue to downgrade, the device may
distribute a CATOS image
lose its configuration.
lesser than 4.1(1).
Use a higher version.
SWIM1506
Cannot move file from

Location 1 to Location 2.
There may not be sufficient

permissions for the
application to move or copy
the file, or there may not be
enough disk space.
None.
C-68
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1507
Cannot back up the

running image.
Either the file name or the

storage partition name
specified for backup is
invalid.
You can stop the job, manually back up the

running image, and retry the job.
SWIM1508
Cannot copy image

Imagename to storage
partition Partitionname .

Either the filename or the
storage destination is invalid the Bug Toolkit application for any known
or the device does not provide issues on the running image version.
the required MIB
instrumentation for copying
an image.
SWIM1510
Runtime error while

performing Reload on a
device.
None.

Center (TAC).
On Windows:
D
SWIM1518
Runtime error during

configuration upload.
None.

there are no issues, retry the job.
On Windows:
D
SWIM1525
Unknown package type.
None.
Check whether the module is supported in the

Software Management Function and Device
Support Matrix on Cisco.com.
SWIM1529
There is no module
information available in
the inventory for
devicename.
There is no module
information available in the
inventory for devicename.
Update the inventory and retry the task.
SWIM1530
Storage not applicable for

the module modulename.
This module does not support None.

storage.
SWIM1532
No read-write partition
exists on the device to
accommodate the selected
image.
None
Create some free space.

OL-25941-01
C-69
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM1542
Minimum supported
version for Supervisor is
3.8.
None.
Select a higher version of the image to

upgrade.
SWIM1543
Selected image has the

same or a lower version
than the version of the
running image.
The selected image has the

same or a lower version than
the version of the running
image.
Verify whether the correct image is running

on the device. If so, no action is required. If
not, select a different image.
SWIM1546
The NVRAM size on the

enough to run the image.
The NVRAM size on the

enough to run the image.
Select a different image or upgrade the

NVRAM on the device and retry the Upgrade
option.
SWIM1547
Available NVRAM size on RAM size on this module

the selected image cannot may not be large enough to
be determined.
store this image.
Make sure the module has enough NVRAM

to run the selected image. Else, select a
different image or upgrade the RAM on the
module.
SWIM1548
There are no software

None.
requirements found for the
selected image.
Select a different image.
SWIM1549
Verify that the new

software selected is
compatible.
SWIM1554
The selected image cannot The device does not have any Select a different image.
module that can run the
be used to upgrade the
device.
selected image.
SWIM1556
Select the Storage

partition.
SWIM1560
Slot number corresponding None.

to the module cannot be
got from inventory.
SWIM2001
Telnet error while

connecting to the device.
Cannot connect to device
%s.
Software Management cannot Check the Release Notes for the new software
determine the features in the to determine if all the features in the old
software are available in the new software.
ATM software.
None.
None.
Update Inventory and retry the task.
Invalid access information in Verify the username and the passwords in

the inventory.
Device and Credential Repository and retry
the task.
Either the Flash device is not None.
available or the Flash
information format has
changed.
SWIM2002

Flash File system on the
device.
SWIM2503
Different images have been None.

selected for upgrade of the
Active and Stand-by
processors.
Select the same image for upgrade of Active

and Stand-by CPUs.
This may make the device

unavailable.
SWIM3501
Cannot fetch device

The credentials may not be
credentials for the selected configured correctly in
device.
Repository.
Check whether there are credentials are

configured correctly in Device and Credential
Repository.
C-70
OL-25941-01
Appendix C

Software Management
Message-ID
Error Message
Probable Cause
Possible Action
SWIM3502
Cannot fetch the

credentials of the parent
device, for the selected
device.
The NAM device Supervisor Add the Supervisor of the NAM device to the
is not recognized by the LMS LMS Inventory.
Inventory.
SWIM3503
Telnet credentials are not

present for the parent
device.
The Telnet credentials are not Check whether the Telnet credentials are
properly configured for the
configured for the parent device.
parent device.
SWIM3504
If Auto Logout is enabled None.

on the parent device, it may
get disconnected during
upgrade.
None.
Configure No Auto Logout

for the parent device.
SWIM3505
NAM images are large.
The disk space available is

insufficient.
Ensure that there is enough disk space

available in the
htdocs/swimtemp directory
under the Cisco Prime install directory.
SWIM3703

for system upgrade.
None.
Select a different Image with a version higher

than 11.3(0).
SWIM3705
This NRP2 is in
ROMMON state. Cannot
perform software upgrade
on this device.
The NRP2 device is not in

normal mode.
Manually bring the device into the normal

mode and retry the task.
SWIM5001
Cannot connect to the

device devicename using
protocol.
The device may not be

reachable or there is invalid
access information in the
Repository.
Verify whether the device is reachable and the

credentials in Device and Credential
Repository are correct and retry the job.
SWIM2002

Flash File system on the
device.
Either the Flash device is not Done.

available or the Flash
information format has
changed.
SWIM4602
Only image versions 6.2 or The image version in the

above are supported
device is less than 6.2.
through AUS.
Manually upgrade the device to a version

higher than 6.2.
SWIM4800
The version running on the None.

device is less than the
minimum supported
version.
Manually upgrade the device to the minimum

supported version or higher.
SWIM5003
Cannot copy the image.
Check whether the server address is correct

and whether the image is accessible to the
device.
Either the server address is

incorrect or the image is
inaccessible to the device.

OL-25941-01
C-71
Appendix C
Software Management
Message-ID
Error Message
Probable Cause
SWIM5004
Cannot initiate SNMPset

option.
The SNMP Write Community Check whether the correct SNMP Write
String might be wrong.
Community String is entered in Device and
SWIM5005
Device reboot option

failed.
The device is not configured

for reboot. The command,
Modify the device configuration and retry the

job.
snmp-server

system-shutdown,
should be
in the running configuration
on the device.
Possible Action

On Windows:
SWIM5006
SWIM5007
Device reboot option

failed.
CPU switchover failed.
The device is not configured

for reboot. The SNMP Write
Community string might be
wrong.
The command SNMP server system

shutdown should be in the running
configuration on the device.
Modify the device configuration and check
whether the Write Community string is
configured on the device is same as the one
that is entered in Device and Credential
Repository.
Either the SNMP set failed or Do any of the following:

the device is not in hot
Check the SNMP credentials in the
standby mode or the two
Device and Credential Repository
CPUs are not running similar
Ensure that the device is in hot standby
images.
mode,
SWIM5008
Device not responding

after running the switch
cpu command.
SWIM5009
Device is not in
The Standby CPU may be
HotStandby Mode. Switch down.
Operation terminated.
Ensure that the two CPUs are running

similar images, before attempting the
switchover.

known issues on the running image version.
Bring up the standby CPU and retry the job.
C-72
OL-25941-01
Appendix C

Job Approval
Job Approval
This section provides the troubleshooting information for the Job Approval application:
Message ID
Error Message
Probable Cause
Possible Action
JBAP0001
Cannot enable approval

for applications that do
not have an
Approver-List assigned
to them
You have attempted to enable

Approval without assigning a
list to the application.
Go to the Approval > AssignLists

screen and assign a list to the
application.
JBAP0002
Specify a valid E-mail

address.
You have entered an invalid

E-mail-address.
Enter a valid E-mail address
JBAP0003
Select at least one job.
You have attempted to perform

an action on a job without
selecting a job
Select a job before performing an action

on it.
JBAP0004
Select only one job.
You have attempted to view

JobDetails, with more than one
job selected
Select only one job.
JBAP0005
List {0} has no users.
This is not an error. This is an

Information message when you
adda list for the first time.
Add users before saving the list
To save the list

successfully, add users
and click Save
JBAP0006
{0} is not a valid

Approver.
Enter a user with
Approver role
Enable Approval again.
You have attempted to add a user You must first add the user as Approver
who has not been added as
into CMF. Only then can you add this
user into LMS.
Approver in CMF.
JBAP0007
Select an Approver, to
change E-mail.
You are trying to save without

selecting a user.
Go back and select a user.
JBAP0008
List {0} already exists.
You have attempted to add a list Add the list with a different list name.
that already exists.
JBAP0009
Could not
approve/reject the job
{0}.
Either approve/reject mails

Make sure mail server is configured
cannot be sent, or the database is properly and that the database is
not running.
running.
Verify that the database

and mail server are
running.
JBAP0010
Cannot reject a job

without comments.
You have attempted to reject a

job without giving reasons for
rejecting
JBAP0011
Select a future start date. You have selected a past date

while changing a job schedule
Select a future date.
JBAP0012
Job {0} is changed

successfully.
None.
Not an error message
Add comments if you want the job to be

rejected.

OL-25941-01
C-73
Appendix C
Job Approval
Message ID
Error Message
Probable Cause
Possible Action
JBAP0013
Are you sure you wish to Alert message before deleting None.
not an error message.
delete?
Approval will be
disabled for applications
to which {list-name} is
assigned.
JBAP0014
Enter a valid
Approver-List name.
You may have entered invalid

characters such as spaces in the
Approver name.
JBAP0015
{list-name} already
exists.
You have attempted to add a list Select a different name

name that already exist
JBAP0016
{user-name} already
exists.
You have attempted to add a user Add a new user name. This field is
name that already exists.
case-sensitive.
JBAP0017
Are you sure you wish to Warning message for deleting a

user.
delete?
This will disable
approval for
applications having
{user-name} as the sole
approver.
JBAP0018
Add a valid user-name
None.
If you have enabled Approval

for an application whose sole
approver is this user, it will be
disabled.
You have attempted an User not selected.

action without selecting
a user.
Select a user before performing the

action.
Select a user before

performing the action.
JBAP0019
You have attempted an List not selected.

action without selecting
a list. Select a list before
performing the action
Select a list before performing the action
JBAP0021
Cannot save a list that

has no approvers in it.
Add approvers before trying to save the

list.
JBAP0022
Cannot change schedule None.

for {0}. A runtime error
occurred when you tried
to change the schedule
of the job.
No approver available for the

selected list.
This exception will appear in the

MakerChecker.log in the following
location:
NMSROOT/log (On Solaris and Soft
Appliance)
where NMSROOT is the Cisco Prime
install directory. Contact Cisco
Technical Assistance Center (TAC) with
this log file.
JBAP0024
None.
Cannot send approval
E-mails. Make sure that
SMTP Server is
configured correctly.
Go to Admin > System > System

Preferences and configure SMTP
Server correctly.
C-74
OL-25941-01
Appendix C

cwcli config
cwcli config
This section provides the troubleshooting information for the cwcli config commands:
Message-ID
Error Message
Probable Cause
Possible Action
CCLI0001
Could not get any

devices to work on.
This problem occured because of Do any of the following, depending on what

any of the following:
caused the problem:
Specified devices is not

managed by LMS.
Specify valid devices that are managed

by LMS
You have not used the

correct Device Display name
Use a valid Device Display name.
DCR server is down
Use the pdshow command to verify

whether the DCR server is running.
CCLI0002
The job could not be

created since no device is any of the following:
caused the problem:
available.
You have entered invalid
Enter valid arguments.
arguments for the command.
Verify that the devices you have entered
are managed by LMS.
You have entered devices
that are not managed by
LMS.
whether the CTMJrm server and jrm are
running.
CTMJrmServer and jrm are
down.
The ConfigMgmtServer process should
be up for the configuration Download
ConfigMgmtServer process
and Fetch options.
is down.
CCLI0003
Could not get results for

devices within the
specified time interval
Less timeout is configured
Either:
Increase the timeout value using the

-timeout option.
Or
CCLI0004
CCLI0005
Could not retrieve the

Device Identification
number for the device.
There are no archived

configurations for this
device
Use Configuration Archive Job Browser

to see the results.

caused the problem:
Specified devices are not

managed by LMS.
Specify valid devices that are managed

by LMS.
You have not used the

correct Device Display name
Use a valid Device Display name.
DCR server is down

whether the DCR server is running.
Sync Archive has not happened

for the specified device.
Archive the configuration using the Sync

Archive feature.
For details on using the Synch Archive
feature, see the Online Help.

OL-25941-01
C-75
Appendix C
cwcli config
Message-ID
Error Message
Probable Cause
CCLI0006
Cannot create a
temporary file to store
the running
configuration.

caused the problem:
There is not enough space to

create a file in your file
system.
You do not have permissions

to create a file in the
specified location.
The specified version does not

exist in the archive.
Possible Action
Verify whether there is enough space to

create a file in your file system.
Verify whether you have permissions to

create a file in the specified location.
Verify whether the specified version exists in

the archive. Use the listversions
command to see the available versions.
CCLI0007
Cannot retrieve the

configuration file from
the archive.
CCLI0008
Could not create a

This problem occured because of Do either of the following, depending on
what caused the problem:
temporary file in DCMA any of the following:
temporary directory.
There is not enough space to
Verify whether there is enough space to
create a file in your file
create a file in your file system.
system.
Verify whether you have permissions to
create a file in the specified location.
You do not have permissions
to create a file in the
specified location.
CCLI0009
Cannot get running

configuration.
The archive does not contain any Verify whether the specified version exists in
versions for the device.
the archive. Use the listversions
command to see the available versions.
CCLI0010
Device has only one

version archived.
Synch Archive has not happened Archive the configuration using the Synch
for the specified device
Archive feature.
For details on using the Synch Archive
feature, see the Online Help.
CCLI0011
The specified version of

the configuration does
not exist.
You have entered an invalid

version of the configuration.
Use the listversions command to see the

available versions and enter an existing
version
CCLI0012
No baseline templates
exist for this device.
None.
Use the listversions command to see the

available baseline templates.
CCLI0013
Data file does not contain None

any device.
CCLI0014
The job could not be

created because of the
errors reported.
CCLI0015
Add the devices in the data file and try again
This problem occured because of Do either of the following, depending on

what caused the problem:
You have entered invalid

arguments.
Verify whether you have entered valid

arguments.
The data file is missing some

parameters.
Update the data file if there are missing

parameters.
You should not use the -f Multiple devices are specified for Use the -input option to specify the file for
option with more than
the command to be executed
every device
one device.
along with -f option
C-76
OL-25941-01
Appendix C

cwcli export
cwcli export
This section provides the FAQs for the cwcli export tool:
Q.What does cwcli export do?
Q.What is ComputerSystemPackage Class?
Q.Where does cwcli export collect the configuration information from?
Q.Is the containment hierarchy in inventory schema exactly the same as that in CIM?
Q.What is an XSD file?
Q.What is the AdditionalInformation tag in the inventory schema used for?
Q.How do I know what fields come under AdditionalInformation?
Q.Where can I find information specific to a particular node which I can see in detailed device
information but not in cwcli export.?
Q.How can I make use of the servlet interface?
Q.How can I get data for some particular entity from devices which are managed by different LMS
servers?
Q.While using the -m option, can I use more than one E-mail id?
Q.Where can I get the descriptions of each node in the schema?
Q.Why am I getting parse error when trying to parse some of the output files?
Q. What does cwcli export do?

A. cwcli export is a command line tool that also provides servlet access to export inventory,
configuration and change audit data. You can use this tool to export inventory, configuration
archive, and change audit data for devices in LMS, in the XML format.
You can use the cwcli export command to generate the Inventory and Configuration data in XML
format. In addition to this, you can also export Change Audit data.
See these topics in the Configuration Management Help:
Running cwcli export changeaudit for the usage and XML schema details.
Running cwcli export config for the usage and XML schema details.
Running cwcli export inventory Command for the usage and XML schema details.
Q. What is ComputerSystemPackage Class?
A. It is the class that contains the InstanceIDs of Cisco-Chassis and Cisco-NetworkElement, and relates
the two.
Q. Where does cwcli export collect the configuration information from?
A. cwcli export collects the running configuration data from the latest configuration in the Config
Archive.
Q. Is the containment hierarchy in inventory schema exactly the same as that in CIM?
A. No. Although the containment hierarchy in inventory schema is based on Common Information
Model (CIM), it does not follow the exact containment hierarchy because of the limitations in the
LMS database schema.

OL-25941-01
C-77
Appendix C
cwcli export
Q. What is an XSD file?

A. XSD file is an XML based alternative to Document Type Definition (DTD). It is based on XML
schema language which describes the structure of an XML document. An XML schema defines the
legal building blocks of an XML document, just like a DTD.
An XML Schema:
Defines elements that can appear in a document.
Defines attributes that can appear in a document.
Defines which elements are child elements.
Defines the order of child elements.
Defines the number of child elements.
Defines whether an element is empty or can include text.
Defines data types for elements and attributes.
Defines default and fixed values for elements and attributes.
Q. What is the AdditionalInformation tag in the inventory schema used for?

A. The AdditionalInformation tag is provided to define information that is specific to a device. The
inventory schema may not contain information for all the elements in all the devices supported by
cwcli export. The AdditionalInformation tag addresses scenarios where the inventory schema does
not have tags to define information that you want to collect for some of the elements in a particular
device.
Q. How do I know what fields come under AdditionalInformation?
A. For this information, see the topic, Additional Information Table, in the Configuration Management
Online Help.
Q. Where can I find information specific to a particular node which I can see in detailed device
information but not in cwcli export.?

A. For this information, see the topic, Additional Information Table, in the Configuration Management
Online Help.
Q. How can I make use of the servlet interface?
A. You must write customized scripts which could connect to the servlet. The arguments and options
have to be specified in XML format.

For more details, see the section, Using cwcli Commands in the Configuration Management Online
Help.
Q. How can I get data for some particular entity from devices which are managed by different LMS
servers?
A. You have to write a script to connect to different LMS servers and aggregate all data into a single
file. After you get the aggregated data, you can parse it and get the data for any required entity.
Q. While using the -m option, can I use more than one E-mail id?
A. No. You can use only one E-mail address at a time, when you use the -m option of the cwexport
command.
C-78
OL-25941-01
Appendix C

VRF Lite
Q. Where can I get the descriptions of each node in the schema?

A. You can find the descriptions in the Configuration Management Online help. See the topic
Overview: cwcli export and sub-topics.

Q. Why am I getting parse error when trying to parse some of the output files?
A. Some of the classes in IDU and Optical switches contains some special characters with ASCII code
larger than 160. Most of the XML parsers does not support these characters and hence fails to parse
these characters.
To overcome this, you have to manually search for those elements with special characters and
append CDATA as given in the example below:
If there is an element,
checksum o /checksum
you must change it to
checksum <![CDATA[o ]]> /checksum
VRF Lite
Q. What is VRF Lite ?
A. VRF Lite is an application that allows you to pre-provision, provision and monitor Virtual Routing
and Forwarding-Lite (VRF-Lite) technology on an enterprise network.

Q. What is Network Virtualization?
A. Virtualization deals with extending a traditional IP routing to a technology that helps companies
utilize network resources more effectively and efficiently. Using virtualization, a single physical
network can be logically segmented into many logical networks. The virtualization technology
supports multiple virtual routing instances of a routing table to exist within a single routing device
and work simultaneously.
Q. What is VRF-Lite ?
A. Virtual Routing and Forwarding - Lite (VRF - Lite) is the one of the simplest form of implementing
virtualization technology in an Enterprise network. A Virtual Routing and Forwarding is defined as

VPN routing/forwarding instance. A VRF consists of an IP Routing table, a derived forwarding
table, a set of interfaces that use the forwarding table and set of routing protocols that determine
what goes into the forwarding table.
Q. What are the pre-requisites to manage a device using VRF Lite?
A. The pre-requisites to manage a device in VRF Lite are:
1.
The device must be managed by LMS.
2.
The device must either be L2/L3 or L3 device
3.
The devices failing to satisfy pre-requisite # 1 or #2, are not displayed in VRF Lite.
The device must have the necessary hardware support. For more information on hardware support,
see http://www.cisco.com/en/US/products/sw/cscowork/ps563/
products_device_support_tables_list.html.
If the device hardware is not supported then the device will be classified as Other devices
4.
If a device does not support MPLS VPN MIB, it is classified as a capable device.

OL-25941-01
C-79
Appendix C
VRF Lite
5.
VTP Server must be support MPLS VPN MIB. If the VTP Server does not support MPLS VPN MIB,
LMS will not manage VTP Clients.
Q. The device must be managed by LMS to exercise all the functionality of VRF. The desired device
is not listed in the device selector for the VRF configuration workflows. What is the reason for a
device not listed in the device selector?
A. A device is not listed in the device selector due to the following reasons:
All VRF Lite Configuration workflows like Create, Edit, Extend, Delete VRF and Edge VLAN
Configuration.
A device will not be listed in the Device Selector, if a device does not satisfy the pre-requisites as
mentioned in the Pre-requisites.
If VRF Lite Configuration workflow is either Edit VRF, or Delete VRF or Edge VLAN
Configuration then a device will not be listed in the Device Selector, if a device is not participating
in the selected VRF.
In the Readiness Report, a device listed as a supported device may be because it is not managed by
LMS. You can check if a device is managed by LMS using the Device Management State Summary.
You can access the Summary by selecting Device Management option.
In Extend VRF workflow, the devices listed in the Device Selector are the devices that are not
participating in the selected VRF.
In Edge VLAN Configuration workflow, the devices listed in the Device Selector are only L2/L3
devices that are not participating in the selected VRF.
Q. What are the different categories in which the devices are managed by VRF Lite? Or what criteria
are used by VRF Lite to categorize the devices in the network?

A. VRF Lite identifies the devices based on the minimum hardware and software support required to
configure VRF on the devices.

Based on the available hardware and software support in the devices, VRF Lite classifies the devices
into following categories:
VRF Supported Devices Represents the devices with required hardware and software support
available to configure VRF on the devices.

VRF Capable Devices Represents the devices with required hardware support available. But
the device software must be upgraded to support MPLS VPN MIB. For information on the IOS
version that supports MPLS VPN MIB, refer http://tools.cisco.com/ITDIT/MIBS/MainServlet.
VRF Lite classifies all the devices from Cat 3k and Cat 4k family of devices as VRF Capable
devices as these devices do not have the required MPLS VPN MIB support.
Other Represents the devices without required hardware support to configure VRF. SysOID
of the device needs to be checked.
C-80
OL-25941-01
Appendix C

VRF Lite
Q. While performing the VRF Lite Configuration, VRF Lite application prompts the following
messages:
The device(s) with display name(s) are already locked as they are used by configuration
workflows. You cannot configure these devices. Wait for some time Or Ensure the devices are not
used by configuration workflows and free the devices from Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time Or Ensure the devices are not used by configuration workflows
and free the devices from Resource Browser.
The above messages appear even if no VRF Lite configuration is performed parallelly. Why do I get
these messages?
A. The VRF Lite application prompts with these messages when some other configurations are
performed simultaneously.
You can check the status of the configuration workflow using Resource Browser. The JOB Id/Owner
column will give the details of the workflows currently running in the application.
These messages also appear if any VRF Lite configuration workflow is abruptly ended or an error
has occurred while unlocking the device. You can release the locked devices only after ensuring that
no other configuration workflows are running simultaneously. You can release the locked device
using the Resource Browser option.
Note
If you unlock a device which is participating in a configuration workflow, the configurations details will
be overwritten or corrupted. By default, a lock will be released after two hours.
Q. Sometimes, while performing VRF Lite configuration, I get the following message:
The device(s) with display name(s) are already locked as they are used by configuration workflows.
You cannot configure these devices. Wait for some time Or Ensure the devices are not used by
configuration workflows and free the devices from CS > Admin > Resource Browser.
Or
Selected Device(s) are locked as they are used by configuration workflows. You cannot configure
these devices. Wait for some time OR Ensure the devices are not used by configuration workflows
and free the devices from Resource Browser.
Can I get the details of the user who has locked the devices to perform VRF Lite configuration?
A. You cannot get the details of user who has locked the devices to perform VRF Lite configurations.

OL-25941-01
C-81
Appendix C
VRF Lite
Q. In the Create, Edit, or Extend workflow, the application do not list the Routing Protocols used while
configuring VRF. The Routing Protocol information displayed is NA. What do I need to do to get
the routing protocol configurations details?
A. When the Routing Protocol information displayed is NA, it means that the configuration details are
not fetched successfully in LMS. You can schedule the Sync Archive job from Configuration >
Configuration Archive > Synchronization.
Q. What are the details of the VRF Lite log files? In which location are the VRF Lite log files located?
A. The following are the details of the VRF Lite log files:
1.
Vnmserver.log This log file logs the messages pertaining to the VNMServer process.
2.
Vnmcollector.log This log file logs the messages pertaining to the VRF collection.
3.
Vnmclient.log This log file logs the messages related to the User Interface.
4.
Vnmutils.log This log file logs the messages pertaining to the utility classes used by VRF
client and server.
The above-mentioned VRF Lite log files are located in the following location:
In Solaris and Soft Appliance : /var/adm/CSCOpx/log/
In Windows: NMSROOT\logs
Q. When is the VRF Collection process triggered?
A. Manually:
You can manually schedule to run the VRF Collection process by :

Providing the setting details using Admin > Collection Settings > VRF Lite.
Automatically:
If you enable the Run VRF Collector After Every Data Collection in the VRF Collector Schedule
page. The VRF Collection process will be automatically triggered after the completion of Data
Collection.
You can reach the VRF Collector Schedule page using Admin > Collection Settings > VRF Lite.
Q. After the completion of the Data collection process, the VRF Lite Collector failed to run, What is
the reason for failure?

A. Check if the Run VRF Collector After Every Data Collection option is enabled in the VRF
Collector Schedule page. You can reach the VRF Collector Schedule page from Admin > Collection
Settings > VRF Lite page.
C-82
OL-25941-01
Appendix C

VRF Lite
Q. What is the reason for VLANs not getting populated in the VLAN to VRF Mapping page in the
Create VRFand Extend VRFworkflows ?

A. The VLAN to VRF Mapping page lists the links connecting the source and the destination device.
The VLANs are not listed in fields displaying the links in the VLAN to VRF Mapping page because
VRF Lite tries to find a free VLAN in the devices connected using a link based on the following
procedure
1.
An SVI, VRF Lite searches for free VLANs in the range 1- 1005
2.
An SI, VRF Lite searches for free VLANs in the range 1006-4005
Q. Why do I see the VRF description for all VRF(s) in home page as Discovered by VRF Lite ?
A. While creating or extending VRF, the description that you have provided is deployed to the selected
devices on which VRF is configured. But, the description provided while configuring or extending,
is not read by the VRF Lite application. Instead, the VRF Lite application provides the default
description for all VRFs as Discovered by VRF Lite.
Q. Why some port-channels are are not discovered in LMS?
A. VRF Lite does not support port-channel and GRE Tunnel. Also, Currently VRF Lite supports only
802.1Q
Q. What is tested number of devices support in VRF Lite?
A. In an Enterprise network, VRF Lite is tested to support the configuration of 32 VRFs with VRF
configuration supported in 550 devices in your network. However, at a given time, you can select
up to 20 devices and configure VRF using the Create, Edit and Extend VRF workflow.
Q. What are the property files associated with VRF Lite?
A. The following property files are associated with VRF Lite:
1.
The property file used to provide the settings for Purge and Home page auto Refresh is:
NMSROOT/vnm/conf/VNMClient.properties (On Solaris and Soft Appliance)
NMSROOT\vnm\conf\VNMClient.properties (On Windows)
2.
The property file used to provide the SNMP and VNMServer settings is:
NMSROOT/vnm/conf/VNMServer.properties (On Solaris and Soft Appliance)
NMSROOT\vnm\conf\VNMServer.properties (On Windows)
3.
The property file that stores the SNMP Timeout and Retries that you have configured is:
NMSROOT/vnm/conf/VRFCollectorSnmp.conf (On Solaris and Soft Appliance)
NMSROOT\vnm\conf\VRFCollectorSnmp.conf (On Windows)

OL-25941-01
C-83
Appendix C
VRF Lite
Q. In the Interface to VRF Mapping page for the Create, Edit and Extend VRF workflow, why are
values for the IP Address and SubnetMask fields empty?

A. If the physical interface that links two devices is not configured with an IP Address, then the IP
Address and the SubnetMask fields are empty.

Q. What is protocol ordering for configuration workflows?
A. Configuration workflow uses the protocol ordering similar to ordering used by NetConfig.
Choose the NetConfig as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. What is protocol ordering for troubleshooting?
A. Troubleshooting VRF workflow uses the protocol ordering similar to ordering used by NetShow in
LMS.
Choose the NetShow as Application Name from using Admin > Collection Settings > Config >
Config Transport Settings page. You can view the protocol ordering in the Transport Settings page.
Q. If you configure commands to be deployed to two different devices, will the commands be deployed
parallelly or serially?
A. The commands will be deployed to multiple devices parallelly, where as a series of commands
with-in a single device, will be deployed in serial manner.

Q. Which VRF Lite configuration jobs that are failed can be retried?
A. You can retry all the VRF Lite Configuration jobs which are failed. VRF Lite Configuration jobs are
the jobs pertaining to Create, Edit, Extend, Delete VRF and Edge VLAN Configuration workflow.
Q. In the Troubleshooting VRF page, after selecting the source device, no VRFs are listed in the VRF
List to troubleshoot. Why?

A. Initially, check if a VRF is configured on the selected source device. The VRF list in the
Troubleshooting page enlists the VRF(s) configured in the selected source device as well as in the
Global Table, which refers to the global routing table.
Q. Which interfaces are displayed in the Troubleshooting VRF page
A. When a VRF is selected then all the interfaces that are configured with the selected VRF in the
corresponding device is listed.

If you select VRF as Global Table, then the application displays all the interfaces that are not
configured to any VRF
C-84
OL-25941-01
Appendix C

VRF Lite
Q. In some scenarios, the VRF configuration commands are pushed to unselected devices. What is the
reason?
A. In the following scenarios, the VRF configuration commands are pushed to unselected devices:
The VLANs are created in the VTPServer by default. In any VRF Lite Configuration workflow, if
you create a VLAN in VTP Client devices, then VRF Lite application finds the corresponding VTP
Server and create VLANs in that device.
In Delete VRF workflow, the virtualized interface in the connecting device will also be deleted, even
if the device is not selected.
Q. Why the FHRP and DHCP configurations are not shown in VRF Lite?
A. VRF Lite does not fetch the details for the FHRP or DHCP configuration from the device. Also,
VRF Lite wont put the list of vlan(s) allowed on a trunk

The Protocols and DHCP Server details for existing or newly created SVIs are not fetched from the
selected devices.

OL-25941-01
C-85
INDEX
non-compliance report, running
baseline configuration templates

access
7-37
7-11
creating
privileges for NetConfig jobs, assigning

Telnet and SSH, configuring
5-4
advanced
9-40
deleting
Adhoc task, in NetConfig
editing
7-16
7-11
7-9
about
5-40
exporting
7-10
using
5-34
importing
7-24
applications
Config Editor
8-1
NetConfig
6-1, 7-1
5-1
CA (Certification Authority) task in NetConfig
Software Management
9-1
Cable BPI/BPI+ task in NetConfig
Archive Management (part of Configuration Management)

archive status, checking
6-3
5-95
Cable DHCP-GiAddr and Helper task in NetConfig

Cable Downstream task in NetConfig
custom search queries
Cable Interface Bundling task in NetConfig
5-104
6-25
Cable Spectrum Management task in NetConfig
deleting
6-27
Cable Trap Source task in NetConfig
running
6-27
Cable Upstream task in NetConfig
6-26
5-97
5-98
creating
editing
5-46
5-104
5-106
5-100
Catalyst devices
search report, displaying
6-28
Authentication Proxy task in NetConfig

authorizing a distribution job, in Software
Management 9-51
1900/2820 device upgrade recommendations

5-41
upgrade recommendations, understanding
9-95
9-94
cautions regarding
NetConfigs Adhoc task
5-40
NetConfig commands in a user-defined template

CDP task in NetConfig
5-26
5-44
Change Audit, using

Banner task in NetConfig
5-43
troubleshooting
baseline configurations
Baseline Compliance report
Baseline Configs window
commands, deploying
7-27
7-5
7-28
compliance jobs, deleting
C-73
CIP microcode image types, and software image

upgrades 9-49
Cisco.com
adding images from
7-40
9-12
Software Management tasks, and
9-5

OL-25941-01
IN-1
Index
software repository, synchronizing with
9-23
opening
Cisco IOS device upgrade recommendations
9-93
removing
CiscoWorks Server, and Software Management

CLI utilities
cwcli
8-13
8-14
configuration restore operation

configuration tools
A-1
profiles and PTT

PTT
saving
9-4
8-26
commands
PTT features
to display changes
A-113
files, selecting
A-116
CLI utilities(see cwcli config)
8-40
8-33
work orders, reviewing
A-1
8-39
editor manager, working with
(see also cwcli config, using)
8-9
Config Editor, using jobs, in
A-1
command-line tool
credentials, modifying with
see cwcli netconfig command

managing policy profiles
opening a file
deleting policy profiles
duplicating policy profiles
4-9
running compliance check
4-10
viewing job history

Config CLI, troubleshooting
preferences, setting up
8-31
8-25
8-8
8-16
restore operation
7-28
8-32
search and replace in configuration files
C-75
Config Editor
tasks in
editor manager, working with

in processed mode
8-26
viewing a list of open files

printing a file
4-11
config_DeployBaselinTempUI
8-25
from an external location
4-10
8-12
8-26
by device and version
4-8
8-11
8-10
open files, viewing list of
4-8
adding policy profiles
processed mode
5-128
Compliance and Audit Manager
8-15
8-2
undoing all edits
8-15
Config Editor application
8-10
troubleshooting
Config Editor, using
C-11
8-3
changes in this release
archive searches
8-8
configuration files
editing
8-36
starting a job
command reference
6-24
configuration files
changes to
8-20
downloading
8-40
job status, viewing

A-114
8-33
8-35
job scheduling
A-116
A-114
syslogConf.pl utility
closing
8-23
job password policy
A-119
running swim cli commands
benefits of
8-22
downloading configuration files
A-110
execute SWIM cli remotely

syslogConf
8-23
to compare versions
A-110
SWIMcli
8-20
to check syntax
A-111
8-32
displaying
8-33
closing
8-9
exporting to HTML format
8-17
8-23
8-20
currently open, viewing list of
8-25
IN-2
OL-25941-01
Index
downloading
base config with latest config of mulitple

devices 6-38
8-33
files, selecting
8-35
job password policy

job scheduling
startup versus running
8-40
starting a new job
by baseline
tasks (table)
by pattern search
external files
Config Viewer
8-27
6-7
Sync on Device
8-13
labels, configuring
8-14
8-23
8-23
8-22
Configuration Management, using
6-1, 7-1
Failed Devices report
6-5
Partially Successful Devices report

Successful Devices report
6-6
purging
6-24
viewing
6-23
deleting queries
6-27
6-18
6-28
6-16
6-24
troubleshooting
6-30
6-10
6-30
C-1
configuring
inter-VLAN routing
11-30
on an external router
11-32
on RSM, MSFC3, and L2/L3 devices
6-26
search report, displaying

comparing configurations
using
6-27
archive status, checking
6-12
Out-of-Sync report
6-48
6-25
about
Device Configuration Quick View
6-50
6-46
creating queries
running queries
6-22
Configuration Version summary
archive searches with custom queries
editing queries
6-24
archive search report
6-49
job details, viewing

stopping a job
deleting
6-20
reports
6-5
Archive Management Job Browser
retrying a job
6-21
6-10
Quick Configuration Download feature
6-4
deleting a job
creating
editing
8-23
versions of, comparing

archival reports
6-12
6-13
Sync Archive
external interface
6-44
job scheduling
8-16
about
8-3
configuration version tree
8-26
8-31
syntax checking
8-3
Configuration Archive Job Browser
8-29
by device and version
removing
6-35
functional flow (figure)
8-17
8-26
printing
6-36
Config Editor option
8-9
exporting to HTML format
saving
two versions of same
8-39
6-34
6-33
two versions of different
8-33
opening
6-41
running versus latest archived
8-36
job status, viewing
editing
Config Diff Viewer
8-40
6-28
6-3
6-33
Configuring VRF
12-2

Summary
11-31
12-9
12-11

OL-25941-01
IN-3
Index
Create VRF
overview
running

Crypto Map task in NetConfig
cwcli config, using
on multiple devices
5-47
syntax examples
uses
A-2, A-7
CLI framework
command parameters
A-15
A-8
A-10
A-10
device and archive updates
A-13
delete command
A-11
deleting configurations
A-11
compare command
A-11
comparing configurations
A-2, A-7
all commands
A-10
additional information
12-5
A-1
batch processing
A-2, A-7
remote access
A-11
A-10
cwcli netconfig command
A-13
core options and nmconfig equivalents
man page
A-19
A-8
5-128
5-128
examples of cwcli config and nmconfig

equivalents A-20
getting started
A-8
man page information
A-20
deleting
arguments and options, about

function-dependent options
A-22
function-independent options
function-specific options
input list file format
-view option usage
export
5-3
5-49
downloading configuration files

A-27
files, selecting
A-27
job scheduling
8-40
8-36
job status, viewing

starting a job
8-33
8-35
job password policy
A-28
9-15
5-4
DNS task in NetConfig
A-28
8-40
8-33
8-39
12-31
A-29
listlock
A-29
A-29
reload
5-3
device security, modifying

A-25
A-28
import
put
prompts, verifying
A-27
deploybaseline
5-3
images from, adding to the software repository
A-25
comparewithbaseline
get
credentials, verifying
A-22
A-26
compareanddeploy
delete
configurations, verifying
A-23
man page information for subcommands
9-24
devices, managing
A-22
A-25
mandatory arguments
compare
images from the software repository
A-22
A-30
run2start
A-30
start2run
A-30
write2run
write2start
A-31
Layer 3 Features
Summary
12-35
12-36
Trunk Configuration
12-35
A-31
IN-4
OL-25941-01
Index
VLAN to VRF Mapping

Editing VRF
12-33
12-13
editor manager (see under Config Editor)
IGMP Configuration task in NetConfig
8-9
IKE (Internet Key Exchange) Configuration task in

NetConfig 5-59
eem
EEM NetConfig tasks
EEM environmental variable task
embedded event manager task
Enable
images
5-116
adding to software repository
5-117
from a file system
C-4
Enable Password task in NetConfig

EtherChannel
from devices
attributes
11-46
creating
9-12
9-15
9-21
9-26
default attribute values, understanding
Ethernet VLANs
about
9-17
from the network
11-46
9-11
9-19
from Cisco.com
11-46
understanding
using
from a URL
5-50
11-46
configuring
5-57
editing and viewing
11-15
9-28
finding missing attribute information
11-16
understanding
exporting
configuration files, to HTML format
deleting
8-17
9-28
9-27
9-24
distribution by
searching for
9-28
9-60
9-26
Interface IP Address Configuration task in

NetConfig 5-58
files
IVR (inter-VLAN routing)

configuration (see configuration files)
Software Management, locating
8-9
configuring
9-105
11-30
on on external router
11-32
on RSM, MSFC3, and L2/L3 devices

understanding
using
11-31
11-30
11-30
gold
NetConfig tasks for GOLD
GOLD boot level task
5-123
GOLD monitoring test task
5-124
Job Approval, using

troubleshooting
C-73
H
How
C-2
HTML format, exporting a configuration file to

HTTP, configuring for software image upgrades
HTTP Server task in NetConfig
8-17
9-49
Local Username task in NetConfig

Login
5-54
C-3
5-53

OL-25941-01
IN-5
Index
Cable BPI/BPI+ task
5-95
Cable DHCP-GiAddr and Helper task

MICA portware image types, and software image
upgrades 9-49
Cable Downstream task
microcode and modem firmware requirements for software

image upgrades 9-49
Cable Spectrum Management task
5-98
Cable Interface Bundling task

Cable Trap Source task
Microcom firmware image types, and software image

upgrades 9-49
Cable Upstream task

CDP task
5-104
5-104
5-106
5-100
5-44
Certification Authority (CA) task
Crypto Map task
NetConfig, using
before you begin
DNS task
5-3
device configurations, verifying

device credentials, verifying
device prompts, verifying
5-50
5-53
IGMP Configuration task
5-4
device security, modifying

job approval, enabling
HTTP Server task
5-3
5-39
5-49
Enable Password task
5-3
IKE Configuration task
5-3
5-57
5-59
Interface IP Address Configuration task
5-4
job policies, default, configuring
5-4
Local Username task
task access privileges, assigning
5-4
NTP Server Configuration task
cwcli netconfig command description

interactive commands, handling
.ini file
5-46
5-47
dialog box, understanding
5-1
5-97
5-54
5-61
RADIUS Server Configuration task
5-128
RCP Configuration task
5-33
Reload task
5-34
5-63
5-66
5-67
user-defined templates
5-34
SNMP Community Configuration task
jobs, browsing and editing
5-18
SNMP Security Configuration task
job details, viewing
SNMP Traps Configuration task
5-23
multi-line commands, handling
SSH Configuration task
5-34
Syslog task
port based system-defined tasks

Catalyst Integrated Security Features task
Manage Auto Smartports task
PoE task
Smartports task
Transform task
5-112
rolling back configuration changes

rollback commands, creating
system-defined tasks
5-88
5-5
tasks
5-107
5-94
5-2
troubleshooting
5-41
5-33
C-9
user-defined tasks, creating and editing

user permissions, understanding
5-43
5-91
5-94
tasks, assigning to users
5-40
Auto Smartports task
Web User task
5-5
5-35
Authentication Proxy task

Banner task
5-89
5-92
User-Defined Protocol task
5-5
rollback on failure, configuring

Adhoc tasks
5-72
Telnet Password Configuration task
5-113
5-70
5-83
TACACS Configuration task
5-111
5-68
5-87
TACACS+ Configuration task
5-114
5-58
5-25
5-5
administrator task permissions
5-6
IN-6
OL-25941-01
Index
job approval permissions

job editing permissions
5-6
5-6
user-defined task permissions
RADIUS Server Configuration task in NetConfig
5-6
NTP Server Configuration task in NetConfig
rcp
5-61
configuring for software image upgrades

on Solaris
9-43
9-43
selecting as active file transfer method

RCP Configuration task in NetConfig
overviews
editing a configuration file in Config Editor
of cwcli config
8-9
rollback commands, creating

Route Distinguisher
8-23
Pari
searching for images
deleting policy
editing policy groups
NetConfig tasks
4-5
Smart Call Home task
4-6
PVLAN (private VLAN)
5-76
SNMP
SNMP Community Configuration task in
NetConfig 5-68
SNMP Security Configuration task in NetConfig
creating
about
SNMP Traps Configuration task in NetConfig
11-26
primary
Software Management, using
11-26
promiscuous ports, configuring

secondary
9-51
distribution by images
9-60
distribution job, authorizing
promiscuous ports
11-24
PVLAN host ports
11-24
PVLAN trunk ports

11-24
11-25
CiscoWorks Server
files, locating
9-105
Job Approval
9-6
patch distribution
by device
by patch
5-72
9-51
9-4
Cisco.com, logging into
11-24
11-25
11-28
5-70
9-1
distribution by devices
environment, setting up
11-29
understanding
11-28
11-27
secondary, associating ports with
using
A-23
Smart Call Home
4-7
PIX Firewall devices, upgrade recommendations,

understanding 9-95
types
11-3
security warning regarding -p
4-7
duplicating policy groups
deleting
9-26
advantages of VLANs in
4-1
deleting policy groups
5-5
security
4-1
adding policy groups
5-5
12-4
managing policy groups
5-66
5-5
rollback on failure, configuring
8-26
syntax checking in Config Editor
9-45
rolling back configuration changes in NetConfig
A-2, A-7
opening a configuration file
5-63
9-5
9-4
9-67
9-67
9-71

OL-25941-01
IN-7
Index
remote staging and distribution

software distribution
methods
9-75
9-29
TACACS+ Configuration task in NetConfig
9-35
upgrade analysis
TACACS Configuration task in NetConfig
9-29
Upgrade Analysis report, understanding

upgrades, configuring devices for
upgrades, planning
9-32
9-38, 9-47
upgrades from Cisco.com, planning
software image repository, maintaining
schedule, changing
9-97
9-38
deploying templates
guidelines
9-24
synchronization jobs, removing
synchronization report, scheduling

synchronization report, viewing
syncrhonizing with Cisco.com
deleting
9-11
editing
9-10
9-11
9-23
support for IOS software modularity

C-13
3-19
exporting
3-20
importing
3-22
multi-line commands, handling
3-22
3-25
3-21
3-21
TFTP, configuring for software image upgrades
9-95
9-95
on Solaris
on Windows
9-50
user-supplied scripts, understanding

SSH Configuration task in NetConfig
viewing template details
9-95
9-93
for VPN 3000 series devices
5-83
3-20
importing running config from device
for Catlyst 1900/2920 devices

for PIX Firewall devices
3-18
importing from XML file
9-93
9-94
for Cisco IOS devices
3-15
importing from Cisco Configuration Professional

file 3-23
9-65
upgrade recommendations, understanding
3-26
3-27
managing templates
9-8
3-2
3-31
job browser
9-26
for Catalyst devices
3-2
assigning templates to user
9-11
synchronization
3-1
system-defined templates
9-26
images, deleting
Syslog task in NetConfig
C-3
accessing template center
9-99
9-7
image attributes
upgrades, scheduling
C-3
Telnet Password Configuration task in

NetConfig 5-91
Template Center
succesful, undoing
troubleshooting
in SSH mode
in Telnet mode
9-100
searching
C-4
Telnet
9-98
images, adding
C-5
C-4
in Telnet mode
9-100
software repository
in SSH mode
9-95
failed job, retrying

stopping
C-2
custom TACACS prompts, troubleshooting
9-30
upgrades from the software repository,

planning 9-31
deleting
5-88
enable login authentication
9-37
Software Management jobs
TACACS credentials, interpreting
5-89
9-102
5-87
9-47
9-47
9-47
token ring bridge relay function VLANS (see trCRF

VLANs) 11-18
Transform task in NetConfig
5-92
trBRF VLANs
IN-8
OL-25941-01
Index
creating
planning
11-17
trCRF VLANs
creating
from Cisco.com
11-18
troubleshooting
C-1
Change Audit
Config CLI
9-31
identifying possible changes
9-37
9-37
testing the new images
C-11
Config Management
NetConfig
from the software repository
software repository, maintaining
C-75
Job Approval
9-30
prerequisites, satisfying
C-73
Config Editor
for Catalyst devices
C-9
9-93
for PIX Firewall devices
characteristics of trunks
for VPN 3000 devices
11-41
9-95
9-95
remote staging and distribution
11-40
DTP (Dynamic Trunking Protocol)

encapsulation types
11-42
trunk encapsulation
11-41
scheduling
11-40
9-95
9-94
for Cisco IOS devices
C-13
11-40
considerations in
9-93
for Catalyst 1900/2820 devices
C-73
9-38
9-38
recommendations, understanding
C-1
Software Management
trunking
9-37
9-75
9-50
Upgrade Analysis report, understanding

User-Defined Protocol task in NetConfig
9-32
5-94
user-supplied scriptsfor software management
9-102
U
V
upgrades
analyzing prerequisites and impact
configuring devices for
Software Management synchronization reports
9-38
additional requirements, meeting

additional SFB checks
HTTP
9-39
configuration process
minimum requirements, meeting

modem firmware requirements
rcp, configuring
prerequisites
9-49
9-39
SCP, configuring
using
9-51
distribution methods
11-46
11-46
11-46
inter-VLAN routing
9-60
9-35
11-1
11-2
understanding
distribution job, authorizing
10-11
11-46
configuring
9-55
distributing by images
(see also VLANs)

EtherChannel
9-47
distributing by devices
advanced
9-40
10-5
10-9
VLAN and VTP management
9-42
Telnet and SSH access, configuring

TFTP, configuring
10-2
standalone to VSS mode

Virtual to standalone
9-43
10-1
10-2
support for VSS
9-49
9-11
Virtual Switching System

about Virtual Switching System (VSS)
9-40
9-49
microcode requirements
basic
viewing
9-29
9-51
configuring
understanding
11-30
11-30

OL-25941-01
IN-9
Index
using
using
11-30
PVLAN (private VLAN)

creating
11-26
deleting
11-29
types
reports, displaying
views, using
version 3
using
11-24
11-39
11-35
11-25
11-21
trunking
11-37
11-24
understanding
reports
11-37
warnings
11-40
regarding security and -p
characteristics of trunks
considerations in
11-41
Web User task in NetConfig
11-40
What
DTP (Dynamic Trunking Protocol)

encapsulation types
11-42
trunk encapsulation
11-41
11-40
A-23
5-94
C-5
whats new in this release

in Config Editor
8-8
Windows, and the NetConfig .ini file
5-34
VLAN Port Assignment (see VLAN Port

Assignment) 11-47
VTP (see VTP)
11-33

starting
11-48
understanding
using
11-47
11-48
11-49
VLANs
about
11-2
advantages of
11-2
in adds, moves, and changes

in broadcast activity
in security
11-3
components of
11-3
deleting
11-2
11-2
11-19
types supported by Campus Manager

trCRF VLANs
11-18
types supported by LMS

Ethernet VLANs
11-4
11-15
VPN 3000 devices, upgrade recommendations,

understanding 9-95
VRF Lite
12-1
VTP (VLAN trunking protocol)

domain components
domains, about
11-33
11-34
11-34
IN-10
OL-25941-01

LMS Config Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LMS Config Guide

Uploaded by

Copyright:

Available Formats

Configuration Management with Cisco

Prime LAN Management Solution 4.2

Text Part Number: OL-25941-01

Obtaining Documentation and Submitting a Service Request

OpenSSL/Open SSL Project

Overview of Configuration Management

Best Practices Deviation

Device Change Audit

Config Protocol Summary

Job Information Status

About Configuration Dashboard

Configuration Management Tasks

Managing and Deploying Templates

Creating Configuration Templates

Managing Templates 3-18

Exporting Templates 3-20

Understanding the Template Center Jobs Browser

Guidelines for Creating Configuration Templates Using IF and FOREACH Statements

Using Compliance and Audit Manager Feature

Managing Policy Groups 4-1

Managing Policy Profile 4-6

Understanding Compliance Violation Fix Job Browser

Understanding Compliance and Audit Manager (CAAM) Policies

Configuration Management with Cisco Prime LAN Management Solution 4.2

Miscellanous Service 4-143

Outdated Devices As Per Vendor Specific EOL/EOS Announcements 4-264

Configuration Management with Cisco Prime LAN Management Solution 4.2

Call Processing Solutions - 63708 [IOS] 4-320

HTTP Command Injection - 68322 [IOS] 4-382

OSPF, MPLS VPN Vulnerability - 100526 [IOS] 4-452

PIX TCP Reset - 13639 [PIX, ASA] 4-504

Syslog Crash -13660 [IOS] 4-570

Making and Deploying Configuration Changes Using NetConfig

Preparing to Use NetConfig 5-3

Configuration Management with Cisco Prime LAN Management Solution 4.2

Verifying Device Prompts 5-4

Starting a New NetConfig Job 5-7

Browsing and Editing Jobs Using the NetConfig Job Browser

Creating and Editing User-defined Tasks 5-25

Handling Interactive Commands 5-33

Using System-defined Tasks 5-35

Configuration Management with Cisco Prime LAN Management Solution 4.2

Interface IP Address Configuration Task 5-58

cwcli netconfig 5-128

Archiving Configurations and Managing them using Configuration Archive

Using the Config Fetch Protocol Usage Report

Checking Configuration Archival Status 6-3

Using the Configuration Version Tree

Understanding the Config Viewer Window

Viewing the Configuration Version Summary

Configuring Labels 6-20

Comparing Configurations 6-33

Compare Base Config vs. Latest Configuration Version of Multiple Devices

Using Baseline Templates to Check Configuration Compliance

Baseline Template Management Window 7-5

Deploying a Baseline Template 7-28

Editing and Deploying Configurations Using Config Editor

Benefits of Configuration Editor

Overview: Editing a Configuration File

Configuration Management with Cisco Prime LAN Management Solution 4.2

Editing Configuration Files by Handling Interactive Commands in Config Editor Jobs

Printing a Configuration File

Exporting Changes of a Configuration File

Selecting Configuration Tools