Versatile management options make the VPN 3000 Concentrators easy to administer. They can be managed using the command-line interface (CLI), and in fact, some CLI administration is necessary during the initial configuration stages. The login screen and main menu of the CLI
Private Network
are shown in Example 3-1. But the web interface is the tool that you want to use. Intuitive menu systems, onscreen help, drop-down-box selection windows, error checking, and security make this one of the slickest management interfaces in Cisco’s product line.
The VPN Concentrator Manager breaks the concentrator management process into three management areas: Configuration, Administration, and Monitoring. Figure 3-8 shows the main menu screen of the manager.
Figure 3-8 VPN Concentrator Manager Main Page Example 3-1 VPN Concentrator Command Line Interface
Login: admin Password:
Welcome to Cisco Systems VPN 3000 Concentrator Series Command Line Interface
Copyright (C) 1998-2002 Cisco Systems, Inc.
1) Configuration 2) Administration 3) Monitoring
4) Save changes to Config file 5) Help Information
6) Exit Main ->
Configuration changes are stored within the memory of the VPN concentrator and take effect immediately. This feature allows the administrator to make configuration modifications on the fly without having to reboot the system or disrupt users. The next sections take a little closer look at the three major management areas of the VPN Concentrator Manager.
Configuration
Figure 3-9 shows the Configuration menu that appears when you click that option from the main menu. This menu identifies the four subheadings under the Configuration portion of the manager: Interfaces, System, User Management, and Policy Management.
Figure 3-9 VPN Concentrator Manager—Configuration
Clicking the Interfaces option brings up the window shown in Figure 3-10. This window shows an image of the concentrator and allows you to select the interface that you need to configure.
This screen gives a quick synopsis of the status of the interfaces and shows their IP configuration properties.
Figure 3-10 VPN Concentrator Manager—Configuration | Interfaces
The other three options on the Configuration menu cover the following areas:
•
System—Server access, address assignment, tunneling protocols, IP routing, built-in management servers, system events, and system identification•
User Management—Attributes for groups and users that determine their access to and use of the VPN•
Policy Management—Policies that control data traffic through the VPN via filters, rules, and IPSec Security Associations; network lists; access times; and NATA hierarchy in the User Management section determines the inherited properties that groups and users assume. The root of all inherited properties is the group called the Base Group. The properties within this group are the default properties for all users, unless the users are members of specific groups. When specific groups are defined, for example, Accounting, Topeka Sales, or Network, those groups inherit their default settings from the Base Group. Those settings can be overridden within the specific groups. Users inherit the properties of the group when they are added to specific groups. If a user is not a member of a specific group, he or she defaults to the settings of the Base Group. It is a simple yet effective method of assigning properties to groups and users.
The following two sections present an overview of the Administration and Monitoring sections of the VPN Manager. Chapter 7, “Monitoring and Administering the Cisco VPN 3000 Series Concentrator,” provides more detail on these topics.
Administration
The Administration screen is shown in Figure 3-11.
Figure 3-11 VPN Concentrator Manager—Administration
The administration functions available from this menu are as follows:
•
Administer Sessions—View statistics for logout and ping sessions.•
Software Update—Update concentrator and client software images to the most current versions using the appropriate choice from these two selections:— Concentrator—Upload and update the VPN concentrator software image.
— Clients—Upload and update the VPN client software image.
•
System Reboot—Set options for VPN concentrator shutdown and reboot.•
Ping—Use Internet Control Message Protocol (ICMP) ping to determine connectivity.•
Monitoring Refresh—Enable automatic refresh of status and statistics in the Monitoring section of the Manager.•
Access Rights—Configure administrator profiles, access, and sessions. The Access Rights option provides these four selections:— Administrators—Configure administrator usernames, passwords, and rights.
— Access Control List—Configure IP addresses for workstations with access rights.
— Access Settings—Set administrative session idle timeout and limits.
— AAA Servers—Set administrative authentication using TACACS+.
•
File Management—Manage system files in flash memory. The File Management option provides these four selections:— Files—Copy, view, and delete system files.
— Swap Configuration Files—Swap backup and boot configuration files.
— TFTP Transfer—Use TFTP to transfer files to and from the VPN concentrator.
— File Upload—Use HTTP to transfer files to the VPN concentrator.
•
Certificate Management—Install and manage digital certificates. The Certificate Management option provides these three selections:— Enrollment—Create a certificate request to send to a Certificate Authority.
— Installation—Install digital certificates.
— Certificates—View, modify, and delete digital certificates.
Monitoring
The Monitoring screen is shown in Figure 3-12.
Figure 3-12 VPN Concentrator Manager—Monitoring
The monitoring functions available from this menu are as follows:
•
Routing Table—Current valid routes, protocols, and metrics.•
Filterable Event Log—Current event login memory, filterable by event class, severity, IP address, and so on. Within this monitoring section, you also find access to current log entries from the following selection:— Live Event Log—Current event log, continuously updated.
•
System Status—Current software revisions, uptime, SEP modules, system power supplies, Ethernet interfaces, front-panel LEDs, and hardware sensors. To monitor the LED status indicator panel, select the following System Status option:— LED Status—Current status of the VPN Concentrator front-panel LED indicators.
•
Sessions—Currently active sessions sorted by protocol, SEP, and encryption. “Top ten”sessions sorted in descending order by data (total bytes transmitted and received), duration (total time connected), and throughput (average bytes per second).