
The Ultimate CCNA Security Study Guide

Chris Bryant, CCIE #12933 http://www.thebryantadvantage.com

Back To Index

An Introduction To SDM

Overview

Even if you've used SDM before, don't skip this introduction. I've got a very important tip for you regarding SDM that guarantees success with it in both the exam room and the real world.

Cisco's Security Device Manager is a GUI application that you'll use to perform tasks from placing a router into one-step lockdown to running a security audit, and everything in between!

SDM is also a tremendous learning tool. Whatever you're working on in SDM, you'll be shown a list of "How Do I...." subjects that can help you carry out your task.

We're going to look at SDM throughout this course, and use it to execute quite a few tasks, including the ones mentioned previously. Before we do that, though, we have to get it to work!

The SDM install generally goes smoothly, but there are some prerequisite configurations you must be aware of for both the CCNA Security exam and the real world.

I wouldn't be surprised to see these configs show up in the exam room, and I can guarantee you that one day you'll run into someone having problems with an SDM install because they didn't pre-configure the router with the commands we'll look at in this section. (Obviously, they didn't take this course!)

In this section:

What Is SDM?

Preinstallation Requirements

Installing SDM

The Home Window And Preferences

The Configure Window

The Monitor Window

Let's go to the router!

Preinstallation Commands For Your SDM Router

We need to enable the router as an HTTP and HTTPS server, so we'll take care of that first. We also need to enable authentication for those services. I'll use IOS help to display the options, and then configure the router to use the local user database for authentication. (Outside the lab, enable only the HTTPS server and restrict who can reach it with ip http access-class; the plain HTTP server sends SDM logins across the network in the clear.)

SDM_1(config)#ip http server

SDM_1(config)#ip http secure-server

SDM_1(config)#ip http authentication ?

enable Use enable passwords

local Use local username and passwords

tacacs Use tacacs to authorize user

SDM_1(config)#ip http authentication local

Now we need to create that local database! I'll configure one user with a privilege level of 15 and another with a privilege level of 1. (On a production router, use the secret keyword rather than password: password is stored in a reversible form, while secret is stored as a one-way hash.)

SDM_1(config)#username cbryant privilege 15 password universe

SDM_1(config)#username jbrisco privilege 1 password oklahoma

Some routers come from the factory with the SDM files already installed. The files numbered 2 through 6 in the following show flash output are SDM-specific files. If these files are already on your router, you do not need to install SDM from a CD.

SDM_1#show flash

System flash directory:

File Length Name/status

1 7750032 c831-k9o3sy6-mz.123-8.T6.bin

2 1038 home.shtml

3 2802 sdmconfig-83x.cfg

4 112640 home.tar

5 1505280 common.tar

6 6389760 sdm.tar

If you don't have those files, you do need the install CD. Not all Cisco routers can run SDM; be sure to check Cisco's website for the latest list of routers that support SDM.
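Here is an added example, not code from the study guide or from Cisco, that checks a router's running-config and show flash output for the prerequisites covered above: the HTTP/HTTPS server, local authentication, at least one privilege-15 user, and the SDM files in flash. The sample config and flash listing are constructed from the commands and output shown above; the function names and the access-class and secret-keyword checks are my own additions.

```python
"""Check an IOS running-config and 'show flash' listing for SDM prerequisites.

Added example for this chapter, not code from the study guide or from Cisco.
The sample inputs below are constructed from the commands shown in the text.
"""
import re

# Constructed sample running-config, mirroring the preinstallation commands.
SAMPLE_CONFIG = """\
hostname SDM_1
ip http server
ip http secure-server
ip http authentication local
username cbryant privilege 15 password universe
username jbrisco privilege 1 password oklahoma
"""

# Constructed 'show flash' output, mirroring the listing in the text.
SAMPLE_FLASH = """\
System flash directory:
File  Length   Name/status
  1   7750032  c831-k9o3sy6-mz.123-8.T6.bin
  2   1038     home.shtml
  3   2802     sdmconfig-83x.cfg
  4   112640   home.tar
  5   1505280  common.tar
  6   6389760  sdm.tar
"""

# Files SDM needs in flash (plus one sdmconfig-*.cfg, matched separately).
REQUIRED_FLASH_FILES = ("home.shtml", "home.tar", "common.tar", "sdm.tar")

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)\s+(password|secret)\b")
FLASH_ENTRY_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+)")


def check_sdm_prereqs(config):
    """Return {'errors': [...], 'warnings': [...], 'level15_users': [...]}.

    Errors are conditions under which SDM cannot log in at all; warnings are
    settings that work but that a practitioner should tighten.
    """
    lines = [line.strip() for line in config.splitlines()]
    errors, warnings, level15 = [], [], []

    if "ip http secure-server" not in lines:
        errors.append("ip http secure-server missing: no HTTPS for the SDM launcher")
    if "ip http authentication local" not in lines:
        errors.append("ip http authentication local missing: SDM cannot authenticate")
    if "ip http server" in lines:
        warnings.append("ip http server enables plaintext HTTP; disable it if SDM is "
                        "always launched over HTTPS")
    if not any(line.startswith("ip http access-class") for line in lines):
        warnings.append("no ip http access-class: HTTP(S) server reachable from any source")

    for line in lines:
        m = USERNAME_RE.match(line)
        if not m:
            continue
        user, level, keyword = m.group(1), int(m.group(2)), m.group(3)
        if level == 15:
            level15.append(user)
        if keyword == "password":
            warnings.append(f"user {user} uses 'password' (reversible); use 'secret'")

    if not level15:
        # SDM just re-prompts, with no error text, when the user lacks level 15.
        errors.append("no privilege-15 user: SDM login will fail with no error message")

    return {"errors": errors, "warnings": warnings, "level15_users": level15}


def missing_sdm_files(show_flash):
    """Parse 'show flash' output and return the SDM files that are absent."""
    names = {m.group(1) for m in map(FLASH_ENTRY_RE.match, show_flash.splitlines()) if m}
    missing = [name for name in REQUIRED_FLASH_FILES if name not in names]
    if not any(n.startswith("sdmconfig-") and n.endswith(".cfg") for n in names):
        missing.append("sdmconfig-*.cfg")
    return missing


if __name__ == "__main__":
    result = check_sdm_prereqs(SAMPLE_CONFIG)
    for kind in ("errors", "warnings"):
        for msg in result[kind]:
            print(f"{kind[:-1].upper()}: {msg}")
    print("privilege-15 users:", result["level15_users"])
    print("missing SDM files:", missing_sdm_files(SAMPLE_FLASH) or "none")
```

Run against the sample config above, the script reports no errors (SDM will log in as cbryant) but flags the plaintext HTTP server, the missing access-class, and both password-style users; feed it a config that lacks the level-15 user and it reports the silent-login-failure condition before you ever click the SDM icon.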

When you run the CD, you'll have these two choices:

First-Time Router Setup

Run SDM

I won't insult you by telling you that you need to run First-Time Router Setup.... well, the first time you run the CD! That option will show you exactly how to cable your particular router, and once you're done there, SDM Express runs. After this initial config, the full SDM version will run.

Okay, we've got SDM installed and the router preconfigured, so let's run SDM. You'll have an option during install for SDM to place a shortcut on the desktop, which I'll click now...

... and then we're going to see a series of windows and prompts. I know there's documentation out there that makes it seem as though you go straight to the main SDM window after clicking that icon, but that's not exactly the case. Here's the first window:

Note the option for HTTPS. I'll check that box, and in the dropdown I'll select 10.10.10.1, the router interface facing my PC. Click Launch, and the next window appears.

A browser window opens and contains this message:


Note that you can close this window without affecting SDM. That is not the case with future windows. In just a few seconds, we'll see a second window...

... and this is the one you can't close until you're done! Actually, you can close it, but SDM will close along with it.

In just a few more seconds, we're prompted for a username/password combination.


Earlier, we configured two different users with different privilege levels. You've probably already guessed which one we need to log in as here, but let's try the jbrisco/oklahoma combination first. I'll enter that, click OK, and then in just a few seconds....

... the prompt comes back, and the username/password fields are blank.

Note that we were not told what the problem was. There's no "username does not have the required level of access" message or anything like that, so unauthorized users do not get a clue as to why they can't log in.


We do have a clue in that opening line of the prompt, though - "Enter login details to access level_15_or_view_access". The user we log in as must have a privilege level of 15 (the highest level possible) in order to successfully log in to SDM; the "view_access" part of that prompt refers to role-based CLI views, which this section doesn't cover. After entering the cbryant/universe combination, which does have the required privilege level, we're almost at the SDM Home window.

You'll first see a screen indicating that SDM is populating its database with information about the router....

... and once that's completed, we'll see the SDM Home screen.

The Home window displays a great deal of helpful information about the router, including....

The router model, memory, Flash, and IOS Version


The policies and VPNs in operation

The routing protocols in use

You'll also see if there are any services that are unavailable. Note the message "IPS not supported" in the lower right-hand section under Intrusion Prevention. I wanted to show you that you cannot necessarily run every SDM service on every router, so this install was performed on a router that does not quite have enough memory to run IPS. No worries, we'll use a different router in future labs, and run plenty of IPS labs as well.

There are some SDM display and operational defaults you may wish to change before getting started. To see these options, select Edit > Preferences.

There are no "right" or "wrong" settings here, but you should know how to change them. I personally like to see the commands before they're delivered to the router, but that is not a default, so I've enabled that preview here. You'll see the command previews in other sections of this course as well; remember that they only appear because this preference was changed.

We're going to spend a lot of time in SDM during this course, and by the end of the course you'll be more than familiar with SDM's capabilities. Right now, we'll take a guided tour of each SDM section, and I'll give you a brief summary of each section's purpose and capabilities. Don't try to memorize where every section and option is right now, since we'll be covering many of these sections later in the course.

You navigate SDM by using the buttons at the top of the window.


We'll spend most of our time in the Configure section. Just click on that button and we're there.

By default, the Configure screen opens to the Interfaces and Connections screen. Here, we can configure an interface or edit an existing connection. The previous illustration shows you the Create Connection screen; the next shows you the Edit Interface/Connection screen.

That screen shows you the IP addresses of the router interfaces, the up/down status, and details of the highlighted interface.

Did you notice the How Do I: option at the bottom of the Create screen?


Each SDM section has a specialized set of How Do I questions - and more importantly, answers! This really is a fantastic series of tutorials. To see the entire list, just click the drop-down box next to the Go button (not shown in the previous illustration, but this is shown in the illustration of the full Configure window), and make your choice!

We'll stay in the Configure section for a while. Next, a look at the Firewalls And ACL section. After clicking that button on the left-hand side of the screen, we see this screen:

We'll spend plenty of time in this section later in the course! Note that the How Do I default question has changed - all questions in this section naturally have something to do with firewalls and ACLs.


Here's the VPN section. Note that there's even a design guide here for us to use! We'll build some VPNs with SDM later in the course.

The How Do I option will appear on the screen once you make a VPN selection from the choices on the left-hand side of the screen.

Here's the Security Audit section. Note that security audits are not the only feature available here - we can also perform a one-step lockdown. We'll perform both of those later in the course.


We will not be using the Routing section in this course, but here's what it looks like:

To begin configuring a routing protocol with SDM, just click Add and follow the prompts!

Next, we'll look at the NAT screen. Those of you who aren't fond of configuring NAT will really enjoy using SDM to do so!


We'll look at the Intrusion Prevention screen later in the course.

To conclude our SDM tour, I want to introduce you to possibly the most important section - Additional Tasks.

Believe me, if you need to perform a task in SDM and it's not in one of the other sections, it's definitely here! You can configure DHCP, DNS, URL filtering, AAA, dot1x, Class and Policy maps, and just about everything in between!

When you click on the appropriate subject in the left pane, you'll see subject-appropriate information appear on the right. In the previous screen, I highlighted AAA, and you can see that AAA is disabled. Just for fun, I clicked on the Enable AAA button in the upper-right hand corner ...

... and I'm given a description of what's about to happen and a final yes/no decision. When you're enabling a protocol or service in SDM, you're usually (but not always) going to be prompted with a similar window.

Once I clicked Yes, I was presented with the following window. Remember, this is not a default - you're only going to be shown the actual configuration if you checked that option in Preferences, as we did earlier.

Note that the option to save the running config to the startup config is not selected by default. I'll select that option, click Deliver, and the following window appears:


While the configuration is being written to the router, the blue squares will move back and forth across the white bar. When the config is finished, you'll see the following.

Click OK, and you're done! A final confirmation message appears:

To conclude our tour, let's take a quick look at the Monitor section. Clicking the Monitor button at the top of SDM brings up the Overview screen.


This is an excellent way to take a quick look at your router's CPU and memory usage. You can also see basic information on interface, firewall, and VPN status as well as logging information.

The Monitor section also has a row of Task buttons, and they're similar to the buttons in the Configure section in that each has a specific area of router operations to monitor.


We will not look at each of these screens now, but we'll check in on a few of them during the course. The main emphasis is on the Configure screen, but it never hurts to Monitor your work!

Now here's that SDM tip I promised you.

Whether it's in the exam room or a production network, sooner or later you're going to have to configure a service or find information that you've never found in SDM. "For everything, there is a first time."

The key to success with SDM is this: stay calm!

All the information you need to pass the CCNA Security exam and prosper with SDM in production networks is right in front of you. You just have to find it - and most of it is clearly labeled.

And if you don't see a Task button relating to what you need to do - anything from DNS to DHCP to class maps - always look in Additional Tasks! :)

Copyright © 2008 The Bryant Advantage. All Rights Reserved.
