Management Center for VPN Routers

Management Center for VPN Routers v1.1 (Router MC) is a web-based application designed for large-scale management of VPN and firewall configurations running on Cisco routers. Management Center for VPN Routers is one of the components of CiscoWorks.

Router MC enables network administrators to configure and maintain VPN connections between multiple Cisco VPN routers using a hub-and-spoke topology. Its features support provisioning of all critical connectivity, security, and performance parameters for a large-scale site-to-site VPN.

Router MC supports overlaying a VPN over a Frame Relay network for added security. It can be used to facilitate the migration from leased-line connections to Internet or intranet-based VPN connections.

Router MC-developed firewall and/or VPN configurations can be deployed to individual devices or groups of devices. The hierarchical device grouping and policy inheritance features of Router MC make it possible to configure multiple like devices simultaneously.
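The hierarchical grouping and policy inheritance described above can be modelled in a few lines. The following is an added illustration, not Router MC code: it assumes a tree of device groups in which a policy set on a group applies to every device beneath it unless a closer group, or the device itself, overrides it, and it adds a blast-radius check that reports which devices a change at a given group would actually reach. The group names, policy keys and values are constructed for the example.

```python
# Added example (not Router MC code): a minimal model of hierarchical device
# grouping with policy inheritance. Group names, policy keys and values are
# constructed for illustration; Router MC's own data model is not shown here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Node:
    """A device group or a device. Policies set here override inherited ones."""
    name: str
    parent: Optional["Node"] = None
    policies: Dict[str, str] = field(default_factory=dict)


def effective_policy(node: Node) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Resolve the policy a device actually receives.

    Walks from the root down to `node`; a value set closer to the device
    wins. Returns (resolved values, name of the node each value came from).
    """
    chain: List[Node] = []
    cur: Optional[Node] = node
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    resolved: Dict[str, str] = {}
    provenance: Dict[str, str] = {}
    for n in reversed(chain):  # root first, so nearer nodes override
        for key, value in n.policies.items():
            resolved[key] = value
            provenance[key] = n.name
    return resolved, provenance


def impact_of_change(group_name: str, key: str, devices: Dict[str, Node]) -> List[str]:
    """Devices whose effective value of `key` currently comes from `group_name`.

    Changing that policy at the group reaches exactly these devices; any
    device (or subgroup) that overrides the key is unaffected. Useful as a
    pre-deployment blast-radius check before a job is approved.
    """
    hit = []
    for name, dev in sorted(devices.items()):
        _, provenance = effective_policy(dev)
        if provenance.get(key) == group_name:
            hit.append(name)
    return hit


def build_sample_hierarchy() -> Dict[str, Node]:
    """Constructed sample: Global -> regions -> spokes (all names invented)."""
    root = Node("Global", policies={
        "ike_encryption": "3des",
        "ike_hash": "sha",
        "failover": "ike-keepalive",
    })
    east = Node("East-Region", parent=root, policies={
        "ike_encryption": "aes",      # region-wide change, inherited by its spokes
        "failover": "gre-eigrp",
    })
    west = Node("West-Region", parent=root)  # inherits everything from Global
    spoke_e1 = Node("spoke-east-01", parent=east)
    spoke_e2 = Node("spoke-east-02", parent=east,
                    policies={"failover": "ike-keepalive"})  # device-level override
    spoke_w1 = Node("spoke-west-01", parent=west)
    return {n.name: n for n in (spoke_e1, spoke_e2, spoke_w1)}


if __name__ == "__main__":
    devices = build_sample_hierarchy()
    for name, dev in sorted(devices.items()):
        values, origin = effective_policy(dev)
        print(name, {k: f"{v} (from {origin[k]})" for k, v in values.items()})
    print("failover change at East-Region reaches:",
          impact_of_change("East-Region", "failover", devices))
```

The provenance map returned alongside the resolved values is what makes the model useful for change review: it shows not just what a spoke will receive but which level of the hierarchy set it, so an unexpected device-level override is visible before a job is deployed rather than after a rollback.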

Features and Benefits

The Router Management Center offers features such as a smart rules hierarchy, resiliency support via IKE and generic routing encapsulation (GRE), import and deployment to files or devices, wizard-based setup of IKE and VPN tunnel policies, reusable building blocks, and more. The main features and benefits of the Router Management Center are summarized as follows:

  • Web browser interface—Makes it easy to define and deploy policies.

  • Simplified policy definitions—Wizard-based interface that steps the user through the creation of IKE policies, tunnel policies, and transform sets.

  • Support for a large number of devices—Uses device grouping, Smart Rules hierarchy, and reusable policy components to enable VPN configurations that scale to thousands of devices.

  • Enhanced resiliency with IKE keepalives or GRE for failover—Supports IKE keepalives or GRE, with EIGRP or OSPF routing protocols, to provide failover options.

  • Transparent translation of VPN policies to CLI commands—The web interface simplifies and speeds up configuring and managing VPN policies. The application translates the VPN policies into CLI commands to be deployed to devices.

  • Flexible deployment to files or devices—Choice of deploying configurations directly to devices as CLI commands, or generating files containing CLI commands that can be written to devices later.

  • Configuration rollback—A device’s previous configuration can be restored if the result of deploying VPN policies is not satisfactory.

  • Frame Relay network support—Deploy hub-and-spoke VPN configurations over a Frame Relay network.

Router MC v1.1 Firewall Features

Router MC v1.1 added support for the following firewall functionality features:

  • Support for configuring ordered access rules to be assigned per interface.

  • The ability to view a list of access rules per device or device group.

  • Context Based Access Control (CBAC) feature support, including availability of the inspect action for access rules, alert and audit settings, fragmentation settings, DNS timeouts, protocol timeouts, and Denial of Service (DoS) prevention by monitoring half-open connections.

Router MC v1.1 Enhanced VPN Features

Router MC v1.1 added support for the following VPN features:

  • Enhanced Certification Authority (CA) enrollment features, including support for trust-point and autoenrollment commands for devices running IOS 12.2(8)T and higher

  • Advanced Encryption Standard (AES) encryption algorithm for use in IKE policies and transform sets

  • High Availability (HA) groups of hubs, using Hot Standby Routing Protocol (HSRP)

  • Multiple failover and routing policies within the Router MC device hierarchy

  • Catalyst VPN Services Module support as a hub endpoint

  • Network Address Translation (NAT) traversal

  • Dialer interfaces

Router MC Server Requirements

Router MC is a component of Cisco’s VPN/Security Management Solution (VMS), which integrates CiscoWorks, VPN Monitor, CiscoWorks Common Services, and other individual applications.

| Requirement Type | Minimum Requirement |
| --- | --- |
| Hardware | Intel-based computer with 1 GHz or faster Pentium processor. Color monitor with video card capable of 16-bit color. CD-ROM drive. 10 Mbps (or faster) network connection. |
| Memory (RAM) | 1 GB. |
| Available disk space | 9 GB. 2 GB virtual memory. NTFS file system (recommended). |
| Software | ODBC Driver Manager 3.510 or later. One of the following: Windows 2000 Professional or Windows 2000 Server, with Service Pack 3. |

Router MC Client Requirements

You can access all product features from any PC client meeting or exceeding the following hardware, software, and browser requirements.

| Requirement Type | Minimum Requirement |
| --- | --- |
| Hardware | Intel-based computer with 300 MHz or faster Pentium processor. |
| Memory (RAM) | 256 MB. |
| Available disk space | 400 MB virtual memory. |
| Software | One of the following: Windows 98; Windows NT 4.0; Windows 2000 Server or Professional with Service Pack 2. |
| Web browser | Internet Explorer 6.0 or 5.5 with Service Pack 2. (Netscape Navigator not supported at this time.) |

Router MC User Permissions

Router MC requires all users to log in with a user name and a password, which must be authenticated by the CiscoWorks server (default) or by a Cisco Secure Access Control Server (ACS) v3.1. Once authenticated, Router MC determines the user’s defined role within the application. The role determines the set of tasks or operations the user is authorized to perform. Only those menu items, Table of Contents items, and buttons associated with authorized tasks are visible to the user. All others are hidden or disabled.

CiscoWorks Server Roles and Router MC Permissions

CiscoWorks supports the following five role types corresponding to typical functions within an organization:

Help desk

Read-only access for viewing devices, device groups, and the entire scope of a VPN.

Approver

Can review policy changes and can either approve or reject them. Can also approve or reject deployment jobs.

Network operator

Can make policy changes (except device inventory changes), as well as create and deploy jobs. Activities and jobs must be approved by an Approver.

System administrator

Can perform CiscoWorks server tasks and can make changes to the device hierarchy, such as move or delete devices. Can change administrative settings.

Network administrator

Can perform all CiscoWorks server and Router MC tasks. Can add users to the system with CiscoWorks or ACS. Can set user passwords and assign user roles and privileges.

If ACS authentication is used, the roles are different because of the group and task orientation of ACS. Each role is made up of a set of permissions that determine the role’s level of access to Router MC tasks. User groups are assigned a role, and each user in the group can perform all the Router MC tasks in that role. Consult Cisco’s online documentation for the most current configuration and implementation information if ACS will be used.

Part III: Virtual Private Networks (VPNs)