
The Ultimate CCNA Security Study Guide

Chris Bryant, CCIE #12933 http://www.thebryantadvantage.com



An Introduction To SDM

Overview
What Is SDM?
Preinstallation Requirements
Installing SDM
The Home Window And Preferences
The Configure Window
The Monitor Window

Even if you've used SDM before, don't skip this introduction. I've
got a very important tip for you regarding SDM that guarantees
success with it in both the exam room and the real world.

Cisco's Security Device Manager is a GUI application that you'll use to perform tasks from placing a router into one-step lockdown to running a security audit, and everything in between!

SDM is also a tremendous learning tool. Whatever you're working on in SDM, you'll be shown a list of "How Do I...." subjects that can help you carry out your task.

We're going to look at SDM throughout this course, and use it to execute quite a few tasks, including the ones mentioned previously. Before we do that, though, we have to get it to work!

The SDM install generally goes smoothly, but there are some
prerequisite configurations you must be aware of for both the
CCNA Security exam and the real world.

I wouldn't be surprised to see these configs show up in the exam room, and I can guarantee you that one day you'll run into someone having problems with an SDM install because they didn't pre-configure the router with the commands we'll look at in this section. (Obviously, they didn't take this course!)

Let's go to the router!

Preinstallation Commands For Your SDM Router

We need to enable the router as an HTTP and HTTPS server, so we'll take care of that first. We also need to enable authentication for those services. I'll use IOS Help to display the options, and then configure the router to use the local user database for authentication.

SDM_1(config)#ip http server
SDM_1(config)#ip http secure-server
SDM_1(config)#ip http authentication ?
  enable   Use enable passwords
  local    Use local username and passwords
  tacacs   Use tacacs to authorize user

SDM_1(config)#ip http authentication local

Now we need to create that local database! I'll configure one user with a privilege level of 15 and another with a privilege level of 1.

SDM_1(config)#username cbryant privilege 15 password universe
SDM_1(config)#username jbrisco privilege 1 password oklahoma

Some routers come from the factory with the SDM files already
installed. The files numbered 2 - 6 in the following output of
show flash are SDM-specific files. If you have these files
already on your router, you do not need to install SDM from a
CD.
SDM_1#show flash

System flash directory:
File  Length   Name/status
  1   7750032  c831-k9o3sy6-mz.123-8.T6.bin
  2   1038     home.shtml
  3   2802     sdmconfig-83x.cfg
  4   112640   home.tar
  5   1505280  common.tar
  6   6389760  sdm.tar

If you don't have those files, you do need the install CD. Not all
Cisco routers can run SDM; be sure to check Cisco's website for
the latest list of SDM-compliant routers.
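As an added check that is not part of the original guide, here is a Python script that audits a router's running config for the three prerequisite lines above, reports which local users meet the privilege-15 level SDM demands at login (explained in the login walkthrough later in this section), flags users created with "password" rather than "secret" (the former is stored reversibly, the latter hashed), and scans a show flash listing for the SDM files. The sample config and flash listing are constructed from this section's output, not captured from a real router.

```python
import re

# Constructed samples modelled on this section's preinstallation commands and
# 'show flash' listing; not captured from a real router.
SAMPLE_CONFIG = """\
ip http server
ip http secure-server
ip http authentication local
username cbryant privilege 15 password universe
username jbrisco privilege 1 password oklahoma
"""
SAMPLE_FLASH = """\
File Length Name/status
1 7750032 c831-k9o3sy6-mz.123-8.T6.bin
2 1038 home.shtml
3 2802 sdmconfig-83x.cfg
4 112640 home.tar
5 1505280 common.tar
6 6389760 sdm.tar
"""
# Files the section identifies as SDM-specific (numbers 2-6 in the listing).
SDM_FILES = ("home.shtml", "home.tar", "common.tar", "sdm.tar")
USER_RE = re.compile(r"username (\S+)(?: privilege (\d+))? (password|secret) ")

def check_sdm_prereqs(config):
    """Audit running-config text for SDM's HTTP/HTTPS prerequisites and local users."""
    lines = [ln.strip() for ln in config.splitlines()]
    f = {
        "http_server": "ip http server" in lines,
        "https_server": "ip http secure-server" in lines,
        "http_auth_local": "ip http authentication local" in lines,
        "sdm_users": [], "users_denied": [], "reversible_passwords": [],
    }
    for ln in lines:
        m = USER_RE.match(ln)
        if not m:
            continue
        name, priv, kind = m.group(1), int(m.group(2) or 1), m.group(3)
        # Only privilege 15 gets past SDM's 'level_15_or_view_access' prompt.
        f["sdm_users" if priv == 15 else "users_denied"].append(name)
        if kind == "password":  # 'password' is stored reversibly; 'secret' is hashed
            f["reversible_passwords"].append(name)
    f["ready"] = all(f[k] for k in ("http_server", "https_server", "http_auth_local")) and bool(f["sdm_users"])
    return f

def sdm_files_in_flash(show_flash):
    """Return the SDM files present in 'show flash' output; empty means install from CD."""
    names = [ln.split()[-1] for ln in show_flash.splitlines() if ln[:1].isdigit()]
    return [n for n in names if n in SDM_FILES or n.startswith("sdmconfig-")]
```

Feed it the text of show running-config and show flash copied from the router; a user with no privilege keyword is treated as the IOS default of privilege 1.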

When you run the CD, you'll have these two choices:

First-Time Router Setup
Run SDM

I won't insult you by telling you that you need to run First-Time
Router Setup.... well, the first time you run the CD! That option
will show you exactly how to cable your particular router, and
once you're done there, SDM Express runs. After this initial
config, the full SDM version will run.

Okay, we've got SDM installed and the router preconfigured, so let's run SDM. You'll have an option during install for SDM to place a shortcut on the desktop, which I'll click now...

... and then we're going to see a series of windows and prompts.
I know there's documentation out there that makes it seem as
though you go straight to the main SDM window after clicking
that icon, but that's not exactly the case. Here's the first window:

Note the option for HTTPS. I'll check that box and in the
dropdown window, I'll select 10.10.10.1, the neighboring
interface on the router. After clicking Launch, we're launched to
the next window!

A browser window opens and contains this message:

Note that you can close this window without affecting SDM. That is not the case with future windows. In just a few seconds, we'll see a second window...

... and this is the one you can't close until you're done! Actually,
you can close it, but SDM will close along with it.

In just a few more seconds, we're prompted for a username/password combination.

Earlier, we configured two different users with different privilege levels. You've probably already guessed which one we need to log in as here, but let's try the jbrisco/oklahoma combination first. I'll enter that, click OK, and then in just a few seconds....

... the prompt comes back, and the username/password fields are blank.

Note that we were not told what the problem was. There's no "username does not have the required level of access" message or anything like that, so unauthorized users do not get a clue as to why they can't log in.

We do have a clue in that opening line of the prompt, though - "Enter login details to access level_15_or_view_access". The user we log in as must have a privilege level of 15 (the highest level possible) in order to successfully log in to SDM. After entering the cbryant/universe combination that does have the required privilege level, we're almost at the SDM Home window.

You'll first see a screen indicating that SDM is populating its database with information about the router....

... and once that's completed, we'll see the SDM Home screen.

The Home window displays a great deal of helpful information about the router, including....

The router model, memory, Flash, and IOS Version
The policies and VPNs in operation
The routing protocols in use

You'll also see if there are any services that are unavailable.
Note the message "IPS not supported" in the lower right-hand
section under Intrusion Prevention. I wanted to show you that
you cannot necessarily run every SDM service on every router,
so this install was performed on a router that does not quite
have enough memory to run IPS. No worries, we'll use a
different router in future labs, and run plenty of IPS labs as well.

There are some SDM display and operational defaults you may
wish to change before getting started. To see these options,
select Edit > Preferences.

There are no "right" or "wrong" settings here, but you should know how to change them. I personally like to see the commands before they're delivered to the router, but that is not a default. You'll see those command previews in other sections of this course; remember that they only appear because this option was turned on here.

We're going to spend a lot of time in SDM during this course, and by the end of the course you'll be more than familiar with SDM's capabilities. Right now, we'll take a guided tour of each SDM section, and I'll give you a brief summary of each section's purpose and capabilities. Don't try to memorize where every section and option is right now, since we'll be covering many of these sections later in the course.

You navigate SDM by using the buttons at the top of the window. We'll spend most of our time in the Configure section. Just click on that button and we're there.

By default, the Configure screen opens to the Interfaces and Connections screen. Here, we can configure an interface or edit an existing connection. The previous illustration shows you the Create Connection screen; the next shows you the Edit Interface/Connection screen.

That screen shows you the IP addresses of the router interfaces, the up/down status, and details of the highlighted interface.

Did you notice the How Do I: option at the bottom of the Create
screen?
Each SDM section has a specialized set of How Do I questions -
and more importantly, answers! This really is a fantastic series
of tutorials. To see the entire list, just click the drop-down box
next to the Go button (not shown in the previous illustration, but
this is shown in the illustration of the full Configure window), and
make your choice!

We'll stay in the Configure section for a while. Next, a look at the Firewalls And ACL section. After clicking that button on the left-hand side of the screen, we see this screen:

We'll spend plenty of time in this section later in the course!

Note that the How Do I default question has changed - all questions in this section naturally have something to do with firewalls and ACLs.

Here's the VPN section. Note that there's even a design guide here for us to use! We'll build some VPNs with SDM later in the course.

The How Do I option will appear on the screen once you make a
VPN selection from the choices on the left-hand side of the
screen.

Here's the Security Audit section. Note that security audits are not the only feature available here - we can also perform a one-step lockdown. We'll perform both of those later in the course.

We will not be using the Routing section in this course, but here's what it looks like:

To begin configuring a routing protocol with SDM, just click Add and follow the prompts!

Next, we'll look at the NAT screen. Those of you who aren't
fond of configuring NAT will really enjoy using SDM to do so!
We'll look at the Intrusion Prevention screen later in the course.

To conclude our SDM tour, I want to introduce you to possibly the most important section - Additional Tasks.

Believe me, if you need to perform a task in SDM and it's not in
one of the other sections, it's definitely here! You can configure
DHCP, DNS, URL filtering, AAA, dot1x, Class and Policy maps,
and just about everything in between!

When you click on the appropriate subject in the left pane, you'll
see subject-appropriate information appear on the right. In the
previous screen, I highlighted AAA, and you can see that AAA is
disabled. Just for fun, I clicked on the Enable AAA button in the
upper-right hand corner ...

... and I'm given a description of what's about to happen and a final yes/no decision. When you're enabling a protocol or service in SDM, you're usually (but not always) going to be prompted with a similar window.

Once I clicked Yes, I was presented with the following window.

Remember, this is not a default - you're only going to be shown the actual configuration if you checked that option in Preferences, as we did earlier.

Note the option to save the running config to the startup config is not selected by default. I'll select that option, click Deliver, and the following window appears:

While the configuration is being written to the router, the blue squares will move back and forth across the white bar. When the config is finished, you'll see the following.

Click OK, and you're done! A final confirmation message appears:

To conclude our tour, let's take a quick look at the Monitor section. Clicking the Monitor button at the top of SDM brings up the Overview screen.

This is an excellent way to take a quick look at your router's CPU and memory usage. You can also see basic information on interface, firewall, and VPN status as well as logging information.

The Monitor section also has a row of Task buttons, and they're
similar to the buttons in the Configure section in that each has a
specific area of router operations to monitor.
We will not look at each of these screens now, but we'll check in
on a few of them during the course. The main emphasis is on
the Configure screen, but it never hurts to Monitor your work!

Now here's that SDM tip I promised you.

Whether it's in the exam room or a production network, sooner or later you're going to have to configure a service or find information that you've never found in SDM. "For everything, there is a first time."

The key to success with SDM is this: stay calm!

All the information you need to pass the CCNA Security exam
and prosper with SDM in production networks is right in front of
you. You just have to find it - and most of it is clearly labeled.

And if you don't see a Task button relating to what you need to
do - anything from DNS to DHCP to class maps - always look in
Additional Tasks! :)

Copyright © 2008 The Bryant Advantage. All Rights Reserved.
