28-22
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Configuring GET VPN Group Members
Table 28-4 Edit Group Member Dialog Box (Continued)

Element: Security Policy
Description: The local group member security ACL used to deny some group member-specific traffic over and above the security ACL downloaded from the key server. Denied traffic is sent in clear text rather than encrypted. For detailed information, see Understanding the GET VPN Security Policy and Security Associations, page 28-10.
Enter the name of the ACL object or click Select to select it from a list or to create a new object.

Element: Enable Fail Close / Fail Close ACL
Description: Whether to enable fail-close mode on the device, which prevents the device from transmitting clear text traffic before the device successfully registers with the key server. Fail-close mode requires as a minimum Cisco IOS Software release 12.4(22)T or 15.0; you can also configure it on all supported ASRs.
Tip: Fail-close mode is a complex feature, and you must carefully construct the fail-close ACL or you might lock yourself out of the device. Before enabling fail-close mode, read Configuring Fail-Close to Protect Registration Failures, page 28-8.
You must select an ACL policy object that identifies allowable clear text traffic (using deny statements), such as SSH and SSL communications with the Security Manager server to allow for configuration updates. Enter the name of the object or click Select to select it or to create a new object.

Element: Override Key Servers
Description: Whether to override the key server list configured for the GET VPN topology as a whole for this particular group member.
If you select this option, you can choose a subset of the key servers configured for the topology to be used by the selected group member, and change their priority order. This can help you load-balance registration activity among a group of cooperative key servers. For more information, see Configuring Redundancy Using Cooperative Key Servers, page 28-7.
Click Select to change the key server list and priority order of the key servers using the Key Servers Selection dialog box. A key server must be defined for the GET VPN topology before you can modify its use for a group member.
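The fail-close behaviour described for the Enable Fail Close and Fail Close ACL fields, shown as the device-side Cisco IOS configuration that Security Manager would deploy. This is an added illustrative example and not configuration text from this guide; the group name, crypto map name, ACL name, identity number and the 192.0.2.x addresses are placeholders (192.0.2.10 stands in for the Security Manager server and 192.0.2.20 for the key server), and the `crypto map ... gdoi fail-close` / `match address` / `activate` command sequence is assumed from the IOS GET VPN configuration guide.

```cisco
! Added example, not from the Security Manager guide. Placeholder names and
! addresses throughout; 192.0.2.10 = Security Manager server, 192.0.2.20 = key server.

! Fail-close ACL semantics: "deny" = traffic that may leave in clear text while
! the group member is not yet registered; "permit" = traffic dropped until
! registration with the key server succeeds.
ip access-list extended FAIL-CLOSE-ACL
 ! SSH to and from this device, so management access survives a registration failure
 deny tcp any any eq 22
 deny tcp any eq 22 any
 ! SSL (HTTPS) to the Security Manager server for configuration updates
 deny tcp any host 192.0.2.10 eq 443
 deny tcp host 192.0.2.10 eq 443 any
 ! GDOI registration (UDP 848) to the key server, listed explicitly so this
 ! ACL can never be the reason registration is blocked
 deny udp any host 192.0.2.20 eq 848
 deny udp host 192.0.2.20 eq 848 any
 ! Everything else stays blocked until the device has registered
 permit ip any any

! GDOI group membership for this group member
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.20

crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP

! Fail-close attached to the same crypto map. Verify FAIL-CLOSE-ACL denies every
! management path you rely on before entering "activate": once active, any
! traffic the ACL permits (rather than denies) is dropped until registration.
crypto map GETVPN-MAP gdoi fail-close
 match address FAIL-CLOSE-ACL
 activate
```

The order matters for the lockout the Tip warns about: the fail-close ACL is written and checked first, and `activate` is entered last. If the ACL had omitted the SSH and SSL entries and the group member then failed to register (key server unreachable, wrong identity number, certificate problem), the device would drop the very traffic Security Manager needs to correct the configuration.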