5-34
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 5 Managing Policies
Managing Policies in Device View and the Site-to-Site VPN Manager
IOS router policies—Core connectivity policies, such as basic interface settings and accounts and
credentials policies, cannot be unassigned from the device on which they are created. If you unassign
a device access policy that was used to define the password for configuring the device, you might
prevent Security Manager from configuring that device in the future. For more information, see User
Accounts and Device Credentials on Cisco IOS Routers, page 60-13.
If you unassign a VTY or console policy, Security Manager restores a default configuration to
ensure continued communication with the device. For all other policy types, if you unassign the
policy, Security Manager erases the configuration from the device.

Related Topics
• Configuring Local Policies in Device View, page 5-29
• Copying Policies Between Devices, page 5-31
• Managing Policies in Device View and the Site-to-Site VPN Manager, page 5-28

Step 1 Do one of the following:
• (Device view) Select the device that has a policy you want to unassign.
• (Site-to-Site VPN Manager) Select the VPN topology that has a policy you want to unassign.
Step 2 Right-click the local policy and select Unassign Policy.
You are asked to confirm that you want to unassign the current policy.

Working with Shared Policies in Device View or the Site-to-Site VPN Manager

Sharing policies makes it possible to configure multiple devices with common policies, which provides
greater consistency in your policy definitions and streamlines your management efforts. Any changes to
a shared policy affect all the devices and VPN topologies to which the policy is assigned. This makes it
easy, for example, to update all of your Cisco IOS routers with new quality of service policies by
updating the shared Quality of Service policy assigned to these devices.

When working in Device view or the Site-to-Site VPN Manager, you can take a local policy (such as a
policy created during device discovery) and share it. You can then assign the shared policy to as many
devices or VPN topologies as you want (provided they are not locked by another user; see Understanding
Policy Locking, page 5-7), and you can change these assignments at any time. You can also take these
shared policies that were created from the local policy and add them to a policy bundle. For more
information on policy bundles, see Managing Policy Bundles, page 5-53.

Tip: If you have a device that you are using as a template for the creation of other devices, you can quickly
create a policy bundle that can be used for device configuration based on the template device. To do so,
first make all policies on the device shared policies (see Sharing Multiple Policies of a Selected Device,
page 5-39), then create a policy bundle from those shared policies.

In addition, you can take a shared policy that is assigned to a device or VPN topology and turn it into a
local policy for that particular device or topology. This enables you to create a special configuration that
affects only that device or topology. Other devices or topologies assigned the shared policy continue to
use the shared policy as before.