Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router, Release 4.2.x
DDoS Mitigation Support on CGSE

Distributed denial-of-service (DDoS) attacks target network infrastructure or computing resources. Their primary goal is to deny legitimate users access to a particular system or network resource, which results in service degradation, loss of reputation and, in some cases, data loss.

DDoS defense is based on mitigating attack traffic at its entry point into the network.

DDoS mitigation is the process of detecting increasingly complex and deceptive attacks and limiting their effects, so that business operations continue and resources stay available.

Threat Management System (TMS) software is ported to the Cisco Carrier Grade Services Engine (CGSE) to mitigate attacks and return clean traffic to the targeted host or network. The Cisco CGSE is an integrated multi-CPU service module that offers carrier-class performance and scale for a range of applications and services.

For detailed information about DDoS mitigation support concepts, configuration tasks, and examples, see the Implementing DDoS Mitigation Support on CGSE module of the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.

Implementing DDoS Mitigation Support on CGSE

What is Distributed Denial-of-service (DDoS)?

A distributed denial-of-service (DDoS) attack is one in which numerous compromised systems attack a single target, denying service to the users of that target. DDoS attacks target network infrastructure or computing resources. Their primary goal is to deny legitimate users access to a particular system or network resource, which results in service degradation, loss of reputation and, in some cases, data loss.

What is DDoS Mitigation?

DDoS mitigation is the process of detecting increasingly complex and deceptive attacks and limiting their effects, so that business operations continue and resources stay available. It is based on mitigating attack traffic at its entry point into the network.

Complete DDoS protection provides these benefits:

  • Detection and mitigation of DDoS attacks
  • Separation of good traffic from bad traffic, so that legitimate service continues during an attack
  • The performance and architecture to deploy upstream and protect all points of vulnerability
  • Reliable and cost-efficient scalability

Implementing DDoS Mitigation Support on CGSE

Threat Management System (TMS) software is ported to the Cisco Carrier Grade Services Engine (CGSE) to mitigate attacks and return clean traffic to the targeted host or network. The Cisco CGSE is a single-slot module supported on all models of the Cisco CRS-1 and CRS-3 carrier-class routing systems, and it offers carrier-class performance and scale for a range of applications and services.

For more information on Implementing DDoS Mitigation Support on CGSE, refer to the Implementing DDoS Mitigation Support on CGSE chapter in the Cisco IOS XR System Security Configuration Guide for the Cisco CRS Router.

For a complete description of the DDoS Mitigation Support commands, refer to the DDoS Mitigation Support on CGSE Commands module of the Cisco IOS XR System Security Command Reference for the Cisco CRS Router.

For documentation of other commands that appear in this chapter, use the command reference master index, or search online.

This module describes the tasks required to host the Threat Management System (TMS) service on CGSE, which is how DDoS mitigation support is implemented on CGSE.

Feature History for Implementing DDoS Mitigation Support on CGSE

Release          Modification
Release 4.2.3    This feature was introduced.

Restrictions for Implementing DDoS Mitigation

This solution does not support these features on the Cisco CRS Router:

  • TACACS
  • CPU performance evaluation for the TMS–CGSE application
  • On-box latency or jitter performance analysis
  • Hardware time stamping of packets
  • Co-existence of other services (for example, CCN or CGN) on the same CGSE blade as the TMS–CGSE scrubber
  • Incremental routing requirements

Prerequisites for Implementing DDoS Mitigation

These prerequisites are required to implement DDoS Mitigation support on CGSE:

Installing and Activating the PIE

Package Installation Envelope (PIE) files are installable software files with the .pie extension. PIE files are used to copy one or more software components onto the router. A PIE may contain a single component, a group of components (called a package), or a set of packages (called a composite package).

Use the show install committed command in EXEC mode to verify the committed software packages.

You must install and activate the CGSE services PIE before you install and use the TMS–CGSE software. Download the hfr-services-px.pie file to a TFTP server that the router can reach.

For more information about installing PIEs, refer to Upgrading and Managing Cisco IOS XR Software section of the Cisco IOS XR System Management Configuration Guide for the Cisco CRS Router.


Note


The TMS–CGSE software is part of a separate image that you download from Cisco.com. For information about the specific images, refer to the Release Notes for Cisco CRS-1 and Cisco CRS-3 for Cisco IOS XR Software Release 4.2.3.


SUMMARY STEPS

    1.    admin

    2.    install add tftp://<IP address of tftp server>/<location of pie on server>

    3.    install activate device:package

    4.    install commit

    5.    exit

    6.    show install committed


DETAILED STEPS
      Command or Action Purpose
    Step 1 admin


    Example:
    RP/0/RP0/CPU0:router# admin 
     

    Enters administration EXEC mode.

     
    Step 2 install add tftp://<IP address of tftp server>/<location of pie on server>


    Example:
    RP/0/RP0/CPU0:router(admin)# install add tftp://172.201.11.140/auto/tftp-users1/pie/
     

    Copies the contents of a package installation envelope (PIE) file to a storage device.

     
    Step 3 install activate device:package


    Example:
    RP/0/RP0/CPU0:router(admin)# install activate disk0:hfr-services-px.pie
     

    Activates the package, adding its functionality to the running software.

     
    Step 4 install commit


    Example:
    RP/0/RP0/CPU0:router(admin)# install commit
     

    Saves the active software set to be persistent across designated system controller (DSC) reloads.

     
    Step 5 exit


    Example:
    RP/0/RP0/CPU0:router(admin)# exit
     

    Exits from the admin mode.

     
    Step 6 show install committed


    Example:
    RP/0/RP0/CPU0:router# show install committed
     

    Shows the list of the committed software packages.

     

    Copying TMS–CGSE RPM Package Manager (RPM) to Route Processor (RP) Disk

    Perform this task to copy TMS–CGSE RPM to RP disk and to a standby RP.


    Note


    RPM Package Manager is a package management system. The name RPM refers to two things: software packaged in the .rpm file format, and the package manager itself. RPM was intended primarily for GNU/Linux distributions; the file format is the baseline package format of the Linux Standard Base.


    Copy the TMS-CGSE RPM to a primary route processor. You should also copy the RPM to a standby route processor to enable TMS to operate in case of a route processor switchover or failover.

    We recommend storing the .rpm image on a flash card.

    Before You Begin

    Obtain the TMS–CGSE RPM image and place it in the root directory of the TFTP server from which the router will copy it.

    SUMMARY STEPS

      1.    configure

      2.    tftp ipv4 server homedir tftp-home-directory

      3.    Use one of these commands:

      • end
      • commit

      4.    copy tftp://<IP address of tftp server>/<location of TMS–CGSE RPM image on tftp server>/<TMS–CGSE RPM image filename> disk0:<destination filename>

      5.    copy disk0:<TMS–CGSE RPM image name> location <R/S/I of active RP> disk0: location <R/S/I of standby RP>


    DETAILED STEPS
        Command or Action Purpose
      Step 1 configure


      Example:
      RP/0/RP0/CPU0:router# configure
       

      Enters global configuration mode.

       
      Step 2 tftp ipv4 server homedir tftp-home-directory


      Example:
      RP/0/RP0/CPU0:router(config)# tftp ipv4 server homedir disk0
       

      Enables the TFTP server on the router and sets its home directory, the directory from which it serves files. The CGSE downloads the TMS–CGSE RPM from this directory, so it must be the same location the RPM is copied to in Step 4 (disk0: in this example). TFTP has no authentication and serves every file under the home directory; restrict which addresses can reach this server (the command accepts an access-list; see the tftp server command in the Cisco IOS XR System Management Command Reference) rather than leaving it open on every interface.

       
      Step 3 Use one of these commands:
      • end
      • commit


      Example:
      RP/0/RP0/CPU0:router(config)# end

      or

      RP/0/RP0/CPU0:router(config)# commit
       

      Saves configuration changes.

      • When you issue the end command, the system prompts you to commit changes:
        Uncommitted changes found, commit them
        before exiting(yes/no/cancel)? [cancel]:
        
        • Entering yes saves configuration changes to the running configuration file, exits the configuration session, and returns the router to EXEC mode.
        • Entering no exits the configuration session and returns the router to EXEC mode without committing the configuration changes.
        • Entering cancel leaves the router in the current configuration session without exiting or committing the configuration changes.
      • Use the commit command to save the configuration changes to the running configuration file, and remain within the configuration session.
       
      Step 4 copy tftp://<IP address of tftp server>/<location of TMS–CGSE RPM image on tftp server>/<TMS–CGSE RPM image filename> disk0:<destination filename>


      Example:
      RP/0/RP0/CPU0:router# copy tftp://198.51.100.1/tftp_directory/tms-cgse.rpm disk0:tms-cgse.rpm
       

      Copies the TMS–CGSE RPM image to disk0:

       
      Step 5 copy disk0:<TMS–CGSE RPM image name> location <R/S/I of active RP> disk0: location <R/S/I of standby RP>


      Example:
      RP/0/RP0/CPU0:router# copy disk0:tms-cgse.rpm location 0/RP0/CPU0 disk0: location 0/RP1/CPU0
       

      Copies the TMS–CGSE RPM image to the standby RP disk0:

      Note   

      Use the show redundancy command to identify the active and standby RPs.

       

      How to Implement DDoS Mitigation Support on CGSE

      To implement DDoS Mitigation Support, perform the tasks described in this section. The TMS application hosted on CGSE implements DDoS Mitigation Support on CGSE. Perform these procedures in the order presented to host the TMS application on CGSE.

      Configuring the CGSE Service Role as Service Engine Service Hosting (SESH)

      Configure the CGSE service role as Service Engine Service Hosting (SESH) to allow the CGSE to start the TMS–CGSE service.

      Important:

      Do not remove the service role while the card is active: doing so puts the card into a FAILED state and disrupts service.

      SUMMARY STEPS

        1.    configure

        2.    hw-module service sesh location <R/S/I>

        3.    Use one of these commands:

        • end
        • commit

        4.    show running-config service sesh


      DETAILED STEPS
          Command or Action Purpose
        Step 1 configure


        Example:
        RP/0/RP0/CPU0:router# configure
         

        Enters global configuration mode.

         
        Step 2 hw-module service sesh location <R/S/I>


        Example:
        RP/0/RP0/CPU0:router(config)# hw-module service sesh location 0/1/CPU0 
         

        Configures the service role as SESH for the CGSE at the specified location, in rack/slot/module format.

         
        Step 3 Use one of these commands:
        • end
        • commit


        Example:
        RP/0/RP0/CPU0:router(config)# end

        or

        RP/0/RP0/CPU0:router(config)# commit
         

        Saves configuration changes.

        The end command prompts you to commit uncommitted changes before exiting: yes commits and returns to EXEC mode, no exits without committing, and cancel stays in the configuration session. The commit command saves the changes and keeps you in the configuration session.
         
        Step 4 show running-config service sesh


        Example:
        RP/0/RP0/CPU0:router# show running-config service sesh
        
        Wed Jul 11 14:24:31.560 PST
        service sesh instance1
        service-location preferred-active 0/1/CPU0 
         

        Shows the location of the SESH.

         

        Configuring the Service Infrastructure Interface

        Configure the service infrastructure (ServiceInfra) interface and associate it with a CGSE module. The router uses this interface to carry infrastructure traffic to the CGSE and to download the TMS–CGSE image to it. Reload the CGSE after configuring and associating the ServiceInfra interface. Each CGSE needs exactly one ServiceInfra interface.


        Note


        Configure the ServiceInfra interface address with a /29 mask; the subnet must provide at least 5 host addresses. The router-side address must be the x.x.x.1 address of that subnet; other ServiceInfra addresses do not work with SESH. Because this subnet exists only between the RP and the CGSE, choose a block that does not overlap addresses you route elsewhere.


        SUMMARY STEPS

          1.    configure

          2.    interface ServiceInfra <id>

          3.    ipv4 address <A.B.C.D>/<prefix>

          4.    service-location <R/S/I>

          5.    Use one of these commands:

          • end
          • commit

          6.    hw-module location <R/S/I> reload

          7.    show services role


        DETAILED STEPS
            Command or Action Purpose
          Step 1 configure


          Example:
          RP/0/RP0/CPU0:router# configure
           

          Enters global configuration mode.

           
          Step 2 interface ServiceInfra <id>


          Example:
          RP/0/RP0/CPU0:router(config)# interface ServiceInfra 1 
           

          Enters interface configuration mode for the ServiceInfra interface.

           
          Step 3 ipv4 address <A.B.C.D>/<prefix>


          Example:
          RP/0/RP0/CPU0:router(config-if)# ipv4 address 100.1.1.1/29
           

          Sets the IP address for this interface.

           
          Step 4 service-location <R/S/I>


          Example:
          RP/0/RP0/CPU0:router(config-if)# service-location 0/1/CPU0 
           

          Associates the interface with the CGSE at the location (rack/slot/module format) whose service role you configured in the previous procedure.

          Note   

          To determine where the CGSE modules are installed in the chassis, use the show platform command in the EXEC mode. The show platform command displays the list of cards that includes CGSE modules with their service location.

           
          Step 5 Use one of these commands:
          • end
          • commit


          Example:
          RP/0/RP0/CPU0:router(config)# end

          or

          RP/0/RP0/CPU0:router(config)# commit
           

          Saves configuration changes.

          The end command prompts you to commit uncommitted changes before exiting: yes commits and returns to EXEC mode, no exits without committing, and cancel stays in the configuration session. The commit command saves the changes and keeps you in the configuration session.
           
          Step 6 hw-module location <R/S/I> reload


          Example:
          RP/0/RP0/CPU0:router# hw-module location 0/1/CPU0 reload 
           

          Reloads the CGSE.

          Use the show platform command to monitor the CGSE boot state. The card is fully booted when it switches from the initially BOOTING state to the OK state.

           
          Step 7 show services role


          Example:
          RP/0/RP0/CPU0:router# show services role
          
          Node  Configured Role Enacted Role Enabled Services
          --------------------------------------------------
          0/1/CPU0 SESH           SESH        ServiceInfra 
           

          Displays information about the configured service role.
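          The ServiceInfra address rule in the note above (a /29 with the router on x.x.x.1) and the role check in Step 7 are the two things most often wrong when a CGSE never reaches SESH. The following is an added example, not Cisco code and not part of the TMS–CGSE software: it validates a candidate ServiceInfra address before you commit it, and parses `show services role` text (the sample below is constructed in the layout shown above, with a second, hypothetical CGSE at 0/2/CPU0 whose role is not yet enacted) to confirm that the configured and enacted roles agree and ServiceInfra is enabled.

```python
"""Pre-flight checks for the ServiceInfra step: address rule and role verification."""
import ipaddress
import re

# Constructed sample in the layout of the `show services role` output shown above,
# with a second (hypothetical) CGSE whose role has not been enacted yet.
SAMPLE_ROLE_OUTPUT = """\
Node  Configured Role Enacted Role Enabled Services
--------------------------------------------------
0/1/CPU0 SESH           SESH        ServiceInfra
0/2/CPU0 SESH           NONE
"""

_ROLE_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")


def check_serviceinfra_address(cidr: str) -> list:
    """Return the problems with a ServiceInfra address (empty list means usable).

    Rules from the note above: /29 mask, at least 5 usable hosts, and the
    router-side address must be x.x.x.1 (which also pins the subnet to x.x.x.0/29).
    """
    try:
        iface = ipaddress.IPv4Interface(cidr)
    except ValueError as exc:
        return [f"not a valid IPv4 address/prefix: {exc}"]
    problems = []
    net = iface.network
    if net.prefixlen != 29:
        problems.append(f"prefix is /{net.prefixlen}; SESH requires a /29")
    if net.num_addresses - 2 < 5:
        problems.append(f"only {net.num_addresses - 2} usable hosts; at least 5 are needed")
    if iface.ip.packed[-1] != 1:
        problems.append(f"router address must end in .1 (x.x.x.1), got {iface.ip}")
    return problems


def parse_services_role(output: str) -> dict:
    """Map node -> (configured role, enacted role, [enabled services])."""
    roles = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Node") or line.startswith("-"):
            continue                      # header and rule lines
        match = _ROLE_LINE.match(line)
        if match:
            node, configured, enacted, services = match.groups()
            roles[node] = (configured, enacted, services.split())
    return roles


def sesh_ready(roles: dict, location: str) -> bool:
    """True once the CGSE at `location` has SESH configured, enacted, and ServiceInfra enabled."""
    configured, enacted, services = roles.get(location, (None, None, []))
    return configured == "SESH" and enacted == "SESH" and "ServiceInfra" in services


if __name__ == "__main__":
    print(check_serviceinfra_address("100.1.1.1/29"))     # [] -> usable
    print(check_serviceinfra_address("100.1.1.9/30"))     # three problems
    roles = parse_services_role(SAMPLE_ROLE_OUTPUT)
    print(sesh_ready(roles, "0/1/CPU0"), sesh_ready(roles, "0/2/CPU0"))
```

          Run `sesh_ready` against the real `show services role` output after the reload in Step 6; a node whose enacted role lags its configured role has not finished booting (check `show platform` for the OK state) or has failed to take the role.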

           

          Configuring ServiceEngine–ServiceHost Instance

          Configure the SESH instance to run on the CGSE node. Service location specifies the CGSE card location. One active card is supported with no failover, so only the preferred-active argument is supported.


          Note


          Before configuring the SESH instance, wait for the CGSE to come up in the OK state after the reload; this takes approximately 15 minutes.


          SUMMARY STEPS

            1.    configure

            2.    service sesh <name of the sesh instance>

            3.    service-location preferred-active <R/S/I>

            4.    Use one of these commands:

            • end
            • commit


          DETAILED STEPS
              Command or Action Purpose
            Step 1 configure


            Example:
            RP/0/RP0/CPU0:router# configure
             

            Enters global configuration mode.

             
            Step 2 service sesh <name of the sesh instance>


            Example:
            RP/0/RP0/CPU0:router(config)# service sesh sesh1
             

            Creates the service hosting (SESH) instance.

             
            Step 3 service-location preferred-active <R/S/I>


            Example:
            RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0 
             

            Specifies the CGSE card location, in rack/slot/module format, for the SESH instance. Only one active card is supported, with no failover.

             
            Step 4 Use one of these commands:
            • end
            • commit


            Example:
            RP/0/RP0/CPU0:router(config)# end

            or

            RP/0/RP0/CPU0:router(config)# commit
             

            Saves configuration changes.

            The end command prompts you to commit uncommitted changes before exiting: yes commits and returns to EXEC mode, no exits without committing, and cancel stays in the configuration session. The commit command saves the changes and keeps you in the configuration session.
             

            Configuring Service Application Interfaces

            Before configuring the TMS-CGSE software on a CGSE module, configure three ServiceApp interfaces and bind them to the SESH instance you created: one for the management path to the CGSE, one for traffic diverted to the TMS-CGSE scrubber (offramp, the scrubber ingress), and one for cleaned traffic returned from the TMS-CGSE (onramp, the scrubber egress).

            SUMMARY STEPS

              1.    configure

              2.    vrf <vrf name>

              3.    commit

              4.    interface ServiceApp <ID>

              5.    description string

              6.    ipv4 address <A.B.C.D>/<prefix>

              7.    service sesh <name of the sesh instance>

              8.    interface ServiceApp <ID>

              9.    description string

              10.    ipv4 address <A.B.C.D>/<prefix>

              11.    service sesh <name of the sesh instance>

              12.    interface ServiceApp <ID>

              13.    description string

              14.    vrf <vrf name>

              15.    ipv4 address <A.B.C.D>/<prefix>

              16.    service sesh <name of the sesh instance>

              17.    Use one of these commands:

              • end
              • commit


            DETAILED STEPS
                Command or Action Purpose
              Step 1 configure


              Example:
              RP/0/RP0/CPU0:router# configure
               

              Enters global configuration mode.

               
              Step 2 vrf <vrf name>


              Example:
               RP/0/RP0/CPU0:router(config)# vrf arbor-tms
               

              Creates the VRF into which one of the scrubber ServiceApp interfaces is placed in Step 14.

               
              Step 3 commit


              Example:
               RP/0/RP0/CPU0:router(config)# commit
               

              Use the commit command to save the configuration changes to the running configuration file, and remain within the configuration session.

               
              Step 4 interface ServiceApp <ID>


              Example:
               RP/0/RP0/CPU0:router(config)# interface ServiceApp 11
               

              Enters the interface configuration mode for the service application.

               
              Step 5 description string


              Example:
               RP/0/RP0/CPU0:router(config-if)# description tms1 mgmt interface
               

              Creates a description for the Service Application Interface.

               
              Step 6 ipv4 address <A.B.C.D>/<prefix>


              Example:
              RP/0/RP0/CPU0:router(config-if)# ipv4 address 192.0.2.3/29 
               

              Sets the IP address for the management interface.

               
              Step 7 service sesh <name of the sesh instance>


              Example:
              RP/0/RP0/CPU0:router(config-if)# service sesh sesh1
               

              Associates the interface with the SESH service instance.

               
              Step 8 interface ServiceApp <ID>


              Example:
               RP/0/RP0/CPU0:router(config)# interface ServiceApp 21
               

              Enters the interface configuration mode for the service application.

               
              Step 9 description string


              Example:
               RP/0/RP0/CPU0:router(config-if)# description tms1 scrb ingress interface
               

              Creates a description for the Service Application Interface.

               
              Step 10 ipv4 address <A.B.C.D>/<prefix>


              Example:
              RP/0/RP0/CPU0:router(config-if)# ipv4 address 204.0.0.1/24 
               

              Sets the IP address for the scrubber ingress interface.

               
              Step 11 service sesh <name of the sesh instance>


              Example:
              RP/0/RP0/CPU0:router(config-if)# service sesh sesh1
               

              Associates the interface with the SESH service instance.

               
              Step 12 interface ServiceApp <ID>


              Example:
               RP/0/RP0/CPU0:router(config)# interface ServiceApp 22
               

              Enters the interface configuration mode for the service application.

               
              Step 13 description string


              Example:
               RP/0/RP0/CPU0:router(config-if)# description tms1 scrb egress interface
               

              Creates a description for the ServiceApp interface.

               
              Step 14 vrf <vrf name>


              Example:
               RP/0/RP0/CPU0:router(config-if)# vrf arbor-tms
               

              Places the service interface in VRF.

              Note   

              One of the two scrubber ServiceApp interfaces (onramp or offramp) must be in a VRF. Otherwise the cleaned traffic returning from the scrubber is matched by the same diversion route that sent it to the scrubber, and the traffic loops.

               
              Step 15 ipv4 address <A.B.C.D>/<prefix>


              Example:
              RP/0/RP0/CPU0:router(config-if)# ipv4 address 205.0.0.1/24 
               

              Sets the IP address for the scrubber egress interface.

               
              Step 16 service sesh <name of the sesh instance>


              Example:
              RP/0/RP0/CPU0:router(config-if)# service sesh sesh1
               

              Associates the interface with the SESH service instance.

               
              Step 17 Use one of these commands:
              • end
              • commit


              Example:
              RP/0/RP0/CPU0:router(config)# end

              or

              RP/0/RP0/CPU0:router(config)# commit
               

              Saves configuration changes.

              The end command prompts you to commit uncommitted changes before exiting: yes commits and returns to EXEC mode, no exits without committing, and cancel stays in the configuration session. The commit command saves the changes and keeps you in the configuration session.
               

              Configuring TMS–CGSE Service and Applications

              Configure the TMS–CGSE service and its two applications, management (tms-mgmt) and scrubber (tms-scrb), so that they run on the CGSE.

              This procedure attaches the TMS–CGSE service type, its RPM package, and the ServiceApp interfaces configured earlier to the SESH instance that is hosted on the CGSE module.

              SUMMARY STEPS

                1.    configure

                2.    service sesh <name of the sesh instance>

                3.    service-location preferred-active <R/S/I>

                4.    service-type <service type name> <service instance name>

                5.    description string

                6.    package <name of the TMS–CGSE RPM image>

                7.    application tms-mgmt

                8.    interface ServiceApp <ID>

                9.    remote ipv4 address <A.B.C.D>/<prefix>

                10.    exit

                11.    exit

                12.    application tms-scrb

                13.    map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID>

                14.    Use one of these commands:

                • end
                • commit

                15.    show running-config service sesh

                16.    show services sesh instance {<name of instance> | all}


              DETAILED STEPS
                  Command or Action Purpose
                Step 1 configure


                Example:
                RP/0/RP0/CPU0:router# configure
                 

                Enters global configuration mode.

                 
                Step 2 service sesh <name of the sesh instance>


                Example:
                RP/0/RP0/CPU0:router(config)# service sesh sesh1
                 

                Configures service hosting instance.

                 
                Step 3 service-location preferred-active <R/S/I>


                Example:
                RP/0/RP0/CPU0:router(config-sesh)# service-location preferred-active 0/1/CPU0 
                 

                Specifies the CGSE card location, in rack/slot/module format, for the SESH instance. Only one active card is supported, with no failover.

                 
                Step 4 service-type <service type name> <service instance name>


                Example:
                RP/0/RP0/CPU0:router(config-sesh)# service-type ddos-tms tms1
                 

                Sets the service type.

                 
                Step 5 description string


                Example:
                RP/0/RP0/CPU0:router(config-tms1)# description ddos TMS instance 1
                 

                Creates a description for the service.

                 
                Step 6 package <name of the TMS–CGSE RPM image>


                Example:
                RP/0/RP0/CPU0:router(config-tms1)# package tms-cgse.rpm
                 

                Adds the TMS–CGSE image that is part of the instance.

                Note   

                The TMS–CGSE RPM image must be in the TFTP home directory configured with the tftp ipv4 server homedir command (disk0: in the copying procedure above); the CGSE downloads it from there.

                After you commit the configuration, the TMS–CGSE application takes approximately 10 minutes to start.

                 
                Step 7 application tms-mgmt


                Example:
                RP/0/RP0/CPU0:router(config-tms1)# application tms-mgmt
                 

                Specifies the TMS management application.

                 
                Step 8 interface ServiceApp <ID>


                Example:
                RP/0/RP0/CPU0:router(config-tms-mgmt)# interface ServiceApp 11
                 

                Enters the interface mode of the service application.

                 
                Step 9 remote ipv4 address <A.B.C.D>/<prefix>


                Example:
                RP/0/RP0/CPU0:router(config-if)# remote ipv4 address 10.10.76.17/29
                 

                Specifies the remote IPv4 address of the service application.

                Note   

                The remote management address requires a subnet at least as large as a /29.

                 
                Step 10 exit

                Example:
                RP/0/RP0/CPU0:router(config-if)# exit
                 

                Exits the Interface configuration mode.

                 
                Step 11 exit

                Example:
                RP/0/RP0/CPU0:router(config-tms-mgmt)# exit
                 

                Exits the TMS Management configuration mode.

                 
                Step 12 application tms-scrb


                Example:
                RP/0/RP0/CPU0:router(config-tms1)# application tms-scrb
                 

                Specifies the TMS scrubber application.

                 
                Step 13 map ingress-interface ServiceApp <ID> egress-interface ServiceApp <ID>


                Example:
                RP/0/RP0/CPU0:router(config-tms-scrb)# map ingress-interface ServiceApp 21 egress-interface ServiceApp 22
                 

                Maps the ServiceApp interface that carries diverted traffic into the scrubber (ingress) to the ServiceApp interface that carries cleaned traffic out of it (egress).

                 
                Step 14 Use one of these commands:
                • end
                • commit


                Example:
                RP/0/RP0/CPU0:router(config)# end

                or

                RP/0/RP0/CPU0:router(config)# commit
                 

                Saves configuration changes.

                The end command prompts you to commit uncommitted changes before exiting: yes commits and returns to EXEC mode, no exits without committing, and cancel stays in the configuration session. The commit command saves the changes and keeps you in the configuration session.
                 
                Step 15 show run service sesh


                Example:
                RP/0/RP0/CPU0:router# sh running-config service sesh
                service sesh sesh1
                service-location preferred-active 0/1/CPU0
                service-type ddos-tms tms1
                 description 'ddos TMS instance 1'
                 package arbor-cgse.rpm
                 application tms-mgmt
                  interface ServiceApp11
                   remote ipv4 address 10.10.76.17/29
                  !
                 !
                 application tms-scrb
                  map ingress-interface ServiceApp21 egress-interface ServiceApp22
                 

                Shows the configured parameters.

                 
                Step 16 show services sesh instance {<name of instance> | all}


                Example:
                RP/0/RP0/CPU0:router# show services sesh instance all
                
                Service Infra instance sesh1
                Application tms1 hosted on Location 0/1/CPU0
                       Octeon 0
                       State - UP - Application Spawned and Service App Interfaces Ready
                       Error Messages - None
                 

                Displays the state of the application. Values are:

                • INIT—Application configuration download is initiated.
                • WAITING—Application download is complete, but the service application interface is not ready.
                • UP—Application download is complete, and the service application interface is ready.

                An error message is displayed when the service application is missing or not configured.
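The two show commands in Steps 15 and 16 are the checks a practitioner runs after committing the TMS configuration. The following Python script is an added example, not part of the Cisco guide or the Arbor package: it parses captured text of show running-config service sesh and show services sesh instance all (the samples embedded below are constructed from the outputs shown in Steps 15 and 16) and reports configuration problems before the instance is handed to the Peakflow SP leader. It reads the /29 note as "the remote management subnet must be no smaller than a /29" and treats identical scrubber ingress and egress interfaces as an error; both are the script's assumptions, not statements from the guide.

```python
"""Check a TMS-CGSE instance from captured IOS XR show output.

Added example, not from the Cisco guide: parses the text of
'show running-config service sesh' and 'show services sesh instance all'
and verifies the points the procedure relies on. The embedded samples are
constructed from the outputs shown in Steps 15 and 16.
"""
import ipaddress
import re

# Constructed sample: running-config from Step 15 of the guide.
RUNNING_CONFIG = """\
service sesh sesh1
service-location preferred-active 0/1/CPU0
service-type ddos-tms tms1
 description 'ddos TMS instance 1'
 package arbor-cgse.rpm
 application tms-mgmt
  interface ServiceApp11
   remote ipv4 address 10.10.76.17/29
  !
 !
 application tms-scrb
  map ingress-interface ServiceApp21 egress-interface ServiceApp22
 !
"""

# Constructed sample: instance status from Step 16 of the guide.
INSTANCE_STATUS = """\
Service Infra instance sesh1
Application tms1 hosted on Location 0/1/CPU0
       Octeon 0
       State - UP - Application Spawned and Service App Interfaces Ready
       Error Messages - None
"""

# Assumption: "minimum /29 mask" means the remote management subnet may not
# be smaller than a /29, i.e. the prefix length may not exceed 29.
MAX_MGMT_PREFIXLEN = 29

MAP_RE = re.compile(
    r"map ingress-interface (ServiceApp\s*\d+) egress-interface (ServiceApp\s*\d+)$")


def parse_running_config(text):
    """Extract the TMS-relevant fields; ServiceApp names are normalised (no space)."""
    cfg = {"instance": None, "tms": None, "mgmt_interface": None,
           "remote": None, "ingress": None, "egress": None}
    app = None  # which 'application' block we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"service sesh (\S+)$", line):
            cfg["instance"] = m.group(1)
        elif m := re.match(r"service-type ddos-tms (\S+)$", line):
            cfg["tms"] = m.group(1)
        elif m := re.match(r"application (tms-mgmt|tms-scrb)$", line):
            app = m.group(1)
        elif app == "tms-mgmt" and (m := re.match(r"interface (ServiceApp\s*\d+)$", line)):
            cfg["mgmt_interface"] = m.group(1).replace(" ", "")
        elif app == "tms-mgmt" and (m := re.match(r"remote ipv4 address (\S+)$", line)):
            cfg["remote"] = ipaddress.ip_interface(m.group(1))
        elif app == "tms-scrb" and (m := MAP_RE.match(line)):
            cfg["ingress"] = m.group(1).replace(" ", "")
            cfg["egress"] = m.group(2).replace(" ", "")
    return cfg


def parse_instance_status(text):
    """Return (state, error_messages) from 'show services sesh instance' output."""
    state, errors = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"State - (INIT|WAITING|UP)\b", line):
            state = m.group(1)
        elif m := re.match(r"Error Messages - (.*)$", line):
            errors = m.group(1).strip()
    return state, errors


def check_tms(config_text, status_text):
    """Return a list of findings; an empty list means the instance looks as expected."""
    cfg = parse_running_config(config_text)
    state, errors = parse_instance_status(status_text)
    findings = []
    if cfg["tms"] is None:
        findings.append("no service-type ddos-tms configured under service sesh")
    if cfg["mgmt_interface"] is None or cfg["remote"] is None:
        findings.append("application tms-mgmt needs an interface and a remote ipv4 address")
    elif cfg["remote"].network.prefixlen > MAX_MGMT_PREFIXLEN:
        findings.append(f"remote management subnet is a /{cfg['remote'].network.prefixlen}; "
                        f"the guide requires at least a /{MAX_MGMT_PREFIXLEN}")
    if cfg["ingress"] is None or cfg["egress"] is None:
        findings.append("application tms-scrb needs a map ingress-interface/egress-interface")
    elif cfg["ingress"] == cfg["egress"]:
        # Assumption: the guide's example maps two distinct interfaces.
        findings.append("scrubber ingress and egress interfaces must differ")
    if state != "UP":
        findings.append(f"instance state is {state}, expected UP")
    if errors and errors != "None":
        findings.append(f"instance reports errors: {errors}")
    return findings


if __name__ == "__main__":
    problems = check_tms(RUNNING_CONFIG, INSTANCE_STATUS)
    print("\n".join(problems) if problems else "OK: instance matches the expected TMS configuration")
```

Feed the script the output of the two commands captured from the router; an empty list of findings means the instance matches what the procedure expects. A state of WAITING, or an error message other than None, points back to a ServiceApp interface that is missing or not yet ready, which is the condition the state list above describes.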

                 

                Configuring the Zone Secret

                The zone secret is a shared phrase that all appliances in the Peakflow SP deployment use to authenticate their internal communication. The TMS–CGSE must hold the same zone secret as the Peakflow SP leader before you can configure the leader as the manager of the CGSE; the bootstrap command in the next section passes this phrase to the leader. The value arbor in the examples is a placeholder: choose a long, unguessable phrase and protect it like any other shared credential.

                Access the TMS–CGSE to configure the zone secret.

                Refer to the Accessing the TMS–CGSE section for the steps for accessing the TMS–CGSE.
                SUMMARY STEPS

                  1.    services tms stop

                  2.    services tms secret set <zone secret phrase>

                  3.    services tms start


                DETAILED STEPS
                    Command or Action Purpose
                  Step 1 services tms stop


                  Example:
                  admin@arbos:/# services tms stop
                   

                  Stops the TMS service in CGSE.

                   
                  Step 2 services tms secret set <zone secret phrase>


                  Example:
                  admin@arbos:/# services tms secret set arbor
                   

                  Sets the Zone Secret phrase.

                   
                  Step 3 services tms start


                  Example:
                  admin@arbos:/# services tms start
                   

                  Starts the TMS service in CGSE.

                   

                  Configuring Peakflow SP Leader as Manager of CGSE

                  The Peakflow SP leader controls the TMS for all mitigations: the user defines a mitigation in Peakflow SP, and Peakflow SP installs it on the TMS.

                  To enable communication between the TMS-CGSE and the Peakflow SP leader, and to let the leader control the TMS, configure the TMS-CGSE to make the Peakflow SP leader the manager of the CGSE. The bootstrap command takes the leader's IP address and the zone secret configured in the previous section, which must be the same phrase the leader uses.

                  Access the TMS–CGSE to perform this configuration.

                  Refer to the Accessing the TMS–CGSE section for the steps for accessing the TMS–CGSE.
                  SUMMARY STEPS

                    1.    services tms bootstrap <Peakflow SP leader IP address> <zone secret phrase>

                    2.    config write


                  DETAILED STEPS
                      Command or Action Purpose
                    Step 1 services tms bootstrap <Peakflow SP leader IP address> <zone secret phrase>


                    Example:
                    admin@arbos:/# services tms bootstrap 121.10.23.1 arbor
                     

                    Makes the Peakflow SP leader the manager of the CGSE module. The second argument is the zone secret set in the previous section.

                     
                    Step 2 config write


                    Example:
                    admin@arbos:/# config write
                     

                    Saves the configuration changes.

                     

                    Configuring TMS-CGSE in the Peakflow SP Web UI

                    The Peakflow SP Web UI provides the interface for configuring and managing the TMS-CGSE.

                    Configure the TMS-CGSE in the Peakflow SP Web UI as follows:

                    • To configure a TMS-CGSE, select Administration > Peakflow Appliances from the Peakflow SP Web UI.
                    • To create a cluster that contains one or more TMS-CGSEs, select Administration > Mitigation > TMS-CGSE Clusters from the Peakflow SP Web UI.

                    For more information about configuring a TMS-CGSE, see About Configuring Peakflow SP Appliances module in the Peakflow SP User Guide Version 5.7.

                    For information about creating a cluster of TMS-CGSEs, see Configuring TMS-CGSE Clusters module in the Peakflow SP User Guide Version 5.7.

                    For information about TMS-CGSE deployment scenarios, see TMS-CGSE Deployment Scenarios module in the Peakflow SP User Guide Version 5.7.

                    Accessing the TMS–CGSE

                    To access the TMS–CGSE, open an SSH session from a Linux server to its management IP address (the remote ipv4 address configured under application tms-mgmt).


                    Note


                    SSH requires the k9crypto.pie package to be installed on the CRS.



                    Note


                    TMS–CGSE must be reachable from the Linux server. This can be achieved by configuring appropriate routes between the Linux server and the CRS.


                    SUMMARY STEPS

                      1.    ssh tms@<TMS management IP address>

                      2.    Username

                      3.    Password


                    DETAILED STEPS
                        Command or Action Purpose
                      Step 1 ssh tms@<TMS management IP address>


                      Example:
                      eng-1032:~ lnx_server$ ssh tms@10.10.76.17
                       

                      Connects to the TMS–CGSE.

                       
                      Step 2 Username


                      Example:
                      arbos login: admin
                      
                       

                      Enter the login username.

                       
                      Step 3 Password


                      Example:
                      Password:
                      admin@arbos:/# 
                      
                       

                      Enter the password.

                      Note   

                      The password will not be visible when entered.

                       
                      What to Do Next

                      Change the default TMS–CGSE password after logging in to the TMS–CGSE for the first time.

                      Refer to the Changing the TMS–CGSE Login Password section for the steps for changing the password.

                      Changing the TMS–CGSE Login Password

                      Change the default TMS–CGSE password after logging in to the TMS–CGSE for the first time. The TMS service is stopped while the password is changed and started again afterwards.

                      SUMMARY STEPS

                        1.    services tms stop

                        2.    services aaa local password <username> interactive

                        3.    new password

                        4.    new password

                        5.    services tms start


                      DETAILED STEPS
                          Command or Action Purpose
                        Step 1 services tms stop


                        Example:
                        admin@arbos:/# services tms stop
                         

                        Stops the TMS service in CGSE.

                         
                        Step 2 services aaa local password <username> interactive


                        Example:
                        admin@arbos:/# services aaa local password admin interactive
                         

                        Prompts interactively for a new password for the named local user (admin in the example).

                         
                        Step 3 new password


                        Example:
                        Password:
                         

                        Enter the new password.

                        Note   

                        The password will not be visible when entered.

                         
                        Step 4 new password


                        Example:
                        Password:
                        admin@arbos:/#
                        
                         

                        Re-enter the new password.

                        Note   

                        The password will not be visible when re-entered.

                         
                        Step 5 services tms start


                        Example:
                        admin@arbos:/# services tms start
                         

                        Starts the TMS service in CGSE.

                         

                        Configuring TMS-CGSE Time Zone and Clock

                        To configure the TMS-CGSE time zone and clock, follow these steps.

                        SUMMARY STEPS

                          1.    system timezone set

                          2.    <name of the timezone>

                          3.    <name of the sub-timezone>

                          4.    clock set <MMDDhhmm>

                          5.    clock


                        DETAILED STEPS
                            Command or Action Purpose
                          Step 1 system timezone set


                          Example:
                          admin@arbos:/# system timezone set
                           

                          Enters the time zone configuration.

                           
                          Step 2 <name of the timezone>


                          Example:
                          admin@arbos:/# system timezone set
                          What timezone are you in? [`?' for list]  Asia
                          
                           

                          Sets the time zone.

                           
                          Step 3 <name of the sub-timezone>


                          Example:
                          admin@arbos:/# system timezone set
                          What timezone are you in? [`?' for list]  Asia
                          Select a sub-timezone [`?' for list]: Calcutta
                          
                          
                           

                          Sets the sub time zone.

                           
                          Step 4 clock set <MMDDhhmm>


                          Example:
                           	 admin@arbos:/# clock set 01131401
                           	 Fri Jan 13 14:01:00 EST 2012
                          
                          
                           

                          Sets the clock. The argument is the month, day, hour and minute as MMDDhhmm; 01131401 in the example is January 13, 14:01.

                           
                          Step 5 clock


                          Example:
                           	 admin@arbos:/# clock
                           	 Fri Jan 13 14:22:10 IST 2012
                          
                          
                           

                          Displays the clock.

                           

                          Configuration Examples for Implementing DDoS Mitigation Support on CGSE

                          This section contains the configuration examples for Implementing DDoS Mitigation Support on CGSE.

                          Configuring the CGSE Service Role as Service Engine Service Hosting: Example

                          This example shows how to configure the CGSE service role as Service Engine Service Hosting (SESH):

                          configure
                          	hw-module service sesh location 0/1/CPU0
                          	end
                          
                          Uncommitted changes found, commit them? [yes]: yes
                          								
                          show running-config service sesh
                          								
                          Wed Jul 11 14:24:31.560 PST
                          service sesh instance1
                          service-location preferred-active 0/1/CPU0 
                          
                          
                          

                          Configuring the Service Infrastructure Interface: Example

                          This example shows the Service Infrastructure Interface configuration:

                          configure
                          	interface ServiceInfra 1
                          	ipv4 address 100.1.1.1/29
                          	service-location 0/1/CPU0
                          	end
                          
                          Uncommitted changes found, commit them? [yes]: yes
                          
                          hw-module location 0/1/CPU0 reload 
                          
                          show services role
                          
                          Node  Configured Role Enacted Role Enabled Services
                          --------------------------------------------------
                          0/1/CPU0 SESH           SESH        ServiceInfra 
                          
                          
                          

                          Configuring ServiceEngine–ServiceHost Instance: Example

                          The following example shows how to configure a ServiceEngine–ServiceHost instance:

                          configure
                          	service sesh sesh1
                          		service-location preferred-active 0/1/CPU0
                          		end
                          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
                          
                          

                          Configuring Service Application Interfaces: Example

                          This example shows how to configure service application interfaces:

                          configure
                          	vrf arbor-tms
                          	commit
                          	interface ServiceApp 11
                          		description tms1 mgmt interface
                          		ipv4 address 192.0.2.3/29
                          		service sesh sesh1
                          	interface ServiceApp 21
                          		description tms1 scrb ingress interface
                          		ipv4 address 204.0.0.1/24
                          		service sesh sesh1
                          	interface ServiceApp 22
                          		description tms1 scrb egress interface
                          		vrf arbor-tms
                          		ipv4 address 205.0.0.1/24
                          		service sesh sesh1
                          		end
                          
                          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
                          
                          
                          

                          Configuring TMS–CGSE Service and Applications: Example

                          This example shows how to configure TMS–CGSE Service and Applications:

                          configure
                          	service sesh sesh1
                          		service-location preferred-active 0/1/CPU0
                          		service-type ddos-tms tms1
                          			description ddos TMS instance 1
                          			package arbor-cgse.rpm
                          			application tms-mgmt
                          			interface ServiceApp 11
                          			remote ipv4 address 10.10.76.17/29
                          			application tms-scrb
                          			map ingress-interface ServiceApp 21 egress-interface ServiceApp 22
                          			end
                          Uncommitted changes found, commit them before exiting(yes/no/cancel)? [cancel]:yes
                          
                          

                          This example shows the output of the show running-config service sesh command:

                          show running-config service sesh
                          
                          service sesh sesh1
                          service-location preferred-active 0/1/CPU0
                          service-type ddos-tms tms1
                           description 'ddos TMS instance 1'
                           package arbor-cgse.rpm
                           application tms-mgmt
                            interface ServiceApp11
                             remote ipv4 address 10.10.76.17/29
                            !
                           !
                           application tms-scrb
                            map ingress-interface ServiceApp21 egress-interface ServiceApp22
                           !
                          
                          
                          

                          This example shows the output of the show services sesh instance all command:

                          
                          show services sesh instance all
                          
                          Service Infra instance sesh1
                          Application tms1 hosted on Location 0/1/CPU0
                                 Octeon 0
                                 State - UP - Application Spawned and Service App Interfaces Ready
                                 Error Messages - None
                          
                          
                          

                          Additional References

                          The following sections provide references related to implementing DDoS mitigation support on CGSE.

                          Related Documents

                          Related Topic: DDoS Mitigation Support commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples
                          Document Title: DDoS Mitigation Support commands on Cisco IOS XR System Security Command Reference for the Cisco CRS Router

                          Standards

                          Standards / Title: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

                          MIBs

                          MIBs / MIBs Link: To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

                          RFCs

                          RFCs / Title: No new or modified RFCs are supported by this feature.

                          Technical Assistance

                          Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
                          Link: http://www.cisco.com/techsupport