Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 4.0)
Configuring the Detector Module on the Supervisor Engine Module

Table Of Contents

Configuring the Detector Module on the Supervisor Module

Verifying the Detector Module Installation

Setting Up Detector Module Management

Configuring Traffic Sources for Capturing Traffic

Configuring VACLs

Configuring SPAN

Establishing a Session with the Detector Module

Rebooting the Detector Module

Verifying the Detector Module Configuration


Configuring the Detector Module on the Supervisor Module


This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) on the supervisor module.

To configure the Detector module you must have EXEC privileges and must be in configuration mode.

To save all configuration changes to Flash memory, you must enter the write memory command in privileged EXEC mode.

This chapter consists of the following sections:

Verifying the Detector Module Installation

Setting Up Detector Module Management

Configuring Traffic Sources for Capturing Traffic

Establishing a Session with the Detector Module

Rebooting the Detector Module

Verifying the Detector Module Configuration

Verifying the Detector Module Installation

Verify that the supervisor acknowledges the new Detector module and has brought it online.


Note For information on how to install the Detector module in the Catalyst 6500 Chassis, refer to the Cisco Traffic Anomaly Detector Module and Anomaly Guard Module Installation Note.


To verify the installation, follow these steps:


Step 1 Log into the console.

Step 2 Verify that the Detector module is online:

show module 

This example shows the output of the show module command:

Sup# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
...
  6     3 Anomaly Detector Module                WS-SVC-ADM-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
...
  6 000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)       4.0(0.10)    Ok
...
Sup#


Note When the Detector module is first installed, the status is usually other. Once the Detector module completes its diagnostic routines and comes online, the status reads Ok. Allow at least 5 minutes for the Detector module to come online.
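The following Python script is an added example, not part of the Cisco guide: it parses show module output like the one above, joins the two tables on the Mod column, and reports whether every Detector module (identified by the WS-SVC-ADM-1-K9 model) has reached Ok. The sample output is constructed to mirror the format shown above.

```python
import re

# Constructed sample modelled on the show module output above (not captured
# from a real switch). Module 6 is still initialising, so its status is not Ok.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
  6     3 Anomaly Detector Module                WS-SVC-ADM-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  1 0001.0002.0003 to 0001.0002.000a    1.0   6.1(1)       8.1(1)       Ok
  6 000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)       4.0(0.10)    Other
"""

DETECTOR_MODEL = "WS-SVC-ADM-1-K9"
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def detector_status(output):
    """Map each Detector module slot to the Status column of show module.

    The first table identifies Detector modules by model; the second table
    carries the Status. Rows of the two tables are joined on the Mod number.
    """
    detector_slots = set()
    status = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or not fields[0].isdigit():
            continue  # headers, separator rows, "..." and blank lines
        slot = int(fields[0])
        if DETECTOR_MODEL in fields:
            detector_slots.add(slot)
        elif MAC_RE.match(fields[1]):
            status[slot] = fields[-1]  # second table: Status is the last column
    return {slot: status.get(slot, "missing") for slot in detector_slots}


def detectors_online(output):
    """True only when at least one Detector module is present and all report Ok."""
    found = detector_status(output)
    return bool(found) and all(s.lower() == "ok" for s in found.values())
```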



Setting Up Detector Module Management

To establish a remote management session with the Detector module, you must set the Detector module management port.

To select a VLAN for management, enter the following:

anomaly-detector module module_number management-port access-vlan vlan_number

Table 2-1 provides the arguments and keywords for the anomaly-detector module command.

Table 2-1 Arguments for the anomaly-detector Command

Parameter       Description
module_number   The number of the slot in which the module is inserted in the chassis (1-9).
vlan_number     Sets the VLAN ID used for management.


This example shows how to select VLAN 5 for a module inserted in slot number 4 in the chassis for management.

Sup(config)# anomaly-detector module 4 management-port access-vlan 5


Note You must also configure the Detector module management port interface, eth1. See the "Configuring a Physical Interface" section on page 3-9 for further details.


Configuring Traffic Sources for Capturing Traffic

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. The Detector module analyses the network traffic passing through it and monitors it for evolving attack patterns.

You can use one of the following methods to pass network traffic to the Detector module:

SPAN—Capture received or sent (or both) traffic on one or more source ports to a destination port for analysis. The Detector provides a single destination port for SPAN sessions. See the "Configuring SPAN" section for further details.

VLAN access list (VACL)—Forward traffic from either a WAN interface or VLANs to the Detector module data port. This is an alternative to using SPAN for the same purpose. You can set VACLs to capture traffic from a single VLAN or from multiple VLANs. See the "Configuring VACLs" section for further details.

For more information about SPAN, see the "Configuring SPAN and RSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

For more information about VACL, see the "Configuring VLAN ACLs" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

You can capture traffic for Detector module monitoring from a single VLAN or from multiple VLANs. If you want to monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor from the capture feature.

Configuring VACLs

You can set VACLs to capture traffic for IDS from a single VLAN or from multiple VLANs.

To set VACLs to capture IDS traffic on VLANs, follow these steps:


Step 1 Define the access list (ACL) and add ACE entries through the permit and/or deny statements. Enter the following:

ip access-list {standard | extended} acl-name

Table 2-2 provides the arguments and keywords for the ip access-list command.

Table 2-2 Arguments and Keywords for the ip access-list Command

Parameter   Description
standard    Specifies a standard IP access list.
extended    Specifies an extended IP access list.
acl-name    The name of the ACL. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.



Note Alternatively, you can use the access-list command.


Step 2 Define a VLAN access map. Enter the following:

vlan access-map map_name [0-65535]

The argument map_name specifies the name tag of the access map. You can specify a sequence number. If you do not specify a sequence number, a number is automatically assigned. Once you execute the command, you enter VLAN access map configuration mode.

You can enter one match clause and one action clause per map sequence.

Step 3 Configure a match clause in the VLAN access map sequence. Enter the following:

match ip address {acl_number | acl_name}

Table 2-3 provides the arguments and keywords for the match ip address command.

Table 2-3 Arguments for the match ip address Command

Parameter    Description
acl_number   Selects one or more IP ACLs for a VLAN access-map sequence. Valid values are from 1 to 199 and from 1300 to 2699.
acl_name     Selects an IP ACL by name.


Step 4 Configure an action clause in the VLAN access map sequence to forward the network traffic. Enter the following:

action forward capture

Step 5 Apply the VLAN access map to a VLAN interface. Enter the following:

vlan filter map_name vlan-list vlan_list

Table 2-4 provides the arguments for the vlan filter command.

Table 2-4 Arguments for the vlan filter Command

Parameter   Description
map_name    The VLAN access-map tag.
vlan_list   A VLAN list. Valid values are from 1 to 4094.


Step 6 Configure the Detector module data port to capture the traffic that the access map has flagged for capture.


Note This step is optional. By default, the Detector enables capturing traffic from all VLANs.


Type the following:

anomaly-detector module slot_number data-port port_number capture allowed-vlan vlan_range

Table 2-5 provides the arguments and keywords for the anomaly-detector module command.

Table 2-5 Arguments for the anomaly-detector module allowed-vlan Command

Parameter     Description
slot_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number   The number of the port used for data. The Detector module supports port 2 for data.
vlan_range    A range of VLANs, or several VLANs in a comma-separated list (do not enter space characters).


Step 7 Enable the capture function on the Detector module.

Type the following:

anomaly-detector module module_number data-port port_number capture

Table 2-6 provides the arguments and keywords for the anomaly-detector module command.

Table 2-6 Arguments for the anomaly-detector module Command

Parameter       Description
module_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number     The number of the port used for data. The Detector module supports port 1 for data.



Note You cannot configure a Detector module data port as both a SPAN destination port and a capture port.


For example:

Sup(config)# ip access-list extended detector-acl
Sup(config-ext-nacl)# permit ip any any
Sup(config-ext-nacl)# exit
Sup(config)# vlan access-map Detector 10
Sup(config-access-map)# match ip address detector-acl
Sup(config-access-map)# action forward capture
Sup(config-access-map)# exit
Sup(config)# vlan filter Detector vlan-list 85
Sup(config)# anomaly-detector module 8 data-port 2 capture


Configuring SPAN

From the privileged EXEC mode on the Supervisor console, follow these steps to create a SPAN session and specify the source (monitored) and destination (monitoring) ports:


Note You cannot use the Detector module ports as SPAN source ports.



Step 1 Specify the SPAN session and the source port (monitored port). Enter the following:

monitor session session_number source interface interface-id [, | -] [rx | tx]

Table 2-7 provides the arguments and keywords for the monitor session command.

Table 2-7 Arguments and Keywords for the monitor session source Command

Parameter        Description
session_number   The session identification number.
interface-id     The source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
, | -            (Optional) Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
rx | tx          (Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic.


Caution The Detector module receives a capture of the traffic for every direction specified. Refrain from specifying both rx and tx because this can result in two copies of the packet being forwarded to the Detector module ports and therefore affect performance.

rx—Monitor received traffic.

tx—Monitor sent traffic.


Step 2 Specify the SPAN session and the destination port (monitoring port). Enter the following:

monitor session SPAN_session_number destination anomaly-detector-module module_number [data-port port]

Table 2-8 provides the arguments and keywords for the monitor session command.

Table 2-8 Arguments for the monitor session destination Command

Parameter             Description
SPAN_session_number   The SPAN session identification number. Specify 1.
module_number         The number of the slot in which the module is inserted in the chassis (1-9).
port                  The number of the port used to capture data. The Detector module supports port 1 for data.


Step 3 Return to privileged EXEC mode. Enter the following:

end

Step 4 Verify your entries. Enter the following:

show monitor [session session_number]

The argument session_number specifies the session identification number.


This example shows how to set up SPAN session 1 to mirror received traffic from source port GigabitEthernet 1/2 to data port 2 of the Detector module in slot 4.

Sup(config)# monitor session 1 source interface GigabitEthernet 1/2 rx
Sup(config)# monitor session 1 destination anomaly-detector-module 4 data-port 2
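As an added check that is not part of the Cisco guide, the following Python script lints the SPAN and VACL capture lines an operator plans to enter against two rules stated in this chapter: a source port should not be mirrored in both directions (the Detector module would receive each packet twice), and a Detector module data port cannot be both a SPAN destination and a capture port. The planned configuration is constructed and deliberately contains both problems.

```python
import re
from collections import defaultdict

# Constructed sample of the supervisor lines an operator plans to enter (not
# captured from a real switch). It deliberately contains two of the conflicts
# this chapter warns about: rx and tx both mirrored for one source port, and
# module 4 data-port 2 used as both a SPAN destination and a capture port.
PLANNED_CONFIG = """\
monitor session 1 source interface GigabitEthernet 1/2 rx
monitor session 1 source interface GigabitEthernet 1/2 tx
monitor session 1 destination anomaly-detector-module 4 data-port 2
vlan filter Detector vlan-list 85
anomaly-detector module 4 data-port 2 capture
"""

SRC = re.compile(r"monitor session (\d+) source interface (.+?)(?: (rx|tx))?$")
DST = re.compile(r"monitor session (\d+) destination anomaly-detector-module (\d+)"
                 r"(?: data-port (\d+))?$")
CAP = re.compile(r"anomaly-detector module (\d+) data-port (\d+) capture(?: allowed-vlan \S+)?$")


def lint_detector_config(config):
    """Return a list of problems found in the planned SPAN and VACL capture lines."""
    directions = defaultdict(set)   # (session, interface) -> mirrored directions
    span_dest, capture = set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := SRC.match(line):
            session, iface, direction = m.groups()
            # Omitting rx/tx mirrors both directions, which the caution above warns against.
            directions[(session, iface)].update([direction] if direction else ["rx", "tx"])
        elif m := DST.match(line):
            _session, slot, port = m.groups()
            span_dest.add((slot, port))      # port is None when data-port was omitted
        elif m := CAP.match(line):
            capture.add(m.groups())          # (slot, port)
    problems = []
    for (session, iface), dirs in directions.items():
        if dirs == {"rx", "tx"}:
            problems.append(f"session {session}: {iface} mirrors both rx and tx, so the "
                            "Detector module may receive two copies of each packet")
    for slot, port in span_dest:
        for cslot, cport in sorted(capture):
            if slot == cslot and port in (None, cport):
                problems.append(f"module {slot} data-port {cport} is both a SPAN "
                                "destination and a VACL capture port")
    return problems
```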

Establishing a Session with the Detector Module

To log in to the Detector module, perform the following steps:


Step 1 Log in to the switch through Telnet or the console.

Step 2 Type the following at the supervisor prompt:

session slot slot_number processor processor_number 

Table 2-9 provides the arguments and keywords for the session slot command.

Table 2-9 Arguments for the session slot Command

Parameter          Description
slot_number        The number of the slot in which the module is inserted in the chassis (1-9).
processor_number   The number of the Detector module processor. The Detector module only supports management through processor 1.


Log in at the Detector module login prompt:

login: admin

Step 3 Enter the password.


Note If this is the first time you are establishing a session with the Detector module, you must choose a password. Passwords can contain up to 24 characters and cannot include spaces. You can change the password at any time. See the "Changing a Password" section on page 4-7 for further details.


After a successful login, the command-line prompt is represented as admin@DETECTOR#. This guide uses this prompt as its writing convention. You can change the prompt by changing the hostname. See the "Changing the Host Name" section on page 4-22 for further details.

Rebooting the Detector Module

The Cisco IOS provides the following commands to control the Detector module: boot, shutdown, power enable and reset:


Caution If you issue the reload command at the supervisor level, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Detector Module" section on page 3-12 for information on how to reload the Detector module.

shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Detector module, it is critical that you shut down the Detector module properly. Enter the following at the supervisor prompt:

hw-module module slot_number shutdown 

The argument slot_number specifies the number of the slot in which the module is inserted in the chassis.

You must then enter the hw-module module module_number reset command to restart the Detector module.

For example:

Sup# hw-module module 8 shutdown

Note The Detector module reboots if the switch is rebooted.


reset—Resets the module. This command is typically used in the upgrade process, to switch between AP and MP images, or to recover from a shutdown. The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following at the supervisor prompt:

hw-module module slot_number reset [string] 

The argument slot_number specifies the number of the slot in which the module is inserted in the chassis, and string is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Detector Module Version" section on page 10-25 for more information.

For example:

Sup# hw-module module 8 reset

no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following at the supervisor prompt:

no power enable module slot_number

The argument slot_number specifies the number of the slot in which the module is inserted in the chassis.

To switch the module on again, enter the following:

power enable module slot_number

For example:

Sup (config)# no power enable module 8 

boot—Forces the Detector module to boot to the maintenance partition (MP) at the next power on. Enter the following at the supervisor prompt:

boot device module slot_number cf:1 

The argument slot_number specifies the number of the slot in which the module is inserted in the chassis.

To enable the Detector module to boot to the default partition (AP) at the next boot cycle, enter the following:

no boot device module slot_number cf:1

For example:

Sup# boot device module 8 cf:1 


Caution The zone learning phase is restarted after reboot. See the "Rebooting the Detector module" section on page 3-13 for further details on the default behavior of the zones after reboot.

Verifying the Detector Module Configuration

To verify the Detector module configuration on the supervisor module, type the following at the supervisor prompt:

show anomaly-detector module slot_number {management-port | data-port port_number} [state | traffic]

Table 2-10 provides the arguments and keywords for the show anomaly-detector module command.

Table 2-10 Arguments for the show anomaly-detector module Command

Parameter     Description
slot_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number   The port number. Only port 1 is in use.
state         Displays the configuration of the specified port.
traffic       Displays the traffic statistics of the specified port.


For example:

Sup# show anomaly-detector module 7 data-port 1 state