Initializing the Detector Module
This chapter describes how to use the command line interface (CLI) and basic Detector module configuration procedures.
This chapter includes the following topics:
• Using the Command Line Interface
• Managing the Detector Module
• Configuring the Detector Module Interfaces
• Configuring the Default Gateway
• Managing the Detector Module with Web Based Management
• Accessing the Detector Module with SSH
• Reloading the Detector Module
• Rebooting the Detector module
Using the Command Line Interface
You can control the Detector module functions using the CLI. The Detector module user interface is divided into many different command modes, and the commands available to you at any given time depend on the mode you are currently in. Enter ? at the system prompt to obtain a list of commands available for each command mode.
Access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.
Table 3-1 describes the user privilege levels.
Table 3-1 User Privilege Levels
User Privilege Level | Command Group
Administrator (admin) | Full access to all command groups
Configuration (config) | Full access to all command groups except the commands relating to user definition, deletion, and modification
Dynamic (dynamic) | Access to show commands, detect and learning related commands and Flex and Dynamic filter configuration (see the note below)
Show (show) | All the Global command group show commands
Note: We recommend that Administrator and Configuration level users perform all filter configuration procedures. Lower level users can also add and remove dynamic filters.
Issuing Commands in the CLI
Table 3-2 summarizes the rules for entering CLI commands.
Table 3-2 CLI Rules
To | Keyboard Sequence
Scroll through and modify the command history | Use the arrow keys
Display commands available in a specific command mode | Shift + ?
Display a command completion | Type the beginning of the command and press TAB
Display a command syntax completion(s) | Type the command and press TAB twice
Scrolling using the more command | more number-of-lines. The more command configures the number of additional lines displayed in the window once you press the SPACE bar. The default is two lines less than the terminal is capable of. number-of-lines—configures the number of additional lines to be displayed once you press the SPACE bar.
Scrolling on a single screen (within a command output) | SPACE bar
Scrolling back a single screen (within a command output) | b
Stop scrolling movement | q
Search forward for a string | / string
Search backward for a string | ? string
Cancel the action or delete a parameter | Use the no form of a specific command
Display information relating to a current operation | show
To exit from a current command group level to a higher group level | exit
To exit all command group levels and return to the root level | end
Display command output from and including the first line that contains a string | | begin string
To display command output lines that include a string | | include string
To display command output lines that do not include a string | | exclude string

Note: If you issue the exit command at the root level, you will exit the CLI environment to the operating system login screen.
Using the No Form of a Command
Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor; the no event monitor command turns it off.
Show Command Syntax
You can execute zone-related show commands from the Zone command group level. Alternatively, you can execute these commands from the Global or Configuration command group levels.
The syntax for the show command in the Global or Configuration command group levels is:
show zone zone-name parameters...
The syntax for the show command in the Zone command group level is:
show parameters...
Note: This guide uses the show command syntax from the zone command group level as its writing convention.
CLI Error Messages
The Detector module CLI displays error messages in the following cases:
• The syntax of the typed command is incomplete or incorrect.
• The typed command does not match the system configuration.
• The operation could not be performed due to a system failure. In this case, an entry is created in the system's log.
Tips for Using the CLI
Help
The CLI provides context-sensitive help at every level of the command hierarchy. The help information tells you which commands are available at the current level in the hierarchy and provides a brief description of each command.
To get help, type ?.
To display help for a command, type ? after the command.
Typing ? at the command prompt displays all commands available in that mode along with a short description.
The help displays only commands available in the current mode.
Tab Completion
You can type a portion of a command and press Tab to complete the command.
After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters. This is true for both system-defined and user-defined parameters.
For example, pressing Tab twice after entering the policy-template command at the zone prompt displays the list of policy template names. Pressing Tab twice after entering the zone command at the configuration prompt displays zones that are already defined.
If multiple commands match for a tab completion, nothing is displayed; the terminal repeats the current line you entered.
Tab completion and help display only commands available for the current mode.
Operation Direction Conventions
In general, when ftp comes before the command name, the direction of the command is to copy from the Detector module to the FTP server. When the command comes before the FTP, the direction of the command is to copy from the FTP server to the Detector module. For example, the copy log ftp command copies the log file to the FTP server. The copy ftp new-version command copies the new version from the FTP server to the Detector module.
Abbreviating a Command
You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.
For example, you can abbreviate the show command to sh.
Wildcard Characters
You can use an asterisk (*) as a wildcard.
For example:
If you issue the learning policy-construction * command, the policy construction phase is activated for all of the Detector module's zones.
If you issue the learning policy-construction scan* command, the policy construction phase is activated for all Detector module zones with names that begin with scan (such as scannet, scanserver and so on).
If you issue the no zone * command, all zones are removed.
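The abbreviation and wildcard rules above can be modelled offline to preview which zones a command would touch before it is issued. This is an added example, not code from the product; the command list and the zone webfarm are constructed, and case-sensitive matching with * as the only wildcard is an assumption.

```python
import re

# Constructed sample data: commands in some mode and the defined zones.
COMMANDS = ["show", "copy", "configure", "learning", "zone", "exit"]
ZONES = ["scannet", "scanserver", "webfarm"]


def resolve_abbreviation(typed, commands):
    """Return the one command `typed` abbreviates, or None when the
    prefix is ambiguous or matches nothing."""
    if typed in commands:
        return typed
    matches = [c for c in commands if c.startswith(typed)]
    return matches[0] if len(matches) == 1 else None


def expand_zone_wildcard(pattern, zones):
    """Return the zone names selected by an argument such as scan* or *.

    Assumption: * matches any run of characters; everything else is literal.
    """
    regex = re.compile(".*".join(re.escape(p) for p in pattern.split("*")))
    return [z for z in zones if regex.fullmatch(z)]


def preview(typed_command, zone_pattern):
    """Resolve the command word and list the zones it would act on."""
    command = resolve_abbreviation(typed_command, COMMANDS)
    if command is None:
        raise ValueError(f"{typed_command!r} is not a unique abbreviation")
    return command, expand_zone_wildcard(zone_pattern, ZONES)


if __name__ == "__main__":
    print(preview("le", "scan*"))   # learning on scannet and scanserver
    print(preview("z", "*"))        # every zone: the scope of "no zone *"
```

Running the preview against the real zone list before a command such as no zone scan* shows exactly which zones fall inside the pattern.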
Managing the Detector Module
Once you have established a session from the supervisor and configured the Detector module networking (see "Configuring the Detector Module on the Supervisor Module" and the "Configuring the Detector Module Interfaces" section), you can access and manage the Detector module using one of the following methods:
• Access using a Secure Shell (SSH) session. See the "Accessing the Detector Module with SSH" section for further details.
• Access the Detector module using Web-Based Management (WBM). See the "Managing the Detector Module with Web Based Management" section for further details.
• Access from a DDoS-sensing network element to establish a connection and form a counter DDoS system. Refer to the appropriate documentation for further details.
Configuring the Detector Module Interfaces
This section describes the procedures to configure the Detector module interfaces. The Detector module has one management port and two data ports on the supervisor.
In the current version, only one data port is utilized.
You must configure Detector module interfaces for proper Detector module functioning. Interface characteristics include, but are not limited to, IP address and interface MTU.
Caution: You must not configure two physical interfaces on the same subnet.
Many features are enabled on a per-interface basis. When you enter the interface command, you must specify the interface type and number.
The following general guidelines apply to all physical and virtual interface configuration processes:
• Each interface must be configured with an IP address and an IP subnet mask.
• You must activate each interface using the no shutdown command.
• After every major interface configuration change, you must reload the Detector module.
To display the configuration of an interface, use the show or show running-config commands.
Configuring a Physical Interface
To configure a physical interface, perform the following steps:
Step 1: Enter the interface configuration mode. Enter the following:
interface if-name
The argument if-name specifies the interface name.
Type one of the following:
• eth1—Management port
• giga2—Data port
Step 2: Set the interface IP address. Enter the following:
ip address ip-addr ip-mask
The arguments ip-addr and ip-mask define the interface's IP address.
Step 3: (Optional) Define the interface MTU. Enter the following:
where integer is an integer between 576 and 16384 bytes for the eth1 interface and an integer between 576 and 1824 for the giga2 interface.
The default MTU value is 1500 bytes.
Step 4: Activate the interface. Enter the following:
no shutdown
You must reload the Detector module configuration if you have made major changes.
Note: If you do not reload the Detector module configuration, the configuration is modified, but the change does not take effect until the configuration is reloaded.
For example:
admin@DETECTOR-conf# interface eth1
admin@DETECTOR-conf-if-eth1#
admin@DETECTOR-conf-if-eth1# ip address 10.10.10.33 255.255.255.252
admin@DETECTOR-conf-if-eth1# no shutdown
Configuring the Default Gateway
You can assign a default gateway to the Detector module. In most cases, the Detector module's default gateway IP address is that of the adjacent router, located between the Detector module and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Detector module's network interfaces.
To assign a default Gateway address, enter the following:
default-gateway ip-addr
The argument ip-addr specifies the default Gateway IP address.
To modify the default gateway address, reissue the command.
For example:
admin@DETECTOR-conf# default-gateway 192.168.100.1
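The interface and gateway rules in the two sections above (no two physical interfaces on the same subnet, the per-interface MTU ranges, and a gateway that sits on one of the interface networks) can be checked against a planned addressing scheme before it is typed in. This is an added example, not part of the product; the function name and both sample plans are constructed.

```python
import ipaddress

# MTU limits per interface, as given in Step 3 of the procedure above.
MTU_RANGE = {"eth1": (576, 16384), "giga2": (576, 1824)}

# Constructed sample plans: {if-name: (ip-addr, ip-mask, mtu)}.
GOOD_PLAN = {"eth1": ("10.10.10.33", "255.255.255.252", 1500),
             "giga2": ("192.168.100.2", "255.255.255.0", 1500)}
BAD_PLAN = {"eth1": ("192.168.100.5", "255.255.255.0", 1500),
            "giga2": ("192.168.100.130", "255.255.255.128", 9000)}


def check_plan(interfaces, gateway):
    """Return a list of rule violations for a planned configuration."""
    problems = []
    nets = {}
    for name, (addr, mask, mtu) in interfaces.items():
        if name not in MTU_RANGE:
            problems.append(f"{name}: unknown interface name")
            continue
        nets[name] = ipaddress.IPv4Interface(f"{addr}/{mask}").network
        low, high = MTU_RANGE[name]
        if not low <= mtu <= high:
            problems.append(f"{name}: MTU {mtu} outside {low}-{high}")
    # Two physical interfaces must not share (or overlap) a subnet.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(
                    f"{a} and {b}: subnets {nets[a]} and {nets[b]} overlap")
    # The default gateway must be on the network of one of the interfaces.
    gw = ipaddress.IPv4Address(gateway)
    if not any(gw in net for net in nets.values()):
        problems.append(f"gateway {gateway}: not on any interface network")
    return problems


if __name__ == "__main__":
    print(check_plan(GOOD_PLAN, "192.168.100.1"))
    for problem in check_plan(BAD_PLAN, "10.0.0.1"):
        print(problem)
```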
Managing the Detector Module with Web Based Management
You can manage the Detector module from a web browser using Web-Based Management (WBM).
To enable the Detector module WBM, perform the following steps:
Step 1: Enable the WBM service. Enter the following:
service wbm
Step 2: Permit access to the Detector module from the remote manager's IP address. Enter the following:
permit wbm ip-addr [ip-mask]
The arguments ip-addr and ip-mask define the remote manager's IP address.
Step 3: Open the browser and type the following address:
https://Detector module-ip-address/
The argument Detector module-ip-address is the IP address of the Detector module.
The Detector module WBM window appears.
Note: HTTPS, not HTTP, is used to enable web based management control.
Step 4: Enter your username and password and click OK.
After you enter the user name and password correctly, the Detector's home page is displayed.
For example:
admin@DETECTOR-conf# service wbm
admin@DETECTOR-conf# permit wbm 192.168.30.32
Accessing the Detector Module with SSH
You can access the Detector module using a Secure Shell (SSH) connection. This section describes the Detector module SSH communication configuration.
Note: The SSH service is enabled by default.
To enable SSH connection to the Detector module, perform the following steps:
Step 1: Permit access to the Detector module from the remote network address. Enter the following:
permit ssh ip-addr [ip-mask]
The arguments ip-addr and ip-mask define the remote network IP address.
Step 2: Establish a connection from the remote network address and enter the login and password. To enable SSH connection without the need to enter a login and password, add the remote connection SSH public key to the Detector module SSH key list. See the "Managing SSH Keys" section for further details.
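The permit wbm and permit ssh entries from the two procedures above define which source addresses can reach the management services, so they are worth auditing. The following added example (not part of the product) parses such entries and reports which sources they admit; the sample lines are constructed, and it assumes that saved configuration lines have the same form as the commands and that an omitted ip-mask means a single host.

```python
import ipaddress
import re

# Constructed sample configuration lines; the addresses are illustrative.
SAMPLE_CONFIG = """\
service wbm
permit wbm 192.168.30.32
permit ssh 192.168.30.0 255.255.255.0
permit ssh 10.0.0.0 255.0.0.0
"""

PERMIT_RE = re.compile(r"^permit (wbm|ssh) (\S+)(?: (\S+))?$")


def parse_permits(config_text):
    """Return [(service, IPv4Network)] for every permit wbm/ssh line."""
    entries = []
    for line in config_text.splitlines():
        match = PERMIT_RE.match(line.strip())
        if not match:
            continue
        service, addr, mask = match.groups()
        # Assumption: no ip-mask means the entry covers one host only.
        net = ipaddress.IPv4Network(
            f"{addr}/{mask or '255.255.255.255'}", strict=False)
        entries.append((service, net))
    return entries


def is_permitted(entries, service, source_ip):
    """True when source_ip falls inside a permit entry for the service."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(svc == service and ip in net for svc, net in entries)


def broad_entries(entries, max_hosts=256):
    """Entries that admit more source addresses than max_hosts."""
    return [(svc, net) for svc, net in entries
            if net.num_addresses > max_hosts]


if __name__ == "__main__":
    permits = parse_permits(SAMPLE_CONFIG)
    print(is_permitted(permits, "wbm", "192.168.30.33"))  # not listed
    for svc, net in broad_entries(permits):
        print(f"review: permit {svc} covers {net.num_addresses} addresses ({net})")
```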
Reloading the Detector Module
The reload command enables you to reload the Detector module's configuration without the need to reboot the machine.
Caution: Issuing the reload command affects details in the Detector module configurations and deactivates the learning and the detection processes.
Use the reload command to reload the Detector module.
For the following changes to take effect, you must reload the Detector module:
• Interface IP address modification
• Interface activation/deactivation
• Default Gateway IP address modification
• Burning a new flash
Rebooting the Detector module
The default behavior of the Detector is to reactivate zones that were active prior to the reboot process.
You can change the default behavior to load all zones in an inactive mode. Enter the following:
no boot reactivate-zones
Caution: The zone learning phase is restarted after reboot.