Table Of Contents
Initializing the Detector Module
Using the Command Line Interface
Understanding User Privilege Levels
Understanding Command Modes
Entering CLI Commands
Using the No Form of a Command
show Command Syntax
CLI Error Messages
Tips for Using the CLI
Using Help
Using Tab Completion
Understanding Convention of Operation Direction
Abbreviating a Command
Using Wildcard Characters
Configuring the Detector Module Interfaces
Configuring a Physical Interface
Configuring the Default Gateway
Managing the Detector Module
Managing the Detector Module with a Web-Based Manager
Accessing the Detector Module with SSH
Initializing the Detector Module
This chapter describes the basic tasks required to initialize the Cisco Traffic Anomaly Detector Module (Detector module) in a network and how to manage it.
This chapter includes the following topics:
• Using the Command Line Interface
• Configuring the Detector Module Interfaces
• Configuring the Default Gateway
• Managing the Detector Module
Using the Command Line Interface
You can control the Detector module functions by using the Command-Line Interface (CLI). The Detector module user interface is divided into many different command modes and the access to the CLI is mapped according to user privilege levels. The commands that are available to you depend on which mode you are currently in.
This section includes the following topics:
• Understanding User Privilege Levels
• Understanding Command Modes
• Entering CLI Commands
• Tips for Using the CLI
Understanding User Privilege Levels
The access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.
Table 3-1 describes the user privilege levels.
Table 3-1 User Privilege Levels
| User Privilege Level | Description |
| --- | --- |
| Administration (admin) | Provides access to all operations. |
| Configuration (config) | Provides access to all operations except for operations relating to user definition, deletion, and modification. |
| Dynamic (dynamic) | Provides access to monitoring and diagnostics operations, detection, and learning-related operations. Users with Dynamic privileges can also configure Flex-Content filters and Dynamic filters. |
| Show (show) | Provides access to monitoring and diagnostic operations. |
Note
We recommend that users with Administration and Configuration privilege levels configure all filters. Users with lower privilege levels can add and remove Dynamic filters.
Understanding Command Modes
This section contains summaries of the command and configuration modes used in the Detector module Command-Line Interface (CLI). To obtain a list of commands available for each command mode, enter ? at the system prompt.
Table 3-2 lists and describes the Detector module command modes.
Table 3-2 Detector module Command Configuration Modes
| Mode | Description |
| --- | --- |
| Global | Allows you to connect to remote devices and list system information. The Global prompt is the default prompt when you log into the Detector module. The command prompt is as follows: |
| Configuration | Allows you to configure features that affect the Detector module as a whole and have restricted user access. To enter configuration mode, use the configure command in global mode. The command prompt is as follows: |
| Interface configuration | Allows you to configure the Detector module networking interfaces. To enter interface configuration mode, use the interface command in configuration mode. The command prompt is as follows: user@DETECTOR-conf-if-<interface-name># |
| Zone configuration | Allows you to configure the zone attributes. To enter zone configuration mode, use the zone command in configuration mode or use the configure command in global mode. The command prompt is as follows: user@DETECTOR-conf-zone-<zone-name># |
| Policy template configuration | Allows you to configure the zone policy templates. To enter policy template configuration mode, use the policy-template command in zone configuration mode. The command prompt is as follows: user@DETECTOR-conf-zone-<zone-name>-policy_template-<policy-template-name># |
| Policy configuration | Allows you to configure the zone policies. To enter policy configuration mode, use the policy command in zone configuration mode. The command prompt is as follows: user@DETECTOR-conf-zone-<zone-name>-policy-<policy-path># |
| Guard configuration | Allows you to configure the zone definitions that are unique to the Cisco Anomaly Guard Module, such as user filters. To enter guard configuration mode, use the guard-conf command in zone configuration mode. The command prompt is as follows: user@DETECTOR-conf-zone-<zone-name>(guard)# |
Entering CLI Commands
This section describes the rules for entering CLI commands.
This section includes the following topics:
• Using the No Form of a Command
• show Command Syntax
• CLI Error Messages
Table 3-3 describes the rules for entering CLI commands.
Table 3-3 CLI Rules
| Action | Keyboard Sequence |
| --- | --- |
| Scroll through and modify the command history | Use the arrow keys. |
| Display commands available in a specific command mode | Shift + ? |
| Display a command completion | Type the beginning of the command and press TAB. |
| Display a command syntax completion(s) | Type the command and press TAB twice. |
| Scroll using the more command | Enter the more number-of-lines command. The more command configures the number of additional lines displayed in the window once you press the SPACE bar. The default is two lines less than the capability of the terminal. The number-of-lines argument configures the number of additional lines to be displayed once you press the SPACE bar. |
| Scroll on a single screen (within a command output) | SPACE bar |
| Scroll back a single screen (within a command output) | b |
| Stop scroll movement | q |
| Search forward for a string | / string |
| Search backward for a string | ? string |
| Cancel the action or delete a parameter | Use the no form of a specific command. |
| Display information relating to a current operation | show |
| Exit from a current command group level to a higher group level | exit |
| Exit all command group levels and return to the root level | end |
| Display command output from and including the first line that contains a string | \| begin string |
| Display command output lines that include a string | \| include string |
| Display command output lines that do not include a string | \| exclude string |

Note
If you enter the exit command at the root level, you exit the CLI environment to the operating system login screen.
Using the No Form of a Command
Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor, and the no event monitor command turns it off.
show Command Syntax
You can execute zone-related show commands from the zone configuration mode. Alternatively, you can execute these commands from the global or configuration modes.
The following is the syntax for the show command in global or configuration modes:
show zone zone-name parameters...
The following is the syntax for the show command in zone configuration mode:
show parameters...
Note
This publication uses the show command syntax from the zone configuration mode unless explicitly specified.
CLI Error Messages
The Detector module CLI displays error messages in the following situations:
• The syntax of the command is incomplete or incorrect.
• The command does not match the system configuration.
• The operation could not be performed due to a system failure. In this situation, an entry is created in the system log.
Tips for Using the CLI
This section provides tips for using the CLI and includes the following topics:
• Using Help
• Using Tab Completion
• Understanding Convention of Operation Direction
• Abbreviating a Command
• Using Wildcard Characters
Using Help
The CLI provides context-sensitive help at every mode of the command hierarchy. The help information tells you which commands are available at the current command mode and provides a brief description of each command.
To get help, type ?.
To display help for a command, type ? after the command.
To display all commands available in a mode along with a short description, enter ? at the command prompt.
The help displays commands available in the current mode only.
Using Tab Completion
You can use tab completion to reduce the number of characters you need to type for a command. Type the first few characters of a command and press Tab to complete the command.
After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters, including system-defined parameters and user-defined parameters. For example, if you press Tab twice after entering the policy-template command in zone configuration mode, the list of policy template names is displayed. If you press Tab twice after entering the zone command in configuration mode, zones that are already defined are displayed.
If multiple commands match for a Tab completion action, nothing is displayed; the system repeats the current line you entered.
The tab completion feature displays only commands available for the current mode.
Understanding Convention of Operation Direction
The order of keywords in the command syntax defines the direction of the operation. When the keyword is entered before the command name, the Detector module copies data from the Detector module to the server. When the command name comes before the keyword, the Detector module copies data from the server to the Detector module. For example, the copy log ftp command copies the log file from the Detector module to the FTP server. The copy ftp new-version command copies the new software version file from the FTP server to the Detector module.
Abbreviating a Command
You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.
For example, you can abbreviate the show command to sh.
Using Wildcard Characters
You can use an asterisk (*) as a wildcard.
For example, if you enter the learning policy-construction * command, the policy construction phase is activated for all the zones that are configured on the Detector module.
If you enter the learning policy-construction scan* command, the policy construction phase is activated for all the zones that are configured on the Detector module with names that begin with scan (such as scannet, scanserver, and so on).
If you enter the no zone * command, all zones are removed.
Configuring the Detector Module Interfaces
The Detector module has one management port and two data ports on the supervisor engine. Only one data port is used.
Enter configuration mode to configure the Detector module by entering the following command:
configure [terminal]
The following example shows how to enter configuration mode:
You must configure the Detector module interfaces for proper Detector module functioning. Interface characteristics include, but are not limited to, the IP address and the interface MTU.
Many features are enabled on a per-interface basis. When you enter the interface command, you must specify the interface type and number.
The following guidelines apply to all physical and virtual interface configuration processes:
• Each interface must be configured with an IP address and an IP subnet mask.
• You must activate each interface using the no shutdown command.
To display the configuration of an interface, enter the show or show running-config commands.
Configuring a Physical Interface
To connect the Detector module to a network, configure a physical interface.
Caution 
Do not configure two physical interfaces on the same subnet or the Detector module routing may not work properly.
To configure a physical interface, perform the following steps:
Step 1
Enter interface configuration mode by entering the following command in configuration mode:
The if-name argument specifies the interface name.
The Detector module supports the following interfaces:
• eth1—Management port
• giga2—Data port
Caution
Step 2
Set the interface IP address by entering the following command:
ip address ip-addr ip-mask
The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).
Step 3
(Optional) Define the interface MTU by entering the following command:
The integer argument is an integer between 576 and 16384 bytes for the eth1 interface and an integer between 576 and 1824 for the giga2 interface.
The default MTU value is 1500 bytes.
Step 4
(Optional) Configure the interface speed and duplex mode by entering the following command:
speed {auto | half speed | full speed}
Table 3-4 provides the arguments and keywords for the speed command.
Table 3-4 Arguments and Keywords for the speed Command
Parameter
|
Description
|
auto
|
Turns on the interface auto-negotiation capability. The interface automatically operates at 10/100/1000 Mbps and half or full duplex, depending on environmental factors, such as the type of media and transmission speeds for the peer routers, hubs, and switches used in the network configuration.
This mode is the default.
|
half
|
Specifies half-duplex operation.
|
full
|
Specifies full-duplex operation.
|
speed
|
Interface speed. Enter 10, 100, or 1000 for 10 Mbps, 100 Mbps, and 1000 Mbps.
|
Step 5
Activate the interface by entering the following command:
You must reload the Detector module for the configuration change to take effect.
The following example shows how to configure and activate interface eth1:
user@DETECTOR-conf# interface eth1
user@DETECTOR-conf-if-eth1# ip address 10.10.10.33 255.255.255.252
user@DETECTOR-conf-if-eth1# no shutdown
To deactivate a physical interface, enter the shutdown command.
Configuring the Default Gateway
The default gateway is the IP address of a gateway (for example, a router connected to the network) that receives and forwards packets whose IP addresses are unknown to the local network. In most cases, the Detector module default gateway IP address is the adjacent router, located between the Detector module and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Detector module network interfaces.
To assign a default gateway address, enter the following command in configuration mode:
default-gateway ip-addr
The ip-addr argument specifies the default gateway IP address. Enter the IP address in dotted-decimal notation (for example, enter an IP address of 192.168.100.1).
To modify the default gateway address, reenter the command.
The following example shows how to configure the default gateway:
user@DETECTOR-conf# default-gateway 192.168.100.1
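The interface and default-gateway rules above can be checked before any command is typed. The following Python sketch is an added example, not part of the Cisco documentation; the function name check_plan, the dictionary layout, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# MTU limits per interface, taken from Step 3 of the procedure above.
MTU_LIMITS = {"eth1": (576, 16384), "giga2": (576, 1824)}
DEFAULT_MTU = 1500


def check_plan(interfaces, default_gateway):
    """Validate a planned configuration (hypothetical layout).

    interfaces: {"eth1": {"ip": "...", "mask": "...", "mtu": 1500}, ...}
    Returns a list of human-readable problems; an empty list means the
    plan satisfies the rules stated in this chapter.
    """
    problems = []
    networks = {}
    for name, cfg in interfaces.items():
        if name not in MTU_LIMITS:
            problems.append(f"{name}: unsupported interface name")
            continue
        try:
            iface = ipaddress.IPv4Interface(f"{cfg['ip']}/{cfg['mask']}")
        except ValueError as exc:
            problems.append(f"{name}: invalid address or mask ({exc})")
            continue
        low, high = MTU_LIMITS[name]
        mtu = cfg.get("mtu", DEFAULT_MTU)
        if not low <= mtu <= high:
            problems.append(f"{name}: MTU {mtu} outside {low}-{high}")
        # Caution above: two physical interfaces must not share a subnet.
        for other, net in networks.items():
            if iface.network.overlaps(net):
                problems.append(f"{name}: same subnet as {other} ({net})")
        networks[name] = iface.network
    try:
        gateway = ipaddress.IPv4Address(default_gateway)
    except ValueError:
        problems.append(f"default-gateway {default_gateway} is not a valid address")
        return problems
    # The gateway must be on the network of one of the interfaces.
    if not any(gateway in net for net in networks.values()):
        problems.append(f"default-gateway {gateway} is not on any interface network")
    return problems


if __name__ == "__main__":
    # Constructed sample plan, not taken from a real device.
    plan = {
        "eth1": {"ip": "10.10.10.33", "mask": "255.255.255.252"},
        "giga2": {"ip": "10.10.10.34", "mask": "255.255.255.252", "mtu": 9000},
    }
    for problem in check_plan(plan, "192.168.100.1"):
        print(problem)
```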
Managing the Detector Module
After you establish a session from the supervisor engine and configure the Detector module networking (see "Configuring the Detector Module on the Supervisor Engine" and the "Configuring the Detector Module Interfaces" section), you can access and manage the Detector module using one of the following methods:
• Access using a secured shell (SSH) session.
• Access the Detector module using a Web-Based Manager (WBM).
• Access from a DDoS-sensing network element. Refer to the appropriate documentation for more information.
This section contains the following topics:
• Managing the Detector Module with a Web-Based Manager
• Accessing the Detector Module with SSH
Managing the Detector Module with a Web-Based Manager
You can manage the Detector module from the web with a web-based manager (WBM) using a web browser.
To enable the Detector module WBM, perform the following steps:
Step 1
Enable the WBM service by entering the following command in configuration mode:
Step 2
Permit access to the Detector module from the remote manager IP address by entering the following command in configuration mode:
permit wbm ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the remote manager IP address. Enter the IP address and subnet mask in dotted-decimal notation.
Step 3
Open the browser and enter the following address:
https://Detector module-ip-address/
The Detector module-ip-address argument is the IP address of the Detector module.
The Detector module WBM window appears.
Note
HTTPS, not HTTP, is used to enable web-based management control.
Step 4
Enter your username and password and click OK.
After you enter the username and password correctly, the Detector home page is displayed.
If TACACS+ authentication is configured, the TACACS+ user database is used for user authentication rather than the local database.
The following example shows how to enable the Detector module WBM:
user@DETECTOR-conf# service wbm
user@DETECTOR-conf# permit wbm 192.168.30.32
Accessing the Detector Module with SSH
You can access the Detector module using a secured shell (SSH) connection.
The SSH service is enabled by default.
To enable SSH connection to the Detector module, perform the following steps:
Step 1
Permit access to the Detector module from the remote network IP address by entering the following command in configuration mode:
permit ssh ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the remote network IP address. Enter the IP address and subnet mask in dotted-decimal notation.
Step 2
Establish a connection from the remote network address and enter the login and password.
To enable the SSH connection without entering a login and password, add the remote connection SSH public key to the Detector module SSH key list.
See the "Managing SSH Keys" section for more information.
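The permit wbm and permit ssh commands in the two procedures above decide which source addresses can reach the management services, so the entries are worth reviewing for overly wide ranges. The following Python sketch is an added example, not part of the Cisco documentation; it assumes the saved configuration contains the permit lines as they are typed at the prompt, that an omitted ip-mask means a single host, and the function name audit_permits and the max_hosts threshold are hypothetical.

```python
import ipaddress


def audit_permits(config_text, max_hosts=256):
    """Flag permit wbm / permit ssh entries that admit a wide source range.

    Returns a list of (service, source, finding) tuples. max_hosts is the
    largest number of addresses one entry may admit before it is flagged.
    """
    findings = []
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "permit" or words[1] not in ("wbm", "ssh"):
            continue
        service, addr = words[1], words[2]
        # Assumption: no ip-mask on the line means one host.
        mask = words[3] if len(words) > 3 else "255.255.255.255"
        try:
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            findings.append((service, f"{addr} {mask}", "unparseable address or mask"))
            continue
        if net.num_addresses > max_hosts:
            findings.append((service, str(net), f"admits {net.num_addresses} addresses"))
    return findings


# Constructed sample configuration, built from the command syntax shown above.
SAMPLE_CONFIG = """\
service wbm
permit wbm 192.168.30.32
permit ssh 192.168.30.0 255.255.255.0
permit ssh 10.0.0.0 255.0.0.0
permit ssh 10.1.1.1 255.0.255.0
"""

if __name__ == "__main__":
    for service, source, finding in audit_permits(SAMPLE_CONFIG):
        print(f"permit {service} {source}: {finding}")
```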