Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.1)
Configuring the Detector Module on the Supervisor Engine

This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) on the supervisor engine. You must configure the Detector module on the supervisor engine before you can establish a session with the Detector module to configure it.

You can install the Cisco Traffic Anomaly Detector Module (Detector module) in a Catalyst 6500 series switch or a 7600 series router. See the "Understanding the Cisco Traffic Anomaly Detector Module" section on page 1-1 for more information.

This chapter consists of the following sections:

Verifying the Detector Module Installation

Setting Up Detector Module Management

Configuring Traffic Sources for Capturing Traffic

Establishing a Session with the Detector Module

Rebooting the Detector Module

Verifying the Detector Module Configuration

To configure the Detector module on the supervisor engine, you must have EXEC privileges and must be in configuration mode.

To save all configuration changes to the Flash memory, use the write memory command in privileged EXEC mode.

Verifying the Detector Module Installation

Verify that the supervisor engine acknowledges the new Detector module and has brought it online.


Note For information on how to install the Detector module in the Catalyst 6500 series switch, refer to the Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note.


To verify the installation, perform the following steps:


Step 1 Log into the supervisor engine console.

Step 2 Verify that the Detector module is online. Enter the following command:

show module 

This example shows the output of the show module command:

Sup# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
...
  6     3 Anomaly Detector Module                WS-SVC-adm-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw         Sw          Status
--- ----------------------------------- ----- ---------- ----------- -------
...
  6 000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)     4.0(0.10)   Ok
...
Sup#


Note When the Detector module is first installed, the status is usually "other." Once the Detector module completes the diagnostic routines and comes online, the status reads "OK." Allow at least 5 minutes for the Detector module to come online.
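As a check to run alongside Step 2 (added here; this is not part of the Cisco guide), the following Python parses show module output and reports whether the Detector module in a given slot shows status Ok rather than the "other" shown while diagnostics run. The sample output is constructed from the listing above.

```python
import re

# Constructed sample modelled on the show module listing above (not a live capture)
SAMPLE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
...
  6     3 Anomaly Detector Module                WS-SVC-adm-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw         Sw          Status
--- ----------------------------------- ----- ---------- ----------- -------
...
  6 000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)     4.0(0.10)   Ok
...
"""

# First table: slot, port count, card type (two or more spaces before the model), model, serial
CARD_ROW = re.compile(r"^\s*(\d+)\s+\d+\s+(.+?)\s{2,}(\S+)\s+(\S+)\s*$")
# Second table: slot, MAC range, Hw, Fw, Sw, Status
STATUS_ROW = re.compile(r"^\s*(\d+)\s+\S+ to \S+\s+\S+\s+\S+\s+\S+\s+(\S+)\s*$")


def detector_status(output):
    """Return {slot: status} for every Anomaly Detector card in show module output."""
    slots = {}
    for line in output.splitlines():
        m = CARD_ROW.match(line)
        if m and "Anomaly Detector" in m.group(2):
            slots[int(m.group(1))] = None      # status filled in from the second table
    for line in output.splitlines():
        m = STATUS_ROW.match(line)
        if m and int(m.group(1)) in slots:
            slots[int(m.group(1))] = m.group(2)
    return slots


def detector_online(output, slot):
    """True only when the Detector module in `slot` reports Ok; 'other' (still running
    diagnostics) or a missing row both count as not online."""
    return detector_status(output).get(slot) == "Ok"
```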



Setting Up Detector Module Management

To establish a remote management session with the Detector module, you must set the Detector module management port.

To select a VLAN for management, use the following command:

anomaly-detector module module_number management-port access-vlan vlan_number

Table 2-1 provides the arguments and keywords for the anomaly-detector module command.

Table 2-1 Arguments and Keywords for the anomaly-detector module Command

Parameter        Description
module_number    The number of the slot in which the module is inserted in the chassis (1-9).
vlan_number      Sets the VLAN ID used for management.


The following example shows how to select VLAN 5 for a module inserted in slot number 4 in the chassis for management:

Sup(config)# anomaly-detector module 4 management-port access-vlan 5

To establish a remote management session with the Detector module, you must also configure the following on the Detector module:

Configure the Detector module management port interface, eth1. See the "Configuring a Physical Interface" section on page 3-11.

Enable the relevant services. See the "Managing the Detector" section on page 3-14.

Configuring Traffic Sources for Capturing Traffic

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. The Detector module analyzes the network traffic passing through it and monitors it for evolving attack patterns.

You can use one of the following methods to pass network traffic to the Detector module:

SPAN—Capture received or sent (or both) traffic on one or more source ports to a destination port for analysis. The Detector module provides a single destination port for SPAN sessions. See the "Configuring SPAN" section for further details.

VLAN access list (VACL)—Forward traffic from either a WAN interface or VLANs to the Detector module data port. This is an alternative to using SPAN for the same purpose. You can set VACLs to capture traffic from a single VLAN or from multiple VLANs. See the "Configuring VACLs" section for further details.

For more information about SPAN, refer to the "Configuring SPAN and RSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

For more information about VACL, refer to the "Configuring VLAN ACLs" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

You can capture traffic for Detector module monitoring from a single VLAN or from multiple VLANs. If you want to monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor from the capture feature.

Configuring VACLs

You can set VACLs to capture traffic for the Detector module from a single VLAN or from multiple VLANs.

To configure VACLs to capture Detector module traffic on VLANs, follow these steps:


Step 1 Define the access list (ACL) and add access-control entries (ACE) through the permit and/or deny statements. Enter the following command:

ip access-list {standard | extended} acl-name

Table 2-2 provides the arguments and keywords for the ip access-list command.

Table 2-2 Arguments and Keywords for the ip access-list Command

Parameter    Description
standard     Specifies a standard IP access list.
extended     Specifies an extended IP access list.
acl-name     The name of the ACL. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.



Note Alternatively, you can use the access-list command.


Step 2 Define a VLAN access map. Enter the following command:

vlan access-map map_name [0-65535]

The map_name argument specifies the name tag of the access map. You can specify a sequence number. If you do not specify a sequence number, a number is automatically assigned. Once you execute the command, you enter VLAN access map configuration mode.

You can enter one match clause and one action clause per map sequence.

Step 3 Configure a match clause in the VLAN access map sequence. Enter the following command:

match ip address {acl_number | acl_name}

Table 2-3 provides the arguments and keywords for the match ip address command.

Table 2-3 Arguments for the match ip address Command

Parameter    Description
acl_number   Selects one or more IP ACLs for a VLAN access-map sequence. Valid values are from 1 to 199 and from 1300 to 2699.
acl_name     Selects an IP ACL by name.


Step 4 Configure an action clause in the VLAN access map sequence to forward the network traffic. Enter the following command:

action forward capture

Step 5 Apply the VLAN access map to a VLAN interface. Enter the following command:

vlan filter map_name vlan-list vlan_list

Table 2-4 provides the arguments and keywords for the vlan filter command.

Table 2-4 Arguments and Keywords for the vlan filter Command

Parameter             Description
map_name              The VLAN access-map tag.
vlan-list vlan_list   A VLAN list. Valid values are from 1 to 4094.


Step 6 (Optional) Restrict the Detector module data port to capture-flagged traffic from specific VLANs. If you do not enter this command, the Detector module captures traffic from all VLANs.

Enter the following command:

anomaly-detector module slot_number data-port port_number capture allowed-vlan vlan_range

Table 2-5 provides the arguments and keywords for the anomaly-detector module capture command.

Table 2-5 Arguments and Keywords for the anomaly-detector module capture Command

Parameter                 Description
slot_number               The number of the slot in which the module is inserted in the chassis (1-9).
data-port port_number     The number of the port used for data. The Detector module supports port 1 for data.
allowed-vlan vlan_range   A range of VLANs, or several VLANs in a comma-separated list (do not enter space characters).


Step 7 Enable the capture function on the Detector module.

Enter the following command:

anomaly-detector module module_number data-port port_number capture

Table 2-6 provides the arguments and keywords for the anomaly-detector module capture command.

Table 2-6 Arguments and Keywords for the anomaly-detector module capture Command

Parameter               Description
module_number           The number of the slot in which the module is inserted in the chassis (1-9).
data-port port_number   The number of the port used for data. The Detector module supports port 1 for data.



Note You cannot configure a Detector module data port as both a SPAN destination port and a capture port.



The following example shows how to configure VACLs to capture Detector module traffic on VLAN 85 for a module in slot 8. The ACL gets a single permit entry, and the access-map commands are entered in VLAN access map configuration mode:

Sup(config)# ip access-list extended 10
Sup(config-ext-nacl)# permit ip any any
Sup(config-ext-nacl)# exit
Sup(config)# vlan access-map Detector 10
Sup(config-access-map)# match ip address 10
Sup(config-access-map)# action forward capture
Sup(config-access-map)# exit
Sup(config)# vlan filter Detector vlan-list 85
Sup(config)# anomaly-detector module 8 data-port 1 capture

Configuring SPAN

From the privileged EXEC mode on the supervisor engine console, perform the following steps to create a SPAN session and specify the source (monitored) and destination (monitoring) ports:


Note You cannot use the Detector module ports as SPAN source ports.



Step 1 Specify the SPAN session and the source port (monitored port). Enter the following command:

monitor session session_number source interface interface-id [, | -] [rx | tx]

Table 2-7 provides the arguments and keywords for the monitor session command.

Table 2-7 Arguments and Keywords for the monitor session source Command

Parameter                Description
session_number           The session identification number.
interface interface-id   The source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).
, | -                    (Optional) Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.
rx | tx                  (Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic.


Caution The Detector module receives a capture of the traffic for every direction specified. Refrain from specifying both rx and tx because this can result in two copies of the packet being forwarded to the Detector module ports and affect performance.

rx—Monitor received traffic.

tx—Monitor sent traffic.


Step 2 Specify the SPAN session and the destination port (monitoring port). Enter the following command:

monitor session SPAN_session_number destination anomaly-detector-module module_number [data-port port]

Table 2-8 provides the arguments and keywords for the monitor session destination command.

Table 2-8 Arguments and Keywords for the monitor session destination Command

Parameter                              Description
SPAN_session_number                    The SPAN session identification number. Specify 1.
anomaly-detector-module module_number  The number of the slot in which the module is inserted in the chassis (1-9).
data-port port                         The number of the port used to capture data. The Detector module supports port 1 for data.


Step 3 Return to privileged EXEC mode. Enter the following command:

end


Step 4 Verify your entries. Enter the following command:

show monitor [session session_number]

The session_number argument specifies the session identification number.


The following example shows how to set up SPAN session 1 to mirror traffic received (rx) on source port GigabitEthernet 1/2 to the Detector module in slot 4:

Sup(config)# monitor session 1 source interface GigabitEthernet 1/2 rx
Sup(config)# monitor session 1 destination anomaly-detector-module 4 data-port 1
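The following Python renders the supervisor-side commands for both capture methods in this section (the VACL procedure, Steps 1 through 7, and the SPAN session above) after checking the ranges the tables give: slots 1-9, VLAN IDs 1-4094, numbered ACLs in 1-199 or 1300-2699, named ACLs starting with a letter and free of spaces and quotation marks, and allowed-vlan lists without spaces. It is added here as an illustration and is not Cisco code; the function names and the fixed access-map sequence number 10 are choices of this example.

```python
import re

SLOTS = range(1, 10)                                       # chassis slots 1-9
VLANS = range(1, 4095)                                     # VLAN IDs 1-4094 (Table 2-4)
ACL_NUMBERS = set(range(1, 200)) | set(range(1300, 2700))  # match ip address ranges (Table 2-3)


def valid_acl(acl):
    """Numbered ACL in the Table 2-3 ranges, or a name under the Table 2-2 rules."""
    if isinstance(acl, int):
        return acl in ACL_NUMBERS
    return re.fullmatch(r"[A-Za-z][^\s\"']*", acl) is not None


def valid_allowed_vlan(text):
    """allowed-vlan takes a range or a comma-separated list with no spaces (Table 2-5)."""
    if " " in text:
        return False
    for part in text.split(","):
        lo, _, hi = part.partition("-")
        for v in ([lo, hi] if hi else [lo]):
            if not v.isdigit() or int(v) not in VLANS:
                return False
    return True


def vacl_capture(slot, acl_type, acl, map_name, vlan_list, allowed_vlan=None):
    """Render Steps 1-7 of the VACL procedure; raise on values the tables do not allow."""
    if slot not in SLOTS or acl_type not in ("standard", "extended"):
        raise ValueError("slot must be 1-9 and the ACL type standard or extended")
    if not valid_acl(acl) or not all(v in VLANS for v in vlan_list):
        raise ValueError("invalid ACL name/number or VLAN ID")
    if allowed_vlan is not None and not valid_allowed_vlan(allowed_vlan):
        raise ValueError("allowed-vlan must be a range or a spaceless comma list")
    lines = [f"ip access-list {acl_type} {acl}",
             f"vlan access-map {map_name} 10",
             f" match ip address {acl}",
             " action forward capture",
             f"vlan filter {map_name} vlan-list {','.join(map(str, vlan_list))}"]
    if allowed_vlan is not None:   # Step 6: limit capture to these VLANs
        lines.append(f"anomaly-detector module {slot} data-port 1 capture allowed-vlan {allowed_vlan}")
    lines.append(f"anomaly-detector module {slot} data-port 1 capture")   # Step 7
    return lines


def span_to_detector(slot, source_if, direction=None):
    """Render SPAN session 1 (Table 2-8). direction None mirrors both rx and tx, which the
    Caution in this section warns can deliver two copies of each packet to the module."""
    if slot not in SLOTS or direction not in (None, "rx", "tx"):
        raise ValueError("slot must be 1-9; direction must be rx, tx or None")
    src = f"monitor session 1 source interface {source_if}"
    if direction:
        src += f" {direction}"
    return [src, f"monitor session 1 destination anomaly-detector-module {slot} data-port 1"]
```

Remember that data port 1 cannot serve as both a SPAN destination and a VACL capture port, so only one of the two renderers should be applied to a given module.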

Establishing a Session with the Detector Module

To log in to the Detector module, perform the following steps:


Step 1 Establish a Telnet session or console log session into the switch.

Step 2 Enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

Table 2-9 provides the arguments and keywords for the session slot command.

Table 2-9 Arguments and Keywords for the session slot Command

Parameter                    Description
slot_number                  The number of the slot in which the module is inserted in the chassis (1-9).
processor processor_number   The number of the Detector module processor. The Detector module supports only management through processor 1.


Step 3 Log in at the Detector module login prompt:

login: admin

Step 4 Enter the password.

If this is the first time that you are establishing a session with the Detector module, you must choose a password for the admin and the riverhead user accounts. The password must be between 6 and 24 characters with no spaces. You can change the password at any time. See the "Changing Your Password" section on page 4-10 for more information.

After a successful login, the command-line prompt is represented as user@DETECTOR#. You can change the prompt by entering the hostname command.

Rebooting the Detector Module

Cisco IOS software provides the following commands to control the Detector module: boot, shutdown, power enable and reset:


Caution If you enter the reload command at the supervisor engine prompt, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Detector Module" section on page 13-11 for information on how to reload the Detector module.

shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Detector module, it is critical that you shut down the Detector module properly. Enter the following command at the supervisor engine prompt:

hw-module module slot_number shutdown 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

You must then enter the hw-module module slot_number reset command to restart the Detector module.

The following example shows how to shut down the Detector module:

Sup# hw-module module 8 shutdown


Note The Detector module reboots if you reboot the switch.


reset—Resets the module. This command is typically used in the upgrade process to switch between Application Partition (AP) and Maintenance Partition (MP) images or to recover from a shutdown. The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following command at the supervisor engine prompt:

hw-module module slot_number reset [string] 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis. The string argument is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Detector Module Software" section on page 13-11 for more information.

The following example shows how to reset the Detector module:

Sup# hw-module module 8 reset

no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following command at the supervisor engine prompt:

no power enable module slot_number

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To switch the module on again, use the following command:

power enable module slot_number

The following example shows how to power off the Detector module:

Sup(config)# no power enable module 8

boot—Forces the Detector module to boot to the MP at the next power on. Enter the following command at the supervisor engine prompt:

boot device module slot_number cf:1 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To enable the Detector module to boot to the default partition, which is the AP, at the next boot cycle, use the following command at the supervisor engine prompt:

no boot device module slot_number cf:1

The following example shows how to configure the Detector module to boot to the MP at the next boot cycle:

Sup# boot device module 8 cf:1


Caution The zone learning phases are restarted after reboot. See the "Rebooting the Detector Module and Inactivating Zones" section on page 13-11 for more information on the default behavior of the zones after reboot.

Verifying the Detector Module Configuration

To verify the Detector module configuration on the supervisor engine, use the following command at the supervisor engine prompt:

show anomaly-detector module slot_number {management-port | data-port port_number} [state | traffic]

Table 2-10 provides the arguments and keywords for the show anomaly-detector module command.

Table 2-10 Arguments and Keywords for the show anomaly-detector module Command

Parameter               Description
slot_number             The number of the slot in which the module is inserted in the chassis (1-9).
management-port         Information on the management port.
data-port port_number   The port number. Only port 1 is in use.
state                   The configuration of the specified port.
traffic                 The traffic statistics of the specified port.


The following example shows how to display the Detector module configuration on the supervisor engine:

Sup# show anomaly-detector module 7 data-port 1 state