Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 5.1) - Performing Maintenance Tasks [Cisco Services Modules]

Table Of Contents

Performing Maintenance Tasks

Configuring File Servers

Exporting the Configuration

Importing and Updating the Configuration

Exporting Files Automatically

Reloading the Detector Module

Rebooting the Detector Module and Inactivating Zones

Upgrading the Detector Module Software

Supervisor Engine 2 or Supervisor Engine 720 IOS Software

Detector Module Software

Upgrading Operation Notes

Upgrading the AP Image

Upgrading the MP Image

Upgrading the AP and MP Images Inline

Burning a New Flash Version

Using MP Commands

Recovering a Lost Password

Resetting the Configuration to Factory Defaults

Performing Maintenance Tasks

This chapter describes how to perform tasks used for general care and maintenance of the Cisco Traffic Anomaly Detector Module (Detector module) and contains the following sections:

•Configuring File Servers

•Exporting the Configuration

•Importing and Updating the Configuration

•Exporting Files Automatically

•Reloading the Detector Module

•Rebooting the Detector Module and Inactivating Zones

•Upgrading the Detector Module Software

•Using MP Commands

•Recovering a Lost Password

•Resetting the Configuration to Factory Defaults

Configuring File Servers

Configuring a network server to which to can export the Detector module files or from where import files to the Detector module allows you to configure the network server attributes such as the IP address, the communication method, and the login details one time, and then use the name of the network server without specifying the network server attributes in later operations.

After you configure the network server, you must configure the export or the import commands. For example, use the export reports commands to configure the Detector module to export attack reports to a network server.

To configure a network server, use one of the following commands in configuration mode:

•file-server file-server-name description ftp server remote-path login password

•file-server file-server-name description [sftp | scp] server remote-path login

Because Secure FTP (SFTP) and Secure Copy (SCP) rely on Secure Shell (SSH) for secure communication, you must configure the SSH key that the Detector module uses for SFTP and SCP communication. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector module uses for secure communication.

Table 13-1 provides the arguments and keywords for the file-server command.

Table 13-1 Arguments and Keywords for the file-server
Command

Parameter

Description

file-server-name

A name for the network server. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.

description

A string to describe the network server. The maximum string length is 80 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

ftp

Defines the network server to use FTP.

sftp

Defines the network server to use SFTP.

scp

Defines the network server to use SCP.

server

The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

The complete path of the directory in which to save the files or from which to import the files.

login

The login name for the network server.

password

The password for the network server.

This option is valid only for an FTP server. The Detector module authenticates network servers that use SFTP and SCP using a public key.

The following example shows how to define an FTP server with the IP address 10.0.0.191:
user@DETECTOR-conf# file-server CorpFTP-Server "Corp's primary FTP 
server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
To delete a network server, use the no file-server [file-server-name | *] command in configuration mode.

To display the list of network servers, use the show file-servers command in global or configuration mode.

Exporting the Configuration

You can export the Detector module configuration file or a zone configuration file (running-config) to a network server. By exporting the Detector module or zone configuration file to a remote server, you can do the following:

•Implement the Detector module configuration parameters on another Detector module

•Back up the Detector module configuration

To export the Detector module configuration file, use one of the following commands in global mode:

•copy [zone zone-name] running-config ftp server full-file-name [login [password]]

•copy [zone zone-name] running-config {sftp | scp} server full-file-name login

•copy [zone zone-name] running-config file-server-name dest-file-name

To export the portion of the zone configuration that is required to configure the zone on a Cisco Anomaly Guard Module, use the copy guard-running-config command. See the "Exporting the Zone Configuration Manually" section on page 5-25 for more information.

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector module uses for secure communication.

Table 13-2 provides the arguments and keywords for the copy running-config ftp command.

Table 13-2 Arguments and Keywords for the copy running-config ftp
Command

Parameter

Description

zone zone-name

(Optional) The zone name. If you specify the zone name, the Detector module exports the zone configuration file. The default is to export the Detector module configuration file.

running-config

Exports the complete Detector module configuration or the configuration of the specified zone.

ftp

Exports the configuration to a network server using FTP.

sftp

Exports the configuration to a network server using SFTP.

scp

Exports the configuration to a network server using SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server saves the file in your home directory.

login

Server login name.

The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for one.

file-server-name

Name of a network server to which to export the configuration file. You must configure the network server using the file-server command.

If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector module uses for SFTP and SCP communication.

See the "Configuring File Servers" section for more information.

destination-file-
name

Name of the configuration file on the remote server. The Detector module saves the configuration file on the network server using the destination filename in the directory that you defined for the network server by using the file-server command.

The following example shows how to export the Detector module configuration file to an FTP server:
user@DETECTOR# copy running-config ftp 10.0.0.191 run-conf.txt <user> 
<password>
The following example shows how to export the Detector module configuration file to a network server:
user@DETECTOR# copy running-config CorpFTP Configuration-12-11-05
Importing and Updating the Configuration

You can import a Detector module or zone configuration file from an FTP server and reconfigure the Detector module according to the newly transferred file. Import the configuration to do one of the following tasks:

•Configure the Detector module based on an existing Detector module configuration file

•Restore the Detector module configuration

Zone configuration is a partial Detector module configuration. To copy both types of configuration files to the Detector module and reconfigure it accordingly, use the copy ftp running-config command.

Note The new configuration replaces the existing configuration. You must reload the Detector module for the new configuration to take effect.

We recommend that you deactivate all zones before you initiate the import process. The Detector module deactivates a zone before importing the zone configuration.

To import a Detector module configuration file, use one of the following commands in global mode:

•copy ftp running-config server full-file-name [login [password]]

•copy {sftp | scp} running-config server full-file-name login

•copy file-server-name running-config source-file-name

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Detector module uses for secure communication.

Table 13-3 provides the arguments for the copy ftp running-config command.

Table 13-3 Arguments for the copy ftp running-config
Command

Parameter

Description

ftp

Imports the configuration from a network server using FTP.

sftp

Imports the configuration from a network server using SFTP.

scp

Imports the configuration from a network server using SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

Complete name of the file. If you do not specify a path, the server searches for the file in your home directory.

login

Server login name.

The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for one.

file-server-name

Name of a network server. You must configure the network server using the file-server command.

If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector module uses for SFTP and SCP communication.

See the "Configuring File Servers" section for more information.

source-file-name

Name of the file to import. The Detector module appends the name of the file to the path that you defined for the network server by using the file-server command.

The following example shows how to import the Detector module configuration file from an FTP server:
user@DETECTOR# copy ftp running-config 10.0.0.191 
/root/backup/conf/scannet-conf <user> <password>
The following example shows how to import the Detector module configuration file from a network server:
user@DETECTOR# copy CorpFTP running-config scannet-conf
Exporting Files Automatically

You can configure the Detector module to export automatically the following files to a network server:

•Packet-dump capture files

The Detector module exports the packet-dump capture files when the capture buffer size reaches 50 MB or after 10 minutes have elapsed. See the "Exporting Packet-Dump Capture Files Automatically" section for more information.

•Attack reports

The Detector module exports the reports of any one of the zones when an attack on the zone ends. See the "Exporting Attack Reports Automatically" section for more information.

•Zone configuration

The Detector module exports the zone configuration file each time the results of the threshold-tuning phase of the learning process are accepted. See the "Exporting a Zone Configuration Automatically" section on page 5-23 for more information.

The Detector module exports the packet-dump capture files and the attack reports in Extensible Markup Language (XML) format. The software version is accompanied by xsd files that describe the XML schema. You can download the xsd files from the Cisco website (www.cisco.com).

To export files automatically to a network server, perform the following steps:

Step 1 Define the network server to which you can export files.

See the "Configuring File Servers" section for more information.

Step 2 Configure the Detector module to export files automatically by entering the following command:
export {packet-dump | reports | sync-config} file-server-name
Table 13-4 provides the arguments and keywords for the export command.

Table 13-4 Arguments and Keywords for the export Command

Parameter

Description

packet-dump

Exports packet-dump capture files each time the contents of the packet-dump buffer are saved to a local file. The Detector module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in Extensible Markup Language (XML) that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. See the "Monitoring Network Traffic and Extracting Attack Signatures" section for more information on packet-dump capture files.

reports

Exports attack reports in XML format at the end of an attack. The Detector module exports the reports of any one of the zones when an attack on the zone ends. See the ExportedReports.xsd file that accompanies the version for a description of the XML schema. See the "Exporting Attack Reports" section for more information.

sync-config

Exports the zone configuration each time the results of the threshold-tuning phase of the learning process are accepted. You can then import the configuration to a Guard module and activate it to protect the zone.

To enable the Detector module to export the zone configuration to a network server automatically, you must configure the server in either the Detector module default remote server list or the zone remote server list. See the "Exporting a Zone Configuration Automatically" section on page 5-23 for more information.

file-server-name

The name of the network server on which you can save files. You must configure the network server using the file-server command.

The following example shows how to define an FTP server with the IP address 10.0.0.191, and then to configure the Detector module to automatically export reports (in XML) at the end of an attack to that server:
user@DETECTOR-conf# file-server CorpFTP-Server "Corp's primary FTP 
server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
user@DETECTOR-conf# export reports CorpFTP-Server
To disable the automatic export of files to a network server, use the no form of the command.

To display the default list of network servers to which the Detector module exports zone configuration, use the show sync-config file-servers command in configuration mode.

To display the zone remote server list, use the show sync-config file-servers command in zone configuration mode.

Reloading the Detector Module

You can reload the Detector module configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Detector module:

•Deactivating or activating a physical interface using the shutdown command

•Burning a new flash

Rebooting the Detector Module and Inactivating Zones

The default behavior of the Detector module is to reactivate zones that were active before the reboot process.

To change the default behavior so that the Detector module loads all zones in an inactive operation state, enter the following command in configuration mode:

no boot reactivate-zones

Caution The zone learning phase is restarted after reboot.

Upgrading the Detector Module Software

The Detector module requires two software components for its operation:

•Supervisor Engine 2 Or Supervisor Engine 720 Cisco IOS software

•Detector module software

Note To upgrade the Detector module software, you must log on to the supervisor engine.

Supervisor Engine 2 or Supervisor Engine 720 IOS Software

The first software component is the Cisco IOS software image on the Catalyst 6500 Supervisor Engine 2 or the Supervisor Engine 720. The image on the supervisor engine recognizes and initializes the Detector module and its processor. You must use a Cisco IOS software release that supports the Detector module.

Detector Module Software

The Detector module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash has two partitions for software images, each with its own operating system (image):

•Maintenance Partition (MP)—The software required for base module initialization and daughter card control functions (identified as cf:1)

•Application Partition (AP)—The image with the Detector module application (identified as cf:4)

You can upgrade the Detector module software on the compact flash card through the supervisor engine console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to an FTP or a TFTP server and installing them to the compact flash card.

The following three upgrade procedures are available for the Detector module:

•AP upgrade procedure—Upgrades an application image to the latest available version. You must perform this procedure from the MP and reset the module. See the "Upgrading the AP Image" section.

•MP upgrade procedure—Upgrades the maintenance partition. The MP image rarely requires upgrading. Use this procedure only when instructed in the release note that corresponds with the software release. See the "Upgrading the MP Image" section.

•Inline image upgrade procedure—Upgrades the application or the maintenance image. Perform this procedure from the MP. See the "Upgrading the AP and MP Images Inline" section.

Upgrading Operation Notes

This section provides guidelines for upgrading the AP and MP versions:

•To upgrade the AP and MP versions, log into the supervisor engine. To upgrade the Detector module flash (CFE), log into the Detector module.

•If you need to upgrade both AP and MP images, you must upgrade the MP image first.

•Use the hw-module module slot_number reset cf:1 command to switch to the MP. The main purpose for operating in the MP mode is to upgrade the AP image.

•Use the hw-module module slot_number reset cf:4 command to switch to the AP. The AP is the normal operating mode.

•The show module command displays the software version of the partition image that you are running. If you are running the AP image, the show module command displays the AP image version. A sample format of the AP image version is 5.1(0.12). If you are running the MP image, it displays the MP image version. A sample format of the MP image version is 5.1(0.0)m.

•The MP image filename uses the c6svc-mp.5-0-3.bin format.

•The AP image filename uses the c6svc-adm-k9.5-0-3.bin format.

•The MP uses the same network settings as the Detector module. You must configure the network settings before you can upgrade the Detector module images. See "Configuring the Detector Module on the Supervisor Engine" and "Initializing the Detector"for more information.

Note We recommend that you globally configure the logging console command on the supervisor engine to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.

Upgrading the AP Image

To upgrade the application image, perform the following steps:

Step 1 Back up the Detector module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

•Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section and the "Exporting Zone Reports" section for more information.

•Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section for more information.

•Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section for more information.

Step 3 To upgrade an application image to the latest available software release, locate the image on the Cisco website (www.cisco.com).

Copy the software image to a directory accessible to FTP or TFTP.

Step 4 Reset the Detector module and load the MP image (this operation takes approximately 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 5 Verify that the MP has booted and that the Detector module status is OK. Enter the following command:
show module slot_number
Step 6 Install the AP image on the compact flash. This operation could last several minutes. Enter the following command:
copy tftp://path/filename pclc#slot_number-fs:
The path/filename argument specifies the FTP location and the name of the image file. If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

You can also download the version from an FTP server.

It can take up to 30 minutes to download an application image depending on the connection speed.

Caution Do not reset the module until the Detector module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

Step 7 Reset the Detector module to the AP by entering the following command:
hw-module module slot_number reset cf:4
Step 8 Verify that the AP image that you copied displays in the output of the show module command by entering the following command:
show module slot_number
Note A new version may require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Detector module displays the following message when you establish the first session to the Detector module after upgrading the AP image: "Bad CFE version (X). This version requires version Y."

See the "Burning a New Flash Version" section for more information.

The following example shows how to upgrade the AP image:
Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational
Proceed with reload of module? [confirm]
% reset issued for module 8
Sup# copy tftp:images/ap/adm-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/adm-APUpgrade-4.0.0.x.bin]? 
Destination filename [adm-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till 
upgrade completes!!>
......<<< Wait
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>
Sup# hw-module module 8 reset cf:4 <<<<< Resets Detector module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
Upgrading the MP Image

The MP image rarely requires upgrading. If you are instructed to update the MP software in the release note that corresponds with the software release, perform the following steps:

Step 1 To upgrade to the latest software release, locate the software image on the Cisco website (www.cisco.com).

Copy the software image to a directory that is accessible to FTP or TFTP.

To reset the Detector module and load the MP image (this operation takes approximately 3 minutes), enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
Disregard this step if you are running the MP image already.

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 2 Verify that the MP has booted and that the Detector module status is OK by entering the following command:
show module slot_number
Step 3 Copy the MP image to the compact flash. You can copy the MP image when the Detector module is reset to the MP or to the AP by entering the following command on the supervisor engine:
copy tftp://path/filename pclc#slot_number-fs:
The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.

Caution Do not reset the module until the Detector module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

You can also download the version from an FTP server.

See the "Using MP Commands" section for more information about the MP commands.

Step 4 Verify that the MP image that you copied is displayed in the output of the show module command by entering the following command:
show module slot_number
Step 5 Reset the Detector module to the AP by entering the following command:
hw-module module slot_number reset cf:4
The following example shows how to upgrade the MP image:
Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational
Proceed with reload of module? [confirm]
% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The Following output shows MP image name because Detector module is 
reset to MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Detector module to AP 
(normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
Upgrading the AP and MP Images Inline

The inline image upgrade procedure provides an alternative method to upgrading the AP and MP images.

To upgrade the software image, perform the following steps:

Step 1 Back up the Detector module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

•Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section and the "Exporting Zone Reports" section for more information.

•Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section for more information.

•Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section for more information.

Step 3 To upgrade an image to the latest available version, locate the image on the Cisco website (www.cisco.com).

Copy the software image to a directory accessible to FTP.

See the "Burning a New Flash Version" section for more information on the MP commands.

Step 4 Log in to the supervisor engine through the console port or through a Telnet session.

Step 5 If the Detector module is running in the maintenance image, proceed to Step 7. If the Detector module is not running in the maintenance image, enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 6 After the Detector module is back online, establish a console session with the Detector module and log into the root account. The default password for the account is cisco.

Step 7 Upgrade the software image by entering the following command:
upgrade ftp://path/filename 
The path/filename argument specifies the FTP location and the name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP software image, enter the AP software image filename. To upgrade the MP software image, enter the MP software image filename. See the "Upgrading Operation Notes" section for more information.

Caution Do not reset the module until the Detector module displays the following message on the console: "Application image upgrade complete. You can boot the image now." Resetting the module before this message displays will cause the upgrade to fail.

Step 8 After completing the upgrade, log out of the Detector module by entering the exit command.

Step 9 Reset the Detector module to the AP software image by entering the following command:
hw-module module slot_number reset cf:4
Note Upgrading to a new software release might require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Detector module displays the following message when you establish the first session to the Detector module after upgrading the AP image: "Bad CFE version (X). This version requires version Y." See the "Burning a New Flash Version" section for more information.

Step 10 When the Detector module has rebooted, verify the software version by entering the show version command.

The following example shows how to upgrade the Detector module application software:
Sup# hw-module module 8 reset cf:1
.
.
.
Proceed with reload of module? [confirm]
% reset issued for module 9
.
.
.
Sup# session slot 8 proc 1
.
.
.
login:root
Password: 
.
.
.
root@localhost.cisco.com# upgrade 
ftp://psdlab-pc1/pub/images/ap/adm-APUpgrade-4.0.0.x.bin
Downloading the image. This may take several minutes...
.
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
.
Application image upgrade complete. You can boot the image now.
root@hostname.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.91 closed by foreign host]
Sup# hw-module module 8 reset cf:4
Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current Common Firmware Environment (CFE) and the software release. A mismatch condition can occur when you update the Detector module software.

When a CFE mismatch is detected, the Detector module displays the following message when you establish the first session with the Detector module after upgrading the software release (X denotes the old flash version and Y denotes the new flash version): "Bad CFE version (X). This version requires version Y."

Caution You must be sure that there is a stable power supply to the Detector module and avoid performing any Detector module operations while you burn a new flash version. If you fail to adhere to these restrictions, the upgrade may fail and cause the Detector module to become inaccessible.

To burn a new flash version, perform the following steps:

Step 1 Enter the following command in configuration mode:
flash-burn
If you try to burn a new flash version when the CFE and the Detector module software versions match, the operation fails.

Step 2 Reload the Detector module by entering the following command:
reload
You must enter the reload command after burning a new flash version. The Detector module is not fully functional until you enter the reload command.

The following example shows how to burn a new flash version:
user@DETECTOR-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 
Using MP Commands

You can boot the Detector module to the MP. A set of interfaces is available on the MP to administer and diagnose the Detector module. One of the key features of the MP is to provide the ability to install a new AP image.

To boot to the MP, use the hw_module module reset command, and then enter the session slot command to log into the MP.

Table 13-5 summarizes the MP commands.
Table 13-5 MP Commands
Command

Description
clear ap password
Clears all passwords that are defined on the Detector module.
clear ap config
Returns the Detector module to its default configuration. This command deletes all Detector module configuration, logs, and reports.
ip address [ip 
address] [subnet]
Configures the IP address that the Detector module uses to access the external network.
ip gateway 
[default-gateway]
Specifies the default gateway for the network.
passwd
Changes the password for the current user.
passwd-guest
Changes the password for the guest account.
ping {host-name | 
ip address}
Pings a specified host on the network and verifies that the network parameters are configured correctly.
show images
Displays the images stored in the application partition.
show ip
Displays the network parameters of the Detector module.
upgrade ftp-url 
Upgrades the image where ftp-url is the URL specifying the FTP server containing the image and the path to the image. The path format is as follows: ftp://user:password@server-name/path.

You can specify the name of the FTP server or its IP address.
Recovering a Lost Password

To recover lost passwords, perform the following steps:

Step 1 Reset the Detector module to the MP by entering the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Detector module is back online, establish a session with the Detector module, and log in to the root account.

Step 3 Delete all passwords that are configured on the Detector module by entering the following command:
clear ap password
Step 4 Reset the Detector module to the AP by entering the following command:
hw-module module slot_number reset cf:4
Step 5 Configure a new password for users that are configured on the Detector module. (See the "Changing Your Password" section.) To view a list of Detector module users, use the show running-config command.

Tip To narrow the display of the show running-config command output to include only the list of Detector module users, use the show running-config | include username command.

Resetting the Configuration to Factory Defaults

In certain situations, you may want to restore the Detector module configuration to the original default factory settings, Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Detector module, if the configuration has become complex, or if you want to move the Detector module from one network to another network. You can reset the Detector module to the factory defaults and configure it as a new Detector module.

We recommend that you back up the Detector module configuration by using the copy running-config command before you reset it to the default factory settings. See the "Exporting the Configuration" section.

The management interface configuration (eth1) is available until you reload the Detector module.

Caution If you reset the Detector module configuration to the factory defaults, and then reload the Detector module while you are not connected from a console, you will lose connectivity to the Detector module.

To reset the Detector module to the factory defaults settings, use the following command in configuration mode:

clear config all
The configuration change takes effect only after a reset.

The following example shows how to reset the Detector module to the factory defaults settings:
user@DETECTOR-conf# clear config all