Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 6.0)
Performing Maintenance Tasks


This chapter describes how to perform tasks used for general care and maintenance of the Cisco Traffic Anomaly Detector Module (Detector module).


Note Operational and configuration differences exist between a Detector module operating at 1 Gbps and a Detector module operating at 2 Gbps. This chapter discusses the differences between the 1-Gbps operation and the 2-Gbps operation. Unless stated, the information in this chapter applies to both modes of operation. For more information, see the "Understanding the 1-Gbps and 2-Gbps Bandwidth Options" section on page 1-6.


This chapter refers to the Cisco Guard (Guard), the companion product of the Detector module. The Guard is a Distributed Denial of Service (DDoS) attack detection and mitigation device that cleans the zone traffic as the traffic flows through it, dropping the attack traffic and injecting the legitimate traffic back into the network. When the Detector module determines that the zone is under attack, it can activate the Guard attack mitigation services. The Detector module can also synchronize zone configurations with the Guard. For more information about the Guard, see the Cisco Anomaly Guard Module Configuration Guide or the Cisco Guard Configuration Guide.

This chapter contains the following sections:

Configuring File Servers

Exporting the Configuration

Importing and Updating the Configuration

Exporting Files Automatically to a Network Server

Reloading the Detector Module

Rebooting the Detector Module and Inactivating Zones

Upgrading the Detector Module Software

Upgrading the Bandwidth Performance from 1 Gbps to 2 Gbps

Using MP Commands

Recovering from a Lost Password Condition

Resetting the Detector Module Configuration to Factory Default Values

Configuring File Servers

You can define a network server on the Detector module for importing and exporting files between the Detector module and the server. The Detector module allows you to create a network server profile in which you define the network server attributes such as the IP address, the communication method, and the login details. Creating a network server profile allows you to specify just the server name when importing or exporting files.

After you configure the network server, you must configure the export or the import commands. For example, use the export reports command to configure the Detector module to export attack reports to a network server.

To configure a network server, use one of the following commands in configuration mode:

file-server file-server-name description ftp server remote-path login password

file-server file-server-name description [sftp | scp] server remote-path login

Table 13-1 provides the arguments and keywords for the file-server command.

Table 13-1 Arguments and Keywords for the file-server Command 

Parameter
Description

file-server-name

Name for the network server. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.

description

String to describe the network server. The maximum string length is 80 alphanumeric characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

ftp

Specifies File Transfer Protocol (FTP).

sftp

Specifies Secure File Transfer Protocol (SFTP).

scp

Specifies Secure Copy Protocol (SCP).

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

Complete path of the directory in which to save the files or from which to import the files.

login

Login name for the network server.

password

Password for the network server.

This option is valid only for an FTP server. The Detector module authenticates network servers that use SFTP and SCP using a public key.



Note Because SFTP and SCP rely on Secure Shell (SSH) for secure communication, you must configure the SSH key that the Detector module uses for SFTP and SCP communication. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-24 for more information about how to configure the key that the Detector module uses for secure communication.


The following example shows how to define an FTP server with the IP address 10.0.0.191:

user@DETECTOR-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>

To delete a network server, use the no file-server [file-server-name | *] command in configuration mode.

To display the list of network servers, use the show file-servers command in global or configuration mode.
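The following Python checker is an added example, not Cisco code and not part of the guide. It applies the constraints from Table 13-1 to a proposed file-server profile before the command is typed in configuration mode, and it refuses a password on an sftp or scp profile, since those methods authenticate with the Detector module's SSH public key rather than a password. The profile values are constructed; the hyphen in the name is accepted because the guide's own example uses CorpFTP-Server (an assumption, since Table 13-1 lists only letters, digits and underscores).

```python
"""Checks for a Detector module `file-server` profile before it is entered.

Added example, not Cisco's code. It applies the constraints from Table 13-1
so that a bad profile is rejected before it is typed in configuration mode.
"""
import ipaddress
import re

# Table 13-1: 1-63 alphanumeric characters, underscores allowed, no spaces.
# The guide's own example name CorpFTP-Server also uses a hyphen, so a hyphen
# is accepted here as well (assumption based on that example).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
METHODS = ("ftp", "sftp", "scp")
DESCRIPTION_MAX = 80


def validate_file_server(name, description, method, server, remote_path, login, password=None):
    """Return a list of problems; an empty list means the profile is acceptable."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("file-server-name must be 1-63 alphanumeric/underscore characters with no spaces")
    if len(description) > DESCRIPTION_MAX:
        problems.append("description exceeds 80 characters")
    if method not in METHODS:
        problems.append("method must be one of ftp, sftp or scp")
    try:
        ipaddress.IPv4Address(server)
    except ValueError:
        problems.append("server must be an IPv4 address in dotted-decimal notation")
    if not remote_path:
        problems.append("remote-path is required")
    if not login:
        problems.append("login is required")
    # The password argument exists only in the ftp form of the command; the
    # sftp and scp forms authenticate with the Detector module's SSH public key.
    if method == "ftp" and password is None:
        problems.append("ftp requires a password")
    if method in ("sftp", "scp") and password is not None:
        problems.append(method + " authenticates with the SSH public key; password is not valid")
    return problems


def build_command(name, description, method, server, remote_path, login, password=None):
    """Render the configuration-mode command line after validation.

    The description is quoted when it contains spaces, as Table 13-1 requires.
    """
    problems = validate_file_server(name, description, method, server, remote_path, login, password)
    if problems:
        raise ValueError("; ".join(problems))
    desc = '"' + description + '"' if " " in description else description
    parts = ["file-server", name, desc, method, server, remote_path, login]
    if method == "ftp":
        parts.append(password)
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed values; the address and path follow the guide's example.
    print(build_command("CorpFTP-Server", "Corp's primary FTP server", "ftp",
                        "10.0.0.191", "/root/ConfigFiles", "backup", "s3cret"))
    print(validate_file_server("Backup Server", "x", "scp", "10.0.0.300", "/data", "svc", "pw"))
```

Running the script prints the rendered ftp command and then the three problems found in the second, deliberately bad profile (a space in the name, an invalid address, and a password on an scp profile).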

Exporting the Configuration

You can export the Detector module configuration file or a zone configuration file (running-config) to a network server. By exporting the Detector module or zone configuration file to a remote server, you can do the following:

Implement the Detector module configuration parameters on another Detector module

Back up the Detector module configuration

To export the Detector module configuration file, use one of the following commands in global mode:

copy [zone zone-name] running-config ftp server full-file-name [login [password]]

copy [zone zone-name] running-config {sftp | scp} server full-file-name login

copy [zone zone-name] running-config file-server-name dest-file-name

To export the portion of the zone configuration that is required to configure the zone on a Cisco Anomaly Guard Module, use the copy guard-running-config command. See the "Exporting a Zone Configuration Manually to a Network Server" section on page 5-16 for more information.

Table 13-2 provides the arguments and keywords for the copy running-config ftp command.

Table 13-2 Arguments and Keywords for the copy running-config ftp Command 

Parameter
Description

zone zone-name

(Optional) Specifies the zone name. If you specify the zone name, the Detector module exports the zone configuration file. The default is to export the Detector module configuration file.

running-config

Exports the complete Detector module configuration or the configuration of the specified zone.

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server saves the file in your home directory.

login

(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for one.

file-server-name

Name of a network server to which to export the configuration file. You must configure the network server using the file-server command (see the "Configuring File Servers" section).

dest-file-name

Name of the configuration file on the remote server.

The Detector module saves the configuration file on the network server using the destination filename in the directory that you defined for the network server by using the file-server command.



Note If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector module uses for SFTP and SCP communication. If you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-24 for more information


The following example shows how to export the Detector module configuration file to an FTP server:

user@DETECTOR# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>

The following example shows how to export the Detector module configuration file to a network server:

user@DETECTOR# copy running-config CorpFTP Configuration-12-11-05

Importing and Updating the Configuration

You can import a Detector module or zone configuration file from an FTP server and reconfigure the Detector module according to the newly transferred file. Import the configuration to do one of the following tasks:

Configure the Detector module based on an existing Detector module configuration file

Restore the Detector module configuration

Zone configuration is a partial Detector module configuration. To copy both types of configuration files to the Detector module and reconfigure it accordingly, use the copy ftp running-config command.


Note The new configuration replaces the existing configuration. You must reload the Detector module for the new configuration to take effect.


We recommend that you deactivate all zones before you initiate the import process. The Detector module deactivates a zone before importing the zone configuration.

To import a Detector module configuration file, use one of the following commands in global mode:

copy ftp running-config server full-file-name [login [password]]

copy {sftp | scp} running-config server full-file-name login

copy file-server-name running-config source-file-name

Table 13-3 provides the arguments for the copy ftp running-config command.

Table 13-3 Arguments for the copy ftp running-config Command 

Parameter
Description

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server searches for the file in your home directory.

login

(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Detector module prompts you for one.

file-server-name

Name of a network server. You must configure the network server using the file-server command (see the "Configuring File Servers" section).

source-file-name

Name of the file to import. The Detector module appends the name of the file to the path that you defined for the network server by using the file-server command.



Note If you configured the network server using SFTP or SCP, you must configure the SSH key that the Detector module uses for SFTP and SCP communication. If you do not configure the key that the Detector module uses before you enter the copy command with the sftp or scp option, the Detector module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-24 for more information.


The following example shows how to import the Detector module configuration file from an FTP server:

user@DETECTOR# copy ftp running-config 10.0.0.191 /root/backup/conf/scannet-conf <user> <password>

The following example shows how to import the Detector module configuration file from a network server:

user@DETECTOR# copy CorpFTP running-config scannet-conf

Exporting Files Automatically to a Network Server

You can configure the Detector module to export the following files automatically to a network server:

Packet-dump capture files—The Detector module exports the packet-dump capture files when the capture buffer size reaches 50 MB or after 10 minutes have elapsed. See the "Exporting Packet-Dump Capture Files Automatically" section on page 12-15 for more information.

Attack reports—The Detector module exports the reports of any one of the zones when an attack on the zone ends. See the "Exporting Attack Reports Automatically" section on page 11-6 for more information.

Zone configuration—The Detector module exports the zone configuration file each time that the results of the threshold-tuning phase of the learning process are accepted. See the "Exporting a Zone Configuration Automatically to a Network Server" section on page 5-15 for more information.

The Detector module exports the packet-dump capture files and the attack reports in Extensible Markup Language (XML) format. The software version is accompanied by xsd files that describe the XML schema. You can download the xsd files from www.cisco.com.

To export files automatically to a network server, perform the following steps:


Step 1 Define the network server to which you can export files.

See the "Configuring File Servers" section for more information.

Step 2 Configure the Detector module to export files automatically by entering the following command:

export {packet-dump | reports | sync-config} file-server-name

Table 13-4 provides the arguments and keywords for the export command.

Table 13-4 Arguments and Keywords for the export Command 

Parameter
Description

packet-dump

Exports packet-dump capture files each time that the contents of the packet-dump buffer are saved to a local file. The Detector module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in XML that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. See the "Monitoring Network Traffic and Extracting Attack Signatures" section on page 12-11 for more information about packet-dump capture files.

reports

Exports attack reports in XML format at the end of an attack. The Detector module exports the reports of any one of the zones when an attack on the zone ends. See the ExportedReports.xsd file that accompanies the version for a description of the XML schema. See the "Exporting Attack Reports" section on page 11-6 for more information.

sync-config

Exports the zone configuration each time that the results of the threshold-tuning phase of the learning process are accepted. You can then import the configuration to a Guard module and activate it to protect the zone.

To enable the Detector module to export the zone configuration to a network server automatically, you must configure the server in either the Detector module default remote server list or the zone remote server list. See the "Exporting a Zone Configuration Automatically to a Network Server" section on page 5-15 for more information.

file-server-name

Name of the network server on which you can save files. You must configure the network server using the file-server command (see the "Configuring File Servers" section).



The following example shows how to define an FTP server with the IP address 10.0.0.191 and then to configure the Detector module to automatically export reports (in XML) at the end of an attack to that server:

user@DETECTOR-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
user@DETECTOR-conf# export reports CorpFTP-Server

To disable the automatic export of files to a network server, use the no form of the command.

To display the default list of network servers to which the Detector module exports zone configuration, use the show sync-config file-servers command in configuration mode.

To display the zone remote server list, use the show sync-config file-servers command in zone configuration mode.

Reloading the Detector Module

You can reload the Detector module configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Detector module:

Deactivating or activating a physical interface using the shutdown command

Burning a new flash

Rebooting the Detector Module and Inactivating Zones

By default, the Detector module reactivates zones that were active before the reboot process.

To change the default behavior so that the Detector module loads all zones in an inactive operation state, enter the following command in configuration mode:

no boot reactivate-zones


Caution The zone learning phase is restarted after reboot.

Upgrading the Detector Module Software

This section describes the following software components that the Detector module requires for its operation:

Cisco IOS release that supports the Supervisor Engine 2 or Supervisor Engine 720.

Detector module software (maintenance partition image and application partition image)

To upgrade the Detector module software, you must log on to the supervisor engine.

This section contains the following topics:

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS Software

Detector Module Software

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS Software

The Cisco IOS software image resides on the Supervisor Engine 2 or the Supervisor Engine 720 of the Cisco Catalyst 6500 series switch or the Cisco 7600 series router. The image on the supervisor engine recognizes and initializes the Detector module and its processor. You must use a Cisco IOS software release that supports the Detector module.

Detector Module Software

The Detector module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash has two partitions for software images, each with its own Detector module software image:

Maintenance Partition (MP)—Contains the Detector module maintenance software image required for base module initialization and daughter card control functions. The supervisor engine identifies the MP as cf:1.

Application Partition (AP)—Contains the Detector module application software image. The supervisor engine identifies the AP as cf:4.

You can upgrade the Detector module software on the compact flash card through the supervisor engine console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to a File Transfer Protocol (FTP) or a Trivial File Transfer Protocol (TFTP) server and installing them to the compact flash card.


Note If you are upgrading the Detector module software to increase the bandwidth performance from 1 Gbps to 2 Gbps, see the "Upgrading the Bandwidth Performance from 1 Gbps to 2 Gbps" section.


The following upgrade procedures are available for the Detector module:

AP upgrade procedure—Upgrades an AP image using the supervisor engine CLI. See the "Upgrading the AP Image" section.

MP upgrade procedure—Upgrades the MP image using the supervisor engine CLI. The MP image rarely requires upgrading. Use this procedure only when instructed to do so in the release note that corresponds with the software release. See the "Upgrading the MP Image" section.

Inline image upgrade procedure—Upgrades the AP or MP image using the Detector module CLI. See the "Upgrading the AP and MP Images Inline" section.

Common Firmware Environment (CFE)—Upgrades the CFE on the Detector module. The CFE rarely requires upgrading because the process of installing a new AP or MP image also upgrades the CFE. You need to upgrade the CFE only when the Detector module displays an error message that indicates a mismatch between the current CFE and the new MP or AP image. See the "Burning a New Flash Version to Upgrade the CFE" section.

Upgrading Operation Notes

Follow these guidelines when upgrading the AP and MP software images and CFE:

To upgrade the AP and MP versions, log into the supervisor engine.

To upgrade the CFE, log into the Detector module.

If you need to upgrade both AP and MP images, you must upgrade the MP image first.

Use the hw-module module slot_number reset cf:1 command to switch to the MP. The main purpose for operating in the MP mode is to upgrade the AP image.

Use the hw-module module slot_number reset cf:4 command to switch to the AP. The AP is the normal operating mode.

The show module command displays the software version of the partition image that you are running. If you are running the AP image, the show module command displays the AP image version. A sample format of the AP image version is 5.1(0.12). If you are running the MP image, it displays the MP image version. A sample format of the MP image version is 5.1(0.0)m.

The MP image filename uses the c6svc-mp.5-0-3.bin format.

The AP image filename uses the c6svc-adm-k9.5-0-3.bin format.

The MP uses the same network settings as the Detector module. You must configure the network settings before you can upgrade the Detector module images. See Chapter 2, "Configuring the Detector Module on the Supervisor Engine" and Chapter 3, "Initializing the Detector Module" for more information.

When you upgrade a 5.x version of the AP image to a 6.x version with a 1-Gbps bandwidth operation, the installation process changes all instances of the management port designator from eth1 to mng.


Note We recommend that you globally configure the logging console command on the supervisor engine to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.
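The following Python helpers are an added example, not Cisco code and not part of the guide. They apply the conventions in the upgrade notes above: the image filename formats identify an image as MP or AP, the trailing m in the Sw field of show module output identifies the running partition, a combined upgrade is ordered MP first, and the AP image is installed only while the module is running the MP. The show module rows are constructed from the MP upgrade example later in this chapter.

```python
"""Helpers for the upgrade notes: classify image files by name, tell MP from AP
in `show module` output, and order a combined upgrade MP-first.

Added example, not Cisco's code. Filename and version formats follow the
"Upgrading Operation Notes"; the sample `show module` rows are constructed
from the MP upgrade example in this chapter.
"""
import re

# c6svc-mp.5-0-3.bin is an MP image; c6svc-adm-k9.5-0-3.bin is an AP image.
IMAGE_RE = re.compile(r"^c6svc-(?P<kind>mp|adm-k9)\.(?P<ver>\d+-\d+-\d+)\.bin$")
# The Sw field reads 5.1(0.12) for the AP and 5.1(0.0)m (trailing m) for the MP.
SW_RE = re.compile(r"^(?P<ver>\d+\.\d+\(\d+\.\d+\))(?P<mp>m)?$")

# Constructed from the `show module 8` output shown in the MP upgrade example.
SAMPLE_SHOW_MODULE = (
    "Mod\tMAC addresses\tHw\tFw\tSw\tStatus\n"
    "---\t--------------------------------\t----- ------- ----------- -------\n"
    "8\t000f.348d.d7f0 to 000f.348d.d7f7\t0.301\t7.2(1)\t4.0(0.0)m\tOther \n"
)


def classify_image(filename):
    """Return ('MP' or 'AP', 'x.y.z') for an image filename in the documented formats."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError("unrecognized image filename: " + filename)
    kind = "MP" if m.group("kind") == "mp" else "AP"
    return kind, m.group("ver").replace("-", ".")


def running_partition(sw_field):
    """Return 'MP' when the Sw field carries the trailing m, otherwise 'AP'."""
    m = SW_RE.match(sw_field.strip())
    if not m:
        raise ValueError("unrecognized Sw version: " + sw_field)
    return "MP" if m.group("mp") else "AP"


def sw_field_for_slot(show_module_text, slot):
    """Pull the Sw column for one slot; columns are separated by tabs or runs of spaces."""
    for line in show_module_text.splitlines():
        cols = re.split(r"\t|\s{2,}", line.strip())
        if len(cols) >= 6 and cols[0] == str(slot):
            return cols[4]
    return None


def upgrade_order(filenames):
    """Order the images so that the MP image is installed before the AP image."""
    by_kind = {}
    for name in filenames:
        kind, _ = classify_image(name)
        by_kind[kind] = name
    return [by_kind[k] for k in ("MP", "AP") if k in by_kind]


def ready_for_ap_install(show_module_text, slot):
    """True when the slot is running the MP, which is the mode used to install the AP image."""
    sw = sw_field_for_slot(show_module_text, slot)
    return sw is not None and running_partition(sw) == "MP"


if __name__ == "__main__":
    print(upgrade_order(["c6svc-adm-k9.5-0-3.bin", "c6svc-mp.5-0-3.bin"]))
    print("slot 8 running:", running_partition(sw_field_for_slot(SAMPLE_SHOW_MODULE, 8)))
    print("ready for AP install:", ready_for_ap_install(SAMPLE_SHOW_MODULE, 8))
```

The column split tolerates the single space inside the MAC address range because it splits only on tabs or on two or more spaces.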


Upgrading the AP Image

To upgrade the AP image, perform the following steps:


Step 1 Back up the Detector module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section on page 11-7 and the "Exporting Zone Reports" section on page 11-8 for more information.

Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section on page 12-9 for more information.

Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section on page 12-15 for more information.

Step 3 Upgrade an application image to the latest available software release by locating the image on www.cisco.com.

Copy the software image to a directory accessible to FTP or TFTP.

Step 4 Reset the Detector module and load the MP image (this operation takes approximately 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 5 Verify that the MP has booted and that the Detector module status is OK. Enter the following command:

show module slot_number

Step 6 Install the AP image on the compact flash. This operation can take up to 30 minutes depending on the connection speed. Enter the following command:

copy ftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and the name of the image file. If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

You can also download the version from a TFTP server.


Caution Do not reset the Detector module until you see this message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

Step 7 Reset the Detector module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 8 Verify that the AP image that you copied displays in the output of the show module command by entering the following command:

show module slot_number



Note A new version may require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information (release notes can be found on www.cisco.com). If there is a CFE mismatch, the Detector module displays the following message when you establish the first session to the Detector module after upgrading the AP image: "Bad CFE version (X). This version requires version Y."

See the "Burning a New Flash Version to Upgrade the CFE" section for more information.


The following example shows how to upgrade the AP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/ap/adm-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/adm-APUpgrade-4.0.0.x.bin]? 
Destination filename [adm-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till upgrade completes!!>

......<<< Wait

19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>

Sup# hw-module module 8 reset cf:4 <<<<< Resets Detector module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online

Upgrading the MP Image

The MP image rarely requires upgrading. If you are instructed to update the MP software in the release note that corresponds with the software release, perform the following steps:


Step 1 Upgrade to the latest software release by locating the software image on www.cisco.com.

Copy the software image to a directory that is accessible to FTP or TFTP.

To reset the Detector module and load the MP image (this operation takes approximately 3 minutes), enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

Skip this step if you are running the MP image already.

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 2 Verify that the MP has booted and that the Detector module status is OK by entering the following command:

show module slot_number

Step 3 Copy the MP image to the compact flash by entering the following command on the supervisor engine:

copy ftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the Detector module until you see this message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

You can also download the version from a TFTP server.

See the "Using MP Commands" section for more information about the MP commands.

Step 4 Verify that the MP image that you copied is displayed in the output of the show module command by entering the following command:

show module slot_number

Step 5 Reset the Detector module to the AP by entering the following command:

hw-module module slot_number reset cf:4


The following example shows how to upgrade the MP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The Following output shows MP image name because Detector module is reset to MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Detector module to AP (normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
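The following Python scanner is an added example, not Cisco code and not part of the guide. It covers the caution in both the AP and the MP procedures above: the module must not be reset until the supervisor console shows "You can now reset the module." The scanner reads supervisor syslog lines, keeps only the %SVCLC-SP-5-STRRECVD messages relayed from the module in the slot being upgraded, and reports whether the reset step may proceed. The sample console lines are constructed from the two upgrade examples above, with one extra line for another slot (constructed) to show that messages from other modules are ignored.

```python
"""Gate the `hw-module module <slot> reset cf:4` step on supervisor console messages.

Added example, not Cisco's code. It scans supervisor syslog lines for the
%SVCLC-SP-5-STRRECVD messages shown in the AP and MP upgrade examples and
reports whether the module in the given slot may be reset yet.
"""
import re

# Matches both spellings seen in the examples:
#   19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>
#   3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
STRRECVD_RE = re.compile(r"%SVCLC-SP-5-STRRECVD:\s*mod\s*(?P<mod>\d+):\s*<(?P<msg>[^>]*)>")

# Constructed from the AP upgrade example; the "mod 5" line is added to show
# that a message from a different slot does not permit resetting slot 8.
SAMPLE_CONSOLE = """\
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till upgrade completes!!>
19:53:40: %SVCLC-SP-5-STRRECVD: mod 5: <You can now reset the module>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>
"""


class UpgradeWatch:
    """Tracks one module's upgrade through the console messages relayed by the supervisor."""

    def __init__(self, module):
        self.module = module
        self.started = False
        self.succeeded = False
        self.reset_permitted = False
        self.messages = []

    def feed(self, line):
        """Consume one console line; returns True if it belonged to this module."""
        m = STRRECVD_RE.search(line)
        if not m or int(m.group("mod")) != self.module:
            return False
        msg = m.group("msg").strip()
        self.messages.append(msg)
        if "upgrade has started" in msg:
            self.started = True
        elif "upgrade has succeeded" in msg or "Upgrade of MP was successful" in msg:
            self.succeeded = True
        elif "You can now reset the module" in msg:
            self.reset_permitted = True
        return True

    def may_reset(self):
        """Only the explicit "You can now reset the module" message unlocks the reset step."""
        return self.reset_permitted


def scan_console(text, module):
    """Feed every line of captured console output for one slot and return the watcher."""
    watch = UpgradeWatch(module)
    for line in text.splitlines():
        watch.feed(line)
    return watch


if __name__ == "__main__":
    w = scan_console(SAMPLE_CONSOLE, 8)
    print("slot 8 messages:", w.messages)
    print("slot 8 may reset:", w.may_reset())
```

Because the gate is the explicit reset message and not the success message, the MP example's "Upgrade of MP was successful." line alone does not unlock the reset; the following "You can now reset the module" line does.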

Upgrading the AP and MP Images Inline

The inline image upgrade procedure provides an alternative method to upgrading the AP and MP images. When performing the inline image upgrade, you execute the upgrade from the Detector module rather than from the supervisor engine.

To upgrade the software image, perform the following steps:


Step 1 Back up the Detector module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section on page 11-7 and the "Exporting Zone Reports" section on page 11-8 for more information.

Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section on page 12-9 for more information.

Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section on page 12-15 for more information.

Step 3 Upgrade an image to the latest available version by locating the image on www.cisco.com.

Copy the software image to a directory accessible to FTP.

Step 4 Log in to the supervisor engine through the console port or through a Telnet session.

Step 5 If the Detector module is operating from the maintenance image, proceed to Step 7. If the Detector module is not operating from the maintenance image, enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 6 After the Detector module is back online, establish a console session with the Detector module and log into the root account. The default password for the root account is cisco. To establish the console session, enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

The slot_number argument is the number of the slot in which the Detector module is inserted in the chassis (1 to 13, depending on the model of your switch or router). The processor_number argument is the number of the Detector module processor. The Detector module supports management through processor 1 only.

Step 7 Upgrade the software image by entering the following command:

upgrade ftp://path/filename 

The path/filename argument specifies the FTP location and the name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP software image, enter the AP software image filename. To upgrade the MP software image, enter the MP software image filename. See the "Upgrading Operation Notes" section for more information.


Caution Do not reset the Detector module until you see this message on the console: "Application image upgrade complete. You can boot the image now." Resetting the module before this message displays will cause the upgrade to fail.

Step 8 Log out of the Detector module by entering the exit command after completing the upgrade.

Step 9 Reset the Detector module to the AP software image by entering the following command:

hw-module module slot_number reset cf:4


Note Upgrading to a new software release might require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Detector module displays the following message when you establish the first session to the Detector module after upgrading the AP image: "Bad CFE version (X). This version requires version Y." See the "Burning a New Flash Version to Upgrade the CFE" section for more information.


Step 10 When the Detector module has rebooted, verify the software version by entering the show version command.


The following example shows how to upgrade the Detector module application software:

Sup# hw-module module 8 reset cf:1
.
.
.
Proceed with reload of module? [confirm]
% reset issued for module 9
.
.
.
Sup# session slot 8 proc 1
.
.
.
login:root
Password: 
.
.
.
root@localhost.cisco.com# upgrade ftp://psdlab-pc1/pub/images/ap/adm-APUpgrade-4.0.0.x.bin


Downloading the image. This may take several minutes...
.
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:



Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
.
Application image upgrade complete. You can boot the image now.
root@hostname.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.91 closed by foreign host]
Sup# hw-module module 8 reset cf:4
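The two console messages that gate this procedure (the "upgrade complete" message in the Caution before Step 8, and the CFE mismatch message in the Note after Step 9) are easy to miss in a long session. The following helper is an added example, not Cisco code: it checks the ftp-url form given in Step 7 and scans a captured console transcript to report which step is safe next. The transcript and version numbers are constructed.

```python
"""Gate checks for the Detector module AP/MP upgrade procedure (added example).

Assumptions: the console output is captured to a text file, and the messages
match the wording quoted in the guide exactly.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Messages quoted by the guide.
UPGRADE_COMPLETE = "Application image upgrade complete. You can boot the image now."
PROCEED_PROMPT = "Do you want to proceed installing it [y|N]:"
PROCEEDING = "Proceeding with upgrade. Please do not interrupt."
# "Bad CFE version (X). This version requires version Y."
CFE_MISMATCH = re.compile(
    r"Bad CFE version \((?P<have>[^)]+)\)\. This version requires version (?P<need>.+?)\.?$"
)


@dataclass
class UpgradeStatus:
    action: str                      # CONFIRM, WAIT, RESET_CF4 or FLASH_BURN
    cfe_current: Optional[str] = None
    cfe_required: Optional[str] = None


def check_upgrade_url(url: str) -> List[str]:
    """Return problems with an upgrade ftp-url; an empty list means it is acceptable."""
    issues = []
    parts = urlsplit(url)
    if parts.scheme != "ftp":
        issues.append("scheme must be ftp")
    if not parts.hostname:
        issues.append("missing FTP server name or address")
    if not parts.path.startswith("/") or parts.path.endswith("/"):
        issues.append("path must be absolute and end with the image filename")
    if parts.password is not None:
        # The guide's Step 7 form is ftp://user@host/...; the password is then
        # typed at the prompt instead of landing in the session history.
        issues.append("password embedded in URL; use ftp://user@host/path and enter it when prompted")
    return issues


def next_action(transcript: str) -> UpgradeStatus:
    """Decide the next safe step from the console output captured so far."""
    for line in transcript.splitlines():
        m = CFE_MISMATCH.search(line.strip())
        if m:
            # Seen on the first AP session after the reboot: run flash-burn, then reload.
            return UpgradeStatus("FLASH_BURN", m["have"], m["need"])
    if UPGRADE_COMPLETE in transcript:
        return UpgradeStatus("RESET_CF4")          # exit, then hw-module ... reset cf:4
    if PROCEEDING in transcript:
        return UpgradeStatus("WAIT")               # do not reset the module yet
    if PROCEED_PROMPT in transcript:
        return UpgradeStatus("CONFIRM")            # answer the [y|N] prompt
    return UpgradeStatus("WAIT")


# Constructed transcript, abbreviated to the lines the checks rely on.
SAMPLE_TRANSCRIPT = """\
root@localhost.cisco.com# upgrade ftp://psdlab-pc1/pub/images/ap/adm-APUpgrade-4.0.0.x.bin
Downloading the image. This may take several minutes...
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:
Proceeding with upgrade. Please do not interrupt.
Application image upgrade complete. You can boot the image now.
"""

if __name__ == "__main__":
    print(check_upgrade_url("ftp://user:secret@psdlab-pc1/pub/images/ap/image.bin"))
    print(next_action(SAMPLE_TRANSCRIPT))
```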

Burning a New Flash Version to Upgrade the CFE

You can burn a new flash version only when there is a mismatch between the current CFE and the software release. A mismatch condition can occur when you update the Detector module AP or MP software.

When a CFE mismatch is detected, the Detector module displays the following message when you establish the first session with the Detector module after upgrading the software release (X denotes the old flash version and Y denotes the new flash version): "Bad CFE version (X). This version requires version Y."


Note If you try to burn a new flash version when the CFE and the Detector module software versions match, the operation fails.



Caution Ensure that the Detector module has a stable power supply, and do not perform any other Detector module operations while you burn a new flash version. If you do not adhere to these restrictions, the upgrade may fail and leave the Detector module inaccessible.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command in configuration mode:

flash-burn

Step 2 Reload the Detector module by entering the following command:

reload

You must enter the reload command after burning a new flash version. The Detector module is not fully functional until you enter the reload command.


The following example shows how to burn a new flash version:

user@DETECTOR-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

Upgrading the Bandwidth Performance from 1 Gbps to 2 Gbps

If your Detector module currently operates with a maximum bandwidth of 1 Gbps, you can upgrade the bandwidth performance to 2 Gbps by installing the XG version of the software image and the corresponding software license key. The XG software image activates an additional interface port between the Detector module and the supervisor engine for data traffic. (The 1-Gbps software image uses only one interface port for data traffic.) The software license key activates the installed XG software image. For more information, see the "Understanding the 1-Gbps and 2-Gbps Bandwidth Options" section on page 1-6.

When you install the XG software image, the Detector module is not operational until you install the corresponding software license and make the necessary configuration modifications that are required for the 2-Gbps operation. The configuration changes include the following items:

Interface configurations—Configure the new interface on the supervisor engine.

SSL Certificates—Generate a new SSL certificate on the Detector module and any associated Guard.

Installing the XG software image and license does not affect the following Detector module items:

Zone configurations—Existing zone configuration information is untouched.

Management access—Configuration parameters that you configured on mng for the 1-Gbps operation remain the same for the 2-Gbps operation.

This section contains the following topics:

Obtaining and Installing the XG Software Image for the 2-Gbps Operation

Obtaining and Installing the XG Software Image License Key

Activating the Additional Data Port for the 2-Gbps Operation

Regenerating the SSL Certificates for the 2-Gbps Operation

Obtaining and Installing the XG Software Image for the 2-Gbps Operation

To obtain a copy of the XG software image and install the software on the Detector module, see the "Upgrading the AP Image" section.

To verify that the XG software image is loaded, use the show version command. With the XG software image loaded, XG displays after the software version number (for example, version 6.0(0.39)-XG).

Obtaining and Installing the XG Software Image License Key

The license key that is required to activate the XG software image is tied to the Media Access Control (MAC) address of the Detector module where the XG software image resides. This section describes the process that you use to order the XG software license key.


Note You must have the XG version of the 6.0 operating software (or newer) loaded on your Detector module before ordering and installing the corresponding license. To verify the version of software currently loaded on your Detector module, use the show version command. When the XG software image is loaded, the software version number has a -XG suffix (for example, version 6.0(0.39)-XG).


To obtain and install the 2-Gbps license, perform the following steps:


Step 1 From the Detector module, enter the show license-key unique-identifier command (this command requires the admin privilege level) to view the Detector module MAC address.

Step 2 Record the MAC address information because you will need this information when placing your order for the 2-Gbps operation license.

Step 3 Order the lic-adm-2g-k9 license using any of the available Cisco ordering tools on www.cisco.com.

Step 4 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website:

http://www.cisco.com/go/license

Step 5 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 6 Provide all of the requested information to generate a license key.

Once the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions. Save the license key e-mail in a safe place in case you need it in the future.

Step 7 Open the license key file using a text editor and copy its contents into your desktop computer's clipboard.

Step 8 From the Detector module, enter the license-key add command in configuration mode. The CLI prompts you to enter the key lines.

Step 9 Paste the contents of your desktop computer's clipboard (containing the license key) and press Enter.

Step 10 Enter an empty line and press Enter. If the Detector module contains a previously installed license, a confirmation message displays that asks if you want to install the new license.

Step 11 Type y (yes). The XG software image is now active and ready for the 2-Gbps operation.

Step 12 (Optional) Enter the show license-key command to verify that the key loaded properly and is valid.


Activating the Additional Data Port for the 2-Gbps Operation

Installing and activating the XG software image allows data traffic between the supervisor engine and the Detector module to travel over two interface ports rather than just one interface port. To activate the additional data port on the Detector module for the 2-Gbps operation, use the no shutdown command in the interface configuration mode.

For more information, see the "Configuring a Physical Interface" section on page 3-8.

Regenerating the SSL Certificates for the 2-Gbps Operation

The Detector module uses a Secure Sockets Layer (SSL) certificate to establish a secure communication channel with its associated Guard devices. Upgrading from the 1-Gbps software image to the 2-Gbps software image deletes any existing SSL certificate from the Detector module. After installing the 2-Gbps software image and license, you must regenerate the SSL certificates that the Detector module and associated Guards use to establish a secure communication channel between them. On any associated Guard, you must first delete the existing SSL certificate before you can generate a new certificate.

For more information, see the "Regenerating SSL Certificates" section on page 4-19.

Using MP Commands

You can boot the Detector module to the MP and access the set of interfaces available on the MP to administer and diagnose the Detector module. One of the key features of the MP is to provide the ability to install a new AP image.

To boot to the MP, perform the following steps:


Step 1 Reset the Detector module to the MP by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Detector module is back online, establish a session with the Detector module and log in to the MP using the MP root user account (username: root, password (default): cisco).


Table 13-5 summarizes the MP commands.

Table 13-5 MP Commands 

Command
Description

clear ap password

Clears the following information that you have defined on the Detector module:

All user passwords

The TACACS+ login authentication method (reset to local)


Note This command does not reset the MP root user account.


clear ap config

Returns the Detector module to its default configuration. This command deletes all Detector module configuration, logs, reports, and the license key (if installed).

ip address [ip address] [subnet]

Configures the IP address that the Detector module uses to access the external network.

ip gateway [default-gateway]

Specifies the default gateway for the network.

passwd

Changes the password for the current user.

passwd-guest

Changes the password for the guest account.

ping {host-name | ip address}

Pings a specified host on the network and verifies that the network parameters are configured correctly.

show images

Displays the images stored in the application partition.

show ip

Displays the network parameters of the Detector module.

upgrade ftp-url

Upgrades the image where ftp-url is the URL specifying the FTP server containing the image and the path to the image. The path format is as follows: ftp://user:password@server-name/path.

You can specify the name of the FTP server or its IP address.


Recovering from a Lost Password Condition

You can reset the forgotten password of the Detector module default admin user account using one of the following methods:

Using a user account with administrative privileges—Enables you to use the Detector module CLI to configure the default admin user account with a new password without affecting the other user accounts. For more information, see the "Changing the Passwords of Other Users" section on page 4-7.

Reviewing the TACACS server configuration—Enables you to determine the current password associated with the default admin user account. This method requires that the Detector module is already configured to perform login authentication on a TACACS server.

Using the Linux tac-cli user account—Enables you to use Linux to configure the Detector module default admin user account with a new password without affecting the other user accounts. For more information, see the "Resetting the Default admin User Account Password" section.

Resetting all user account information—Deletes all configured user account information (usernames and associated passwords) and deletes the passwords associated with the following Detector module default user accounts: admin, riverhead, tac-cli, and root. After resetting the user account information, you access the Detector module as if you were accessing it for the first time and the CLI prompts you to configure the default user account passwords. For more information, see the "Resetting All User Account Information" section.

This section contains the following topics:

"Resetting the Default admin User Account Password"

"Resetting All User Account Information"

Resetting the Default admin User Account Password

You can reset the password of the Detector module default admin user account by using the Linux tac-cli user account.

To reset the Detector module default admin user account password, perform the following steps:


Step 1 Log in to the Detector module as the Linux tac-cli user.

Step 2 Switch to the admin username by using the su - admin command.

Step 3 Configure the password for the Detector module default admin user account by using one of the following commands:

username admin admin password—The password argument consists of 6 to 24 characters.

password admin—The CLI prompts you to enter a password and reenter it for verification as shown in the following example:

@PGuardR3#password admin
New Password: 
Retype New Password: 
finished successfully
Password was changed successfully

The password consists of 6 to 24 characters.

Step 4 Switch back to the tac-cli prompt by using the exit command.

Step 5 Log out of tac-cli using the exit command.

Step 6 Log in to the Detector module using the admin username and the new password.

Step 7 (Optional) If the login authentication method is configured for local authentication, configure the other Detector module user account names and passwords (see the "Adding a User" section on page 4-6).


Resetting All User Account Information

The procedure in this section shows how to reset the Detector module user account information when you have forgotten the passwords of all Detector module administrative user accounts and of the Linux tac-cli user account.


Caution The process of resetting the Detector module user account information deletes all configured user account information, including all usernames and associated passwords. After the user account information is reset, only the default user account names (admin, riverhead, tac-cli, and root) remain, requiring you to log on using the procedure in the "Accessing the Detector Module for the First Time" section on page 2-9 and assign new passwords to these four user accounts.


Caution Resetting the user account information requires rebooting the Detector module, which will interrupt network traffic processing. We recommend that you avoid using this procedure while the Detector module is in service.

There are two methods for resetting all user account information as follows:

Using the MP root user account—Uses the root user account that is built into the MP. The default password for this root account is cisco. You must boot the Detector module to the MP to use this method. This method also resets the login authentication method to "local" to avoid a lockout condition due to an invalid TACACS login authentication configuration. Resetting the user account information using this method does not reset the MP root user account.

Using the AP root user account—Uses the root user account that is built into the AP. This user account is accessible from the supervisor engine only and is authenticated locally only, even if you have the Detector configured to use TACACS as the authentication method. To use this method, you must know the AP root user account password, which you configured when you first installed the Detector module and established the initial session. Resetting the user account information using this method does not reset the MP root user account.

Using the AP root user account to reset all user account information is useful if you are locked out due to an invalid TACACS login authentication configuration and there is no way to recover from it because you do not have access to the TACACS configuration. Because the AP root user account is always authenticated locally, you can avoid TACACS authentication.


Note The main advantage of clearing all configured user account information using the AP rather than the MP is reduced downtime. Using the MP requires two reboots of the Detector module whereas using the AP requires only one reboot.


This section contains the following topics:

Resetting the User Account Information Using the MP root User Account

Resetting the User Account Information Using the AP root User Account

Resetting the User Account Information Using the MP root User Account

To reset the Detector module user account information and change the login authentication method to "local" using the MP root user account, perform the following steps:


Step 1 Reset the Detector module to the MP by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Detector module is back online, establish a session with the Detector module and log in to the MP using the MP root user account (username: root, password (default): cisco).

Step 3 Delete all user account information that is configured on the Detector module by entering the following command:

clear ap password

Step 4 Reset the Detector module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 5 Access the Detector module using the procedure in the "Accessing the Detector Module for the First Time" section on page 2-9 and assign new passwords to the following default user accounts: admin, riverhead, tac-cli, and root.

Step 6 (Optional) Configure new user accounts for accessing the Guard module (see the "Adding a User" section on page 4-6).


Resetting the User Account Information Using the AP root User Account

To reset the Detector module user account information using the AP root user account, perform the following steps:


Step 1 Log on to the Detector module from the supervisor engine using the AP root username and password.

Step 2 Clear the user account information by entering the clear password command as follows:

root@DETECTOR#clear password
WARNING: this will reset all user passwords (reboot required), are you sure? '[Y/N]: 'Y
Reboot is required after clear password. Please use the 'hw-module module [slot #] reset' 
command via the Cisco Catalyst CLI to reboot the blade

Step 3 Press Y to approve the reset request.

Step 4 Use the exit command to log out of root as follows:

root@DETECTOR#exit
logout

[Connection to 127.0.0.31 closed by foreign host]

Step 5 Reboot the Detector module by entering the hw-module module X reset cf:4 command.

Resetting the Detector Module Configuration to Factory Default Values

You can reset the Detector module to the factory-default values and configure it as a new Detector module by using the following command in configuration mode:

clear config all

Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Detector module, if the configuration has become complex, or if you want to move the Detector module from one network to another network. You can also use the clear ap config MP command to reset the Detector module to the factory-default values (see the "Using MP Commands" section).


Caution Resetting the Detector module configuration deletes all configured user account information, including all usernames and associated passwords. After you reset the Detector module configuration, the default user account names (admin, riverhead, tac-cli (Linux), and root) are the only user account information that remains, requiring you to log on using the procedure in the "Accessing the Detector Module for the First Time" section on page 2-9.

You should back up the Detector module configuration by using the copy running-config command before you reset it to the factory-default settings. See the "Exporting the Configuration" section.


Caution Execute the clear config all command using either an out-of-band management interface connection (if available) or a connection through the supervisor. When the Detector module executes the clear config command, it clears the configuration and then performs a reboot after you confirm the reboot request. If you execute the clear config all command using an inline SSH connection, you are disconnected during the clear configuration process and the Detector module does not reboot. You must then connect to the supervisor engine and reboot the Detector module manually.

To reset the Detector module to the factory-default settings, perform the following steps using an out-of-band console connection:


Step 1 Enter the clear config all command from the configuration mode. The CLI displays a verification prompt that asks you to verify that you want to clear all of the configuration information.

Step 2 Enter yes. The CLI displays a prompt stating that a reboot is required and to press the Enter key.


Caution You must reboot the Detector module at this time (using the current session) or it will not operate correctly.

Step 3 Press the Enter key.

Step 4 Access the Detector module by following the procedure in the "Accessing the Detector Module for the First Time" section on page 2-9 and assign new passwords to the following default user accounts: admin, riverhead, tac-cli, and root.

Step 5 Reconfigure the Detector module.


The following example shows how to reset the Detector module to the factory-default settings using an out-of-band console connection:

user@DETECTOR-conf# clear config all
Are you sure you want to clear ALL configuration and logging information?
Type 'yes' to clear config, or any other key to cancel
yes
Reboot is required after clear config. Please press Enter to continue