Cisco Anomaly Guard Module Configuration Guide (Software Version 4.0)
Guard Module Diagnostics and Maintenance

Table Of Contents

Guard Module Diagnostics and Maintenance

Viewing the Zones

Viewing the Guard Module Logs

Displaying On-line Event Logs

Exporting On-line Event Logs

Displaying the Log File

Exporting the Log-file

Clearing the Log-file

Copying Guard Module Configuration

Exporting Configuration

Importing and Updating Configuration

Guard Module Diagnostics

Displaying General Diagnostics Data

Displaying the Memory Consumption

Displaying the CPU Utilization

Manipulating the ARP Cache

Netstat

Traceroute

Ping

Monitoring Network Traffic

Exporting Captured Traffic

Obtaining Debug Information

Upgrading the Guard Module Version

Upgrading Operation Notes

AP Upgrade Procedure

MP Upgrade Procedure

Inline Upgrade Procedure

Burning a New Flash Version

MP Commands

Recovering a Lost Password


Guard Module Diagnostics and Maintenance


This chapter describes how to perform tasks used for general care and upkeep of the Guard module and how to display statistics and diagnostics on the Cisco Anomaly Guard Module (Guard module). It includes the following sections:

Viewing the Zones

Copying Guard Module Configuration

Guard Module Diagnostics

Upgrading the Guard Module Version

MP Commands

Recovering a Lost Password

Viewing the Zones

You can display an overview of the zones in the Guard to see which zones are active and what their current status is. Use the show command in global mode to display a list of zones. Table 11-1 describes the different zone statuses.

Table 11-1 Zone Status

Status
Description

Auto protect mode

The zones are in automatic protect modes and the Dynamic filters are activated without user intervention.

Interactive protect mode

The zones are in interactive protect modes and the Dynamic filters are activated manually.

Threshold Tuning phase

The zones are in the threshold tuning phase. The Guard analyses the zone traffic and defines thresholds for the policies constructed during the policy construction phase.

Policy Construction phase

The zones are in the policy construction phase and the zone policies are created.

Standby

The zones are not active.


For example:

admin@GUARD# show

Viewing the Guard Module Logs

The Guard module automatically logs system activity and events. You can display the Guard module logs to review and track the Guard module activity.

Table 11-2 displays the event log levels.

Table 11-2 Event Log Levels 

Event Level
Numeric code
Description

Emergencies

0

System is unusable

Alerts

1

Immediate action required

Critical

2

Critical condition

Errors

3

Error condition

Warnings

4

Warning condition

Notifications

5

Normal but significant condition

Informational

6

Informational messages

Debugging

7

Debugging messages


The log file displays all log levels (emergencies, alerts, critical, errors, warnings, notification, informational, debugging). The Guard module log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings and notification.

You can view the event log locally or from a remote server:

Real-time logging of events—See the "Displaying On-line Event Logs" section

The log file—See the "Displaying the Log File" section

Displaying On-line Event Logs

You can activate the Guard module monitoring mechanism and view a real time event log. This enables you to view the online logging of the Guard module events. Enter the following command:

event monitor

For example:

admin@GUARD# event monitor

The screen constantly updates with events.


Note To deactivate the monitoring mechanism, use the no event monitor command.


Exporting On-line Event Logs

You can export the Guard module online event logs in order to view the Guard module operations that are registered in the log file. You can view the Guard module events from a remote host as they are registered, online, in the Guard module log file. The Guard module log file is exported using the syslog mechanism. You can export the Guard module log file to several syslog servers. You can specify additional servers so that should one go offline, another will be available to receive messages.


Note You can only export Guard module online event logs to a syslog server. If a remote syslog server is not available, use the copy log command to export the Guard module log file.


The format of the syslog message is as follows:

<event date> <event time> <Guard module IP address> <protection module> <zone name><event severity level> <event type> <event description>

An example of an event log is:

Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.

To export online event logs, perform the following steps:


Step 1 (Optional) Configure the logging parameters. Enter the following command:

logging {facility | trap}

Table 11-3 provides the keywords for the logging command.

Table 11-3 Keywords for the logging Command 

Parameter
Description

facility

The export syslog facility. The available facilities are local0 through local7. The default is local4.

trap

The severity level of the syslog traps sent to the remote syslog server. A trap level also includes every level of higher severity. For example, if the trap level is set to warnings, then errors, critical, alerts and emergencies are also sent. The available trap levels from the highest to the lowest severity are: emergencies, alerts, critical, errors, warnings, notification, informational, debugging. The default is notification.



Note To receive events on Dynamic filters addition and removal, change the trap level to informational.


Step 2 Configure the remote syslog server IP address. Enter the following command:

logging host remote-syslog-server-ip

OR

export log remote-syslog-server-ip

The remote-syslog-server-ip argument specifies the remote syslog server IP address.

To build a list of syslog servers that receive logging messages, enter this command more than once.


The following example shows how to configure the Guard module to send traps from severity level notification, using the facility local3, to a syslog server with IP address 10.0.0.191.

admin@GUARD-conf# logging facility local3
admin@GUARD-conf# logging trap notifications
admin@GUARD-conf# logging host 10.0.0.191

To view the export online event logs configuration, use the show logging command or the show log export-ip command.
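The following Python script is an added example, not part of the Cisco guide: it parses exported event lines in the message layout shown above, maps the numeric severity to the level names of Table 11-2, and applies the trap-level rule of Table 11-3 to show which lines a syslog server would actually receive (note how the Dynamic filter event only appears at trap level informational). The first sample line is the guide's own example; the other lines, and the event type names dynamic-filter-add and zone-error, are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Event levels and numeric codes from Table 11-2.
LEVELS = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
LEVEL_CODES = {name: code for code, name in LEVELS.items()}

# Exported message layout described in the guide:
# <date> <time> <Guard module IP> <protection module>: <zone>, <severity> <event type>: <description>
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<guard_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<module>\w+): "
    r"(?P<zone>[^,]+), (?P<severity>[0-7]) (?P<event_type>[\w-]+): (?P<description>.*)$"
)


@dataclass
class GuardEvent:
    date: str
    time: str
    guard_ip: str
    module: str
    zone: str
    severity: int
    event_type: str
    description: str

    @property
    def level_name(self) -> str:
        return LEVELS[self.severity]


def parse_event(line: str) -> Optional[GuardEvent]:
    """Parse one exported Guard module syslog line; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    f = m.groupdict()
    return GuardEvent(f["date"], f["time"], f["guard_ip"], f["module"], f["zone"],
                      int(f["severity"]), f["event_type"], f["description"])


def passes_trap_level(severity: int, trap_level: str) -> bool:
    """Trap-level rule from Table 11-3: a configured level also admits every more severe (lower-numbered) level."""
    return severity <= LEVEL_CODES[trap_level]


def filter_events(lines: Iterable[str], trap_level: str = "notifications") -> List[GuardEvent]:
    """Return the parsed events a syslog server receives at the given trap level (default is the guide's default)."""
    kept = []
    for line in lines:
        event = parse_event(line)
        if event is not None and passes_trap_level(event.severity, trap_level):
            kept.append(event)
    return kept


# Constructed sample feed: the first line is the guide's own example, the rest are made up for this example.
SAMPLE_LINES = [
    "Sep 11 16:34:40 10.4.4.4 cm: scannet, 5 threshold-tuning-start: Zone activation completed successfully.",
    "Sep 11 16:35:02 10.4.4.4 cm: scannet, 6 dynamic-filter-add: Constructed informational event.",
    "Sep 11 16:40:13 10.4.4.4 cm: scannet, 3 zone-error: Constructed error event.",
    "Sep 11 16:41:00 10.4.4.4 not a Guard module event line",
]

if __name__ == "__main__":
    for level in ("notifications", "informational"):
        print(f"trap level {level}:")
        for ev in filter_events(SAMPLE_LINES, level):
            print(f"  {ev.zone} {ev.level_name:<14} {ev.event_type}: {ev.description}")
```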

Displaying the Log File

You can display the Guard module log for diagnostic or monitoring purposes. The Guard module log file includes zone events with severity levels: emergencies, alerts, critical, errors, warnings and notification.

To display the Guard module log, enter the following command:

show log

You can display a zone log to view events that relate only to the specified zone.

For example:

admin@GUARD# show log

Exporting the Log-file

You can export the Guard module log file to an FTP server for monitoring or diagnostic purposes. Enter the following command:

copy [zone zone-name] log ftp server full-file-name [login] [password]

Table 11-4 provides the arguments and keywords for the copy log ftp command.

Table 11-4 Arguments for the copy log ftp Command 

Parameter
Description
zone-name

(Optional) The zone name. Export the zone log file. The default is to export the Guard module log file.

server

The IP address of the FTP server.

full-file-name

The full name of the file. If you do not specify a path the server will save the file in your home directory.

login

(Optional) The FTP server login name.

The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password

(Optional) The password for the remote FTP server.

If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy log ftp 10.0.0.191 log.txt <user> <password>

Clearing the Log-file

You can clear the Guard module or zone log file of all entries.


Tip Clear the Guard module or zone log file if it is large, or if you are going to perform testing and want to be sure that the log file only reflects information from the testing session.


Enter the following command:

clear [zone zone-name] log

The zone-name argument specifies the zone name. The default is to clear the Guard module log file.

Copying Guard Module Configuration

You can export the Guard module configuration file to an FTP server. Exporting the Guard module or zone configuration file (running-config) to a remote FTP server enables you to:

Implement the Guard module configuration parameters on another Guard module

Back up the Guard module configuration

Exporting Configuration

To export the Guard module configuration file, enter the following command:

copy [zone zone-name] running-config ftp server full-file-name [login] [password]

Table 11-5 provides the arguments for the copy running-config ftp command.

Table 11-5 Arguments for the copy running-config ftp Command 

Parameter
Description
zone-name

(Optional) The zone name. Export the zone configuration file. The default is to export the Guard module configuration file.

server

The IP address of the FTP server.

full-file-name

The full name of the file. If you do not specify a path the server will save the file in your home directory.

login

(Optional) The FTP server login name.

The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password

(Optional) The password for the remote FTP server.

If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>

Importing and Updating Configuration

You can import a Guard module or zone configuration file from an FTP server and reconfigure the Guard module according to the newly transferred file. Import configuration to:

Configure the Guard module based on an existing Guard module configuration file

Restore Guard module configuration

The new configuration overrides the existing one. For the new configuration to take effect, you must reload the Guard module.


Note Zone configuration is a partial Guard module configuration. Use the copy ftp running-config command to copy both types of configuration files to the Guard module and reconfigure it accordingly.


To import a Guard module configuration file, enter the following command:

copy ftp running-config server full-file-name [login] [password]

Table 11-6 provides the arguments for the copy ftp running-config command.

Table 11-6 Arguments for the copy ftp running-config Command 

Parameter
Description
zone-name

(Optional) The zone name. Import the zone configuration file. The default is to import the Guard module configuration file.

server

The IP address of the FTP server.

full-file-name

The full name of the file. If you do not specify a path the server will save the file in your home directory.

login

(Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password

(Optional) The password for the remote FTP server. If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy ftp running-config 10.0.0.191 scannet-conf 

Guard Module Diagnostics

This section describes a group of commands designed to help in Guard module diagnostics. These commands consist of the following:

Displaying General Diagnostics Data

Displaying the Memory Consumption

Displaying the CPU Utilization

Manipulating the ARP Cache

Netstat

Traceroute

Ping

Monitoring Network Traffic

Obtaining Debug Information

Displaying General Diagnostics Data

You can view general Guard module diagnostics data. To view a general display of the diagnostics data, enter the following command:

show diagnostic-info

The diagnostics data consists of the following:

Line Card Number—An identifier string for the Guard.

Number of Pentium-class Processors—The number of processors on the Guard module. The Guard module supports one processor.

BIOS Vendor—The vendor of the BIOS on the Guard.

BIOS Version—The BIOS version on the Guard.

Total available memory—The total memory available on the Guard.

Size of compact flash—The size of the compact flash on the Guard.

Slot Num—The number of the slot in which the module is inserted in the chassis (1-9).

CFE version—The CFE version number. To change the CFE version you must install a new flash version. Use the flash-burn command to burn a new CFE version. See the "Burning a New Flash Version" section for further details.

Recognition Average Sample Loss—The calculated Recognition module packet sample loss.

Forward failures (no resources)—The number of packets that were not forwarded due to lack of system resources.


Note A high Recognition Average Sample Loss or a large number of Forward Failures indicates that the Guard is overloaded with traffic. We recommend that you install more than one Guard in a load-sharing configuration.


Displaying the Memory Consumption

You can view the Guard module memory consumption. The Guard module displays the memory usage in kilobytes. In addition, the Guard module displays the percentage of memory that the Recognition protection module uses. The Recognition protection module memory usage is affected by the number of active zones and the number of services each of the zones monitors.

If the Recognition protection module memory usage is higher than 90%, we recommend that you lower the number of active zones.

Enter the following command:

show memory

For example:

admin@GUARD# show memory
              total    used    free    shared   buffers   cached
  In KBytes:  2065188  146260  1918928    0     2360      69232

  Recognition Used Memory: 0.3%

Note The total amount of free memory the Guard module has is equal to the sum of the free memory and the cached memory.


Displaying the CPU Utilization

You can display the current percentage of CPU utilization. The Guard module displays the percentage of CPU time in user mode, system mode, niced tasks, and idle. Niced tasks are also counted in system and user time, thus the total CPU utilization can be more than 100%.

Enter the following command:

show cpu

For example:

admin@GUARD# show cpu
Host CPU:  0.0% user,  0.1% system,  0.0% nice, 99.0% idle

Manipulating the ARP Cache

You can view or manipulate the ARP cache to clear an address mapping entry or to manually define one. Enter one of the following commands:

arp [-evn] [-H type] [-i if] -a [hostname]

arp [-v] [-i if] -d hostname [pub]

arp [-v] [-H type] [-i if] -s hostname hw_addr [temp]

arp [-v] [-H type] [-i if] -s hostname hw_addr [netmask nm] pub

arp [-v] [-H type] [-i if] -Ds hostname ifa [netmask nm] pub

arp [-vnD] [-H type] [-i if] -f [filename]

Table 11-7 provides arguments and keywords for the arp command.

Table 11-7 Arguments and Keywords for the arp Command 

Parameter
Description
-v, --verbose

Displays verbose output.

-n, --numeric

Displays numerical addresses.

-H type, --hw-type type, -t type

Specifies which class of entries the Guard module checks for. The default value of this parameter is ether (hardware code 0x01 for IEEE 802.3 10Mbps Ethernet).

-a [hostname], --display [hostname]

Displays the entries of the specified hosts in alternate (BSD) style. The default is to display all entries.

-d hostname, --delete hostname

Removes any entry for the specified host.

-D, --use-device

Uses the hardware address of the interface ifa.

-e

Displays the entries in default style.

-i if, --device if

Specifies an interface. When dumping the ARP cache only entries that match the specified interface are printed. If you set a permanent or temporary ARP entry this interface is associated with the entry. If you do not use this option, the Guard module guesses based on the routing table. For pub entries this is the interface on which ARP requests are answered. This has to be different from the interface to which the IP datagrams will be routed.

-s hostname hw_addr, --set hostname

Creates an ARP address mapping entry for host hostname with the hardware address set to hw_addr. The format of the hardware address depends on the hardware class; for most classes you can use the usual presentation.

-f filename, --file filename

Creates an ARP address mapping entry. The information is taken from the file filename. The file format is ASCII text lines with a hostname, and a hardware address separated by white space. You can also use the pub, temp and netmask flags. In all places where a hostname is expected, you can also enter an IP address in dotted-decimal notation.



Caution To configure the Guard module ARP cache, you need knowledge of the Guard module software and the network.

For example:

admin@GUARD# arp -e

Address        HWtype  HWaddress           Flags Mask  Iface
10.10.1.254    ether   00:02:B3:C0:61:67   C           eth1
10.10.8.11     ether   00:02:B3:45:B9:F1   C           eth1
10.10.8.253    ether   00:D0:B7:46:72:37   C           eth1
10.10.10.54    ether   00:03:47:A6:44:CA   C           eth1

Netstat

You can display the network connections, routing tables, interface statistics, masquerade connections and multicast memberships to debug network problems. Enter one of the following commands:

netstat [address_family_options] [--tcp|-t] [--udp|-u] [--raw|-w] [--listening|-l] [--all|-a] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [delay]

netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

netstat {--interfaces|-i} [iface] [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c] [delay]

netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--raw|-w] [delay]

netstat {--version|-V}

netstat {--help|-h}


Note If you do not specify any address families, the Guard module displays the active sockets of all configured address families.


Table 11-8 provides arguments and keywords for the netstat command.

Table 11-8 Arguments and Keywords for the netstat Command 

Parameter
Description

address_family_options

[--protocol={inet,unix,ipx,ax25,netrom,ddp}[,...]] [--unix|-x][--inet|--ip] [--ax25] [--ipx] [--netrom] [--ddp]

--route, -r

Displays the Guard module routing tables.

--groups, -g

Displays multicast group membership information for IPv4 and IPv6.

--interface, -i iface

Displays a table of all network interfaces, or of the interface iface.

--masquerade, -M

Displays a list of masqueraded connections.

--statistics, -s

Displays summary statistics for each protocol.

-v, --verbose

Displays verbose output.

-n, --numeric

Displays numerical addresses.

--numeric-hosts

Displays numerical host addresses. This does not affect the resolution of port or user names.

--numeric-ports

Displays numerical port numbers. This does not affect the resolution of host or user names.

--numeric-users

Displays numerical user IDs. This does not affect the resolution of host or port names.

--protocol, -A family

A comma-separated list that specifies the address families (low-level protocols) for which connections are displayed. The address family inet includes raw, udp and tcp protocol sockets.

-c, --continuous

Displays the selected information every second, continuously.

-e, --extend

Displays additional information. Use this option twice for maximum detail.

-o, --timers

Displays information related to networking timers.

-p, --program

Displays the PID and name of the program to which each socket belongs.

-l, --listening

Displays only listening sockets. These are omitted by default.

-a, --all

Displays both listening and non-listening sockets.

-F

Displays routing information from the FIB.

-C

Displays routing information from the route cache.

delay

Netstat prints the selected statistics repeatedly, every delay seconds.


You can enter up to 13 arguments and keywords in one command.

For example:

admin@GUARD# netstat -v
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address   Foreign Address         State
tcp        0      0 localhost:1111  localhost:32777    ESTABLISHED
tcp        0      0 localhost:8200  localhost:32772    ESTABLISHED
.
.
.
tcp        0      0 localhost:33464 localhost:8200     TIME_WAIT
tcp        1      0 localhost:1113  localhost:33194    CLOSE_WAIT
.
.
.
Active UNIX domain sockets (w/o servers)
unix  2      [ ]         STREAM     CONNECTED     928
unix  3      [ ]         STREAM     CONNECTED     890  /tmp/.zserv
.
.
.
admin@GUARD#

Traceroute

You can print the route packets take to a network host to debug network problems. Enter the following command:

traceroute ip-address [-F] [-f first_ttl] [-g gateway] [-i iface] [-m max_ttl] [-p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime] [packetlen]


Note The traceroute command displays only IP addresses and not names.


Table 11-9 provides the arguments and keywords for the traceroute command.

Table 11-9 Arguments and Keywords for the traceroute Command 

Parameter
Description

ip-address

The IP address to trace the route to.

-f

Set the initial time-to-live used in the first outgoing probe packet.

-F

Set the don't fragment bit.

-g

Specify a loose source route gateway (8 maximum).

-i

Specify a network interface to obtain the source IP address for outgoing probe packets. This is normally only useful on a multi-homed host.

-m

Set the maximum time-to-live (maximum number of hops) used in outgoing probe packets. The default is 30 hops.

-p

Set the base UDP port number used in probes. The default is 33434.

packetlen

Set the packet length of the probe.

-s

Use the specified IP address as the source IP address in outgoing probe packets.

-t

Set the type-of-service in probe packets to the specified value. The default is zero.

-w

Set the time (in seconds) to wait for a response to a probe. The default is 5 seconds.


For example:

admin@GUARD# traceroute 10.10.10.34
traceroute to 10.10.10.34 (10.10.10.34), 30 hops max, 38 byte packets
 1 10.10.10.34 (10.10.10.34) 0.577 ms  0.203 ms  0.149 ms

Ping

You can send ICMP ECHO_REQUEST packets to network hosts and verify connectivity. Enter the following command:

ping ip-address [-c count] [-i interval] [-l preload] [-s packetsize] [-t ttl] [-w deadline] [-F flowlabel] [-I interface] [-Q tos] [-T timestamp option] [-W timeout]

Table 11-10 provides arguments and keywords for the ping command

Table 11-10 Arguments and Keywords for the ping Command 

Parameter
Description

ip-address

The destination IP address.

-c count

Send count ECHO_REQUEST packets. With deadline option, ping waits for count ECHO_REPLY packets, until the timeout expires.

-F flow label

Allocate and set a 20-bit flow label on echo request packets (ping6 only). If the value is zero, a random flow label is used.

-i interval

Wait interval seconds between packets. The default is to wait for one second.

-I interface

Set the source IP address to the specified interface address.

-l preload

Sends preload packets without waiting for a reply.

-Q tos

Set Quality of Service -related bits in ICMP datagrams.

-s packetsize

Specifies the number of data bytes to send. The default is 56.

-t ttl

Set the IP Time to Live.

-T timestamp option

Set special IP timestamp options.

-w deadline

Specify a timeout, in seconds, before ping exits regardless of how many packets have been sent or received.

-W timeout

Time to wait for a response, in seconds.


You can enter up to ten arguments and keywords in one command.

For example:

admin@GUARD# ping 10.10.10.30 -n 1

Monitoring Network Traffic

You can capture and observe network traffic patterns and problems. You can filter the information and capture and view only relevant traffic.

The Guard module captures the traffic in PCAP format.

A new capture replaces the previous one. To save the captured traffic, export it to an FTP server before you initiate a new capture. See the "Exporting Captured Traffic" section for further details.

Use the packet-dump command to monitor network traffic. This command provides the following options:

packet-dump capture [view] zone-name sample-rate pdump-count {all | dropped | forwarded | replied} [filter-exp]—Capture network traffic. Use the view option to display the traffic while it is being dumped.

packet-dump view—View a previously captured packet dump.


Note The CLI session halts while the traffic is captured. To continue working while the capture is in process, establish an additional session with the Guard module.


Table 11-11 provides the arguments and keywords for the packet-dump command.

Table 11-11 Arguments and Keywords for the packet-dump Command 

Parameters
Description
view

View the captured traffic.

zone-name

Capture traffic destined to the specific zone. Specify the name of an existing zone.

sample-rate

An integer of 1 or greater that specifies the capture rate. The Guard module captures 1 out of every sample-rate packets.

Note A low value is resource consuming. Therefore, we recommend that you use it cautiously due to its potential performance penalty.

pdump-count

An integer from 1 to 5000 that specifies the number of packets to capture.

all

Captures all traffic.

dropped

Captures only traffic that the Guard module dropped.

forwarded

Captures only legitimate traffic that the Guard module forwarded on to the zone.

replied

Captures only the traffic that the Guard module anti-spoofing and anti-zombie mechanisms sent back to the source in a verification attempt.

filter-exp

Captures only traffic that complies with the filter expression. The expression rules are identical to the Flex filter expression rules. See the "Configuring the Flex Filter" section for further details.


For example:

admin@GUARD# packet-dump capture view scannet 10 1000 all

Exporting Captured Traffic

You can capture and observe network traffic patterns and problems. A new capture replaces the older one. To save the captured traffic, export it to an FTP server before you initiate a new capture.

To export a capture to an FTP server, enter the following command:

copy packet-dump ftp server full-file-name [login] [password]

Table 11-12 provides arguments for the copy packet-dump command.

Table 11-12 Arguments for the copy packet-dump Command 

Parameters
Description

server

The IP address of the FTP server.

full-file-name

The full file path name. If you do not specify a path, the server will save the file in your home directory.

login

(Optional) The FTP server login name.

The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password

(Optional) The password for the remote FTP server.

If you do not enter a password, you will be prompted for it.


For example:

admin@GUARD# copy packet-dump ftp 10.0.0.191 dump <user> <password>

Obtaining Debug Information

In case of an operational problem in the Guard module, Cisco Technical Support may ask you to send internal debug information. The debug core file contains information for troubleshooting system malfunctions. The file output is encrypted and intended for use by Cisco TAC personnel only.

The debug core file contains information for troubleshooting system malfunctions that occurred during the specified time. To extract the debug information to an FTP server, perform the following steps:


Step 1 View the Guard module log file. See the "Displaying the Log File" section for further details.

Step 2 Determine the time from which to collect the debug information. Identify the first log message that indicates a problem.

Step 3 Extract the debug information to an FTP server. Enter the following command:

copy debug-core time ftp server full-file-name [login] [password]

Table 11-13 provides the arguments for the copy debug-core command.

Table 11-13 Arguments for the copy debug-core Command 

Parameter
Description

time

The time of the event that triggers the need for debug information. The time string uses the format MMDDhhmm[[CC]YY][.ss]:

MM—The month in numeric figures

DD—The day of the month

hh—The hour in a 24 hour clock

mm—The minutes

CC—(Optional) The first two digits of the year (for example, 20 for the year 2005)

YY—(Optional) The last two digits of the year (for example, 05 for the year 2005)

.ss—(Optional) The seconds (the period must be present)

server

The IP address of the FTP server.

full-file-name

The full name of the file. If you do not specify a path, the server will save the file in your home directory.

login

(Optional) The FTP server login name. The FTP server assumes an anonymous login when you do not insert a login name. The server will not prompt you for a password.

password

(Optional) The FTP server password. If you do not enter a password, you will be prompted for it.



For example:

admin@GUARD# copy debug-core 11090645 ftp 10.0.0.191 /home/debug/debug-file <user> <password>
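The following Python helper is an added example, not part of the Cisco guide: it validates and parses the MMDDhhmm[[CC]YY][.ss] time string of Table 11-13 (including the optional century, year and seconds fields), renders a timestamp taken from the log back into that form, and assembles the copy debug-core command line shown above. The guide does not say what year is assumed when none is given, nor how a two-digit year without a century is interpreted; the default_year argument and the 69-99 / 00-68 pivot used here are assumptions of this example.

```python
import re
from datetime import datetime
from typing import Optional

# Time string format from Table 11-13: MMDDhhmm[[CC]YY][.ss]
TIME_RE = re.compile(
    r"^(?P<MM>\d{2})(?P<DD>\d{2})(?P<hh>\d{2})(?P<mm>\d{2})"
    r"(?P<year>\d{4}|\d{2})?(?:\.(?P<ss>\d{2}))?$"
)


def parse_debug_core_time(text: str, default_year: Optional[int] = None) -> datetime:
    """Parse a copy debug-core time string into a datetime, rejecting anything outside the documented format.

    Assumptions (not stated in the guide): a missing year means default_year, or the current year when
    default_year is None; a two-digit year without CC uses the common 69-99 -> 19xx, 00-68 -> 20xx pivot.
    """
    m = TIME_RE.match(text)
    if m is None:
        raise ValueError(f"{text!r} is not in MMDDhhmm[[CC]YY][.ss] form")
    f = m.groupdict()
    if f["year"] is None:
        year = default_year if default_year is not None else datetime.now().year
    elif len(f["year"]) == 4:
        year = int(f["year"])
    else:
        yy = int(f["year"])
        year = 1900 + yy if yy >= 69 else 2000 + yy
    # datetime() itself rejects impossible dates such as month 13 or 31 February.
    return datetime(year, int(f["MM"]), int(f["DD"]), int(f["hh"]), int(f["mm"]), int(f["ss"] or 0))


def is_valid_debug_core_time(text: str, default_year: Optional[int] = None) -> bool:
    """True if the string is accepted by parse_debug_core_time, False otherwise."""
    try:
        parse_debug_core_time(text, default_year)
        return True
    except ValueError:
        return False


def format_debug_core_time(when: datetime, with_year: bool = False, with_seconds: bool = False) -> str:
    """Render a datetime (for example the time of the first suspicious log message) as a time string."""
    text = when.strftime("%m%d%H%M")
    if with_year:
        text += when.strftime("%Y")  # always CCYY, so the two-digit-year pivot never applies
    if with_seconds:
        text += when.strftime(".%S")
    return text


def debug_core_command(when: datetime, server: str, full_file_name: str) -> str:
    """Build the copy debug-core CLI line; login and password are left to the interactive prompt."""
    return f"copy debug-core {format_debug_core_time(when)} ftp {server} {full_file_name}"


if __name__ == "__main__":
    first_bad_event = parse_debug_core_time("11090645", default_year=2005)  # the guide's example time
    print(debug_core_command(first_bad_event, "10.0.0.191", "/home/debug/debug-file"))
    for sample in ("110906452005.30", "1109064505", "13090645", "11090645.5"):
        try:
            print(sample, "->", parse_debug_core_time(sample, default_year=2005))
        except ValueError as exc:
            print(sample, "-> rejected:", exc)
```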

Upgrading the Guard Module Version

The Guard module requires two software components for its operation:

Supervisor 2 engine or Supervisor 720 engine Cisco IOS image

Guard module software


Note To upgrade the version, you must log on to the Supervisor Engine module.


Supervisor 2 or Supervisor 720 IOS Software Image

The first software component is the Cisco IOS image on the Catalyst 6500 Supervisor 2 engine or the Supervisor 720 engine (supervisor). This image on the Supervisor module recognizes and initializes the Guard module and its processors. You must use a Cisco IOS image that supports the Guard module.

Guard Module Software

The Guard module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash has two partitions for software images, each with its own operating system (image):

Maintenance Partition (MP)—The software required for base module initialization and daughter card control functions (identified as cf:1)

Application Partition (AP)—The image with the Guard module application (identified as cf:4)

You can upgrade the Guard module software on the compact flash card through the supervisor console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to an FTP or a TFTP server and installing them to the compact flash card.

The standard upgrade procedures involve upgrading the AP and MP images on the compact flash of the Guard module from the supervisor.

The following upgrade procedures are available for the Guard module:

AP Upgrade procedure—Upgrades an application image to the latest available version. You must perform this procedure from the MP and reset the module. See the "AP Upgrade Procedure" section.

MP Upgrade procedure—Upgrades the maintenance partition. The MP image rarely requires upgrading. Use this procedure only when instructed in the Release Note that accompanies the version release. See the "MP Upgrade Procedure" section.

Inline image upgrade procedure—Upgrades the application or the maintenance image. Perform this procedure from the MP. See the "Inline Upgrade Procedure" section.

Upgrading Operation Notes

This section provides guidelines for upgrading the AP and MP versions.

To upgrade the AP and MP versions, log into the supervisor. To upgrade the Guard module flash (CFE), log into the Guard module.

If you need to upgrade both AP and MP images, you must upgrade the MP image first.

Use the hw-module module slot_number reset cf:1 command to switch to the MP. The main purpose of operating in MP mode is to upgrade the AP image.

Use the hw-module module slot_number reset cf:4 command to switch to the AP. The AP is the normal operating mode.

The show module command displays the software version of the partition image you are running. If you are running the AP image, the show module command displays the AP image version; the format is, for example, 4.0(0.12). If you are running the MP image, it displays the MP image version; the format is, for example, 4.0(0.0)m.

The MP image file name uses this format: MPUpgrade-4.0.0.0.bin.

The AP image file name uses this format: AGM-APUpgrade-4.0.0.12.bin.

The MP uses the same network settings as the Guard module. You must configure the network settings before you can upgrade the Guard module images. See "Configuring the Guard Module on the Supervisor Engine Module" and "Initializing the Guard Module" for further details.


Note We strongly recommend that you globally configure the logging console command on the supervisor to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.


AP Upgrade Procedure

To upgrade the application image, perform the following steps:


Step 1 To upgrade an application image to the latest available version, first locate the image in the Software Center at Cisco.com,

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP or TFTP.

Step 2 Reset the Guard module and load the MP image (this takes about 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 3 Verify that the MP has booted and that the Guard module status is OK. Enter the following command:

show module slot_number

Step 4 Install the AP image on the compact flash. This operation could last several minutes. Enter the following command:

copy tftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and the name of the image file. If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

Alternatively, you can download the version from an FTP server.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the module until the Guard module displays the following message on the console:
You can now reset the module

Resetting the module before this message is displayed will cause the upgrade to fail.

Step 5 Reset the Guard module to the AP. Enter the following command:

hw-module module slot_number reset cf:4

Step 6 Verify that the AP image you copied is displayed in the output of the show module command. Enter the following command:

show module slot_number



Note A new version may require updating the common firmware environment (CFE). See the Release Note accompanying each version release for further details. In case of a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image:

Bad CFE version (X). This version requires version Y

See the "Burning a New Flash Version" section for further details.


The following example shows how to upgrade the AP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/ap/AGM-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/AGM-APUpgrade-4.0.0.x.bin]? 
Destination filename [AGM-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till 
upgrade completes!!>

......<<< Wait

19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>

Sup# hw-module module 8 reset cf:4 <<<<< Resets Guard module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online

MP Upgrade Procedure

The MP image rarely requires upgrading. If you are instructed to update the MP image in the Release Note that accompanies the version release, perform the following steps:


Step 1 To upgrade an image to the latest available version, first locate the image in the Software Center at Cisco.com,

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP or TFTP.

Step 2 Reset the Guard module and load the MP image (this takes about 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 3 Verify that the MP has booted and that the Guard module status is OK. Enter the following command:

show module slot_number

Step 4 Copy the MP image to the compact flash. You can copy the MP image when the Guard module is reset to the MP or to the AP.

Enter the following command on the supervisor:

copy tftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the module until the Guard module displays the following message on the console:
You can now reset the module

Resetting the module before this message is displayed will cause the upgrade to fail.

Alternatively, you can download the version from an FTP server.

See the "MP Commands" section for further details on the MP commands.

Step 5 Verify that the MP image you copied is displayed in the output of the show module command.

show module slot_number

Step 6 Reset the Guard module to the AP. Enter the following command:

hw-module module slot_number reset cf:4


The following example shows how to upgrade the MP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The following output shows the MP image name because the Guard module is reset 
to the MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Guard module to AP 
(normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
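The AP and MP procedures above both end by verifying the image in the show module output, and the Upgrading Operation Notes give the version formats (4.0(0.12) for the AP, 4.0(0.0)m for the MP). As an added example that is not part of the Cisco guide, the following Python script parses the Mod/MAC/Hw/Fw/Sw/Status section of that output and checks the version, partition, and status against what the upgrade was expected to leave; the sample output is constructed to match the layout shown above, and the assumption that real output is whitespace-aligned is labelled in the code.

```python
# Added example (not from the Cisco guide): verify a Guard module's image from
# the Mod/MAC/Hw/Fw/Sw/Status section of the supervisor's 'show module' output.
# Assumption: real output is whitespace-aligned, so rows are matched by position.
import re
from typing import Optional

# Constructed sample laid out like the guide's 'show module 8' output after an
# MP upgrade: the Sw field ends in 'm', which marks the maintenance image.
SAMPLE_SHOW_MODULE = """\
Mod  MAC addresses                       Hw     Fw      Sw           Status
---  ----------------------------------  -----  ------  -----------  -------
8    000f.348d.d7f0 to 000f.348d.d7f7    0.301  7.2(1)  4.0(0.0)m    Other
"""

# One module row: slot, MAC range (contains spaces), then four single tokens.
ROW_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# AP versions look like 4.0(0.12); MP versions carry a trailing 'm': 4.0(0.0)m.
VERSION_RE = re.compile(r"^(\d+\.\d+\(\d+\.\d+\))(m?)$")


def parse_show_module(output: str, slot: int) -> Optional[dict]:
    """Return hw/fw/sw/status for the module in `slot`, or None if absent."""
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m and int(m.group(1)) == slot:
            return {"hw": m.group(3), "fw": m.group(4),
                    "sw": m.group(5), "status": m.group(6)}
    return None


def classify_version(sw: str) -> tuple:
    """Split a Sw field into (version, partition); partition is 'AP' or 'MP'."""
    m = VERSION_RE.match(sw.strip())
    if not m:
        raise ValueError(f"unrecognised Sw field: {sw!r}")
    return m.group(1), ("MP" if m.group(2) == "m" else "AP")


def check_upgrade(output: str, slot: int, expected_version: str,
                  expected_partition: str) -> list:
    """List what differs from the expected image; empty means it verified."""
    row = parse_show_module(output, slot)
    if row is None:
        return [f"slot {slot} not present in show module output"]
    version, partition = classify_version(row["sw"])
    problems = []
    if partition != expected_partition:
        problems.append(f"running {partition} image, expected {expected_partition}")
    if version != expected_version:
        problems.append(f"version {version}, expected {expected_version}")
    # After the final reset to cf:4 the module should report Ok rather than Other.
    if expected_partition == "AP" and row["status"] != "Ok":
        problems.append(f"module status is {row['status']}")
    return problems
```

Run check_upgrade once after the reset to cf:1 (expecting "MP") and again after the final reset to cf:4 (expecting "AP" and the new version); a non-empty list means the procedure did not leave the module where the steps say it should be.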

Inline Upgrade Procedure

The inline image upgrade procedure provides an alternative method to upgrading the AP and MP images.

To upgrade the image, perform the following steps:


Step 1 To upgrade an image to the latest available version, first locate the image in the Software Center at Cisco.com,

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP.

See the "Burning a New Flash Version" section for further details on the MP commands.

Step 2 Log into the supervisor through the console port or through a Telnet session.

Step 3 If the Guard module is running in the maintenance image, go to Step 5. If the Guard module is not running in the maintenance image, enter the following command on the supervisor:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 4 After the Guard module is back online, establish a console session with the Guard module and log into the root account. The default password for the account is cisco.

Step 5 Upgrade the image. Enter the following command:

upgrade ftp://path/filename 

The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP image, enter the AP image filename. To upgrade the MP image, enter the MP image filename. See the "Upgrading Operation Notes" section for further details.


Caution Do not reset the module until the Guard module displays the following message on the console:
Application image upgrade complete. You can boot the image now.

Resetting the module before this message is displayed will cause the upgrade to fail.

Step 6 After completing the upgrade, log out of the Guard module. Use the exit command.

Step 7 Reset the Guard module to the AP image. Enter the following command:

hw-module module slot_number reset cf:4


Note A new version may require updating the common firmware environment (CFE). See the Release Note accompanying each version release for further details. In case of a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image:

Bad CFE version (X). This version requires version Y

See the "Burning a New Flash Version" section for further details.


Step 8 When the Guard module has rebooted, check the software version. Use the show version command.


The following example shows how to upgrade the Guard module application software:

Sup# hw-module module 8 reset cf:1
.
.
Proceed with reload of module? [confirm]
% reset issued for module 9
.
.
Sup# session slot 8 proc 1
.
.
login:root
Password: 
.
.
root@localhost.cisco.com# upgrade 
ftp://psdlab-pc1/pub/images/ap/AGM-APUpgrade-4.0.0.x.bin

Downloading the image. This may take several minutes...
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:

Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
Application image upgrade complete. You can boot the image now.
root@hostname.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.91 closed by foreign host]
Sup# hw-module module 8 reset cf:4

Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current common firmware environment (CFE) and the software version.

In case of a CFE mismatch, the Guard module displays the following message when you establish the first session with the Guard module after upgrading the software version:

Bad CFE version (X). This version requires version Y


Caution You must ensure that there is a stable power supply to the Guard module and refrain from any Guard module operations while burning a new flash version.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command in configuration mode:

flash-burn

If you try to burn a new flash when the CFE and the Guard module software versions match, the operation will fail.

Step 2 Reload the Guard module. Enter the following command:

reload

You must issue the reload command after burning a new flash version. The Guard will not be fully functional until the reload command is executed.


For example:
admin@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
.
.
.
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

MP Commands

Administrators can boot the Guard module to the MP. A set of interfaces is available on the MP to administer and diagnose the Guard module. One of the key functions of the MP is installing a new AP image.

To boot to the MP, use the hw-module module reset command. Then use the session slot command to log into the MP.

Table 11-14 summarizes the MP commands.

Table 11-14 MP Commands

Command
Description

clear ap password
Clears all passwords that are defined on the Guard module.

clear ap config
Returns the Guard module to its default configuration. This command deletes all the Guard module configuration, logs, and reports.

ip address [ip address] [subnet]
Configures the IP address that the Guard module uses to access the external network.

ip gateway [default-gateway]
Specifies the default gateway for the network.

passwd
Changes the password for the current user.

passwd-guest
Changes the password for the guest account.

ping {host-name | ip address}
Pings a specified host on the network and verifies that the network parameters are configured correctly.

show images
Displays the images stored in the application partition.

show ip
Displays the network parameters of the Guard module.

upgrade ftp-url
Upgrades the image, where ftp-url is the URL specifying the FTP server containing the image and the path to the image. It has the form ftp://user:password@server-name/path. You can specify the name of the FTP server or its IP address.


Recovering a Lost Password

This section describes how to recover a lost password.

To recover lost passwords, perform the following steps:


Step 1 Reset the Guard module to the MP. Enter the following command on the supervisor:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 2 After the Guard module is back online, establish a session with the Guard module and log into the root account.

Step 3 Erase all passwords that are configured on the Guard module. Enter the following command:

clear ap password

Step 4 Reset the Guard module to the AP. Enter the following command:

hw-module module slot_number reset cf:4

Step 5 Set a new password for users that are configured on the Guard module. See the "Changing a Password" section. To view a list of the Guard module users, use the show running-config command.


Tip To narrow down the display of the show running-config command output to include only the list of Guard module users, use the show running-config | include username command.