Cisco Anomaly Guard Module Configuration Guide (Software Version 4.0)
Configuring the Guard Module on the Supervisor Engine Module


Configuring the Guard Module on the Supervisor Engine Module


This chapter describes how to configure the Cisco Anomaly Guard Module (Guard module) on the Supervisor Engine module (supervisor).

The Cisco Anomaly Guard Module (Guard module) is a Cisco IOS application module that you can install in the Catalyst 6500 series switch with a Supervisor Engine 2 with a Multilayer Switch Feature Card (MSFC) or Supervisor Engine 720.

To configure the Guard module on the supervisor, you must have EXEC privileges and be in configuration mode.

To save all configuration changes to Flash memory, you must enter the write memory command in privileged EXEC mode.

This chapter consists of the following sections:

Verifying the Guard Module Installation

Setting Up Guard Module Management

Configuring VLANs

Assigning VLANs to the Guard Module

Configuring Layer 3 Interfaces on the VLANs

Establishing a Session with the Guard Module

Rebooting the Guard Module

Verifying the Guard Module Configuration

Configuring Multiple Guard Modules on One Switch

Verifying the Guard Module Installation

Verify that the Supervisor Engine module acknowledges the new Guard module and has brought it online.


Note For information on how to install the Guard module in the Catalyst 6500 Chassis, refer to the Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note.


To verify the installation, perform the following steps:


Step 1 Log into the Supervisor Engine module console.

Step 2 Verify that the Guard module is online. Enter the following command:

show module 

This example shows the output of the show module command:

Sup# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
...
  6     3 Anomaly Guard Module                   WS-SVC-AGM-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
...
  6  000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)       4.0(0.10)    Ok
...
Sup#


Note When the Guard module is first installed, the status is usually other. After the Guard module completes its diagnostic routines and comes online, the status reads Ok. Allow at least 5 minutes for the Guard module to come online.
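As an added example (not from the original guide), the following Python script applies the check described above to captured show module output: it locates every Anomaly Guard module (model prefix WS-SVC-AGM) in the first table and reads its Status column from the second table, so a script can tell an online module (Ok) from one still running diagnostics (other). The sample output is constructed from the page's example; a cron job or pre-change check could feed it real output instead.

```python
import re

# Constructed sample of "show module" output, modelled on the page's example
# (Guard module WS-SVC-AGM-1-K9 in slot 6). Not captured from a real device.
SHOW_MODULE_ONLINE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL081230TJ
  6     3 Anomaly Guard Module                   WS-SVC-AGM-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  1  0009.1234.5678 to 0009.1234.567f    3.9   6.1(3)       12.2(17d)SXB Ok
  6  000e.847f.fe04 to 000e.847f.fe0b    3.0   7.2(1)       4.0(0.10)    Ok
"""

# Same chassis while the Guard module is still running diagnostics ("other").
SHOW_MODULE_BOOTING = re.sub(r"(4\.0\(0\.10\)\s+)Ok", r"\1other", SHOW_MODULE_ONLINE)

GUARD_MODEL_PREFIX = "WS-SVC-AGM"


def guard_module_status(show_module_output):
    """Return {slot: status} for every Anomaly Guard module in the output.

    The first table (header starts with "Mod", no "Status" column) maps slot
    to model; the second table (header contains "Status") carries the status
    in its last column. A Guard slot missing from the second table is "unknown".
    """
    section = None
    guard_slots = set()
    status_by_slot = {}
    for line in show_module_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        if fields[0] == "Mod":                       # table header line
            section = "status" if "Status" in fields else "inventory"
            continue
        if not fields[0].isdigit():                  # dashed underline, etc.
            continue
        slot = int(fields[0])
        if section == "inventory" and fields[-2].startswith(GUARD_MODEL_PREFIX):
            guard_slots.add(slot)                    # model is the next-to-last column
        elif section == "status":
            status_by_slot[slot] = fields[-1]        # status is the last column
    return {slot: status_by_slot.get(slot, "unknown") for slot in guard_slots}


def guard_modules_online(show_module_output):
    """True only when at least one Guard module is present and all report Ok."""
    statuses = guard_module_status(show_module_output)
    return bool(statuses) and all(s == "Ok" for s in statuses.values())
```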



Setting Up Guard Module Management

To establish a remote management session with the Guard module, you must set the Guard module management port.

To select a VLAN for management, enter the following command:

anomaly-guard module module_number port port_number [allowed-vlan vlan_range | native-vlan vlan_id]

Table 2-1 provides the arguments and keywords for the anomaly-guard module command.

Table 2-1 Arguments for the anomaly-guard module Command

Parameter       Description
module_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number     The number of the port used for management. The Guard module supports port 1 for management.
vlan_range      A range of VLANs, or several VLANs in a comma-separated list (do not enter space characters).
vlan_id         Sets the native VLAN for the trunk in 802.1Q trunking mode. The default native VLAN is 1.


This example shows how to select VLAN 5 as the management VLAN for a module inserted in slot 4 of the chassis:

Sup(config)# anomaly-guard module 4 port 1 allowed-vlan 5

To establish a remote management session with the Guard module, you must also configure the following on the Guard module:

Configure the Guard module management port interface, eth1. See the "Configuring a Physical Interface" section for further details.

Enable the relevant services. See the "Configuring the Guard Module Interfaces" section for further details.

Configuring VLANs

To configure VLANs on the Supervisor Engine module to forward traffic to the Guard module, perform the following steps:


Step 1 Configure VLANs on the Supervisor Engine module to forward traffic to the Guard module. See the "Configuring VLANs on the Supervisor Engine Module" section for further details.

Step 2 Assign VLANs to the Guard module. See the "Assigning VLANs to the Guard Module" section for further details.

Step 3 (Optional) Configure layer 3 interfaces on the VLANs. See the "Configuring Layer 3 Interfaces on the VLANs" section for further details.

Step 4 Configure the Guard module interfaces. See the "Configuring the Guard Module Interfaces" section for further details.


Configuring VLANs on the Supervisor Engine Module

You must configure VLANs on the Supervisor Engine module to forward traffic to the Guard module.

To create a VLAN on the Supervisor Engine module, enter the vlan command and define the VLAN range that you plan to assign to the Guard module. Enter the following command:

vlan vlan_range

The vlan_range argument specifies a single VLAN, a range of VLANs, or several VLANs in a comma-separated list (do not enter space characters). Valid VLAN IDs are from 1 to 4094.

For example:

Sup(config)# vlan 86-89,99

See the "Configuring a VLAN" section for information on how to configure VLANs on the Guard module.

Assigning VLANs to the Guard Module

Assigning VLANs to the Guard module requires that you understand the mapping between the Guard module and the Ethernet ports that connect the Guard module to the switch fabric.

To assign VLANs to the Guard module, enter the following command at the Supervisor Engine module prompt:

anomaly-guard module module_number port port_number [allowed-vlan vlan_range | native-vlan vlan_id]

Table 2-2 provides the arguments for the anomaly-guard module command.

Table 2-2 Arguments for the anomaly-guard module Command

Parameter       Description
module_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number     The port number (1-3). Port 1 is used for management and port 2 is used for data. Port 3 is not currently in use.
vlan_range      A range of VLANs, or several VLANs in a comma-separated list (do not enter space characters).
vlan_id         Sets the native VLAN for the trunk in 802.1Q trunking mode. The default native VLAN is 1.

One of the allowed VLANs must be the administrative VLAN. By default this is VLAN 1.


For example:

Sup# anomaly-guard module 7 port 2 allowed-vlan 1,3,6-15


Note You must also configure the management port and the data port on the Guard module. See the "Configuring a Physical Interface" section for further details.
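As an added example (not part of the original guide), this Python helper validates an anomaly-guard module command before it is pasted into the supervisor: it expands the vlan_range syntax used on this page (comma-separated items, low-high ranges, no spaces, IDs 1 to 4094), rejects port 3 as not in use, and for the data port (port 2) enforces the requirement above that the administrative VLAN (VLAN 1 by default) is among the allowed VLANs. The function and argument names are this example's own.

```python
VLAN_MIN, VLAN_MAX = 1, 4094
ADMIN_VLAN = 1  # default administrative VLAN, as stated in the guide


def parse_vlan_range(vlan_range):
    """Expand a vlan_range such as '1,3,6-15' into a set of VLAN IDs.

    Enforces the guide's rules: items separated by commas with no spaces,
    each item a single VLAN or a low-high range, every ID within 1-4094.
    """
    if not vlan_range or any(ch.isspace() for ch in vlan_range):
        raise ValueError("vlan_range must be non-empty and contain no spaces")
    vlans = set()
    for item in vlan_range.split(","):
        low, sep, high = item.partition("-")
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError(f"malformed VLAN item: {item!r}")
        lo = int(low)
        hi = int(high) if sep else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN item reversed or outside 1-4094: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def build_anomaly_guard_command(module_number, port_number, vlan_range,
                                admin_vlan=ADMIN_VLAN):
    """Validate the arguments and return the supervisor command line.

    Port 1 is the management port and port 2 the data port; port 3 is
    documented as not in use and is rejected. For the data port the
    allowed VLANs must include the administrative VLAN.
    """
    if not 1 <= module_number <= 9:
        raise ValueError("module_number must be a chassis slot 1-9")
    if port_number not in (1, 2):
        raise ValueError("port_number must be 1 (management) or 2 (data)")
    vlans = parse_vlan_range(vlan_range)
    if port_number == 2 and admin_vlan not in vlans:
        raise ValueError(
            f"data port allowed-vlan list must include administrative VLAN {admin_vlan}")
    return f"anomaly-guard module {module_number} port {port_number} allowed-vlan {vlan_range}"
```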


Configuring Layer 3 Interfaces on the VLANs

You can configure layer 3 interfaces on the VLANs if required by the application.


Note You must assign the VLANs to the Guard module before you can configure the layer 3 interfaces.


To configure a Layer 3 VLAN interface, perform the following steps:


Step 1 Enter the VLAN interface configuration mode.

Enter the following command at the Supervisor Engine module prompt:

interface vlan vlan-id

The vlan-id argument specifies the number of the VLAN; valid values are from 1 to 4094.

Step 2 Set the VLAN IP address. Enter the following command:

ip address ip_address subnet_mask

The ip_address and subnet_mask arguments define the interface IP address and its subnet mask.

Step 3 Activate the interface. Enter the following command:

no shutdown 


For example:

Sup(config)# interface vlan 5
Sup(config-if)# ip address 192.168.89.100 255.255.255.0
Sup(config-if)# no shutdown

Establishing a Session with the Guard Module

To log in to the Guard module, perform the following steps:


Step 1 Log in to the switch through Telnet or the console.

Step 2 Enter the following command at the Supervisor Engine module prompt:

session slot slot_number processor processor_number

Table 2-3 provides the arguments for the session slot command.

Table 2-3 Arguments for the session slot Command

Parameter          Description
slot_number        The number of the slot in which the module is inserted in the chassis (1-9).
processor_number   The number of the Guard module processor. The Guard module only supports management through processor 1.


Log in at the Guard module login prompt:

login: admin

Step 3 Enter the password.

If this is the first time you are establishing a session with the Guard module, you must choose a password. The password must be 6 to 24 characters long with no spaces. You can change the password at any time. See the "Changing a Password" section for further details.

After a successful login, the command-line prompt is represented as admin@GUARD#. This guide uses this prompt as its writing convention. You can change the prompt by changing the hostname. See the "Changing the Host Name" section for further details.

Rebooting the Guard Module

The Cisco IOS provides the following commands to control the Guard module: boot, shutdown, power enable and reset:


Caution If you issue the reload command at the Supervisor Engine module level, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Guard Module" section for information on how to reload the Guard module.

shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Guard module, it is critical that you shut down the Guard module properly. Enter the following command at the Supervisor Engine module prompt:

hw-module module slot_number shutdown 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

You must then enter the hw-module module module_number reset command to restart the Guard module.

For example:

Sup# hw-module module 8 shutdown

Note The Guard module reboots if the switch is rebooted.


reset—Resets the module. This command is typically used in the upgrade process, to switch between the application partition (AP) and maintenance partition (MP) images, or to recover from a shutdown. The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following command at the Supervisor Engine module prompt:

hw-module module slot_number reset [string] 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis, and the string argument is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Guard Module Version" section for more information.

For example:

Sup# hw-module module 8 reset

no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following command at the Supervisor Engine module prompt:

no power enable module slot_number

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To switch the module on again, enter the following command:

power enable module slot_number

For example:

Sup(config)# no power enable module 8

boot—Forces the Guard module to boot to the maintenance partition (MP) at the next power on. Enter the following command at the Supervisor Engine module prompt:

boot device module slot_number cf:1 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To enable the Guard module to boot to the default partition (AP) at the next boot cycle, enter the following command:

no boot device module slot_number cf:1

For example:

Sup# boot device module 8 cf:1 


Caution The zone learning phases are restarted after reboot. See the "Rebooting the Guard module" section for further details on the default behavior of the zones after reboot.

Verifying the Guard Module Configuration

To verify the Guard module configuration on the Supervisor Engine module, type the following command at the Supervisor Engine module prompt:

show anomaly-guard module slot_number port port_number [state | traffic]

Table 2-4 provides the arguments and keywords for the show anomaly-guard module command.

Table 2-4 Arguments for the show anomaly-guard module Command

Parameter     Description
slot_number   The number of the slot in which the module is inserted in the chassis (1-9).
port_number   The port number (1-3). Port 1 is used for management and port 2 is used for data.
state         Displays the configuration of the specified port.
traffic       Displays the traffic statistics of the specified port.


For example:

Sup# show anomaly-guard module 8 port 2 state

Configuring Multiple Guard Modules on One Switch

You can install several Guard modules in a Catalyst 6500 series switch as long as at least one Supervisor Engine module is installed. Refer to the relevant version Release Note for the exact number of modules.

You can configure the multiple Guard modules in one of the following configurations:

Load Sharing

Redundancy and High Availability

Load Sharing

You can configure several Guard modules to handle the zone traffic. The Supervisor Engine module distributes the zone traffic equally between the Guard modules whenever it has more than one equal-cost route to the same destination.

To configure more than one Guard module for load sharing, perform the following:

Define the zone on all Guard modules. See the "Basic Zone Configuration" section for further details.

Assign the same weight for diversion hijacking on all Guard modules. See the "Hijacking" section for further details.

Activate the Guard module learning process for the zone on all Guard modules simultaneously. See the "Learning the Zone Traffic Characteristics" section for further details.

Activate protection for the zone on all Guard modules. See the "Protecting the Zone" section for further details.


Note If more than half the Guard modules stop functioning, the remaining Guard modules might regard the legitimate traffic as an attack on the zone.


Redundancy and High Availability

You can configure two Guard modules (or groups of Guard modules) for high availability. This way, if the active Guard module is not available, the Supervisor Engine module will divert the zone traffic to the Guard module in standby.

The Supervisor Engine module forwards the traffic to the lower cost routes (the routes with the lowest weight). It only forwards the traffic to the redundant routes if it detects that the routes to the active Guard are down.

To configure Guard modules in redundancy, perform the following:

Define the same zone on both Guard modules. See the "Basic Zone Configuration" section for further details.

Assign a lower weight for diversion hijacking to the active Guard module. See the "Hijacking" section for further details.

Assign a higher weight for diversion hijacking to the redundant Guard module. See the "Hijacking" section for further details.

Activate the Guard module learning process on the active Guard. See the "Learning the Zone Traffic Characteristics" section for further details.

Copy the zone configuration to the redundant Guard. See the "Copying Guard Module Configuration" section for further details.

Activate protection for the zone on both Guard modules. See the "Protecting the Zone" section for further details.