Cisco Anomaly Guard Module Configuration Guide (Software Version 5.0)
Performing Maintenance Tasks


Performing Maintenance Tasks


This chapter describes how to perform tasks used for general care and maintenance of the Cisco Anomaly Guard Module (Guard module) and contains the following sections:

Exporting Configuration

Importing and Updating Configuration

Reloading the Guard Module

Rebooting the Guard Module and Inactivating Zones

Upgrading the Guard Module Software

Using MP Commands

Recovering a Lost Password

Resetting the Configuration to Factory Defaults

Exporting Configuration

You can export the Guard module configuration file or a zone configuration file (running-config) to an FTP or SFTP server. By exporting the Guard module or zone configuration file to a remote server you can do the following:

Implement the Guard module configuration parameters on another Guard module

Back up the Guard module configuration

To export the Guard module configuration file, enter one of the following commands in global mode:

copy [zone zone-name] running-config ftp server full-file-name [login [password]]

copy [zone zone-name] running-config sftp server full-file-name login


Note You must configure the SSH key that the Guard module uses for SFTP communication before you enter the copy command with the sftp option. See the "Configuring the Key for SFTP Connections" section for more information.


Table 12-1 provides the arguments for the copy running-config ftp command.

Table 12-1 Arguments for the copy running-config ftp Command

Parameter and Description
zone-name

(Optional) The zone name. When you specify a zone, the command exports that zone's configuration file; the default is to export the Guard module configuration file.

running-config

Exports the complete Guard module configuration, or the configuration of the specified zone.

ftp

Exports the configuration to an FTP server.

sftp

Exports the configuration to an SFTP server.

server

The IP address of the server.

full-file-name

The complete name of the file. If you do not specify a path, the server saves the file in your home directory.

login

The server login name.

The login argument is optional only for an FTP server (the sftp form of the command requires it). If you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) The password for the remote FTP server. If you do not enter the password, the Guard module prompts you for it.


The following example shows how to export the Guard module configuration file to an FTP server:

user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>

Importing and Updating Configuration

You can import a Guard module or zone configuration file from an FTP server and reconfigure the Guard module according to the newly transferred file. Import the configuration to do one of the following:

Configure the Guard module based on an existing Guard module configuration file

Restore the Guard module configuration

Zone configuration is a partial Guard module configuration. To copy both types of configuration files to the Guard module and reconfigure it accordingly, use the copy ftp running-config command.


Note The new configuration replaces the existing one. You must reload the Guard module for the new configuration to take effect.


We recommend that you deactivate all zones before you initiate the import process. The Guard module deactivates a zone before importing the zone configuration.

By default, the Guard module ignores older versions of the self-protection configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.

To import a Guard module configuration file, enter one of the following commands in global mode:

copy ftp running-config server full-file-name [login [password]]

copy sftp running-config server full-file-name login


Note You must configure the SSH key that the Guard module uses for SFTP communication before you enter the copy sftp command. See the "Configuring the Key for SFTP Connections" section for more information.


Table 12-2 provides the arguments for the copy ftp running-config command.

Table 12-2 Arguments for the copy ftp running-config Command

Parameter and Description

ftp

Import the configuration from an FTP server.

sftp

Import the configuration from an SFTP server.

server

The IP address of the server.

full-file-name

The complete name of the file. If you do not specify a path, the server searches for the file in your home directory.

login

The server login name.

The login argument is optional only for an FTP server (the sftp form of the command requires it). If you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) The password for the remote FTP server. If you do not enter the password, the Guard module prompts you for it.


The following example shows how to import the Guard module configuration file from an FTP server:

user@GUARD# copy ftp running-config 10.0.0.191 scannet-conf <user> <password>

When you import a configuration that was exported from an older version, the Guard module displays the following message:

WARNING: The configuration file includes a self-protection definition 
that is incompatible with the current version and will be ignored. 
Continue? [yes|no]

Enter one of the following options:

yes—Ignores the old self-protection configuration. The Guard module performs the following:

Ignores the old self-protection configuration and does not import it

Imports all other configuration, such as zone, interface, and services configuration

no—Enables you to import the old self-protection configuration. The Guard module displays the following message:

You can abort the import process or import the old self-protection 
definition as-is. 
WARNING: The self-protection definitions are incompatible with the 
current version.
Abort? [yes|no]


Caution We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current software version.

To import the older self-protection configuration, enter no.

To abort the import process, enter yes.

Reloading the Guard Module

You can reload the Guard module configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Guard module:

Deactivating or activating a physical interface by using the shutdown command

Burning a new flash

Rebooting the Guard Module and Inactivating Zones

The default behavior of the Guard module is to load all zones in an inactive operation state. Therefore, the Guard module does not enable zone protection or the learning process after reboot, regardless of the zone operation state prior to the reboot.

To change the default behavior so that the Guard module automatically activates zones that were active prior to the reboot process, enter the following command in configuration mode:

boot reactivate-zones


Caution The zone learning phase is restarted after reboot.

Upgrading the Guard Module Software

The Guard module requires two software components for its operation:

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS software

Guard module software


Note To upgrade the Guard module software, you must log on to the supervisor engine.


Supervisor Engine 2 or Supervisor Engine 720 IOS Software

The first software component is the Cisco IOS software image on the Catalyst 6500 Supervisor Engine 2 or the Supervisor Engine 720. The image on the supervisor engine recognizes and initializes the Guard module and its processor. You must use a Cisco IOS software release that supports the Guard module.

Guard Module Software

The Guard module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash has two partitions for software images, each with its own operating system (image):

Maintenance Partition (MP)—The software required for base module initialization and daughter card control functions (identified as cf:1)

Application Partition (AP)—The image with the Guard module application (identified as cf:4)

You can upgrade the Guard module software on the compact flash card through the supervisor engine console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to an FTP or a TFTP server and installing them to the compact flash card.

The following three upgrade procedures are available for the Guard module:

AP upgrade procedure—Upgrades an application image to the latest available version. You must perform this procedure from the MP and reset the module. See the "Upgrading the AP Image" section.

MP upgrade procedure—Upgrades the maintenance partition. The MP image rarely requires upgrading. Use this procedure only when instructed in the release note that corresponds with the software release. See the "Upgrading the MP Image" section.

Inline image upgrade procedure—Upgrades the application or the maintenance image. Perform this procedure from the MP. See the "Upgrading the AP and MP Images Inline" section.

Upgrading Operation Notes

This section provides guidelines for upgrading the AP and MP versions.

To upgrade the AP and MP versions, log into the supervisor engine. To upgrade the Guard module flash (CFE), log into the Guard module.

If you need to upgrade both AP and MP images, you must upgrade the MP image first.

Use the hw-module module slot_number reset cf:1 command to switch to the MP. The main purpose for operating in the MP mode is to upgrade the AP image.

Use the hw-module module slot_number reset cf:4 command to switch to the AP. The AP is the normal operating mode.

The show module command displays the software version of the partition image you are running. If you are running the AP image, the show module command displays the AP image version. A sample format of the AP image version is 4.0(0.12). If you are running the MP image, it displays the MP image version. A sample format of the MP image version is 4.0(0.0)m.

The MP image file name uses this format: MPUpgrade-4.0.0.0.bin.

The AP image file name uses this format: AGM-APUpgrade-4.0.0.12.bin.

The MP uses the same network settings as the Guard module. You must configure the network settings before you can upgrade the Guard module images. See "Configuring the Guard Module on the Supervisor Engine" and "Initializing the Guard Module" for more information.

When you upgrade the AP, the Guard module updates the self-protection configuration with a new one. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.


Note We recommend that you globally configure the logging console command on the supervisor engine to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.


Upgrading the AP Image

To upgrade the application image, perform the following steps:


Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. See the "Exporting Configuration" section for more information.

Step 2 To upgrade an application image to the latest available software release, first locate the image in the Software Center at Cisco.com:

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP or TFTP.

Step 3 Reset the Guard module and load the MP image (this takes about 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 4 Verify that the MP has booted and that the Guard module status is OK. Enter the following command:

show module slot_number

Step 5 Install the AP image on the compact flash. This operation could last several minutes. Enter the following command:

copy tftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the TFTP (or FTP) location and the name of the image file. If you use an FTP server that does not allow anonymous users, use the following syntax for the URL: ftp://user@host/absolute-path/filename. Enter your password when prompted.

You can also download the version from an FTP server.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the module until the Guard module displays the following message on the console:

You can now reset the module

Resetting the module before this message displays will cause the upgrade to fail.

Step 6 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 7 Verify that the AP image you copied displays in the output of the show module command by entering the following command:

show module slot_number



Note A new version may require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. In case of a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image:

Bad CFE version (X). This version requires version Y

See the "Burning a New Flash Version" section for more information.


The following example shows how to upgrade the AP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/ap/AGM-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/AGM-APUpgrade-4.0.0.x.bin]? 
Destination filename [AGM-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till 
upgrade completes!!>

......<<< Wait

19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>

Sup# hw-module module 8 reset cf:4 <<<<< Resets Guard module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online

Upgrading the MP Image

The MP image rarely requires upgrading. If you are instructed to update the MP software in the release note that corresponds with the software release, perform the following steps:


Step 1 To upgrade to the latest software release, first locate the software image in the Software Center at Cisco.com:

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP or TFTP.

To reset the Guard module and load the MP image (which takes about 3 minutes), enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

Disregard this step if you are running the MP image already.

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 2 Verify that the MP has booted and that the Guard module status is OK by entering the following command:

show module slot_number

Step 3 Copy the MP image to the compact flash. You can copy the MP image when the Guard module is reset to the MP or to the AP by entering the following command on the supervisor engine:

copy tftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the TFTP (or FTP) location and the name of the image file.

If you use an FTP server that does not allow anonymous users, use the following syntax for the URL: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the module until the Guard module displays the following message on the console:

You can now reset the module

Resetting the module before this message displays will cause the upgrade to fail.

You can also download the version from an FTP server.

See the "Using MP Commands" section for more information about the MP commands.

Step 4 Verify that the MP image you copied is displayed in the output of the show module command by entering the following command:

show module slot_number

Step 5 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4


The following example shows how to upgrade the MP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The Following output shows MP image name because Guard module is reset 
to MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Guard module to AP 
(normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
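Both upgrade procedures end with the same two checks: do not reset the module before the supervisor console shows the "You can now reset the module" message, and confirm afterwards that the Sw column of show module reports the image you copied (Step 7 of the AP procedure, Step 4 of the MP procedure). The Python helpers below are an added example written for this chapter; they are not part of the guide or of the Guard module or supervisor software. They assume that the version in an image file name (4.0.0.12) corresponds to the 4.0(0.12) form that show module prints and that an MP version carries the trailing "m", as the Upgrading Operation Notes describe. The sample show module table and SVCLC console lines are constructed after the examples in this chapter, and the CFE version numbers used for the mismatch banner are constructed placeholders.

```python
import re

# Version as printed in the Sw column of "show module": 4.0(0.12) for an AP
# image, 4.0(0.0)m for an MP image (formats from "Upgrading Operation Notes").
SHOW_MODULE_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)(m?)$")

# Image file names: AGM-APUpgrade-4.0.0.12.bin (AP) and MPUpgrade-4.0.0.0.bin (MP).
IMAGE_NAME_RE = re.compile(r"^(?:AGM-)?(AP|MP)Upgrade-(\d+)\.(\d+)\.(\d+)\.(\d+)\.bin$")

# First-session banner shown when the flash (CFE) must be burned.
CFE_MISMATCH_RE = re.compile(r"Bad CFE version \((\S+)\)\. This version requires version (\S+)")

# Constructed sample, modelled on the show module output in this chapter.
SAMPLE_SHOW_MODULE = """\
Mod  MAC addresses                      Hw     Fw      Sw          Status
---  ---------------------------------  -----  ------  ----------  -------
8    000f.348d.d7f0 to 000f.348d.d7f7   0.301  7.2(1)  4.0(0.0)m   Other
"""

# Constructed console excerpts, modelled on the SVCLC messages in the AP example.
SAMPLE_CONSOLE_STARTED = """\
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till upgrade completes!!>
"""
SAMPLE_CONSOLE_DONE = SAMPLE_CONSOLE_STARTED + """\
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>
"""


def parse_show_module_version(sw_field):
    """Return ((major, minor, build, rev), 'AP' or 'MP') for a Sw column value."""
    m = SHOW_MODULE_VERSION_RE.match(sw_field.strip())
    if not m:
        raise ValueError(f"unrecognised show module version: {sw_field!r}")
    version = tuple(int(m.group(i)) for i in range(1, 5))
    return version, ("MP" if m.group(5) else "AP")


def parse_image_name(path):
    """Return ((major, minor, build, rev), 'AP' or 'MP') for an upgrade image file.
    Assumption: 4.0.0.12 in the file name is the 4.0(0.12) that show module prints."""
    name = path.rsplit("/", 1)[-1]
    m = IMAGE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised image file name: {name!r}")
    version = tuple(int(m.group(i)) for i in range(2, 6))
    return version, m.group(1)


def module_row(show_module_output, slot):
    """Return the whitespace-split row for `slot` from the Mod/MAC/Hw/Fw/Sw/Status table."""
    for line in show_module_output.splitlines():
        fields = line.split()
        # The MAC column is three tokens ("aaaa.bbbb.cccc to aaaa.bbbb.dddd"),
        # so a data row has at least 8 tokens; Sw and Status are the last two.
        if len(fields) >= 8 and fields[0] == str(slot):
            return fields
    return None


def verify_upgrade(show_module_output, slot, image_path):
    """Check that the module in `slot` runs the image that was copied. Returns (ok, reason)."""
    expected_version, expected_partition = parse_image_name(image_path)
    row = module_row(show_module_output, slot)
    if row is None:
        return False, f"slot {slot} not found in show module output"
    sw_field, status = row[-2], row[-1]
    try:
        running_version, running_partition = parse_show_module_version(sw_field)
    except ValueError as exc:
        return False, str(exc)
    if running_partition != expected_partition:
        return False, (f"module is running the {running_partition} image ({sw_field}); "
                       f"expected the {expected_partition} image")
    if running_version != expected_version:
        return False, f"module is running {sw_field}; expected {image_path}"
    return True, f"slot {slot}: {expected_partition} image {sw_field} active, status {status}"


def upgrade_state(console_text):
    """Classify supervisor console output for the copy-to-pclc upgrade.
    'complete' only once the module has printed 'You can now reset the module'."""
    started = complete = False
    for line in console_text.splitlines():
        if "SVCLC-SP-5-STRRECVD" not in line:
            continue
        if "You can now reset the module" in line:
            complete = True
        elif "upgrade has started" in line or "Do not reset the module" in line:
            started = True
    if complete:
        return "complete"
    return "in-progress" if started else "not-started"


def cfe_mismatch(banner):
    """Return (current_cfe, required_cfe) when the first-session banner reports a
    CFE mismatch (the only case in which flash-burn is needed), else None."""
    m = CFE_MISMATCH_RE.search(banner)
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    print(verify_upgrade(SAMPLE_SHOW_MODULE, 8, "images/mp/MPUpgrade-4.0.0.0.bin"))
    print(upgrade_state(SAMPLE_CONSOLE_STARTED), upgrade_state(SAMPLE_CONSOLE_DONE))
    # Constructed placeholder CFE versions, not values from a real module.
    print(cfe_mismatch("Bad CFE version (1.0). This version requires version 1.1"))
```

In practice you would paste the captured show module output and the console log into these functions; verify_upgrade reports a partition mismatch separately from a version mismatch, because a module that is still sitting in the MP (cf:1) after an AP upgrade is a different problem from a copy that never completed. Note that the wildcard file name AGM-APUpgrade-4.0.0.x.bin used in the chapter's examples is deliberately rejected by parse_image_name; substitute the real release number.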

Upgrading the AP and MP Images Inline

The inline image upgrade procedure provides an alternative method of upgrading the AP and MP images from a session on the Guard module itself rather than by copying the image through the supervisor engine.

To upgrade the software image, perform the following steps:


Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. See the "Exporting Configuration" section for more information.

Step 2 To upgrade an image to the latest available version, first locate the image in the Software Center at Cisco.com:

http://www.cisco.com/public/sw-center/.

Copy the software image to a directory accessible to FTP.

See the "Using MP Commands" section for more information on the MP commands.

Step 3 Log in to the supervisor engine through the console port or through a Telnet session.

Step 4 If the Guard module is running in the maintenance image, proceed to Step 6. If the Guard module is not running in the maintenance image, enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 5 After the Guard module is back online, establish a console session with the Guard module and log into the root account. The default password for the account is cisco.

Step 6 Upgrade the software image by entering the following command:

upgrade ftp://path/filename 

The path/filename argument specifies the FTP location and the name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP software image, enter the AP software image filename. To upgrade the MP software image, enter the MP software image filename. See the "Upgrading Operation Notes" section for more information.


Caution Do not reset the module until the Guard module displays the following message on the console:

Application image upgrade complete. You can boot the image now.

Resetting the module before this message displays will cause the upgrade to fail.

Step 7 After completing the upgrade, log out of the Guard module by entering the exit command.

Step 8 Reset the Guard module to the AP software image by entering the following command:

hw-module module slot_number reset cf:4


Note Upgrading to a new software release might require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. In case of a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image:

Bad CFE version (X). This version requires version Y

See the "Burning a New Flash Version" section for more information.


Step 9 When the Guard module has rebooted, verify the software version by entering the show version command.


The following example shows how to upgrade the Guard module application software:

Sup# hw-module module 8 reset cf:1
.
.
.
Proceed with reload of module? [confirm]
% reset issued for module 9
.
.
.
Sup# session slot 8 proc 1
.
.
.
login:root
Password: 
.
.
.
root@localhost.cisco.com# upgrade 
ftp://psdlab-pc1/pub/images/ap/AGM-APUpgrade-4.0.0.x.bin


Downloading the image. This may take several minutes...
.
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:



Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
.
Application image upgrade complete. You can boot the image now.
root@hostname.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.91 closed by foreign host]
Sup# hw-module module 8 reset cf:4

Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current Common Firmware Environment (CFE) and the software release. A mismatch condition can occur when you update the Guard module software.

When a CFE mismatch is detected, the Guard module displays the following message when you establish the first session with the Guard module after upgrading the software release (X denotes the old flash version and Y denotes the new flash version):

Bad CFE version (X). This version requires version Y


Caution You must be sure that there is a stable power supply to the Guard module and refrain from performing any Guard module operations while you burn a new flash version. If you fail to adhere to these restrictions, the upgrade may fail and cause the Guard module to become inaccessible.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command in configuration mode:

flash-burn

If you try to burn a new flash version when the CFE and the Guard module software versions match, the operation fails.

Step 2 Reload the Guard module by entering the following command:

reload

You must enter the reload command after burning a new flash version. The Guard module is not fully functional until you enter the reload command.


The following example shows how to burn a new flash version:

user@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

Using MP Commands

Administrators can boot the Guard module to the MP. A set of interfaces is available on the MP to administer and diagnose the Guard module. One of the key features of the MP is to provide the ability to install a new AP image.

To boot to the MP, use the hw-module module slot_number reset cf:1 command on the supervisor engine, and then enter the session slot command to log in to the MP.

Table 12-3 summarizes the MP commands.

Table 12-3 MP Commands 

Command
Description
clear ap password

Clears all passwords that are defined on the Guard module.

clear ap config

Returns the Guard module to its default configuration. This command deletes all Guard module configuration, logs, and reports.

ip address [ip address] [subnet]

Configures the IP address that the Guard module uses to access the external network.

ip gateway [default-gateway]

Specifies the default gateway for the network.

passwd

Changes the password for the current user.

passwd-guest

Changes the password for the guest account.

ping {host-name | ip address}

Pings a specified host on the network and verifies that the network parameters are configured correctly.

show images

Displays the images stored in the application partition.

show ip

Displays the network parameters of the Guard module.

upgrade ftp-url 

Upgrades the image where ftp-url is the URL specifying the FTP server containing the image and the path to the image. The path format is as follows: ftp://user:password@server-name/path.

You can specify the name of the FTP server or its IP address.


Recovering a Lost Password

To recover lost passwords, perform the following steps:


Step 1 Reset the Guard module to the MP by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Guard module is back online, establish a session with the Guard module, and log in to the root account.

Step 3 Erase all passwords that are configured on the Guard module by entering the following command:

clear ap password

Step 4 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 5 Configure a new password for users that are configured on the Guard module. (See the "Changing Your Password" section.) To view a list of Guard module users, use the show running-config command.


Tip To narrow the display of the show running-config command output to include only the list of Guard module users, use the show running-config | include username command.



Resetting the Configuration to Factory Defaults

In certain situations, you may want to restore the Guard module configuration to the original default factory settings. Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration from the Guard module, when the configuration has become too complex, or when you want to move the Guard module from one network to another. You can reset the Guard module to the factory defaults and configure it as a new Guard module.

We recommend that you back up the Guard module configuration by using the copy running-config command before you reset it to the default factory settings. See the "Exporting Configuration" section.

The management interface configuration (eth1) is available until you reload the Guard module.

To reset the Guard module to the factory default settings, enter the following command in configuration mode:

clear config all

The configuration change takes effect only after a reset.


Caution If you reset the Guard module configuration to the factory defaults, and then reload the Guard module while you are not connected from a console, you will lose connectivity to the Guard module.

The following example shows how to reset the Guard module to the factory default settings:

user@GUARD-conf# clear config all