Table Of Contents
Configuring the Guard Module on the Supervisor Engine
Verifying the Guard Module Installation
Setting Up Guard Module Management
Configuring VLANs
Configuring VLANs on the Supervisor Engine
Assigning VLANs to the Guard Module
Configuring the Layer 3 Interfaces on the VLANs
Establishing a Session with the Guard Module
Rebooting the Guard Module
Verifying the Guard Module Configuration
Configuring Multiple Guard Modules in a Single Switch or Router
Load Sharing
Redundancy and High Availability
Configuring the Guard Module on the Supervisor Engine
This chapter describes how to configure the Cisco Anomaly Guard Module (Guard module) on the supervisor engine. You must configure the Guard module on the supervisor engine before you can establish a session with the Guard module to configure it.
You can install the Cisco Anomaly Guard Module (Guard module) in a Catalyst 6500 series switch or a 7600 series router. See the "Understanding the Cisco Anomaly Guard Module" section on page 1-1 for more information.
This chapter consists of the following sections:
• Verifying the Guard Module Installation
• Setting Up Guard Module Management
• Configuring VLANs
• Establishing a Session with the Guard Module
• Rebooting the Guard Module
• Verifying the Guard Module Configuration
• Configuring Multiple Guard Modules in a Single Switch or Router
To configure the Guard module on the supervisor engine, you must have EXEC privileges and must be in configuration mode.
To save all configuration changes to the Flash memory, use the write memory command in privileged EXEC mode.
Verifying the Guard Module Installation
Verify that the supervisor engine acknowledges the new Guard module and has brought it online.
Note
For information on how to install the Guard module in the Catalyst 6500 series switch, refer to the Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note.
To verify the installation, perform the following steps:
Step 1
Log into the supervisor engine console.
Step 2
Verify that the Guard module is online by entering the show module command. This example shows the output of the show module command:
Sup# show module
Mod Ports Card Type                            Model              Serial No.
--- ----- ------------------------------------ ------------------ -----------
1   2     Catalyst 6000 supervisor 2 (Active)  WS-X6K-SUP2-2GE    SAL081230TJ
6   3     Anomaly Guard module                 WS-SVC-agm-1-K9    SAD081000GG

Mod MAC addresses                      Hw    Fw      Sw          Status
--- --------------------------------   ----- ------- ----------- -------
6   000e.847f.fe04 to 000e.847f.fe0b   3.0   7.2(1)  4.0(0.10)   Ok
Note
When the Guard module is first installed, the status is usually "other." Once the Guard module completes the diagnostic routines and comes online, the status reads "OK." Allow at least 5 minutes for the Guard module to come online.
Setting Up Guard Module Management
To establish a remote management session with the Guard module, you must set the Guard module management port.
To select a VLAN for management, use the following command:
anomaly-guard module module_number port port_number [allowed-vlan vlan_range | native-vlan vlan_id]
Table 2-1 provides the arguments and keywords for the anomaly-guard module command.
Table 2-1 Arguments and Keywords for the anomaly-guard module Command
Parameter                 Description
module_number             The number of the slot in which the module is inserted in the chassis (1-9).
port port_number          The number of the port used for management. The Guard module supports port 1 for management.
allowed-vlan vlan_range   A range of VLANs or several VLANs in a comma-separated list (do not enter space characters).
native-vlan vlan_id       The native VLAN for the trunk in 802.1Q trunking mode. The default native VLAN is 1.
The following example shows how to select VLAN 5 for a module inserted in slot number 4 in the chassis for management:
Sup(config)# anomaly-guard module 4 port 1 allowed-vlan 5
To establish a remote management session with the Guard module, you must also configure the following on the Guard module:
• Configure the Guard module management port interface, eth1. See the "Configuring a Physical Interface" section on page 3-10.
• Enable the relevant services. See the "Managing the Guard" section on page 3-17.
Configuring VLANs
To configure VLANs on the supervisor engine to forward traffic to the Guard module, perform the following steps:
Step 1
Configure VLANs on the supervisor engine to forward traffic to the Guard module. See the "Configuring VLANs on the Supervisor Engine" section for more information.
Step 2
Assign VLANs to the Guard module. See the "Assigning VLANs to the Guard Module" section for more information.
Step 3
(Optional) Configure Layer 3 interfaces on the VLANs. See the "Configuring the Layer 3 Interfaces on the VLANs" section for more information.
Step 4
Configure the Guard module interfaces. See the "Configuring the Guard Interfaces" section on page 3-9 for more information.
Configuring VLANs on the Supervisor Engine
You must configure VLANs on the supervisor engine to forward traffic to the Guard module. To create a VLAN on the supervisor engine, use the following command and define the VLAN range that you plan to assign to the Guard module:
vlan vlan_range
The vlan_range argument specifies a single VLAN, a range of VLANs, or several VLANs in a comma-separated list (do not enter space characters). Valid VLAN numbers are from 1 to 4094.
The following example shows how to define VLANs:
Sup(config)# vlan 86-89,99
See the "Configuring a VLAN" section on page 3-12 for information on how to configure VLANs on the Guard module.
Assigning VLANs to the Guard Module
Assigning VLANs to the Guard module requires that you understand the mapping between the Guard module and the Ethernet ports that connect the Guard module to the switch fabric.
To assign VLANs to the Guard module, use the following command at the supervisor engine prompt:
anomaly-guard module module_number port port_number [allowed-vlan vlan_range | native-vlan vlan_id]
Table 2-2 provides the arguments and keywords for the anomaly-guard module command.
Table 2-2 Arguments and Keywords for the anomaly-guard module Command
Parameter                 Description
module_number             The number of the slot in which the module is inserted in the chassis (1-9).
port port_number          The port number (1-3). Port 1 is used for management and port 2 is used for data. Port 3 is not currently in use.
allowed-vlan vlan_range   A range of VLANs or several VLANs in a comma-separated list (do not enter space characters).
native-vlan vlan_id       The native VLAN for the trunk in 802.1Q trunking mode. The default native VLAN is 1. One of the allowed VLANs must be the administrative VLAN. By default, this is VLAN 1.
The following example shows how to assign VLANs to the Guard module:
Sup(config)# anomaly-guard module 7 port 2 allowed-vlan 1,3,6-15
Note
In addition to assigning VLANs, you must also configure the management port and the data port on the Guard module. See "Configuring a Physical Interface" section on page 3-10 for more information.
Configuring the Layer 3 Interfaces on the VLANs
You can configure Layer 3 interfaces on the VLANs if required by the application.
Note
You must assign the VLANs to the Guard module before you can configure the Layer 3 interfaces.
To configure a Layer 3 VLAN interface, perform the following steps:
Step 1
Enter the VLAN interface configuration mode with the following command at the supervisor engine prompt:
interface vlan vlan_id
The vlan_id argument specifies the number of the VLAN; valid values are from 1 to 4094.
Step 2
Set the VLAN IP address by entering the following command:
ip address ip_address subnet_mask
The ip_address and subnet_mask arguments define the interface IP address.
Step 3
Activate the interface with the following command:
no shutdown
The following example shows how to configure a Layer 3 VLAN interface:
Sup(config)# interface vlan 5
Sup(config-if)# ip address 192.168.89.100 255.255.255.0
Sup(config-if)# no shutdown
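The four-step procedure above, carried through as one supervisor engine configuration session. This is an added example, not from the original guide; it assumes a Guard module in slot 7, VLAN 5 for management, VLANs 86-89 and 99 for data, and the IP address shown.

```ios
! Added example (assumed values): slot 7, management VLAN 5, data VLANs 86-89 and 99.
Sup# configure terminal
! Step 1: create the VLANs the Guard module will use (no spaces in the list)
Sup(config)# vlan 5,86-89,99
Sup(config-vlan)# exit
! Step 2: port 1 is the management port, port 2 the data port.
! The allowed-vlan list of the data port must include the administrative VLAN (1 by default).
Sup(config)# anomaly-guard module 7 port 1 allowed-vlan 5
Sup(config)# anomaly-guard module 7 port 2 allowed-vlan 1,86-89,99
! Step 3 (optional): Layer 3 interface on the management VLAN.
! VLANs must already be assigned to the module before this step.
Sup(config)# interface vlan 5
Sup(config-if)# ip address 192.168.5.1 255.255.255.0
Sup(config-if)# no shutdown
Sup(config-if)# end
! Check the data port assignment and save the configuration to Flash
Sup# show anomaly-guard module 7 port 2 state
Sup# write memory
! Step 4 (eth1 and the data interface on the Guard module itself) is done
! inside a session to the module:
Sup# session slot 7 processor 1
```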
Establishing a Session with the Guard Module
To log in to the Guard module, perform the following steps:
Step 1
Establish a Telnet session or console log session into the switch.
Step 2
Enter the following command at the supervisor engine prompt:
session slot slot_number processor processor_number
Table 2-3 provides the arguments and keywords for the session slot command.
Table 2-3 Arguments and Keywords for the session slot Command
Parameter                   Description
slot_number                 The number of the slot in which the module is inserted in the chassis (1-9).
processor processor_number  The number of the Guard module processor. The Guard module supports management only through processor 1.
Step 3
Enter your username (for example, admin) at the Guard module login prompt.
Step 4
Enter the password.
If this is the first time that you are establishing a session with the Guard module, you must choose a password for the admin and the riverhead user accounts. The password must be between 6 to 24 characters with no spaces. You can change the password at any time. See the "Changing Your Password" section on page 4-9 for more information.
After a successful login, the command-line prompt is represented as user@GUARD#. You can change the prompt by entering the hostname command.
Rebooting the Guard Module
Cisco IOS software provides the following commands to control the Guard module: boot, shutdown, power enable, and reset.
Caution 
If you enter the reload command at the supervisor engine prompt, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Guard Module" section on page 14-11 for information on how to reload the Guard module.
• shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Guard module, it is critical that you shut down the Guard module properly. Enter the following command at the supervisor engine prompt:
hw-module module slot_number shutdown
The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.
You must then enter the hw-module module module_number reset command to restart the Guard module.
The following example shows how to shut down the Guard module:
Sup# hw-module module 8 shutdown
Note
The Guard module reboots if you reboot the switch.
• reset—Resets the module. This command is typically used in the upgrade process to switch between Application Partition (AP) and Maintenance Partition (MP) images or to recover from a shutdown. The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following command at the supervisor engine prompt:
hw-module module slot_number reset [string]
The slot_number argument specifies the number of the slot in which the module is inserted in the chassis. The string argument is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Guard Module Software" section on page 14-11 for more information.
The following example shows how to reset the Guard module:
Sup# hw-module module 8 reset
• no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following command at the supervisor engine prompt:
no power enable module slot_number
The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.
To switch the module on again, use the following command:
power enable module slot_number
The following example shows how to shut down the Guard module:
Sup(config)# no power enable module 8
• boot—Forces the Guard module to boot to the MP at the next power on. Enter the following command at the supervisor engine prompt:
boot device module slot_number cf:1
The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.
To enable the Guard module to boot to the default partition, which is the AP, at the next boot cycle, use the following command at the supervisor engine prompt:
no boot device module slot_number cf:1
The following example shows how to configure the Guard module to boot to the MP at the next boot cycle:
Sup(config)# boot device module 8 cf:1
Verifying the Guard Module Configuration
To verify the Guard module configuration on the supervisor engine, use the following command at the supervisor engine prompt:
show anomaly-guard module slot_number port port_number [state | traffic]
Table 2-4 provides the arguments and keywords for the show anomaly-guard module command.
Table 2-4 Arguments and Keywords for the show anomaly-guard module Command
Parameter           Description
slot_number         The number of the slot in which the module is inserted in the chassis (1-9).
port port_number    The port number (1-3). Port 1 is used for management and port 2 is used for data.
state               The configuration of the specified port.
traffic             The traffic statistics of the specified port.
The following example shows how to display the Guard module configuration on the supervisor engine:
Sup# show anomaly-guard module 8 port 2 state
Configuring Multiple Guard Modules in a Single Switch or Router
You can install several Guard modules in a Catalyst 6500 series switch or a Cisco 7600 series router as long as at least one supervisor engine is installed. Refer to the most current Release Note for the exact number of modules.
Note
To review the latest Release Note for the Guard module, see the following URL:
http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_release_notes_list.html
You can configure multiple Guard modules in one of the following configurations:
• Load Sharing
• Redundancy and High Availability
Load Sharing
You can configure several Guard modules to handle the zone traffic. The supervisor engine distributes the traffic equally between the Guard modules whenever it has more than one equal cost route to the same destination.
To configure more than one Guard module for load sharing, perform the following tasks:
• Define the zone on all Guard modules. See the "Configuring Zone Attributes" section on page 6-9 for more information.
• Assign the same weight for diversion hijacking on all Guard modules. See the "Configuring Hijacking" section on page 5-11 for more information.
• Activate the Guard module learning process for the zone on all Guard modules simultaneously. See the "Synchronizing a Guard Module with Cisco Traffic Anomaly Detector Module Zone Configuration" section on page 6-13 for more information.
• Activate zone protection on all Guard modules. See Chapter 10, "Protecting Zones," for more information.
Note
If more than half the Guard modules stop functioning, the remaining Guard modules might regard the legitimate traffic as an attack on the zone.
Redundancy and High Availability
You can configure two Guard modules (or groups of Guard modules) for high availability. If the active Guard module is not available, the supervisor engine diverts the zone traffic to the standby Guard module.
The supervisor engine forwards the traffic to the lower cost routes (the routes with the lowest weight). The supervisor engine forwards the traffic to the redundant routes only if it detects that the routes to the active Guard are down.
To configure Guard modules in redundant configuration, perform the following tasks:
• Define the same zone on both Guard modules. See the "Configuring Zone Attributes" section on page 6-9 for more information.
• Assign a lower weight for diversion hijacking to the active Guard module. See the "Configuring Hijacking" section on page 5-11 for more information.
• Assign a higher weight for diversion hijacking to the redundant Guard module. See the "Configuring Hijacking" section on page 5-11 for more information.
• Activate the learning process on the active Guard module. See the "Synchronizing a Guard Module with Cisco Traffic Anomaly Detector Module Zone Configuration" section on page 6-13 for more information.
• Copy the zone configuration to the redundant Guard module. See the "Exporting the Configuration" section on page 14-3 and the "Importing and Updating the Configuration" section on page 14-6 for more information.
• Activate zone protection on both Guard modules. See the "Protecting Zones" section on page 10-1 for more information.