Cisco Anomaly Guard Module Configuration Guide (Software Version 5.1) - Performing Maintenance Tasks [Cisco Services Modules]

Table Of Contents

Performing Maintenance Tasks

Configuring File Servers

Exporting the Configuration

Importing and Updating the Configuration

Exporting Files Automatically

Reloading the Guard Module

Rebooting the Guard Module and Inactivating Zones

Upgrading the Guard Module Software

Supervisor Engine 2 or Supervisor Engine 720 IOS Software

Guard Module Software

Upgrading Operation Notes

Upgrading the AP Image

Upgrading the MP Image

Upgrading the AP and MP Images Inline

Burning a New Flash Version

Using MP Commands

Recovering a Lost Password

Resetting the Configuration to Factory Defaults

Performing Maintenance Tasks

This chapter describes how to perform tasks used for general care and maintenance of the Cisco Anomaly Guard Module (Guard module) and contains the following sections:

•Configuring File Servers

•Exporting the Configuration

•Importing and Updating the Configuration

•Exporting Files Automatically

•Reloading the Guard Module

•Rebooting the Guard Module and Inactivating Zones

•Upgrading the Guard Module Software

•Using MP Commands

•Recovering a Lost Password

•Resetting the Configuration to Factory Defaults

Configuring File Servers

Configuring a network server to which to can export the Guard module files or from where import files to the Guard module allows you to configure the network server attributes such as the IP address, the communication method, and the login details one time, and then use the name of the network server without specifying the network server attributes in later operations.

After you configure the network server, you must configure the export or the import commands. For example, use the export reports commands to configure the Guard module to export attack reports to a network server.

To configure a network server, use one of the following commands in configuration mode:

•file-server file-server-name description ftp server remote-path login password

•file-server file-server-name description [sftp | scp] server remote-path login

Because Secure FTP (SFTP) and Secure Copy (SCP) rely on Secure Shell (SSH) for secure communication, you must configure the SSH key that the Guard module uses for SFTP and SCP communication. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard module uses for secure communication.

Table 14-1 provides the arguments and keywords for the file-server command.

Table 14-1 Arguments and Keywords for the file-server
Command

Parameter

Description

file-server-name

A name for the network server. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.

description

A string to describe the network server. The maximum string length is 80 characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

ftp

Defines the network server to use FTP.

sftp

Defines the network server to use SFTP.

scp

Defines the network server to use SCP.

server

The IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

The complete path of the directory in which to save the files or from which to import the files.

login

The login name for the network server.

password

The password for the network server.

This option is valid only for an FTP server. The Guard module authenticates network servers that use SFTP and SCP using a public key.

The following example shows how to define an FTP server with the IP address 10.0.0.191:
user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP 
server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
To delete a network server, use the no file-server [file-server-name | *] command in configuration mode.

To display the list of network servers, use the show file-servers command in global or configuration mode.

Exporting the Configuration

You can export the Guard module configuration file or a zone configuration file (running-config) to a network server. By exporting the Guard module or zone configuration file to a remote server, you can do the following:

•Implement the Guard module configuration parameters on another Guard module

•Back up the Guard module configuration

To export the Guard module configuration file, use one of the following commands in global mode:

•copy [zone zone-name] running-config ftp server full-file-name [login [password]]

•copy [zone zone-name] running-config {sftp | scp} server full-file-name login

•copy [zone zone-name] running-config file-server-name dest-file-name

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard module uses for secure communication.

Table 14-2 provides the arguments and keywords for the copy running-config ftp command.

Table 14-2 Arguments and Keywords for the copy running-config ftp
Command

Parameter

Description

zone zone-name

(Optional) The zone name. If you specify the zone name, the Guard module exports the zone configuration file. The default is to export the Guard module configuration file.

running-config

Exports the complete Guard module configuration or the configuration of the specified zone.

ftp

Exports the configuration to a network server using FTP.

sftp

Exports the configuration to a network server using SFTP.

scp

Exports the configuration to a network server using SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server saves the file in your home directory.

login

Server login name.

The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Guard module prompts you for one.

file-server-name

Name of a network server to which to export the configuration file. You must configure the network server using the file-server command.

If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard module uses for SFTP and SCP communication.

See the "Configuring File Servers" section for more information.

destination-file-
name

Name of the configuration file on the remote server. The Guard module saves the configuration file on the network server using the destination filename in the directory that you defined for the network server by using the file-server command.

The following example shows how to export the Guard module configuration file to an FTP server:
user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> 
<password>
The following example shows how to export the Guard module configuration file to a network server:
user@GUARD# copy running-config CorpFTP Configuration-12-11-05
Importing and Updating the Configuration

You can import a Guard module or zone configuration file from an FTP server and reconfigure the Guard module according to the newly transferred file. Import the configuration to do one of the following tasks:

•Configure the Guard module based on an existing Guard module configuration file

•Restore the Guard module configuration

Zone configuration is a partial Guard module configuration. To copy both types of configuration files to the Guard module and reconfigure it accordingly, use the copy ftp running-config command.

Note The new configuration replaces the existing configuration. You must reload the Guard module for the new configuration to take effect.

We recommend that you deactivate all zones before you initiate the import process. The Guard module deactivates a zone before importing the zone configuration.

The Guard module, by default, ignores older versions of self-protection configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.

To import a Guard module configuration file, use one of the following commands in global mode:

•copy ftp running-config server full-file-name [login [password]]

•copy {sftp | scp} running-config server full-file-name login

•copy file-server-name running-config source-file-name

Because SFTP and SCP rely on SSH for secure communication, if you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section for more information on how to configure the key that the Guard module uses for secure communication.

Table 14-3 provides the arguments for the copy ftp running-config command.

Table 14-3 Arguments for the copy ftp running-config
Command

Parameter

Description

ftp

Imports the configuration from a network server using FTP.

sftp

Imports the configuration from a network server using SFTP.

scp

Imports the configuration from a network server using SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

Complete name of the file. If you do not specify a path, the server searches for the file in your home directory.

login

Server login name.

The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Guard module prompts you for one.

file-server-name

Name of a network server. You must configure the network server using the file-server command.

If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard module uses for SFTP and SCP communication.

See the "Configuring File Servers" section for more information.

source-file-name

Name of the file to import. The Guard module appends the name of the file to the path that you defined for the network server by using the file-server command.

The following example shows how to import the Guard module configuration file from an FTP server:
user@GUARD# copy ftp running-config 10.0.0.191 
/root/backup/conf/scannet-conf <user> <password>
The following example shows how to import the Guard module configuration file from a network server:
user@GUARD# copy CorpFTP running-config scannet-conf
When you import a configuration that was exported from an older version, the Guard module displays the following message:
WARNING: The configuration file includes a self-protection definition 
that is incompatible with the current version and will be ignored. 
Continue? [yes|no]
Enter one of the following options:

•yes—Ignores the old self-protection configuration. The Guard module performs the following:

–Ignores the old self-protection configuration and does not import it

–Imports all other configuration, such as zone, interface, and services configuration

•no—Enables you to import the old self-protection configuration. The Guard module displays the following message:
You can abort the import process or import the old self-protection 
definition as-is. 
WARNING: The self-protection definitions are incompatible with the 
current version.
Abort? [yes|no]
Caution We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current software version.

To import the older self-protection configuration, enter no.

To abort the import process, enter yes.

Exporting Files Automatically

You can configure the Guard module to export automatically the following files to a network server:

•Packet-dump capture files

The Guard module exports the packet-dump capture files when the capture buffer size reaches 50 MB or after 10 minutes have elapsed. See the "Exporting Packet-Dump Capture Files Automatically" section for more information.

•Attack reports

The Guard module exports the reports of any one of the zones when an attack on the zone ends. See the "Exporting Attack Reports Automatically" section for more information.

The Guard module exports the packet-dump capture files and the attack reports in Extensible Markup Language (XML) format. The software version is accompanied by xsd files that describe the XML schema. You can download the xsd files from the Cisco website (www.cisco.com).

To export files automatically to a network server, perform the following steps:

Step 1 Define the network server to which you can export files.

See the "Configuring File Servers" section for more information.

Step 2 Configure the Guard module to export files automatically by entering the following command:
export {packet-dump | reports} file-server-name
Table 14-4 provides the arguments and keywords for the export command.

Table 14-4 Arguments and Keywords for the export Command

Parameter

Description

packet-dump

Exports packet-dump capture files each time the contents of the packet-dump buffer are saved to a local file. The Guard module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in Extensible Markup Language (XML) that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. See the "Monitoring Network Traffic and Extracting Attack Signatures" section for more information on packet-dump capture files.

reports

Exports attack reports in XML format at the end of an attack. The Guard module exports the reports of any one of the zones when an attack on the zone ends. See the ExportedReports.xsd file that accompanies the version for a description of the XML schema. See the "Exporting Attack Reports" section for more information.

file-server-name

The name of the network server on which you can save files. You must configure the network server using the file-server command.

The following example shows how to define an FTP server with the IP address 10.0.0.191, and then to configure the Guard module to automatically export reports (in XML) at the end of an attack to that server:
user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP 
server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
user@GUARD-conf# export reports CorpFTP-Server
To disable the automatic export of files to a network server, use the no form of the command.

Reloading the Guard Module

You can reload the Guard module configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Guard module:

•Deactivating or activating a physical interface using the shutdown command

•Burning a new flash

Rebooting the Guard Module and Inactivating Zones

The default behavior of the Guard module is to load all zones in an inactive operation state. Therefore, the Guard module does not enable zone protection or the learning process after reboot, regardless of the zone operation state prior to the reboot.

To change the default behavior so that the Guard module automatically activates zones that were active prior to the reboot process, enter the following command in configuration mode:

boot reactivate-zones

Caution The zone learning phase is restarted after reboot.

Upgrading the Guard Module Software

The Guard module requires two software components for its operation:

•Supervisor Engine 2 Or Supervisor Engine 720 Cisco IOS software

•Guard module software

Note To upgrade the Guard module software, you must log on to the supervisor engine.

Supervisor Engine 2 or Supervisor Engine 720 IOS Software

The first software component is the Cisco IOS software image on the Catalyst 6500 Supervisor Engine 2 or the Supervisor Engine 720. The image on the supervisor engine recognizes and initializes the Guard module and its processor. You must use a Cisco IOS software release that supports the Guard module.

Guard Module Software

The Guard module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash has two partitions for software images, each with its own operating system (image):

•Maintenance Partition (MP)—The software required for base module initialization and daughter card control functions (identified as cf:1)

•Application Partition (AP)—The image with the Guard module application (identified as cf:4)

You can upgrade the Guard module software on the compact flash card through the supervisor engine console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to an FTP or a TFTP server and installing them to the compact flash card.

The following three upgrade procedures are available for the Guard module:

•AP upgrade procedure—Upgrades an application image to the latest available version. You must perform this procedure from the MP and reset the module. See the "Upgrading the AP Image" section.

•MP upgrade procedure—Upgrades the maintenance partition. The MP image rarely requires upgrading. Use this procedure only when instructed in the release note that corresponds with the software release. See the "Upgrading the MP Image" section.

•Inline image upgrade procedure—Upgrades the application or the maintenance image. Perform this procedure from the MP. See the "Upgrading the AP and MP Images Inline" section.

Upgrading Operation Notes

This section provides guidelines for upgrading the AP and MP versions:

•To upgrade the AP and MP versions, log into the supervisor engine. To upgrade the Guard module flash (CFE), log into the Guard module.

•If you need to upgrade both AP and MP images, you must upgrade the MP image first.

•Use the hw-module module slot_number reset cf:1 command to switch to the MP. The main purpose for operating in the MP mode is to upgrade the AP image.

•Use the hw-module module slot_number reset cf:4 command to switch to the AP. The AP is the normal operating mode.

•The show module command displays the software version of the partition image that you are running. If you are running the AP image, the show module command displays the AP image version. A sample format of the AP image version is 5.1(0.12). If you are running the MP image, it displays the MP image version. A sample format of the MP image version is 5.1(0.0)m.

•The MP image filename uses the c6svc-mp.5-0-3.bin format.

•The AP image filename uses the c6svc-agm-k9.5-0-3.bin format.

•The MP uses the same network settings as the Guard module. You must configure the network settings before you can upgrade the Guard module images. See "Configuring the Guard Module on the Supervisor Engine" and "Initializing the Guard"for more information.

•When you upgrade the AP, the Guard module updates the self-protection configuration with a new configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration, because the older configuration may not be compatible with the current version.

Note We recommend that you globally configure the logging console command on the supervisor engine to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.

Upgrading the AP Image

To upgrade the application image, perform the following steps:

Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

•Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section and the "Exporting Zone Reports" section for more information.

•Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section for more information.

•Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section for more information.

Step 3 To upgrade an application image to the latest available software release, locate the image on the Cisco website (www.cisco.com).

Copy the software image to a directory accessible to FTP or TFTP.

Step 4 Reset the Guard module and load the MP image (this operation takes approximately 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 5 Verify that the MP has booted and that the Guard module status is OK. Enter the following command:
show module slot_number
Step 6 Install the AP image on the compact flash. This operation could last several minutes. Enter the following command:
copy tftp://path/filename pclc#slot_number-fs:
The path/filename argument specifies the FTP location and the name of the image file. If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

You can also download the version from an FTP server.

It can take up to 30 minutes to download an application image depending on the connection speed.

Caution Do not reset the module until the Guard module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

Step 7 Reset the Guard module to the AP by entering the following command:
hw-module module slot_number reset cf:4
Step 8 Verify that the AP image that you copied displays in the output of the show module command by entering the following command:
show module slot_number
Note A new version may require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image: "Bad CFE version (X). This version requires version Y."

See the "Burning a New Flash Version" section for more information.

The following example shows how to upgrade the AP image:
Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational
Proceed with reload of module? [confirm]
% reset issued for module 8
Sup# copy tftp:images/ap/agm-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/agm-APUpgrade-4.0.0.x.bin]? 
Destination filename [agm-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till 
upgrade completes!!>
......<<< Wait
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has 
succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>
Sup# hw-module module 8 reset cf:4 <<<<< Resets Guard module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
Upgrading the MP Image

The MP image rarely requires upgrading. If you are instructed to update the MP software in the release note that corresponds with the software release, perform the following steps:

Step 1 To upgrade to the latest software release, locate the software image on the Cisco website (www.cisco.com).

Copy the software image to a directory that is accessible to FTP or TFTP.

To reset the Guard module and load the MP image (this operation takes approximately 3 minutes), enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
Disregard this step if you are running the MP image already.

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 2 Verify that the MP has booted and that the Guard module status is OK by entering the following command:
show module slot_number
Step 3 Copy the MP image to the compact flash. You can copy the MP image when the Guard module is reset to the MP or to the AP by entering the following command on the supervisor engine:
copy tftp://path/filename pclc#slot_number-fs:
The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.

Caution Do not reset the module until the Guard module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

You can also download the version from an FTP server.

See the "Using MP Commands" section for more information about the MP commands.

Step 4 Verify that the MP image that you copied is displayed in the output of the show module command by entering the following command:
show module slot_number
Step 5 Reset the Guard module to the AP by entering the following command:
hw-module module slot_number reset cf:4
The following example shows how to upgrade the MP image:
Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational
Proceed with reload of module? [confirm]
% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The Following output shows MP image name because Guard module is reset 
to MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Guard module to AP 
(normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
Upgrading the AP and MP Images Inline

The inline image upgrade procedure provides an alternative method to upgrading the AP and MP images.

To upgrade the software image, perform the following steps:

Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

•Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section and the "Exporting Zone Reports" section for more information.

•Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section for more information.

•Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section for more information.

Step 3 To upgrade an image to the latest available version, locate the image on the Cisco website (www.cisco.com).

Copy the software image to a directory accessible to FTP.

See the "Burning a New Flash Version" section for more information on the MP commands.

Step 4 Log in to the supervisor engine through the console port or through a Telnet session.

Step 5 If the Guard module is running in the maintenance image, proceed to Step 7. If the Guard module is not running in the maintenance image, enter the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 6 After the Guard module is back online, establish a console session with the Guard module and log into the root account. The default password for the account is cisco.

Step 7 Upgrade the software image by entering the following command:
upgrade ftp://path/filename 
The path/filename argument specifies the FTP location and the name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP software image, enter the AP software image filename. To upgrade the MP software image, enter the MP software image filename. See the "Upgrading Operation Notes" section for more information.

Caution Do not reset the module until the Guard module displays the following message on the console: "Application image upgrade complete. You can boot the image now." Resetting the module before this message displays will cause the upgrade to fail.

Step 8 After completing the upgrade, log out of the Guard module by entering the exit command.

Step 9 Reset the Guard module to the AP software image by entering the following command:
hw-module module slot_number reset cf:4
Note Upgrading to a new software release might require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image: "Bad CFE version (X). This version requires version Y." See the "Burning a New Flash Version" section for more information.

Step 10 When the Guard module has rebooted, verify the software version by entering the show version command.

The following example shows how to upgrade the Guard module application software:
Sup# hw-module module 8 reset cf:1
.
.
.
Proceed with reload of module? [confirm]
% reset issued for module 9
.
.
.
Sup# session slot 8 proc 1
.
.
.
login:root
Password: 
.
.
.
root@localhost.cisco.com# upgrade 
ftp://psdlab-pc1/pub/images/ap/agm-APUpgrade-4.0.0.x.bin
Downloading the image. This may take several minutes...
.
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]:
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
.
Application image upgrade complete. You can boot the image now.
root@hostname.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.91 closed by foreign host]
Sup# hw-module module 8 reset cf:4
Burning a New Flash Version

You can burn a new flash version only when there is a mismatch between the current Common Firmware Environment (CFE) and the software release. A mismatch condition can occur when you update the Guard module software.

When a CFE mismatch is detected, the Guard module displays the following message when you establish the first session with the Guard module after upgrading the software release (X denotes the old flash version and Y denotes the new flash version): "Bad CFE version (X). This version requires version Y."

Caution You must be sure that there is a stable power supply to the Guard module and avoid performing any Guard module operations while you burn a new flash version. If you fail to adhere to these restrictions, the upgrade may fail and cause the Guard module to become inaccessible.

To burn a new flash version, perform the following steps:

Step 1 Enter the following command in configuration mode:
flash-burn
If you try to burn a new flash version when the CFE and the Guard module software versions match, the operation fails.

Step 2 Reload the Guard module by entering the following command:
reload
You must enter the reload command after burning a new flash version. The Guard module is not fully functional until you enter the reload command.

The following example shows how to burn a new flash version:
user@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 
Using MP Commands

You can boot the Guard module to the MP. A set of interfaces is available on the MP to administer and diagnose the Guard module. One of the key features of the MP is to provide the ability to install a new AP image.

To boot to the MP, use the hw_module module reset command, and then enter the session slot command to log into the MP.

Table 14-5 summarizes the MP commands.
Table 14-5 MP Commands
Command

Description
clear ap 
password
Clears all passwords that are defined on the Guard module.
clear ap config
Returns the Guard module to its default configuration. This command deletes all Guard module configuration, logs, and reports.
ip address [ip 
address] 
[subnet]
Configures the IP address that the Guard module uses to access the external network.
ip gateway 
[default-gateway
]
Specifies the default gateway for the network.
passwd
Changes the password for the current user.
passwd-guest
Changes the password for the guest account.
ping {host-name 
| ip address}
Pings a specified host on the network and verifies that the network parameters are configured correctly.
show images
Displays the images stored in the application partition.
show ip
Displays the network parameters of the Guard module.
upgrade ftp-url 
Upgrades the image where ftp-url is the URL specifying the FTP server containing the image and the path to the image. The path format is as follows: ftp://user:password@server-name/path.

You can specify the name of the FTP server or its IP address.
Recovering a Lost Password

To recover lost passwords, perform the following steps:

Step 1 Reset the Guard module to the MP by entering the following command on the supervisor engine:
hw-module module slot_number reset cf:1
The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Guard module is back online, establish a session with the Guard module, and log in to the root account.

Step 3 Delete all passwords that are configured on the Guard module by entering the following command:
clear ap password
Step 4 Reset the Guard module to the AP by entering the following command:
hw-module module slot_number reset cf:4
Step 5 Configure a new password for users that are configured on the Guard module. (See the "Changing Your Password" section.) To view a list of Guard module users, use the show running-config command.

Tip To narrow the display of the show running-config command output to include only the list of Guard module users, use the show running-config | include username command.

Resetting the Configuration to Factory Defaults

In certain situations, you may want to restore the Guard module configuration to the original default factory settings, Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Guard module, if the configuration has become complex, or if you want to move the Guard module from one network to another network. You can reset the Guard module to the factory defaults and configure it as a new Guard module.

We recommend that you back up the Guard module configuration by using the copy running-config command before you reset it to the default factory settings. See the "Exporting the Configuration" section.

The management interface configuration (eth1) is available until you reload the Guard module.

Caution If you reset the Guard module configuration to the factory defaults, and then reload the Guard module while you are not connected from a console, you will lose connectivity to the Guard module.

To reset the Guard module to the factory defaults settings, use the following command in configuration mode:

clear config all
The configuration change takes effect only after a reset.

The following example shows how to reset the Guard module to the factory defaults settings:
user@GUARD-conf# clear config all