Cisco Anomaly Guard Module Configuration Guide (Software Version 6.0)
Initializing the Guard Module

Table Of Contents

Initializing the Guard Module

Using the Command-Line Interface

Understanding User Privilege Levels

Understanding Command Modes

Entering CLI Commands

Using the no Form of a Command

show Command Syntax

CLI Error Messages

Tips for Using the CLI

Using Help

Using the Tab Completion

Understanding Conventions of Operation Direction

Abbreviating a Command

Using Wildcard Characters

Configuring the Guard Module Interfaces

Configuring a Physical Interface

Configuring a VLAN on the Guard Module Interfaces

Clearing the Counters of a Physical Interface

Configuring the Default Gateway

Adding a Static Route to the Routing Table

Configuring the Proxy IP Address

Managing the Guard Module

Managing the Guard Module with the Cisco Web-Based Manager

Managing the Guard Module with the Cisco DDoS MultiDevice Manager

Accessing the Guard Module with SSH


Initializing the Guard Module


This chapter describes the basic tasks required to initialize the Cisco Anomaly Guard Module (Guard module) in a network and how to manage it.


Note Operational and configuration differences exist between a Guard module operating at 1 Gbps and a Guard module operating at 3 Gbps. This chapter discusses the differences between the 1-Gbps operation and the 3-Gbps operation. Unless stated, the information in this chapter applies to both modes of operation. For more information, see the "Understanding the 1-Gbps and 3-Gbps Bandwidth Options" section on page 1-7.


This chapter contains the following sections:

Using the Command-Line Interface

Configuring the Guard Module Interfaces

Configuring the Default Gateway

Adding a Static Route to the Routing Table

Configuring the Proxy IP Address

Managing the Guard Module

Using the Command-Line Interface

You can control the Guard module functions by using the command-line interface (CLI). The Guard module user interface is divided into command modes, and access to the CLI is mapped to user privilege levels. The commands that are available to you depend on the mode you are currently in and on your privilege level.

This section includes the following topics:

Understanding User Privilege Levels

Understanding Command Modes

Entering CLI Commands

Tips for Using the CLI

Understanding User Privilege Levels

Access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.

Table 3-1 describes the user privilege levels.

Table 3-1 User Privilege Levels 

User Privilege Level
Description

Administration (admin)

Provides access to all operations.

Configuration (config)

Provides access to all operations except for operations relating to user definition, deletion, and modification.

Dynamic (dynamic)

Provides access to monitoring and diagnostic operations, protection, and learning-related operations. Users with Dynamic privileges can also configure flex-content filters and dynamic filters.

Show (show)

Provides access to monitoring and diagnostic operations.



Note We recommend that users with Administration and Configuration privilege levels configure all filters. Users with lower privilege levels can add and remove dynamic filters.


Understanding Command Modes

This section contains summaries of the command and configuration modes used in the Guard module CLI. To obtain a list of commands available for each command mode, enter ? at the system prompt.

Table 3-2 lists and describes the Guard module command modes.

Table 3-2 Guard Module Command Configuration Modes 

Mode
Description

Global

Allows you to connect to remote devices and list system information.

The Global prompt is the default prompt when you log into the Guard module. The command prompt is as follows:

user@GUARD#

Configuration

Allows you to configure features that affect the Guard module operation and have restricted user access.

To enter configuration mode, use the configure command in global mode. The command prompt is as follows:

user@GUARD-conf#

Interface configuration

Allows you to configure the Guard module networking interfaces.

To enter interface configuration mode, use the interface command in configuration mode. The command prompt is as follows:

user@GUARD-conf-if-<interface-name>#

Zone configuration

Allows you to configure the zone attributes.

To enter zone configuration mode, use the zone command in configuration mode or use the configure command in global mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>#

Policy template configuration

Allows you to configure the zone policy templates.

To enter policy template configuration mode, use the policy-template command in zone configuration mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>-policy_template-<policy-template-name>#

Policy configuration

Allows you to configure the zone policies.

To enter policy configuration mode, use the policy command in zone configuration mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>-policy-<policy-path>#

Entering CLI Commands

This section contains the following topics:

Using the no Form of a Command

show Command Syntax

CLI Error Messages

Table 3-3 describes the rules for entering CLI commands.

Table 3-3 CLI Rules 

Action
Keyboard Sequence

Scroll through and modify the command history

Use the arrow keys.

Display commands available in a specific command mode

Press Shift and enter the ? (question mark) key

Display a command completion

Type the beginning of the command and press Tab.

Display a command syntax completion(s)

Enter the command and press Tab twice.

Scroll using the more command

Enter the more number-of-lines command.

The number-of-lines argument sets the number of additional lines that are displayed each time you press the Spacebar. The default is two lines less than the height of the terminal.

Scroll on a single screen (within a command output)

Press the Spacebar.

Scroll back a single screen (within a command output)

Press the b key.

Stop scroll movement

Press the q key.

Search forward for a string

Press the / (forward slash) key and enter the string.

Search backward for a string

Press the ? (question mark) key and enter the string.

Cancel the action or delete a parameter

Use the no form of a specific command.

Display information relating to a current operation

Enter the show command.

Exit from a current command group level to a higher group level

Enter the exit command.

Exit all command group levels and return to the root level

Enter the end command.

Display command output from and including the first line that contains a string

Enter the | (vertical bar) and then enter the begin string command.

Display command output lines that include a string

Enter the | (vertical bar) and then enter the include string command.

Display command output lines that do not include a string

Enter the | (vertical bar) and then enter the exclude string command.



Note If you enter the exit command at the root level, you exit the CLI environment to the operating system login screen.


Using the no Form of a Command

Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor, and the no event monitor command turns it off.

show Command Syntax

You can execute zone-related show commands from the zone configuration mode. Alternatively, you can execute these commands from the global or configuration modes.

The following is the syntax for the show command in global or configuration modes:

show zone zone-name zone-parameters

The following is the syntax for the show command in zone configuration mode:

show zone-parameters


Note This publication uses the show command syntax from the zone configuration mode unless explicitly specified.


CLI Error Messages

The Guard module CLI displays error messages in the following situations:

The syntax of the command is incomplete or incorrect.

The command does not match the system configuration.

The operation could not be performed due to a system failure. In this situation, an entry is created in the system log.

Tips for Using the CLI

This section provides tips for using the CLI and includes the following topics:

Using Help

Using the Tab Completion

Understanding Conventions of Operation Direction

Abbreviating a Command

Using Wildcard Characters

Using Help

The CLI provides context-sensitive help at every mode of the command hierarchy. The help information tells you which commands are available at the current command mode and provides a brief description of each command.

To get help, type ?.

To display help for a command, type ? after the command.

To display all commands available in a mode along with a short description, enter ? at the command prompt.

The help displays commands available in the current mode only.

Using the Tab Completion

You can use tab completion to reduce the number of characters that you need to type for a command. Type the first few characters of a command and press Tab to complete the command.

After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters, including system-defined parameters and user-defined parameters. For example, if you press Tab twice after entering the policy-template command in zone configuration mode, the list of policy template names is displayed. If you press Tab twice after entering the zone command in configuration mode, zones that are already defined are displayed.

If multiple commands match for a Tab completion action, nothing is displayed; the system repeats the current line that you entered.

The tab completion feature displays only commands available for the current mode.

You can disable tab completion for zone names in all commands in global and configuration modes such as the zone command and the show zone commands by using the aaa authorization commands zone-completion tacacs+ command. See the "Disabling Tab Completion of Zone Names" section on page 4-12 for more information.

Understanding Conventions of Operation Direction

The order of keywords in the command syntax defines the direction of the operation. When the keyword that names the data (such as log) comes before the keyword that names the remote location (such as ftp), the Guard module copies the data from the Guard module to the server. When the location keyword comes first, the Guard module copies the data from the server to the Guard module. For example, the copy log ftp command copies the log file from the Guard module to the FTP server, and the copy ftp new-version command copies the new software version file from the FTP server to the Guard module.

Abbreviating a Command

You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.

For example, you can abbreviate the show command to sh.

Using Wildcard Characters

You can use an asterisk (*) as a wildcard. For example, if you enter the learning policy-construction * command, the policy construction phase is activated for all the zones that are configured on the Guard module.

If you enter the learning policy-construction scan* command, the policy construction phase is activated for all the zones that are configured on the Guard module with names that begin with scan (such as scannet, scanserver, and so on).

If you enter the no zone * command, all zones are removed.

Configuring the Guard Module Interfaces

Configuring the Guard module interfaces requires that you understand the mapping between the Guard module and the three Gigabit Ethernet ports that connect the Guard module to the switch fabric. The interface designator and function varies depending on the bandwidth operation of the Guard module (1 Gbps or 3 Gbps). To determine the bandwidth operation of your Guard module, see the "Displaying the Installed Software Version Number and License Agreement" section on page 13-2.

Table 3-4 shows the correlation between the supervisor engine ports and the Guard module interfaces.

Table 3-4 Supervisor Engine and Guard Module Interface Port Mapping

Supervisor Port   Guard Module Interface (1-Gbps Operation)   Guard Module Interface (3-Gbps Operation)

Port 1            eth1: Out-of-band management traffic        giga1: Data and inband management traffic

Port 2            giga2: Data traffic                         giga2: Data and inband management traffic

Port 3            giga3: Not used                             giga3: Data and inband management traffic



Note The Guard module also contains internal interfaces, which you cannot configure. However, when using SNMP to display the Guard module interface information, the display includes information for the internal interfaces as follows:

1-Gbps operation—Displays information for the internal interfaces eth0 and eth2.

3-Gbps operation—Displays information for the internal interfaces eth0, eth1, and eth2.



Note (3-Gbps operation only) When you activate zone protection, the Guard module first validates the configuration of the three interfaces used for traffic diversion. If you do not have the interfaces properly configured, the Guard module does not activate zone protection. For more information on the validation process, see the "Validating the Guard Module Network Configuration" section on page 5-20.


You can enter configuration mode to configure the Guard module by entering the following command:

configure [terminal]

The following example shows how to enter configuration mode:

user@GUARD# configure 
user@GUARD-conf#

You must configure the Guard module interfaces so that the Guard module can operate correctly. When you enter the interface command, you must specify the interface type and number.

Follow these guidelines for all physical and virtual interface configuration processes:

Each interface must be configured with a unique IP address and an IP subnet mask unless you configure IP addresses for individual VLANs.

You must activate each interface using the no shutdown command.

To display the status or the current configuration of an interface, enter the show or show running-config commands.

This section contains the following topics:

Configuring a Physical Interface

Configuring a VLAN on the Guard Module Interfaces

Clearing the Counters of a Physical Interface

Configuring a Physical Interface

You can configure the physical interfaces that connect the Guard module to the supervisor engine.


Caution Do not configure two interfaces on the same subnet or the Guard module routing may not work properly.

To configure the physical interfaces, perform the following steps:


Step 1 Enter interface configuration mode by entering the following command in configuration mode:

interface if-name

The if-name argument specifies the interface name as shown in Table 3-5.

Table 3-5 Guard Module Interfaces

1-Gbps Operation                        3-Gbps Operation

eth1: Out-of-band management traffic    giga1: Data and inband management traffic

giga2: Data traffic                     giga2: Data and inband management traffic

giga3: Not used                         giga3: Data and inband management traffic


Step 2 Set the interface IP address by entering the following command:

ip address ip-addr ip-mask 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).

Step 3 (Optional) Define the interface MTU by entering the following command:

mtu integer 

The integer argument specifies the MTU in bytes. The valid range depends on the interface and on the bandwidth operation:

1-Gbps Operation:

Data port (giga2): MTU range is between 576 and 1800 bytes.

Management port (eth1): MTU range is between 1200 and 8162 bytes.

3-Gbps Operation:

Data/management ports (giga1, giga2, giga3): MTU range is between 576 and 1800 bytes.

The default MTU value for all interfaces is 1500 bytes.

Step 4 Activate the interface by entering the following command:

no shutdown

Step 5 Repeat Steps 1-4 to configure each of the remaining physical interfaces.


After activating or deactivating an interface, you must reload the Guard module for the configuration change to take effect.

The following 1-Gbps operation example shows how to configure and activate the giga2 interface for data traffic:

user@GUARD-conf# interface giga2
user@GUARD-conf-if-giga2# ip address 192.168.100.33 255.255.255.252
user@GUARD-conf-if-giga2# no shutdown

The following 3-Gbps operation example shows how to configure and activate all three interfaces for data traffic. Each interface is placed on its own /30 subnet, as required by the Caution above:

user@GUARD-conf# interface giga1
user@GUARD-conf-if-giga1# ip address 192.168.100.33 255.255.255.252
user@GUARD-conf-if-giga1# no shutdown
user@GUARD-conf-if-giga1# interface giga2
user@GUARD-conf-if-giga2# ip address 192.168.100.37 255.255.255.252
user@GUARD-conf-if-giga2# no shutdown
user@GUARD-conf-if-giga2# interface giga3
user@GUARD-conf-if-giga3# ip address 192.168.100.41 255.255.255.252
user@GUARD-conf-if-giga3# no shutdown

To deactivate a physical interface, use the shutdown command in the interface configuration mode.

Configuring a VLAN on the Guard Module Interfaces

When configuring a data traffic VLAN on a Guard module that operates with only one data interface (1-Gbps operation), you configure the VLAN on interface giga2 only.

When configuring a data traffic VLAN on a Guard module that is licensed for 3-Gbps operation, you must configure the VLAN on each of the three Guard module interfaces. If the VLAN is for Guard module management traffic, you can configure the VLAN on only one of the interfaces.


Note Before configuring a VLAN on the Guard module, you must define the VLAN on the supervisor engine and then assign the VLAN to the Guard module. See the "Configuring VLANs for Management and Data Traffic" section on page 2-2 for more information.


To configure a VLAN on the Guard module, perform the following steps:


Step 1 Enter the VLAN interface configuration mode for an existing VLAN or configure a new VLAN by entering the following command in configuration mode or interface configuration mode:

interface interface.vlan-id

The interface argument is the physical interface name (giga1, giga2, or giga3) followed by a decimal point (.). The vlan-id argument is an integer that specifies the VLAN ID number (the IEEE 802.1Q tag).

Step 2 Set the VLAN IP address by entering the following command:

ip address ip-addr ip-mask 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).

Step 3 (Optional) Define the interface MTU by entering the following command:

mtu integer 

The integer argument is an integer between 576 and 1824 bytes.

The default MTU value is 1500 bytes.

Step 4 Activate the interface by entering the following command:

no shutdown

Step 5 (3-Gbps operation only) If the VLAN is for data traffic only and not for management traffic, repeat Steps 1-4 for the two remaining interfaces following these rules:

Use the same VLAN identifier for each interface.

Assign a unique VLAN IP address on each interface (they must all be on the same subnet).

Use the same subnet mask on each interface.


The following 1-Gbps operation example shows how to configure VLAN 124 on the giga2 data traffic interface and activate the interface:

user@GUARD-conf# interface giga2.124
user@GUARD-conf-if-giga2.124# ip address 192.168.5.4 255.255.255.0
user@GUARD-conf-if-giga2.124# no shutdown

The following 3-Gbps operation example shows how to configure VLAN 124 on the three Guard module interfaces and activate the interfaces:

user@GUARD-conf# interface giga1.124
user@GUARD-conf-if-giga1.124# ip address 192.168.5.4 255.255.255.0
user@GUARD-conf-if-giga1.124# no shutdown
user@GUARD-conf-if-giga1.124# interface giga2.124
user@GUARD-conf-if-giga2.124# ip address 192.168.5.6 255.255.255.0
user@GUARD-conf-if-giga2.124# no shutdown
user@GUARD-conf-if-giga2.124# interface giga3.124
user@GUARD-conf-if-giga3.124# ip address 192.168.5.8 255.255.255.0
user@GUARD-conf-if-giga3.124# no shutdown

Clearing the Counters of a Physical Interface

You can clear the counters of physical interfaces that are used for data if you are going to perform testing and want to be sure that the counters include information from the testing session only.

To clear the interface counters, use the following command in interface configuration mode:

clear counters

The following example shows how to clear the counters of the interface giga2:

user@GUARD-conf-if-giga2# clear counters

Configuring the Default Gateway

The default gateway receives and forwards packets that have IP addresses that are unknown to the local network. In most cases, the Guard module default gateway IP address is the adjacent router, located between the Guard module and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Guard module network interfaces.


Caution If you do not configure the default gateway IP address, the Guard module may not be accessible to the network.

To assign a default gateway address, use the following command in configuration mode:

default-gateway ip-addr

The ip-addr argument specifies the default gateway IP address. Enter the IP address in dotted-decimal notation (for example, enter an IP address of 192.168.100.1).

To modify the default gateway address, reenter the command.

The following example shows how to configure the default gateway:

user@GUARD-conf# default-gateway 192.168.100.1

Adding a Static Route to the Routing Table

You can add a static route to the Guard module routing table to specify routes for servers or networks outside the local networks that are associated with the Guard module IP interfaces. The static route is added permanently and is not lost when the Guard module reboots.


Note (3-Gbps operation only) During the validation process, the Guard module verifies that a static route exists for each next-hop IP address that you specify for a traffic diversion and injection. For more information about the validation process, see the "Validating the Guard Module Network Configuration" section on page 5-20. For more information about configuring a traffic diversion, see the "Understanding Traffic Diversion" section on page 5-1.


To add a static route to the Guard module routing table, use the following command in configuration mode:

ip route ip-addr ip-mask nexthop-ip [if-name]

Table 3-6 provides the arguments for the ip route command.

Table 3-6 Arguments for the ip route Command 

Parameter
Description
ip-addr

Network destination of the route. The destination can be an IP network address (where the host bits of the network address are set to 0) or an IP address for a host route. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

ip-mask

Subnet mask associated with the network destination. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0).

nexthop-ip

The next-hop IP address through which the destination network or host is reachable. The next-hop address must be within the subnet of one of the Guard module interfaces. For a directly connected subnet, the next-hop IP address is the address assigned to the Guard module interface that is attached to that subnet. For remote routes, reachable across one or more routers, the next-hop IP address is the directly reachable address of a neighboring router.

if-name

(Optional) The Guard module interface over which the destination is reachable. If you do not specify an interface, the next-hop IP address in the Guard module routing table determines the interface used.


The following example shows how to configure a static route:

user@GUARD-conf# ip route 172.16.31.5 255.255.255.255 192.168.100.34

To display the routing table, enter the show ip route command.

Configuring the Proxy IP Address

The Guard module proxy IP address is required for the proxy mode anti-spoofing protection mechanisms in which the Guard module serves as a TCP proxy to the zone. The Guard module first authenticates a new connection and only then initiates a connection with the zone using its own IP address as the source IP address.


Caution You cannot activate zone protection without first defining a proxy IP address on each of the Guard module data traffic interfaces. For 1-Gbps operation, the data interface is giga2. For 3-Gbps operation, the data interfaces are giga1, giga2, and giga3.

Follow these rules and recommendations for configuring proxy IP addresses on the Guard module:

Do not assign a proxy IP address while zone protection is enabled.

Configure each data interface with at least one proxy IP address.

Configure three to four proxy IP addresses per interface if your network uses load balancing to distribute load or if your network requires a high number of concurrent connections.

You can configure up to 60 proxy IP addresses per interface; however, we recommend that you do not configure more than 20 proxy IP addresses because more proxy IP addresses consume more memory resources.


Note (3-Gbps operation only) When you activate zone protection, the Guard module first validates the configuration of the three interfaces used for data traffic and traffic diversion. The validation process includes a check of the proxies configured with each interface. If you do not have the interfaces properly configured, the Guard module does not activate zone protection. For more information about the validation process, see the "Validating the Guard Module Network Configuration" section on page 5-20.


To configure a Guard module antispoofing proxy IP address, use the following command in the interface configuration mode of each data interface:

proxy ip-addr

The ip-addr argument specifies the proxy IP address. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

You must verify that every zone can route traffic to the Guard module proxy IP address. The Guard module does not answer ping requests to its proxy IP address, so you cannot use ping for this check.

To configure additional proxy IP addresses, reenter the command.

The following 1-Gbps operation example shows how to configure the giga2 data traffic interface with a proxy IP address:

user@GUARD-conf# interface giga2
user@GUARD-conf-if-giga2# proxy 192.168.100.34

The following 3-Gbps operation example shows how to configure all three interfaces with a proxy IP address:

user@GUARD-conf# interface giga1
user@GUARD-conf-if-giga1# proxy 192.168.100.34
user@GUARD-conf-if-giga1# interface giga2
user@GUARD-conf-if-giga2# proxy 192.168.100.36
user@GUARD-conf-if-giga2# interface giga3
user@GUARD-conf-if-giga3# proxy 192.168.100.38
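The rules stated in this section and the preceding ones (the Caution against two physical interfaces on one subnet, the 3-Gbps VLAN rules of one VLAN ID, one subnet and unique addresses across the three data interfaces, the default gateway on a connected subnet, a directly reachable static-route next hop, the MTU ranges, and at least one but not too many proxy addresses per data interface) can be checked offline before a plan is typed into the module. The following Python script is an added example written for this page; it is not Cisco code and does not reproduce the module's own validation process described on page 5-20. The Interface class, the check_plan function, the plan layout, and every address in the sample plan are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Data interfaces per bandwidth mode (Tables 3-4 and 3-5) and the proxy
# limits from "Configuring the Proxy IP Address".
DATA_INTERFACES = {"1g": ("giga2",), "3g": ("giga1", "giga2", "giga3")}
PROXY_HARD_LIMIT, PROXY_RECOMMENDED = 60, 20
# MTU ranges in bytes from "Configuring a Physical Interface" and the VLAN steps.
PHYSICAL_MTU = {("1g", "giga2"): (576, 1800), ("1g", "eth1"): (1200, 8162),
                ("3g", "giga1"): (576, 1800), ("3g", "giga2"): (576, 1800),
                ("3g", "giga3"): (576, 1800)}
VLAN_MTU = (576, 1824)


@dataclass
class Interface:
    """One physical interface (giga1) or one VLAN sub-interface (giga1.124)."""
    name: str
    address: str                        # CIDR form, e.g. "192.168.100.33/30"
    proxies: list = field(default_factory=list)
    mtu: int = 1500
    enabled: bool = True                # False means still in 'shutdown'

    @property
    def physical(self):
        return self.name.split(".")[0]

    @property
    def vlan(self):
        return int(self.name.split(".")[1]) if "." in self.name else None

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network


def check_plan(mode, interfaces, default_gateway, static_routes=(), data_vlans=()):
    """Apply the chapter's rules to a planned configuration; return (errors, warnings)."""
    errors, warnings = [], []
    data_ifs = DATA_INTERFACES[mode]
    by_name = {i.name: i for i in interfaces}
    networks = [i.network for i in interfaces]

    def on_link(addr):  # True when addr lies on the subnet of some interface
        return any(ipaddress.ip_address(addr) in n for n in networks)

    for i in interfaces:
        if not i.enabled:
            errors.append(f"{i.name}: not activated (missing 'no shutdown')")
        lo, hi = VLAN_MTU if i.vlan is not None else PHYSICAL_MTU.get((mode, i.physical), (0, 0))
        if hi == 0:
            errors.append(f"{i.name}: not an interface for {mode} operation")
        elif not lo <= i.mtu <= hi:
            errors.append(f"{i.name}: MTU {i.mtu} outside {lo}-{hi}")

    # Caution: two physical interfaces on one subnet breaks module routing.
    phys = [i for i in interfaces if i.vlan is None]
    for n, a in enumerate(phys):
        for b in phys[n + 1:]:
            if a.network == b.network:
                errors.append(f"{a.name} and {b.name} share subnet {a.network}")

    # The default gateway must be on the subnet of one of the interfaces.
    if not on_link(default_gateway):
        errors.append(f"default gateway {default_gateway} is not on any interface subnet")

    # Static routes: no host bits in the destination, next hop directly reachable.
    for dest, mask, nexthop in static_routes:
        try:
            ipaddress.ip_network(f"{dest}/{mask}", strict=True)
        except ValueError:
            errors.append(f"route {dest} {mask}: destination has host bits set")
        if not on_link(nexthop):
            errors.append(f"route {dest} {mask}: next hop {nexthop} is not directly reachable")

    # Zone protection needs at least one proxy address on every data interface.
    for name in data_ifs:
        i = by_name.get(name)
        if i is None:
            errors.append(f"{name}: data interface is not configured")
        elif not i.proxies:
            errors.append(f"{name}: no proxy IP address, zone protection cannot activate")
        elif len(i.proxies) > PROXY_HARD_LIMIT:
            errors.append(f"{name}: {len(i.proxies)} proxies exceeds the limit of {PROXY_HARD_LIMIT}")
        elif len(i.proxies) > PROXY_RECOMMENDED:
            warnings.append(f"{name}: more than {PROXY_RECOMMENDED} proxies uses extra memory")

    # 3-Gbps data VLANs: same VLAN ID on all three data interfaces, one subnet
    # (hence one mask), and a distinct address on each sub-interface.
    if mode == "3g":
        for vid in data_vlans:
            subs = [i for i in interfaces if i.vlan == vid]
            missing = set(data_ifs) - {i.physical for i in subs}
            if missing:
                errors.append(f"VLAN {vid}: not configured on {', '.join(sorted(missing))}")
            if len({i.network for i in subs}) > 1:
                errors.append(f"VLAN {vid}: sub-interfaces are not on one subnet")
            addrs = [ipaddress.ip_interface(i.address).ip for i in subs]
            if len(set(addrs)) != len(addrs):
                errors.append(f"VLAN {vid}: duplicate IP address across sub-interfaces")
    return errors, warnings


# Constructed 3-Gbps plan; the addresses are illustrative, not from a real deployment.
PLAN_3G = [
    Interface("giga1", "192.168.101.2/24", proxies=["192.168.101.10"]),
    Interface("giga2", "192.168.102.2/24", proxies=["192.168.102.10"]),
    Interface("giga3", "192.168.103.2/24", proxies=["192.168.103.10"]),
    Interface("giga1.124", "192.168.5.4/24"),
    Interface("giga2.124", "192.168.5.6/24"),
    Interface("giga3.124", "192.168.5.8/24"),
]
ROUTES_3G = [("172.16.31.0", "255.255.255.0", "192.168.101.1")]

if __name__ == "__main__":
    errs, warns = check_plan("3g", PLAN_3G, "192.168.101.1", ROUTES_3G, data_vlans=[124])
    for line in errs + warns:
        print(line)
    print("plan OK" if not errs else f"{len(errs)} error(s)")
```

An empty error list means the plan satisfies the rules this chapter states, not that the module will accept it; the module's own check at protection activation remains the final word, and an interface that is activated or deactivated still requires the reload mentioned above.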

Managing the Guard Module

After you establish a session from the supervisor engine and configure the Guard module networking (see Chapter 2, "Configuring the Guard Module on the Supervisor Engine" and the "Configuring the Guard Module Interfaces" section), you can access and manage the Guard module using one of the following methods:

Access using a Secure Shell (SSH) session.

Access the Guard module using the Web-Based Manager (WBM).

Access the Guard module using the MultiDevice Manager (MDM).

Access from a DDoS-sensing network element. Refer to the appropriate documentation for more information.

This section contains the following topics:

Managing the Guard Module with the Cisco Web-Based Manager

Managing the Guard Module with the Cisco DDoS MultiDevice Manager

Accessing the Guard Module with SSH

Managing the Guard Module with the Cisco Web-Based Manager

The WBM allows you to manage an individual Guard module from the web using a web browser.

To enable the WBM service and manage the Guard module, perform the following steps:


Step 1 Enable the WBM service by entering the following command in configuration mode:

service wbm

Step 2 Permit access to the Guard module from the remote manager IP address by entering the following command in configuration mode:

permit wbm {* | ip-addr [ip-mask]}

Table 3-7 provides the arguments for the permit wbm command.

Table 3-7 Arguments for the permit wbm Command

Parameter   Description

*           Asterisk wildcard character that allows access by all remote manager IP addresses.

ip-addr     IP address of the remote manager. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

ip-mask     (Optional) Subnet mask. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0).


Caution For security reasons, we do not recommend that you permit access to a service from all IP addresses.


Step 3 From a network PC, open the web browser and enter the following URL:

https://guard-module-ip-address/

The guard-module-ip-address argument is the IP address of the Guard module.

The Guard module WBM window appears.


Note HTTPS, not HTTP, is used to enable web-based management control.


Step 4 Enter your username and password and click OK. After you enter the username and password correctly, the Guard module home page displays.

If you have the Guard module configured to use Terminal Access Controller Access Plus (TACACS+) authentication, the Guard module uses the TACACS+ user database for user authentication instead of using its local database. If you have configured advanced authentication attributes on the TACACS+ server, such as password expiry, the Guard module may prompt you for a new password based on the configuration of the user on the TACACS+ server or notify you when the password is about to expire.


The following example shows how to enable the Guard module WBM:

user@GUARD-conf# service wbm
user@GUARD-conf# permit wbm 192.168.30.32

For information about using the WBM to manage your Guard module, see the appropriate Cisco Web-Based Manager Configuration Guide.

Managing the Guard Module with the Cisco DDoS MultiDevice Manager

The Cisco DDoS MultiDevice Manager (MDM) is a server-based application that allows you to manage one or more Guard modules from the web using a web browser. To use the MDM to manage your network of Guard modules, you must perform the following actions:

Install and configure the MDM software on a network server (see the Cisco DDoS MultiDevice Manager Configuration Guide).

Enable the MDM service on your Guard module and permit access by the MDM as described in the following procedure.

To enable the MDM service on the Guard module, perform the following steps:


Step 1 Enable the MDM service by entering the following command in configuration mode:

service mdm

Step 2 Permit access to the Guard module from the MDM by entering the following command in configuration mode:

mdm server ip-addr

The ip-addr argument defines the IP address of your MDM server. Enter the IP address in dotted-decimal notation.


The following example shows how to enable the MDM service and permit access by the MDM:

user@GUARD-conf# service mdm
user@GUARD-conf# mdm server 192.168.30.32

For information about using the MDM to manage your Guard modules, see the Cisco DDoS MultiDevice Manager Configuration Guide.

Accessing the Guard Module with SSH

You can access the Guard module using an SSH connection.

The SSH service is enabled by default.

To access the Guard module with SSH, perform the following steps:


Step 1 Permit access to the Guard module from the remote network IP address by entering the following command in configuration mode:

permit ssh {ip-addr [ip-mask] | *}

Table 3-8 provides the arguments for the permit ssh command.

Table 3-8 Arguments for the permit ssh Command

Parameter   Description

ip-addr     IP address of the remote network. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

ip-mask     (Optional) Subnet mask. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0).

*           Asterisk character. Allows access by any remote network. For security reasons, we do not recommend that you permit access from all IP addresses.


Step 2 Establish a connection from the remote network address and enter your login username and password.

If you have the Guard module configured to use TACACS+ authentication, the Guard module uses the TACACS+ user database for user authentication instead of using its local database. If you have configured advanced authentication attributes on the TACACS+ server, such as password expiry, the Guard module may prompt you for a new password based on the configuration of the user on the TACACS+ server or notify you when the password is about to expire.

To log in over SSH with a public key instead of entering a login username and password, perform the following:

Configure the Guard module to use a locally configured login and password for authentication. See the "Configuring Authentication" section on page 4-4 for more information.

Add the remote connection SSH public key to the Guard module SSH key list. See the "Managing SSH Keys" section on page 4-21 for more information.


The following example shows how to enable an SSH connection to the Guard module:

user@GUARD-conf# permit ssh 192.168.30.32
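The permit ssh and permit wbm entries above form a source-address access list for the two management services, and the Caution against permitting a service from all addresses applies to both. The following Python script is an added example written for this page, not Cisco code: it parses permit lines in the syntax shown in Tables 3-7 and 3-8, reports which entry admits a given source address, and flags entries that open a service to every address. The parse_permit, permitted_by and audit_permits functions and the sample configuration lines are assumptions; so is the reading of an address given without a mask as a single host.

```python
import ipaddress


def parse_permit(line):
    """Parse one 'permit {ssh|wbm} {* | ip-addr [ip-mask]}' line into (service, network).
    Assumption: an address with no mask names a single host (a /32)."""
    parts = line.split()
    if len(parts) < 3 or parts[0] != "permit" or parts[1] not in ("ssh", "wbm"):
        raise ValueError(f"not a permit ssh/wbm line: {line!r}")
    service, target = parts[1], parts[2]
    if target == "*":                     # wildcard: every source address
        return service, ipaddress.ip_network("0.0.0.0/0")
    mask = parts[3] if len(parts) > 3 else "255.255.255.255"
    return service, ipaddress.ip_network(f"{target}/{mask}", strict=False)


def permitted_by(config_lines, service, source):
    """Return the network (as text) of the first entry admitting `source` to `service`, else None."""
    src = ipaddress.ip_address(source)
    for line in config_lines:
        svc, net = parse_permit(line)
        if svc == service and src in net:
            return str(net)
    return None


def audit_permits(config_lines):
    """List entries that expose a management service to every address (the Caution above)."""
    findings = []
    for line in config_lines:
        svc, net = parse_permit(line)
        if net.prefixlen == 0:
            findings.append(f"{svc}: open to all addresses ({line.strip()})")
    return findings


# Constructed running-config excerpt; not captured from a real module.
SAMPLE_PERMITS = [
    "permit ssh 192.168.30.32",
    "permit ssh 10.20.0.0 255.255.255.0",
    "permit wbm *",
]

if __name__ == "__main__":
    for svc, host in (("ssh", "192.168.30.32"), ("ssh", "192.168.30.33"), ("wbm", "203.0.113.9")):
        print(svc, host, "->", permitted_by(SAMPLE_PERMITS, svc, host))
    for finding in audit_permits(SAMPLE_PERMITS):
        print("WARNING:", finding)
```

Feed it the permit lines from a saved running configuration to confirm, before enabling a service, that only the management hosts or networks you intend are admitted and that no entry relies on the asterisk wildcard.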