Cisco Anomaly Guard Module Configuration Guide (Software Version 6.0)
Performing Maintenance Tasks

Table Of Contents

Performing Maintenance Tasks

Configuring File Servers

Exporting the Configuration

Importing and Updating the Configuration

Exporting Files Automatically

Reloading the Guard Module

Rebooting the Guard Module and Inactivating Zones

Upgrading the Guard Module Software

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS Software

Guard Module Software

Upgrading Operation Notes

Upgrading the AP Image

Upgrading the MP Image

Upgrading the AP and MP Images Inline

Burning a New Flash Version to Upgrade the CFE

Upgrading the Bandwidth Performance from 1 Gbps to 3 Gbps

Obtaining and Installing the XG Software Image for 3-Gbps Operation

Obtaining and Installing the XG Software Image License Key

Updating Existing Port and Interface Configurations for 3-Gbps Operation

Configuring Proxies On the Interfaces for 3-Gbps Operation

Regenerating the SSL Certificates for the 3-Gbps Operation

Using MP Commands

Recovering from a Lost Password Condition

Resetting the Default admin User Account Password

Resetting All User Account Information

Resetting the User Account Information Using the MP root User Account

Resetting the User Account Information Using the AP root User Account

Resetting the Guard Module Configuration to Factory Default Values


Performing Maintenance Tasks


This chapter describes how to perform tasks used for general care and maintenance of the Cisco Anomaly Guard Module (Guard module).

This chapter refers to the Cisco Detector (Detector), the companion product of the Guard. The Detector is a Distributed Denial of Service (DDoS) attack detection device that analyzes a copy of the zone traffic. The Detector can activate the Guard attack mitigation services when the Detector determines that the zone is under attack. The Detector can also synchronize zone configurations with the Guard. For more information about the Detector, see the Cisco Traffic Anomaly Detector Module Configuration Guide and Cisco Traffic Anomaly Detector Configuration Guide.


Note Operational and configuration differences exist between a Guard module operating at 1 Gbps and a Guard module operating at 3 Gbps. This chapter discusses the differences between the 1-Gbps operation and the 3-Gbps operation. Unless stated, the information in this chapter applies to both modes of operation. For more information, see the "Understanding the 1-Gbps and 3-Gbps Bandwidth Options" section on page 1-7.


This chapter contains the following sections:

Configuring File Servers

Exporting the Configuration

Importing and Updating the Configuration

Exporting Files Automatically

Reloading the Guard Module

Rebooting the Guard Module and Inactivating Zones

Upgrading the Guard Module Software

Upgrading the Bandwidth Performance from 1 Gbps to 3 Gbps

Using MP Commands

Recovering from a Lost Password Condition

Resetting the Guard Module Configuration to Factory Default Values

Configuring File Servers

You can define a network server on the Guard module for importing and exporting files between the Guard module and the server. The Guard module allows you to create a network server profile in which you define the network server attributes such as the IP address, the communication method, and the login details. Creating a network server profile allows you to specify just the server name when importing or exporting files.

After you configure the network server, you must configure the export or the import commands. For example, use the export reports commands to configure the Guard module to export attack reports to a network server.

To configure a network server, use one of the following commands in configuration mode:

file-server file-server-name description ftp server remote-path login password

file-server file-server-name description [sftp | scp] server remote-path login

Table 14-1 provides the arguments and keywords for the file-server command.

Table 14-1 Arguments and Keywords for the file-server Command 

Parameter
Description

file-server-name

Name for the network server. Enter an alphanumeric string from 1 to 63 characters. The string can contain underscores but cannot contain any spaces.

description

String to describe the network server. The maximum string length is 80 alphanumeric characters. If you use spaces in the expression, enclose the expression in quotation marks (" ").

ftp

Specifies File Transfer Protocol (FTP).

sftp

Specifies Secure File Transfer Protocol (SFTP).

scp

Specifies Secure Copy Protocol (SCP).

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

remote-path

Complete path of the directory in which to save the files or from which to import the files.

login

Login name for the network server.

password

Password for the network server. This option is valid only for an FTP server. The Guard module authenticates network servers that use SFTP and SCP using a public key.



Note Because SFTP and SCP rely on Secure Shell (SSH) for secure communication, you must configure the SSH key that the Guard module uses for SFTP and SCP communication. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-23 for more information.


The following example shows how to define an FTP server with the IP address 10.0.0.191:

user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>

To delete a network server, use the no file-server [file-server-name | *] command in configuration mode.

To display the list of network servers, use the show file-servers command in global or configuration mode.

Exporting the Configuration

You can export the Guard module configuration file or a zone configuration file (running-config) to a network server, which allows you to do the following:

Implement the Guard module configuration parameters on another Guard module

Back up the Guard module configuration

To export the Guard module configuration file, use one of the following commands in global mode:

copy [zone zone-name] running-config ftp server full-file-name [login [password]]

copy [zone zone-name] running-config {sftp | scp} server full-file-name login

copy [zone zone-name] running-config file-server-name dest-file-name

Table 14-2 provides the arguments and keywords for the copy running-config ftp command.

Table 14-2 Arguments and Keywords for the copy running-config ftp Command 

Parameter
Description

zone zone-name

(Optional) Specifies the zone name. If you specify the zone name, the Guard module exports the zone configuration file. The default is to export the Guard module configuration file.

running-config

Exports the complete Guard module configuration or the configuration of the specified zone.

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server saves the file in your home directory.

login

(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Guard module prompts you for one.

file-server-name

Name of a network server to which to export the configuration file. You must configure the network server using the file-server command (see the "Configuring File Servers" section).

dest-file-name

Name of the configuration file on the remote server. The Guard module saves the configuration file on the network server using the destination filename in the directory that you defined for the network server by using the file-server command.



Note If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard module uses for SFTP and SCP communication. If you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-23 for more information.


The following example shows how to export the Guard module configuration file to an FTP server:

user@GUARD# copy running-config ftp 10.0.0.191 run-conf.txt <user> <password>

The following example shows how to export the Guard module configuration file to a network server:

user@GUARD# copy running-config CorpFTP Configuration-12-11-05

Importing and Updating the Configuration

You can import a Guard module or zone configuration file from an FTP server and reconfigure the Guard module according to the newly transferred file. Import the configuration to do one of the following tasks:

Configure the Guard module based on an existing Guard module configuration file

Restore the Guard module configuration

Zone configuration is a partial Guard module configuration. To copy both types of configuration files to the Guard module and reconfigure it accordingly, use the copy ftp running-config command.


Note The new configuration replaces the existing configuration. You must reload the Guard module for the new configuration to take effect.


We recommend that you deactivate all zones before you initiate the import process. The Guard module deactivates a zone before importing the zone configuration.

The Guard module, by default, ignores older versions of self-protection configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current version.

To import a Guard module configuration file, use one of the following commands in global mode:

copy ftp running-config server full-file-name [login [password]]

copy {sftp | scp} running-config server full-file-name login

copy file-server-name running-config source-file-name

Table 14-3 provides the arguments for the copy ftp running-config command.

Table 14-3 Arguments for the copy ftp running-config Command 

Parameter
Description

ftp

Specifies FTP.

sftp

Specifies SFTP.

scp

Specifies SCP.

server

IP address of the network server. Enter the IP address in dotted-decimal notation (for example, enter 192.168.10.2).

full-file-name

Complete name of the file. If you do not specify a path, the server searches for the file in your home directory.

login

(Optional) Server login name. The login argument is optional when you define an FTP server. When you do not enter a login name, the FTP server assumes an anonymous login and does not prompt you for a password.

password

(Optional) Password for the remote FTP server. If you do not enter the password, the Guard module prompts you for one.

file-server-name

Name of a network server. You must configure the network server using the file-server command (see the "Configuring File Servers" section).

source-file-name

Name of the file to import. The Guard module appends the name of the file to the path that you defined for the network server by using the file-server command (see the "Configuring File Servers" section).



Note If you configured the network server using SFTP or SCP, you must configure the SSH key that the Guard module uses for SFTP and SCP communication. If you do not configure the key that the Guard module uses before you enter the copy command with the sftp or scp option, the Guard module prompts you for the password. See the "Configuring the Keys for SFTP and SCP Connections" section on page 4-23 for more information.


The following example shows how to import the Guard module configuration file from an FTP server:

user@GUARD# copy ftp running-config 10.0.0.191 /root/backup/conf/scannet-conf <user> <password>

The following example shows how to import the Guard module configuration file from a network server:

user@GUARD# copy CorpFTP running-config scannet-conf

When you import a configuration that was exported from an older version, the Guard module displays the following message:

WARNING: The configuration file includes a self-protection definition that is incompatible 
with the current version and will be ignored. 
Continue? [yes|no]

Enter one of the following options:

yes—Ignores the old self-protection configuration. The Guard module performs as follows:

Ignores the old self-protection configuration and does not import it

Imports all other configurations, such as the zone, interface, and services configuration

no—Enables you to import the old self-protection configuration. The Guard module displays the following message:

You can abort the import process or import the old self-protection definition as-is. 
WARNING: The self-protection definitions are incompatible with the current version.
Abort? [yes|no]


Caution We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current software version.

To import the older self-protection configuration, enter no.

To abort the import process, enter yes.

Exporting Files Automatically

You can configure the Guard module to export the following files to a network server automatically:

Packet-dump capture files—The Guard module exports the packet-dump capture files when the capture buffer size reaches 50 MB or after 10 minutes have elapsed. See the "Exporting Packet-Dump Capture Files Automatically" section on page 13-15 for more information.

Attack reports—The Guard module exports the reports of any one of the zones when an attack on the zone ends. See the "Exporting Attack Reports Automatically" section on page 12-12 for more information.

The Guard module exports the packet-dump capture files and the attack reports in Extensible Markup Language (XML) format. The software version is accompanied by xsd files that describe the XML schema. You can download the xsd files from www.cisco.com.

To export files automatically to a network server, perform the following steps:


Step 1 Define the network server to which you can export files.

See the "Configuring File Servers" section for more information.

Step 2 Configure the Guard module to export files automatically by entering the following command:

export {packet-dump | reports} file-server-name

Table 14-4 provides the arguments and keywords for the export command.

Table 14-4 Arguments and Keywords for the export Command 

Parameter
Description

packet-dump

Exports packet-dump capture files each time that the contents of the packet-dump buffer are saved to a local file. The Guard module exports the packet-dump capture files in PCAP format, which is compressed and encoded by the gzip (GNU zip) program, with an accompanying file in XML that describes the recorded data. See the Capture.xsd file that accompanies the version for a description of the XML schema. See the "Monitoring Network Traffic and Extracting Attack Signatures" section on page 13-11 for more information about packet-dump capture files.

reports

Exports attack reports in XML format at the end of an attack. The Guard module exports the reports of any one of the zones when an attack on the zone ends. See the ExportedReports.xsd file that accompanies the version for a description of the XML schema. See the "Exporting Attack Reports" section on page 12-11 for more information.

file-server-name

Name of the network server on which you can save files. You must configure the network server using the file-server command (see the "Configuring File Servers" section).



The following example shows how to define an FTP server with the IP address 10.0.0.191 and then to configure the Guard module to automatically export reports (in XML) at the end of an attack to that server:

user@GUARD-conf# file-server CorpFTP-Server "Corp's primary FTP server" ftp 10.0.0.191 /root/ConfigFiles <user> <password>
user@GUARD-conf# export reports CorpFTP-Server

To disable the automatic export of files to a network server, use the no form of the command.

Reloading the Guard Module

You can reload the Guard module configuration without rebooting the machine by using the reload command.

For the following changes to take effect, you must reload the Guard module:

Deactivating or activating a physical interface using the shutdown command

Burning a new flash

Rebooting the Guard Module and Inactivating Zones

By default, the Guard module loads all zones in an inactive operation state. The Guard module does not enable zone protection or the learning process after reboot, regardless of the zone operation state prior to the reboot.

To allow the Guard module to automatically activate zones that were active prior to the reboot process, enter the following command in configuration mode:

boot reactivate-zones


Caution The zone learning phase is restarted after reboot.

Upgrading the Guard Module Software

This section describes the following software components that the Guard module requires for its operation:

Cisco IOS release that supports the Supervisor Engine 2 or Supervisor Engine 720.

Guard module software (maintenance partition image and application partition image)

To upgrade the Guard module software, you must log on to the supervisor engine.

This section contains the following topics:

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS Software

Guard Module Software

Upgrading Operation Notes

Upgrading the AP Image

Upgrading the MP Image

Upgrading the AP and MP Images Inline

Burning a New Flash Version to Upgrade the CFE

Supervisor Engine 2 or Supervisor Engine 720 Cisco IOS Software

The Cisco IOS software image resides on the Supervisor Engine 2 or the Supervisor Engine 720 of the Catalyst 6500 series switch or the Cisco 7600 series router. The image on the supervisor engine recognizes and initializes the Guard module and its processor. You must use a Cisco IOS software release that supports the Guard module.

Guard Module Software

The Guard module software resides on a compact flash (CF) card that is integrated with the processor control complex. The compact flash is divided into the following partitions, each with its own Guard module software image:

Maintenance Partition (MP)—Contains the Guard module maintenance software image required for base module initialization and daughter card control functions. The supervisor engine identifies the MP as cf:1.

Application Partition (AP)—Contains the Guard module application software image. The supervisor engine identifies the AP as cf:4.

You can upgrade one or both of the software images through the supervisor engine console. The upgrade process involves downloading the latest versions of the AP and MP images from the Cisco Software Center to a File Transfer Protocol (FTP) or a Trivial File Transfer Protocol (TFTP) server and installing them on the compact flash card.


Note If you are upgrading the Guard module software to increase the bandwidth performance from 1 Gbps to 3 Gbps, see the "Upgrading the Bandwidth Performance from 1 Gbps to 3 Gbps" section.


The following upgrade procedures are available for the Guard module:

AP image upgrade procedure—Upgrades an AP image using the supervisor engine CLI. See the "Upgrading the AP Image" section.

MP image upgrade procedure—Upgrades the MP image using the supervisor engine CLI. The MP image rarely requires upgrading. Use this procedure only when instructed to do so in the release note that corresponds with the software release. See the "Upgrading the MP Image" section.

Inline image upgrade procedure—Upgrades the AP or MP image using the Guard module CLI. See the "Upgrading the AP and MP Images Inline" section.

Common Firmware Environment (CFE)—Upgrades the CFE on the Guard module. The CFE rarely requires upgrading because the process of installing a new AP or MP image also upgrades the CFE. You need to upgrade the CFE only when the Guard module displays an error message that indicates a mismatch between the current CFE and the new MP or AP image. See the "Burning a New Flash Version to Upgrade the CFE" section.

Upgrading Operation Notes

Follow these guidelines when upgrading the AP and MP software images and CFE:

To upgrade the AP and MP versions, log into the supervisor engine.

To upgrade the CFE, log into the Guard module.

If you need to upgrade both the AP and MP images, upgrade the MP image first.

Use the hw-module module slot_number reset cf:1 command to switch the Guard module to the MP operating mode. The main purpose for operating in the MP mode is to upgrade the AP image.

Use the hw-module module slot_number reset cf:4 command to switch the Guard module to the AP operating mode, which is the normal operating mode.

The show module command displays the software version of the partition image that you are running. If the Guard module is running in the AP operating mode, the show module command displays the AP image version. A sample format of the AP image version is 5.1(0.12). If the Guard module is running in the MP operating mode, it displays the MP image version. A sample format of the MP image version is 5.1(0.0)m.

The MP image filename uses the c6svc-mp.5-0-3.bin format.

The AP image filename uses the c6svc-agm-k9.5-0-3.bin format.

The MP uses the same network settings as the Guard module. You must configure the network settings before you can upgrade the Guard module images. See Chapter 2, "Configuring the Guard Module on the Supervisor Engine" and Chapter 3, "Initializing the Guard Module" for more information.

When you upgrade the AP image, the Guard module updates the self-protection configuration with a new configuration. We recommend that you do not overwrite the self-protection configuration with an older configuration because the older configuration may not be compatible with the current version.


Note We recommend that you globally configure the logging console command on the supervisor engine to display the output details of the upgrade procedure. If you are connected from a Telnet session and not from the console, use the terminal monitor command to display console messages.


Upgrading the AP Image

To upgrade the AP image, perform the following steps:


Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section on page 12-12 and the "Exporting Zone Reports" section on page 12-13 for more information.

Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section on page 13-9 for more information.

Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section on page 13-16 for more information.

Step 3 Obtain the latest available application image by locating it on www.cisco.com.

Copy the software image to a directory accessible to FTP or TFTP.

Step 4 Reset the Guard module and load the MP image (this operation takes approximately 3 minutes). Skip this step if you are already running the MP image.

Enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 5 Verify that the MP has booted and that the Guard module status is OK. Enter the following command:

show module slot_number

Step 6 Install the AP image on the compact flash. This operation can take up to 30 minutes depending on the connection speed. Enter the following command:

copy ftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and the name of the image file. If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

You can also download the version from a TFTP server.


Caution Do not reset the module until the Guard module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

Step 7 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 8 Verify that the AP image that you copied displays in the output of the show module command by entering the following command:

show module slot_number



Note A new version may require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image: "Bad CFE version (X). This version requires version Y."

See the "Burning a New Flash Version to Upgrade the CFE" section for more information.


The following example shows how to upgrade the AP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/ap/agm-APUpgrade-4.0.0.x.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/agm-APUpgrade-4.0.0.x.bin]? 
Destination filename [agm-APUpgrade-4.0.0.x.bin]? 
.
.
.
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has started>
19:50:06: %SVCLC-SP-5-STRRECVD: mod 8: <Do not reset the module till upgrade completes!!>

......<<< Wait

19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <Application upgrade has succeeded>
19:59:58: %SVCLC-SP-5-STRRECVD: mod 8: <You can now reset the module>

Sup# hw-module module 8 reset cf:4 <<<<< Resets Guard module to AP
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online

Upgrading the MP Image

The MP image rarely requires upgrading. If you are instructed to update the MP software in the release note that corresponds with the software release, perform the following steps:


Step 1 Obtain the latest software release by locating the software image on www.cisco.com. Copy the software image to a directory that is accessible to FTP or TFTP.

Step 2 Reset the Guard module and load the MP image (this operation takes approximately 3 minutes) by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

Disregard this step if you are running the MP image already.

The slot_number argument is the number of the slot in which the module is inserted in the chassis.

Step 3 Verify that the MP has booted and that the Guard module status is OK by entering the following command:

show module slot_number

Step 4 Copy the MP image to the compact flash by entering the following command on the supervisor engine:

copy ftp://path/filename pclc#slot_number-fs:

The path/filename argument specifies the FTP location and name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

It can take up to 30 minutes to download an application image depending on the connection speed.


Caution Do not reset the module until the Guard module displays the following message on the console: "You can now reset the module." Resetting the module before this message displays will cause the upgrade to fail.

You can also download the version from a TFTP server.

See the "Using MP Commands" section for more information about the MP commands.

Step 5 Verify that the MP image that you copied is displayed in the output of the show module command by entering the following command:

show module slot_number

Step 6 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4


The following example shows how to upgrade the MP image:

Sup# hw-module module 8 reset cf:1
Device BOOT variable for reset = <cf:1>
Warning:Device list is not verified. <<< This message is informational

Proceed with reload of module? [confirm]

% reset issued for module 8
Sup# copy tftp:images/mp/MPUpgrade-4.0.0.0.bin pclc#8-fs:
Address or name of remote host [10.56.36.2]?          
Source filename [images/ap/MPUpgrade-4.0.0.0.bin]? 
Destination filename [MPUpgrade-4.0.0.0.bin]? 
.
.
.
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<Upgrade of MP was successful.>
3d19h:%SVCLC-SP-5-STRRECVD:mod 8:<You can now reset the module>
Sup# show module 8
.
The following output shows the MP image name because the Guard module has been reset to the MP (cf:1)
. 
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
8	000f.348d.d7f0 to 000f.348d.d7f7	0.301	7.2(1)	4.0(0.0)m	Other 
...
Sup# hw-module module 8 reset cf:4 <<< Resets Guard module to AP (normal operation)
Device BOOT variable for reset = <cf:4>
Proceed with reload of module? [confirm]
...
%OIR-SP-6-INSCARD:Card inserted in slot 8, interfaces are now online
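The following Python script is an added example, not part of the Cisco guide, that applies the "Upgrading Operation Notes" and the AP and MP upgrade procedures as a pre-flight check: it reads the Sw column of show module output (the sample row is constructed, modelled on the transcript above) to tell whether the module is running the MP or the AP image, classifies image filenames by the c6svc-mp and c6svc-agm-k9 naming, enforces the MP-before-AP order, and builds the copy command for pclc#slot-fs:. The FTP host, remote path and user in the sample call are constructed values.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of supervisor-engine "show module" output, modelled on the
# MP upgrade transcript (tab-separated columns Mod, MAC addresses, Hw, Fw, Sw,
# Status). The Sw field 4.0(0.0)m means the module is running the MP image.
SAMPLE_SHOW_MODULE = (
    "Mod\tMAC addresses\tHw\tFw\tSw\tStatus\n"
    "---\t--------------------------------\t----- ------- ----------- -------\n"
    "8\t000f.348d.d7f0 to 000f.348d.d7f7\t0.301\t7.2(1)\t4.0(0.0)m\tOther\n"
)

# Version as printed by "show module": 5.1(0.12) for an AP image, 5.1(0.0)m for
# an MP image (the trailing "m" marks the maintenance partition).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)(m?)$")

# Image filenames: c6svc-mp.5-0-3.bin is an MP image, c6svc-agm-k9.5-0-3.bin an AP image.
IMAGE_RE = re.compile(r"^c6svc-(mp|agm-k9)\.(\d+)-(\d+)-(\d+)\.bin$")


@dataclass(frozen=True)
class ModuleState:
    slot: int
    partition: str                      # "AP" or "MP"
    version: Tuple[int, int, int, int]  # digits of the Sw field, in print order
    status: str


def parse_version(sw: str) -> Tuple[str, Tuple[int, int, int, int]]:
    """Split a show module Sw field into (partition, version tuple)."""
    m = VERSION_RE.match(sw.strip())
    if not m:
        raise ValueError(f"unrecognised Sw field: {sw!r}")
    major, minor, build, patch, flag = m.groups()
    partition = "MP" if flag == "m" else "AP"
    return partition, (int(major), int(minor), int(build), int(patch))


def parse_show_module(text: str, slot: int) -> ModuleState:
    """Find the row for `slot` and report which image the module is running."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        # Skip the header and separator rows; the Mod column is numeric.
        if len(cols) < 6 or not cols[0].isdigit() or int(cols[0]) != slot:
            continue
        partition, version = parse_version(cols[4])
        return ModuleState(slot, partition, version, cols[5])
    raise LookupError(f"module {slot} not present in show module output")


def image_partition(filename: str) -> str:
    """Return "MP" or "AP" from the image filename, rejecting anything else."""
    m = IMAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Guard module image filename: {filename!r}")
    return "MP" if m.group(1) == "mp" else "AP"


def preflight(state: ModuleState, image_filenames: List[str]) -> List[str]:
    """Check the operation notes before any image is copied.

    Returns the list of problems found; an empty list means the copy may proceed.
    """
    problems = []
    # Images are installed while the module runs the MP image (reset cf:1).
    if state.partition != "MP":
        problems.append(
            f"module {state.slot} is running the AP image; enter "
            f"'hw-module module {state.slot} reset cf:1' before copying"
        )
    kinds = [image_partition(n) for n in image_filenames]
    # When both images are upgraded, the MP image goes first.
    if "MP" in kinds and "AP" in kinds and kinds.index("AP") < kinds.index("MP"):
        problems.append("both images requested: upgrade the MP image before the AP image")
    return problems


def copy_command(state: ModuleState, ftp_host: str, remote_path: str,
                 filename: str, user: str = "") -> str:
    """Build the supervisor-engine copy command that installs `filename` on the
    module's compact flash. With a user, the ftp://user@host/path form is used
    and the password is entered at the prompt; without one, anonymous FTP."""
    authority = f"{user}@{ftp_host}" if user else ftp_host
    path = remote_path.strip("/")
    return f"copy ftp://{authority}/{path}/{filename} pclc#{state.slot}-fs:"


if __name__ == "__main__":
    state = parse_show_module(SAMPLE_SHOW_MODULE, 8)
    print(state)
    print(preflight(state, ["c6svc-agm-k9.5-0-3.bin"]))
    print(copy_command(state, "10.0.0.191", "/images/ap", "c6svc-agm-k9.5-0-3.bin", "user"))
```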

Upgrading the AP and MP Images Inline

The inline image upgrade procedure provides an alternative method to upgrading the AP and MP images. When performing the inline image upgrade, you execute the upgrade from the Guard module rather than from the supervisor engine.

To upgrade the software image, perform the following steps:


Step 1 Back up the Guard module configuration before initiating the upgrade process by using the copy running-config command. Backing up enables you to save your existing configuration so that you can quickly restore the configuration to the current state if needed. See the "Exporting the Configuration" section for more information.

Step 2 Export files that you want to save. You can export the following files:

Export attack reports that you want to save by using the copy reports command or the copy zone zone-name reports command. See the "Exporting Attack Reports of All Zones" section on page 12-12 and the "Exporting Zone Reports" section on page 12-13 for more information.

Export logs that you want to save by using the copy log command. See the "Exporting the Log File" section on page 13-9 for more information.

Export the packet-dump capture files that you want to save by using the copy zone zone-name packet-dump captures command. See the "Exporting Packet-Dump Capture Files Manually" section on page 13-16 for more information.

Step 3 Obtain the latest available software image by locating the image on www.cisco.com. Copy the software image to a directory accessible to FTP.

Step 4 Log in to the supervisor engine through the console port or through a Telnet session.

Step 5 If the Guard module is operating in the maintenance image, proceed to Step 7. If the Guard module is not running in the maintenance image, enter the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 6 After the Guard module is back online, establish a console session with the Guard module and log into the root account. The default password for the root account is cisco. To establish the console session, enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

The slot_number argument is the number of the slot in which the Guard module is inserted in the chassis (1 to 13, depending on the model of your switch or router). The processor_number argument is the number of the Guard module processor. The Guard module supports management through processor 1 only.

Step 7 Upgrade the software image by entering the following command:

upgrade ftp://path/filename 

The path/filename argument specifies the FTP location and the name of the image file.

If the FTP server does not allow anonymous users, use the following syntax for the ftp-url value: ftp://user@host/absolute-path/filename. Enter your password when prompted.

To upgrade the AP software image, enter the AP software image filename. To upgrade the MP software image, enter the MP software image filename. See the "Upgrading Operation Notes" section for more information.


Caution Do not reset the module until the Guard module displays the following message on the console: "Application image upgrade complete. You can boot the image now." Resetting the module before this message displays will cause the upgrade to fail.

Step 8 Log out of the Guard module by entering the exit command after the upgrade is completed.

Step 9 Reset the Guard module to the AP software image by entering the following command:

hw-module module slot_number reset cf:4


Note Upgrading to a new software release might require updating the common firmware environment (CFE). See the release note that corresponds with each software release for more information. If there is a CFE mismatch, the Guard module displays the following message when you establish the first session to the Guard module after upgrading the AP image: "Bad CFE version (X). This version requires version Y." See the "Burning a New Flash Version to Upgrade the CFE" section for more information.


Step 10 When the Guard module has rebooted, verify the software version by entering the show version command.


The following example shows how to upgrade the Guard module application software:

Sup# hw-module module 8 reset cf:1
.
.
.
Proceed with reload of module? [confirm]
% reset issued for module 8
.
.
.
Sup# session slot 8 proc 1
.
.
.
login:root
Password: 
.
.
.
root@localhost.cisco.com# upgrade ftp://psdlab-pc1/pub/images/ap/agm-APUpgrade-4.0.0.x.bin

Downloading the image. This may take several minutes...
.
.
.
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]: y

Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
.
.
.
Application image upgrade complete. You can boot the image now.
root@localhost.cisco.com# exit
logout
                                                           [  OK  ]
[Connection to 127.0.0.81 closed by foreign host]
Sup# hw-module module 8 reset cf:4
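The two console messages that the procedure keys on (the completion line in the Caution after Step 7 and the CFE-mismatch banner in the Note after Step 9) are what an operator harness must watch for when the inline upgrade is scripted. The following Python is an added example and is not code from the Cisco guide: it assumes a harness (not shown) that captures the console text of the upgrade session and of the first Guard session after the reset, and the sample transcripts in it are constructed, including the CFE version numbers.

```python
"""Console-message gating for a scripted inline AP/MP image upgrade of the
Guard module.  Added example, not code from the Cisco guide.  Assumes an
operator harness (not shown) that captures console text; the two message
strings are taken verbatim from the guide, the sample transcripts below are
constructed."""
import re
from typing import Optional, Tuple

# Printed by the Guard when the image has been written.  Resetting the module
# before this line appears makes the upgrade fail.
UPGRADE_COMPLETE = "Application image upgrade complete. You can boot the image now."

# Printed on the first session after the AP upgrade when the common firmware
# environment (CFE) is older than the new image requires.
CFE_MISMATCH = re.compile(
    r"Bad CFE version \((?P<have>[^)]*)\)\. This version requires version "
    r"(?P<need>\S+?)\.?(?:\s|$)"
)


def safe_to_reset(upgrade_console: str) -> bool:
    """True only once the completion message has been seen on the console."""
    return UPGRADE_COMPLETE in upgrade_console


def cfe_mismatch(first_session: str) -> Optional[Tuple[str, str]]:
    """Return (installed CFE, required CFE) if the mismatch banner is present."""
    m = CFE_MISMATCH.search(first_session)
    return (m.group("have"), m.group("need")) if m else None


def next_step(upgrade_console: str, first_session: Optional[str] = None) -> str:
    """Decide the next command in the procedure.

    upgrade_console: text seen while the MP 'upgrade ftp://...' command runs.
    first_session:   text of the first Guard session after 'reset cf:4', or
                     None if the module has not been reset yet.
    """
    if not safe_to_reset(upgrade_console):
        return "wait: do not reset the module"
    if first_session is None:
        return "hw-module module <slot> reset cf:4"
    mismatch = cfe_mismatch(first_session)
    if mismatch:
        have, need = mismatch
        return f"flash-burn then reload (CFE {have} installed, {need} required)"
    return "show version"


# Constructed sample transcripts (not captured from a real module); the CFE
# version numbers are made up for the example.
SAMPLE_UPGRADE_CONSOLE = """Downloading the image. This may take several minutes...
Upgrading will wipe out the contents on the storage media.
Do you want to proceed installing it [y|N]: y
Proceeding with upgrade. Please do not interrupt.
If the upgrade is interrupted or fails, boot into
Maintenance image again and restart upgrade.
Application image upgrade complete. You can boot the image now.
"""
SAMPLE_FIRST_SESSION = "Bad CFE version (1.1). This version requires version 1.2.\n"

if __name__ == "__main__":
    partial = SAMPLE_UPGRADE_CONSOLE.split("Application image")[0]
    print(next_step(partial))                                    # wait: do not reset the module
    print(next_step(SAMPLE_UPGRADE_CONSOLE))                     # hw-module module <slot> reset cf:4
    print(next_step(SAMPLE_UPGRADE_CONSOLE, SAMPLE_FIRST_SESSION))  # flash-burn then reload (...)
    print(next_step(SAMPLE_UPGRADE_CONSOLE, "login: "))          # show version
```

The point of the gating is that the reset is never issued until the completion message has been seen, and that the post-reset check routes to flash-burn only when the banner actually reports a mismatch (burning the flash when the versions already match fails, as the next section notes).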

Burning a New Flash Version to Upgrade the CFE

You can burn a new flash version only when there is a mismatch between the current CFE and the software release. A mismatch condition can occur when you update the Guard module AP or MP software.

When the Guard module detects a CFE mismatch, it displays the following message when you establish the first session with the Guard module after upgrading the software release (X denotes the old flash version and Y denotes the new flash version): "Bad CFE version (X). This version requires version Y."


Note If you try to burn a new flash version when the CFE and the Guard module software versions match, the operation fails.



Caution You must be sure that there is a stable power supply to the Guard module and avoid performing any Guard module operations while you burn a new flash version. If you fail to adhere to these restrictions, the upgrade may fail and cause the Guard module to become inaccessible.

To burn a new flash version, perform the following steps:


Step 1 Enter the following command in configuration mode:

flash-burn

Step 2 Reload the Guard module by entering the following command:

reload

You must enter the reload command after burning a new flash version. The Guard module is not fully functional until you enter the reload command.


The following example shows how to burn a new flash version:

user@GUARD-conf# flash-burn 
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS! 
. . .
Burned firmware successfully 
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system 

Upgrading the Bandwidth Performance from 1 Gbps to 3 Gbps

If your Guard module currently operates with a maximum bandwidth of 1 Gbps, you can upgrade the bandwidth performance to 3 Gbps by installing the XG version of the software image and the corresponding software license key. The XG software image activates all three interface ports between the Guard module and the supervisor engine for data traffic and in-band management traffic; the 1-Gbps software image uses only one interface port for data traffic. The software license key activates the installed XG software image. For more information, see the "Understanding the 1-Gbps and 3-Gbps Bandwidth Options" section on page 1-7.

When you install the XG software image, the Guard module is not operational until you install the corresponding software license and make the necessary configuration modifications that are required for the 3-Gbps operation. The configuration changes include the following items:

Interface configurations—Configure the new interfaces on the supervisor engine and on the Guard module with IP addresses and VLANs.

Proxies—Configure the new interfaces on the Guard module with proxies.

SSL Certificates—Generate new SSL certificates on the Guard module and any associated Detectors.

Installing the XG software image and license does not affect the following Guard module items:

Zone configurations—Existing zone configuration information is untouched.

Management access—Configuration parameters that you had configured on eth1 for the 1-Gbps operation are automatically assigned to giga1 for the 3-Gbps operation.

This section contains the following topics:

Obtaining and Installing the XG Software Image for 3-Gbps Operation

Obtaining and Installing the XG Software Image License Key

Updating Existing Port and Interface Configurations for 3-Gbps Operation

Configuring Proxies On the Interfaces for 3-Gbps Operation

Regenerating the SSL Certificates for the 3-Gbps Operation

Obtaining and Installing the XG Software Image for 3-Gbps Operation

To obtain a copy of the XG software image and install the software on the Guard module, see the "Upgrading the AP Image" section.

To verify that the XG software image is loaded, use the show version command. With the XG software image loaded, the software version number carries an -XG suffix (for example, 6.0(0.39)-XG).

Obtaining and Installing the XG Software Image License Key

The license key that is required to activate the XG software image is tied to the Media Access Control (MAC) address of the Guard module where the XG software image resides. This section describes the process that you use to order the XG software license key.


Note You must have the XG version of the 6.0 operating software (or newer) loaded on your Guard module before ordering and installing the corresponding license. To verify the version of software currently loaded on your Guard module, use the show version command. When the XG software image is loaded, the software version number has a -XG suffix (for example, version 6.0(0.39)-XG).


To obtain and install the 3-Gbps license, perform the following steps:


Step 1 From the Guard module, enter the show license-key unique-identifier command (this command requires the admin privilege level) to view the Guard module MAC address.

Step 2 Record the MAC address information because you will need this information when placing your order for the 3-Gbps operation license.

Step 3 Order the lic-agm-3g-k9 license using any of the available Cisco ordering tools on cisco.com.

Step 4 When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct you to the following Cisco.com website: http://www.cisco.com/go/license

Step 5 Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as your proof of purchase.

Step 6 Provide all of the requested information to generate a license key.

Once the system generates the license key, you will receive a license key e-mail with an attached license file and installation instructions. Save the license key e-mail in a safe place in case you need it in the future.

Step 7 Open the license key file using a text editor and copy its contents into your desktop computer's clipboard.

Step 8 From the Guard module, enter the license-key add command in configuration mode. The CLI prompts you to enter the key lines.

Step 9 Paste the contents of your desktop computer's clipboard (containing the license key) and press the Enter key.

Step 10 Enter an empty line and press Enter. If the Guard module contains a previously installed license, a confirmation message displays that asks if you want to install the new license.

Step 11 Type y (yes). The XG software image is now active and ready for 3-Gbps operation.

Step 12 (Optional) Enter the show license-key command to verify that the key loaded properly and is valid.


Updating Existing Port and Interface Configurations for 3-Gbps Operation

Installing and activating the XG software image allows data traffic between the supervisor engine and the Guard module to travel over three interface ports rather than one. If the supervisor engine and the Guard module already had interface configurations for the single port before you activated 3-Gbps operation, update the interface configurations on both devices to include the two additional interfaces. Configure the three interface ports by performing the following tasks:

From the supervisor engine, assign VLANs to the Guard module by using the anomaly-guard module command. When assigning a data traffic VLAN to the Guard module, you must assign the VLAN to all three supervisor engine ports. For more information, see the "Configuring VLANs for Management and Data Traffic" section on page 2-2.

From the Guard module, perform the following tasks:

Configure all three physical interfaces with IP addresses by using the interface command in the configuration mode and then the ip address command in the interface configuration mode. The IP addresses must be unique for each interface and they must all belong to the same subnet. Activate the interface by using the no shutdown command in the interface configuration mode. For more information, see the "Configuring a Physical Interface" section on page 3-8.

Define each data traffic VLAN on all three interfaces by using the interface command in the configuration mode and then the ip address command in the interface configuration mode. Activate the interface by using the no shutdown command in the interface configuration mode. For more information, see the "Configuring a VLAN on the Guard Module Interfaces" section on page 3-9.

Configuring Proxies On the Interfaces for 3-Gbps Operation

Configure each Guard module interface with at least one anti-spoofing proxy IP address by using the proxy command in configuration mode. For more information, see the "Configuring the Proxy IP Address" section on page 3-12.


Note After configuring the three interface ports and defining proxies on each of the interfaces, verify that you have the three interfaces properly configured for traffic diversion by entering the validate network-config command in either the global mode or the configuration mode (see the "Validating the Guard Module Network Configuration" section on page 5-20).
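Before typing the configuration into the supervisor engine and the Guard module, the requirements stated in the two preceding sections can be checked offline against a written plan. The following Python is an added example and is not code from the Cisco guide: it assumes the three ports are named giga1 (named in this chapter), giga2 and giga3 (assumed names for the other two ports), and its sample plans use constructed addresses from the documentation address ranges. It checks only the rules stated above and does not replace the validate network-config command on the module.

```python
"""Offline check of a planned 3-Gbps (XG) interface configuration for the
Guard module.  Added example, not code from the Cisco guide.  Port names:
giga1 is named in the guide; giga2 and giga3 are assumed names for the other
two ports.  Rules checked are the guide's: each port has its own IP address,
all three addresses are in one subnet, every data VLAN is defined on all three
ports, and every port has at least one anti-spoofing proxy address.  The plans
at the bottom are constructed samples."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set

PORTS = ("giga1", "giga2", "giga3")   # giga2 and giga3 are an assumption


@dataclass
class PortPlan:
    address: str                                      # "a.b.c.d/prefix"
    vlans: Set[int] = field(default_factory=set)      # data VLANs on this port
    proxies: List[str] = field(default_factory=list)  # proxy IP addresses


def validate_plan(plan: Dict[str, PortPlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []

    missing = [p for p in PORTS if p not in plan]
    if missing:
        problems.append("not configured: " + ", ".join(missing))

    ifaces = {name: ipaddress.ip_interface(p.address) for name, p in plan.items()}

    # Each port needs its own address.
    owner = {}
    for name, itf in ifaces.items():
        if itf.ip in owner:
            problems.append(f"{name} reuses the address of {owner[itf.ip]}")
        else:
            owner[itf.ip] = name

    # All three addresses must belong to the same subnet.
    subnets = {str(itf.network) for itf in ifaces.values()}
    if len(subnets) > 1:
        problems.append("ports are not in one subnet: " + ", ".join(sorted(subnets)))

    # Every data VLAN must be defined on all three ports.
    all_vlans = set().union(*(p.vlans for p in plan.values()))
    for vlan in sorted(all_vlans):
        absent = [n for n in PORTS if n in plan and vlan not in plan[n].vlans]
        if absent:
            problems.append(f"VLAN {vlan} is missing on " + ", ".join(absent))

    # Every port needs at least one proxy address, and each must be a valid IP.
    for name in PORTS:
        if name not in plan:
            continue
        if not plan[name].proxies:
            problems.append(f"{name} has no proxy address")
        for proxy in plan[name].proxies:
            try:
                ipaddress.ip_address(proxy)
            except ValueError:
                problems.append(f"{name}: invalid proxy address {proxy!r}")
    return problems


# Constructed sample plans using documentation address ranges.
GOOD_PLAN = {
    "giga1": PortPlan("192.0.2.1/24", {100, 200}, ["192.0.2.11"]),
    "giga2": PortPlan("192.0.2.2/24", {100, 200}, ["192.0.2.12"]),
    "giga3": PortPlan("192.0.2.3/24", {100, 200}, ["192.0.2.13"]),
}
BAD_PLAN = {
    "giga1": PortPlan("192.0.2.1/24", {100, 200}, ["192.0.2.11"]),
    "giga2": PortPlan("192.0.2.1/24", {100}, []),          # duplicate address, VLAN 200 missing, no proxy
    "giga3": PortPlan("198.51.100.3/24", {100, 200}, ["198.51.100.13"]),  # other subnet
}

if __name__ == "__main__":
    print("good plan:", validate_plan(GOOD_PLAN) or "ok")
    for problem in validate_plan(BAD_PLAN):
        print("bad plan:", problem)
```

Running the script reports nothing for the good plan and four findings for the bad one (a reused address, two subnets, a VLAN absent from one port, and a port with no proxy), which are exactly the conditions the validate network-config command would otherwise surface only after the configuration is already on the module.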


Regenerating the SSL Certificates for the 3-Gbps Operation

The Guard module uses a Secure Sockets Layer (SSL) certificate to establish a secure communication channel with its associated Detectors. Upgrading from the 1-Gbps software image to the 3-Gbps software image deletes any existing SSL certificate from the Guard module. After installing the 3-Gbps software image and license, you must regenerate the SSL certificates that the Guard module and its associated Detectors use to establish the secure communication channel between them. On each associated Detector, you must delete the existing SSL certificate before you can generate a new one.

For more information, see the "Configuring the SSL Communication Channel Parameters" section on page 4-17.

Using MP Commands

You can boot the Guard module to the MP to access the set of interfaces available on the MP to administer and diagnose the Guard module. One of the key features of the MP is to provide the ability to install a new AP image.

To boot to the MP, perform the following steps:


Step 1 Reset the Guard module to the MP by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Guard module is back online, establish a session with the Guard module and log in to the MP using the MP root user account (username: root, password (default): cisco).


Table 14-5 summarizes the MP commands.

Table 14-5 MP Commands 

Command
Description

clear ap password

Clears the following information that you have defined on the Guard module:

All user passwords

The TACACS+ login authentication method (reset to local)


Note This command does not reset the MP root user account.


clear ap config

Returns the Guard module to its default configuration. This command deletes all Guard module configuration, logs, reports, and license key (if installed).

ip address [ip address] [subnet]

Configures the IP address that the Guard module uses to access the external network.

ip gateway [default-gateway]

Specifies the default gateway for the network.

passwd

Changes the password for the current user.

passwd-guest

Changes the password for the guest account.

ping {host-name | ip address}

Pings a specified host on the network and verifies that the network parameters are configured correctly.

show images

Displays the images stored in the application partition.

show ip

Displays the network parameters of the Guard module.

upgrade ftp-url

Upgrades the image, where ftp-url is the URL of the FTP server that holds the image and the path to the image. The URL format is ftp://user:password@server-name/path. You can specify the name of the FTP server or its IP address.

A password embedded in the URL is echoed on the console and preserved in any session capture. If the server requires authentication, you can instead use ftp://user@server-name/path and enter the password when prompted, as described in the "Upgrading the AP and MP Images Inline" section.


Recovering from a Lost Password Condition

You can reset the forgotten password of the Guard module default admin user account using one of the following methods:

Using a user account with administrative privileges—Enables you to use the Guard module CLI to configure the default admin user account with a new password without affecting the other user accounts. For more information, see the "Changing the Passwords of Other Users" section on page 4-7.

Reviewing the TACACS server configuration—Enables you to determine the current password associated with the default admin user account. This method requires that the Guard module already be configured to perform login authentication on a TACACS server.

Using the Linux tac-cli user account—Enables you to use Linux to configure the Guard module default admin user account with a new password without affecting the other user accounts. For more information, see the "Resetting the Default admin User Account Password" section.

Resetting all user account information—Deletes all configured user account information (usernames and associated passwords) and deletes the passwords associated with the following Guard module default user accounts: admin, riverhead, tac-cli, and root. After resetting the user account information, you access the Guard module as if you were accessing it for the first time and the CLI prompts you to configure the default user account passwords. For more information, see the "Resetting All User Account Information" section.

This section contains the following topics:

"Resetting the Default admin User Account Password"

"Resetting All User Account Information"

Resetting the Default admin User Account Password

You can reset the password of the Guard module default admin user account by using the Linux tac-cli user account.

To reset the Guard module default admin user account password, perform the following steps:


Step 1 Log in to the Guard module as the Linux tac-cli user.

Step 2 Switch to the admin username by using the su - admin command.

Step 3 Configure the password for the Guard module default admin user account by using one of the following commands:

username admin admin password—The password argument consists of 6 to 24 characters.

password admin—The CLI prompts you to enter a password and reenter it for verification as shown in the following example:

@PGuardR3#password admin
New Password: 
Retype New Password: 
finished successfully
Password was changed successfully

The password consists of 6 to 24 characters.

Step 4 Switch back to the tac-cli prompt by using the exit command.

Step 5 Log out of tac-cli using the exit command.

Step 6 Log in to the Guard module using the admin username and the new password.

Step 7 (Optional) If the login authentication method is configured for local authentication, configure the other Guard module user account names and passwords (see the "Adding a User" section on page 4-6).


Resetting All User Account Information

The procedure in this section shows how to reset the Guard module user account information when you forget the password to all Guard module administrative user accounts and the Linux tac-cli user account.


Caution The process of resetting the Guard module user account information deletes all configured user account information, including all usernames and associated passwords. After the user account information is reset, only the default user account names (admin, riverhead, tac-cli, and root) remain, requiring you to log on using the procedure in the "Establishing a Session with the Guard Module after the Initial Session" section on page 2-7 and assign new passwords to these four user accounts.


Caution Resetting the user account information requires rebooting the Guard module, which will interrupt network traffic processing. We recommend that you avoid using this procedure while the Guard module is in service.

You can reset all user account information using one of the following methods:

Using the MP root user account—Uses the root user account that is built into the MP. The default password for this root account is cisco. You must boot the Guard module to the MP to use this method. This method also resets the login authentication method to "local" to avoid a lockout condition due to an invalid TACACS login authentication configuration. Resetting the user account information using this method does not reset the MP root user account.

Using the AP root user account—Uses the root user account that is built into the AP. This user account is accessible from the supervisor engine only and is authenticated locally only, even if you have the Guard configured to use TACACS as the authentication method. To use this method, you must know the AP root user account password, which you configured when you first installed the Guard module and established the initial session. Resetting the user account information using this method does not reset the MP root user account.

Using the AP root user account to reset all user account information is useful if you are locked out due to an invalid TACACS login authentication configuration and cannot recover from it because you do not have access to the TACACS configuration. Because the AP root user account is always authenticated locally, you can bypass TACACS authentication.


Note The main advantage of clearing all configured user account information using the AP rather than the MP is reduced downtime. Using the MP requires two reboots of the Guard module whereas using the AP requires only one reboot.


This section contains the following topics:

Resetting the User Account Information Using the MP root User Account

Resetting the User Account Information Using the AP root User Account

Resetting the User Account Information Using the MP root User Account

To reset the Guard module user account information and change the login authentication method to "local" using the MP root user account, perform the following steps:


Step 1 Reset the Guard module to the MP by entering the following command on the supervisor engine:

hw-module module slot_number reset cf:1

The slot_number argument is the number of the slot in which the module is inserted into the chassis.

Step 2 After the Guard module is back online, establish a session with the Guard module, and log in to the root user account (username: root, password (default): cisco).

Step 3 Delete all user account information that is configured on the Guard module by entering the following command:

clear ap password

Step 4 Reset the Guard module to the AP by entering the following command:

hw-module module slot_number reset cf:4

Step 5 Access the Guard module using the procedure in the "Establishing a Session with the Guard Module after the Initial Session" section on page 2-7 and assign new passwords to the following default user accounts: admin, riverhead, tac-cli, and root.

Step 6 (Optional) Configure new user accounts for accessing the Guard module (see the "Adding a User" section on page 4-6).


Resetting the User Account Information Using the AP root User Account

To reset the Guard module user account information using the AP root user account, perform the following steps:


Step 1 Log on to the Guard module from the supervisor engine using the AP root username and password.

Step 2 Clear the user account information by entering the clear password command as follows:

root@GUARD#clear password
WARNING: this will reset all user passwords (reboot required), are you sure? [Y/N]: Y
Reboot is required after clear password. Please use the 'hw-module module [slot #] reset'
command via the Cisco Catalyst CLI to reboot the blade

Step 3 Press Y to approve the reset request.

Step 4 Use the exit command to log out of root as follows:

root@GUARD#exit
logout

[Connection to 127.0.0.31 closed by foreign host]

Step 5 Reboot the Guard module by entering the hw-module module slot_number reset cf:4 command on the supervisor engine.


Resetting the Guard Module Configuration to Factory Default Values

You can reset the Guard module to the factory-default values and configure it as a new Guard module by using the following command in configuration mode:

clear config all

Resetting the configuration to factory defaults is useful when you want to remove an undesirable configuration in the Guard module, if the configuration has become complex, or if you want to move the Guard module from one network to another network. You can also use the clear ap config MP command to reset the Guard module to the factory-default values (see the "Using MP Commands" section).


Caution Resetting the Guard module configuration deletes all configured user account information, including all usernames and associated passwords. After you reset the Guard module configuration, the default user account names (admin, riverhead, tac-cli, and root) are the only user account information that remain, requiring you to log on using the procedure in the "Establishing a Session with the Guard Module after the Initial Session" section on page 2-7.

You should back up the Guard module configuration by using the copy running-config command before you reset it to the factory-default settings. See the "Exporting the Configuration" section.


Caution Execute the clear config all command using either an out-of-band management interface connection (if available) or a connection through the supervisor. When the Guard module executes the clear config command, it clears the configuration and then performs a reboot after you confirm the reboot request. If you execute the clear config all command using an inline SSH connection, you are disconnected during the clear configuration process and the Guard module does not reboot. You must then connect to the supervisor engine and reboot the Guard module manually.

To reset the Guard module to the factory-default settings, perform the following steps using an out-of-band console connection:


Step 1 Enter the clear config all command from the configuration mode. The CLI displays a verification prompt that asks you to verify that you want to clear all of the configuration information.

Step 2 Enter yes. The CLI displays a prompt stating that a reboot is required and to press the Enter key.


Caution You must reboot the Guard module at this time (using the current session) or it will not operate correctly.

Step 3 Press the Enter key.

Step 4 Access the Guard module by following the procedure in the "Establishing a Session with the Guard Module after the Initial Session" section on page 2-7 and assign new passwords to the following default user accounts: admin, riverhead, tac-cli, and root.

Step 5 Reconfigure the Guard module.


The following example shows how to reset the Guard module to the factory-default settings using an out-of-band console connection:

user@GUARD-conf# clear config all
Are you sure you want to clear ALL configuration and logging information?
Type 'yes' to clear config, or any other key to cancel
yes
Reboot is required after clear config. Please press Enter to continue