Cisco Anomaly Guard Module Configuration Guide (Software Version 6.1 and 6.1-XG)
Configuring the Guard Module on the Supervisor Engine


This chapter describes how to configure the installed Cisco Anomaly Guard Module (Guard module) on the supervisor engine of a Catalyst 6500 series switch or a Cisco 7600 series router. You must configure the Guard module on the supervisor engine before you can establish a session with the Guard module to configure it.

To configure the Guard module on the supervisor engine, you must have EXEC privileges and must be in configuration mode.

To save all configuration changes to the Flash memory, use the write memory command in privileged EXEC mode.


Note Operational and configuration differences exist between a Guard module operating at 1 Gbps and a Guard module operating at 3 Gbps. This chapter discusses the differences between the 1-Gbps operation and the 3-Gbps operation. Unless stated, the information in this chapter applies to both modes of operation. For more information, see the "Understanding the 1-Gbps and 3-Gbps Bandwidth Options" section on page 1-7.


This chapter contains the following sections:

Verifying the Guard Module Installation

Configuring VLANs for Management and Data Traffic

Accessing the Guard Module for the First Time

Establishing a Session with the Guard Module after the Initial Session

Rebooting the Guard Module

Verifying the Guard Module Configuration

Configuring Multiple Guard Modules in a Single Switch or Router

Verifying the Guard Module Installation

Verify that the supervisor engine acknowledges the new Guard module and has brought it online.


Note For information on how to install the Guard module in the Catalyst 6500 series switch, see the Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note.


To verify the installation, perform the following steps:


Step 1 Log into the supervisor engine console.

Step 2 Verify that the Guard module is online. Enter the following command:

show module 

This example shows the output of the show module command:

Sup# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2(Active)     WS-X6K-SUP2-2GE    SAL081230TJ
... ...
  6     3 Anomaly Guard Module                   WS-SVC-agm-1-K9    SAD081000GG

Mod MAC addresses                       Hw    Fw       Sw          Status
--- ----------------------------------- ----- -------- ----------- -------
...
  6 000e.847f.fe04 to 000e.847f.fe0b    1.0   7.2(1)   6.0(0.10)   Ok
...
Sup#


Note When the Guard module is first installed, the status is usually "other." Once the Guard module completes the diagnostic routines and comes online, the status reads "OK." Allow at least 5 minutes for the Guard module to come online.
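The following Python script is an added example, not part of the guide and not a Cisco tool. It parses captured show module output, locates the slot whose Card Type names the Anomaly Guard module, and checks that the Status column reads Ok; the "other" status seen before the diagnostics finish is reported as a problem so that a post-installation check can be re-run after the 5-minute wait. The sample output embedded in the script is constructed for the example (the MAC addresses, serial numbers and software versions are made up), and the column regexes assume the whitespace-aligned layout shown in the guide.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of `show module` output modelled on the guide's example.
# Sample data only: MACs, serials and versions are invented for this example.
SAMPLE_SHOW_MODULE = """\
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAL000000AA
  6     3 Anomaly Guard Module                   WS-SVC-AGM-1-K9    SAD000000BB

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ----------------------------------- ----- ------------ ------------ -------
  1 0001.0002.0003 to 0001.0002.000a    3.2   7.1(1)       12.2(18)SXF  Ok
  6 000e.0000.0004 to 000e.0000.000b    1.0   7.2(1)       6.0(0.10)    other
"""

# Same capture after the Guard module has finished its diagnostics.
SAMPLE_SHOW_MODULE_OK = SAMPLE_SHOW_MODULE.replace(" other\n", " Ok\n")

# Row of the first table: slot, port count, card type, model, serial.
CARD_ROW_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(.*?)\s{2,}(\S+)\s+(\S+)\s*$")
# Row of the second table: slot, MAC range, then Hw/Fw/Sw and finally Status.
STATUS_ROW_RE = re.compile(
    r"^\s*(\d+)\s+[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4} to \S+\s+.*\s(\S+)\s*$"
)


def find_guard_slots(output: str) -> List[int]:
    """Return the slot numbers whose Card Type names the Anomaly Guard module."""
    slots: List[int] = []
    for line in output.splitlines():
        m = CARD_ROW_RE.match(line)
        if m and "anomaly guard" in m.group(2).lower():
            slots.append(int(m.group(1)))
    return slots


def guard_status(output: str, slot: int) -> Optional[str]:
    """Return the Status column for the given slot, or None if no status row exists."""
    for line in output.splitlines():
        m = STATUS_ROW_RE.match(line)
        if m and int(m.group(1)) == slot:
            return m.group(2)
    return None


def guard_modules_online(output: str) -> Tuple[bool, List[str]]:
    """Check that at least one Guard module is listed and every one reports Ok.

    Returns (all_ok, problems). The status comparison is case-insensitive
    because the guide's text says "OK" while its sample output shows "Ok".
    """
    problems: List[str] = []
    slots = find_guard_slots(output)
    if not slots:
        problems.append("no Anomaly Guard module listed in show module output")
    for slot in slots:
        status = guard_status(output, slot)
        if status is None:
            problems.append(f"slot {slot}: no status row found")
        elif status.lower() != "ok":
            problems.append(
                f"slot {slot}: status is {status!r}, not Ok; allow at least "
                f"5 minutes for the diagnostics to complete and check again"
            )
    return (not problems, problems)


if __name__ == "__main__":
    for capture in (SAMPLE_SHOW_MODULE, SAMPLE_SHOW_MODULE_OK):
        ok, problems = guard_modules_online(capture)
        print("online" if ok else "not online", problems)
```

Run against a saved capture of the real command instead of the embedded sample; the second sample shows the same capture after the module has come online.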



Configuring VLANs for Management and Data Traffic

VLANs are used for passing traffic between the supervisor engine and Guard module. From the supervisor engine, you must assign a VLAN to the Guard module before you can configure the Guard module to use the VLAN. How you define a VLAN on the supervisor engine and Guard module interface ports depends on whether the Guard module is operating as a 1-Gbps or a 3-Gbps device and which of the following traffic types the port is to handle:

Management traffic—You must define the management VLAN on one of the supervisor engine interface ports. The Guard module uses the management VLAN to allow user access through one of the available remote management services described in the "Managing the Guard Module" section on page 3-13. The requirements for defining a management VLAN depend on the bandwidth performance level at which your Guard module operates:

1-Gbps operation—Inband and out-of-band management traffic is supported between the supervisor engine and the Guard module. Port 1 on the supervisor engine is the only port that supports out-of-band management traffic. You must define the out-of-band management VLAN on this port. When you configure the Guard module for management traffic, you assign the same management VLAN to the Guard module physical interface that is used exclusively for out-of-band management traffic and is identified as eth1.

3-Gbps operation—Only inband management traffic is supported between the supervisor engine and the Guard module. Ports 1, 2, and 3 on the supervisor engine all support Guard module management traffic. You can define a management VLAN on any or all of the three supervisor engine ports. You must configure the management VLAN on the correlating Guard module interfaces. For example, if you configure the management VLAN on port 1 of the supervisor engine, you must configure the same VLAN on giga1 of the Guard module.

Data traffic—The Guard module uses data traffic VLANs for hijacking and injecting network traffic when you activate zone protection or learning. The requirements for defining a data traffic VLAN depend on the bandwidth performance level at which your Guard module operates:

1-Gbps operation—Data traffic is supported only on port 2 of the supervisor engine and giga2 of the Guard module. Therefore, you must define data traffic VLANs on port 2 of the supervisor engine.

3-Gbps operation—Data traffic is supported on all three supervisor engine ports (port 1, port 2, and port 3) and all three correlating Guard module interfaces (giga1, giga2, and giga3). You must define every data traffic VLAN on all three supervisor engine ports and all three Guard module interfaces.

To configure VLANs for Guard module traffic, perform the following steps:


Step 1 From the supervisor engine, define the VLANs to be used for Guard module traffic. See the "Defining VLANs on the Supervisor Engine" section for more information.

Step 2 From the supervisor engine, assign the VLANs to the Guard module. See the "Assigning VLANs to the Guard Module" section for more information.

Step 3 (Optional) From the supervisor engine, configure Layer 3 interfaces on the VLANs. See the "Configuring the Layer 3 Interfaces on the VLANs" section for more information.

Step 4 From the Guard module, configure the Guard module interfaces. See the "Configuring the Guard Module Interfaces" section on page 3-7 for more information.


This section contains the following topics:

Defining VLANs on the Supervisor Engine

Assigning VLANs to the Guard Module

Configuring the Layer 3 Interfaces on the VLANs

Defining VLANs on the Supervisor Engine

You must define VLANs on the supervisor engine that are to be used for Guard module traffic. To define one or more VLANs on the supervisor engine that you plan to assign to the Guard module, use the following command:

vlan vlan_range

The vlan_range argument specifies a single VLAN number, a range of VLANs, or several VLANs in a comma-separated list (do not enter space characters). Valid VLAN numbers are 1 to 4094.

The following example shows how to define VLANs on the supervisor engine:

Sup(config)# vlan 86-89,99

Assigning VLANs to the Guard Module

Assigning VLANs to the Guard module requires that you understand the mapping between the Guard module and the three Gigabit Ethernet ports that connect the Guard module to the switch fabric. Table 2-1 shows the correlation between the supervisor engine ports and the Guard module interfaces.

Table 2-1 Supervisor Engine and Guard Module Interface Port Mapping

Supervisor Port   Guard Module Interface (1-Gbps Operation)   Guard Module Interface (3-Gbps Operation)
---------------   -----------------------------------------   -----------------------------------------
Port 1            eth1: Out-of-band management traffic        giga1: Data and inband management traffic
Port 2            giga2: Data traffic                         giga2: Data and inband management traffic
Port 3            giga3: Not used                             giga3: Data and inband management traffic



Caution (3-Gbps operation only) When you are assigning a VLAN to the Guard module for data traffic, you must assign the VLAN to all three interface ports. If the VLAN is for management traffic, you can assign the VLAN to one port only.

You do not need to assign VLANs to the Guard module if you plan to use the default value of VLAN 1 only.

To assign VLANs to the Guard module, use the following command at the supervisor engine prompt:

anomaly-guard module module_number port port_number [allowed-vlan vlan_range | native-vlan vlan_id]

Table 2-2 provides the arguments and keywords for the anomaly-guard module command.

Table 2-2 Arguments and Keywords for the anomaly-guard module Command

Parameter                Description
-----------------------  --------------------------------------------------------------------
module_number            Number of the slot in which the module is inserted in the chassis
                         (1-13 depending on the model of your switch or router).

port port_number         Specifies the port number (1-3) as follows:
                         1-Gbps operation:
                           Port 1: Out-of-band management traffic only
                           Port 2: Data traffic only
                           Port 3: Unused
                         3-Gbps operation:
                           Port 1: Data and inband management traffic
                           Port 2: Data and inband management traffic
                           Port 3: Data and inband management traffic

allowed-vlan vlan_range  (Optional) Specifies an individual VLAN, a range of VLANs, or
                         multiple VLANs in a comma-separated list (do not enter space
                         characters). For example, 1-65,72,300-320.

native-vlan vlan_id      (Optional) Specifies the native VLAN for the trunk in 802.1Q
                         trunking mode. The default native VLAN is 1.

One of the allowed VLANs must be the administrative VLAN. By default, this is VLAN 1.


The following 1-Gbps operation example shows how to assign VLANs for data traffic to the data interface port (port 2):

Sup# anomaly-guard module 7 port 2 allowed-vlan 1,3,6-15

The following 1-Gbps operation example shows how to assign a VLAN for management traffic to the management port:

Sup# anomaly-guard module 7 port 1 allowed-vlan 16

The following 3-Gbps operation example shows how to assign VLANs for data traffic to the three Guard module interface ports:

Sup# anomaly-guard module 7 port 1 allowed-vlan 1,3,6-15
Sup# anomaly-guard module 7 port 2 allowed-vlan 1,3,6-15
Sup# anomaly-guard module 7 port 3 allowed-vlan 1,3,6-15

The following 3-Gbps operation example shows how to assign a single VLAN for management traffic:

Sup# anomaly-guard module 7 port 3 allowed-vlan 16
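The rules above (vlan_range syntax, the 1-Gbps port roles, the 3-Gbps requirement that every data VLAN be assigned to all three ports, and the requirement that the administrative VLAN be among the allowed VLANs) are easy to get wrong across several commands, and a mistake leaves a data VLAN unprotected on one port. The following Python script is an added example, not part of the guide and not a Cisco tool: it audits anomaly-guard module lines taken from a supervisor engine configuration against those rules. The sample configuration embedded in the script is constructed for the example, and the operator has to supply which VLANs are data VLANs, because the configuration alone does not distinguish them from management VLANs. One reading is my assumption and is marked in the code: repeated allowed-vlan lines for the same port are treated as accumulating, as the guide's 3-Gbps example assigns data VLANs and then a separate management VLAN to port 3.

```python
import re
from typing import Dict, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094
ADMIN_VLAN = 1  # default administrative VLAN (the guide: "By default, this is VLAN 1")

# Constructed sample of supervisor-engine configuration lines for a Guard module in
# slot 7 running in 3-Gbps mode. Sample data, not taken from the guide: port 3 is
# deliberately missing data VLAN 3 so that the audit has something to report.
SAMPLE_CONFIG_3GBPS = """\
vlan 1,3,6-16
anomaly-guard module 7 port 1 allowed-vlan 1,3,6-15
anomaly-guard module 7 port 2 allowed-vlan 1,3,6-15
anomaly-guard module 7 port 3 allowed-vlan 1,6-15
anomaly-guard module 7 port 3 allowed-vlan 16
"""


def parse_vlan_range(text: str) -> Set[int]:
    """Expand a vlan_range argument such as '1-65,72,300-320' into a set of VLAN IDs.

    Enforces the guide's syntax: comma-separated numbers or lo-hi ranges,
    no space characters, every VLAN between 1 and 4094.
    """
    if not text or " " in text:
        raise ValueError(f"invalid vlan_range {text!r}: empty or contains spaces")
    vlans: Set[int] = set()
    for part in text.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"invalid vlan_range element {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (VLAN_MIN <= lo <= hi <= VLAN_MAX):
            raise ValueError(f"VLAN range {part!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        vlans.update(range(lo, hi + 1))
    return vlans


ASSIGN_RE = re.compile(r"^\s*anomaly-guard module (\d+) port ([123]) allowed-vlan (\S+)\s*$")


def parse_assignments(config: str) -> Dict[int, Dict[int, Set[int]]]:
    """Collect {module_number: {port_number: allowed VLANs}} from configuration text.

    Assumption (mine, not stated in the guide): repeated allowed-vlan lines for the
    same port accumulate rather than replace each other.
    """
    assignments: Dict[int, Dict[int, Set[int]]] = {}
    for line in config.splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        module, port = int(m.group(1)), int(m.group(2))
        assignments.setdefault(module, {}).setdefault(port, set()).update(
            parse_vlan_range(m.group(3))
        )
    return assignments


def audit_module(assignments: Dict[int, Dict[int, Set[int]]], module: int,
                 data_vlans: Set[int], mode: str) -> List[str]:
    """Return findings for one Guard module; an empty list means no problem found.

    data_vlans is the operator's list of VLANs intended for data (hijack/inject)
    traffic. mode is '1g' or '3g'.
    """
    ports = assignments.get(module, {})
    findings: List[str] = []
    if mode == "3g":
        # Caution in the guide: a 3-Gbps data VLAN must be assigned to all three ports.
        for vlan in sorted(data_vlans):
            missing = [p for p in (1, 2, 3) if vlan not in ports.get(p, set())]
            if missing:
                findings.append(f"module {module}: data VLAN {vlan} not assigned to "
                                f"port(s) {missing}; 3-Gbps data VLANs must be on ports 1, 2 and 3")
    elif mode == "1g":
        # 1-Gbps: data traffic on port 2 only, out-of-band management on port 1, port 3 unused.
        for port in (1, 3):
            stray = sorted(data_vlans & ports.get(port, set()))
            if stray:
                findings.append(f"module {module}: data VLAN(s) {stray} assigned to port "
                                f"{port}; 1-Gbps data traffic is supported on port 2 only")
        if ports.get(3):
            findings.append(f"module {module}: port 3 has VLANs assigned but is unused "
                            f"in 1-Gbps operation")
    else:
        raise ValueError(f"mode must be '1g' or '3g', got {mode!r}")
    allowed_anywhere: Set[int] = set().union(*ports.values()) if ports else set()
    if ADMIN_VLAN not in allowed_anywhere:
        findings.append(f"module {module}: administrative VLAN {ADMIN_VLAN} is not among "
                        f"the allowed VLANs")
    return findings


if __name__ == "__main__":
    assigned = parse_assignments(SAMPLE_CONFIG_3GBPS)
    for finding in audit_module(assigned, 7, parse_vlan_range("3,6-15"), "3g"):
        print(finding)
```

Feed it the output of show running-config from the supervisor engine, the slot number, the data VLAN list in the same syntax the command accepts, and the operating mode; each finding names the port that still needs an allowed-vlan assignment.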

In addition to assigning VLANs to the Guard module from the supervisor engine, you must also configure the interface ports on the Guard module. See the "Configuring a Physical Interface" section on page 3-8 for more information.

For information about configuring VLANs on the Guard module, see the "Configuring a VLAN on the Guard Module Interfaces" section on page 3-9.

To establish a remote management session with the Guard module, you must also enable the relevant services on the Guard module. See the "Managing the Guard Module" section on page 3-13.

Configuring the Layer 3 Interfaces on the VLANs

You can configure Layer 3 interfaces on the VLANs if required by the application.

To configure a Layer 3 VLAN interface, perform the following steps:


Step 1 Enter the VLAN interface configuration mode with the following command at the supervisor engine prompt:

interface vlan vlan-id

The vlan-id argument specifies the number of the VLAN; valid values are from 1 to 4094.

Step 2 Set the VLAN IP address by entering the following command:

ip address ip_addr subnet_mask 

The ip_addr and subnet_mask arguments define the interface IP address and subnet mask.

Step 3 Activate the interface with the following command:

no shutdown 


The following example shows how to configure a Layer 3 VLAN interface:

Sup(config)# interface vlan 5
Sup(config-if)# ip address 192.168.89.100 255.255.255.0
Sup(config-if)# no shutdown

Accessing the Guard Module for the First Time

This section shows how to establish the initial session with the Guard module by using the preconfigured username that has an administration user privilege level. During this process, the CLI prompts you to assign passwords to the following default user accounts:

admin—Provides access to all administrative and configuration operations.

riverhead—Provides access to monitoring and diagnostic operations, zone protection, and learning-related operations. This user can also configure flex-content filters and dynamic filters.

tac-cli—Provides access to the Linux shell for certain administrative operations.

root—Provides access to a limited number of administrative operations in the application partition (AP), which contains the Guard module application software image.

To access the Guard module for the first time, perform the following steps:


Step 1 Establish a Telnet or console session to the switch.

Step 2 Enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

Table 2-3 provides the arguments and keywords for the session slot command.

Table 2-3 Arguments and Keywords for the session slot Command

Parameter                   Description
--------------------------  ------------------------------------------------------------------
slot_number                 Number of the slot in which the Guard module is inserted in the
                            chassis (1-13 depending on the model of your switch or router).

processor processor_number  Specifies the number of the Guard module processor. The Guard
                            module supports management through processor 1 only.


Step 3 Enter admin for the default admin account username and rhadmin for the password.

Step 4 Enter a password for the root user account that consists of 6 to 24 characters.

Retype the new password to verify it.

Step 5 Enter a password for the tac-cli user account that consists of 6 to 24 characters.

Retype the new password to verify it.

Step 6 Enter a password for the admin user account that consists of 6 to 24 characters.

Retype the new password to verify it.

Step 7 Enter a password for the riverhead user account that consists of 6 to 24 characters.

Retype the new password to verify it.

Step 8 Enter configuration mode to configure the Guard module by entering the following command:

configure [terminal]

The following example shows how to enter configuration mode:

user@GUARD# configure 
user@GUARD-conf#



Note You can change the passwords for the admin and riverhead usernames at any time. See the "Changing Your Password" section on page 4-8 for more information.


To establish all future sessions with the Guard module, use the procedure in the "Establishing a Session with the Guard Module after the Initial Session" section.

Establishing a Session with the Guard Module after the Initial Session

This section shows how to establish a session with the Guard module following the initial session in which you assigned passwords to the default user accounts (see the "Accessing the Guard Module for the First Time" section).

To log in to the Guard module, perform the following steps:


Step 1 Establish a Telnet or console session to the switch.

Step 2 Enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

See Table 2-3 for argument and keyword descriptions.

Step 3 Log in at the Guard module login prompt using a configured user account:

login: user

Step 4 Enter the password.

After a successful login, the command-line prompt is represented as user@GUARD. You can change the prompt by entering the hostname command.


Rebooting the Guard Module

Cisco IOS software provides the following commands to control the Guard module: boot, shutdown, power enable, and reset.


Caution If you enter the reload command at the supervisor engine prompt, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Guard Module" section on page 14-7 for information on how to reload the Guard module.

shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Guard module, it is critical that you shut down the Guard module properly. Enter the following command at the supervisor engine prompt:

hw-module module slot_number shutdown 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

You must then enter the hw-module module slot_number reset command to restart the Guard module.

The following example shows how to shut down the Guard module:

Sup# hw-module module 8 shutdown


Note The Guard module reboots if you reboot the switch.


reset—Resets the module. This command is typically used in the upgrade process to switch between Application Partition (AP) and Maintenance Partition (MP) images or to recover from a shutdown (for more information, see the "Upgrading the Guard Module Software" section on page 14-8). The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following command at the supervisor engine prompt:

hw-module module slot_number reset [string] 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis. The string argument is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Guard Module Software" section on page 14-8 for more information.

The following example shows how to reset the Guard module:

Sup# hw-module module 8 reset

no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following command at the supervisor engine prompt:

no power enable module slot_number

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To switch the module on again, use the following command:

power enable module slot_number

The following example shows how to shut down the Guard module:

Sup(config)# no power enable module 8

boot—Forces the Guard module to boot to the MP at the next power on. Enter the following command at the supervisor engine prompt:

boot device module slot_number cf:1 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To enable the Guard module to boot to the default partition, which is the AP, at the next boot cycle, use the following command at the supervisor engine prompt:

no boot device module slot_number cf:1

The following example shows how to configure the Guard module to boot to the AP at the next boot cycle:

Sup# no boot device module 8 cf:1 


Caution The zone learning phases are restarted after reboot. See the "Rebooting the Guard Module and Inactivating Zones" section on page 14-8 for more information on the default behavior of the zones after reboot.

Verifying the Guard Module Configuration

To verify the Guard module configuration on the supervisor engine, use the following command at the supervisor engine prompt:

show anomaly-guard module slot_number port port_number [state | traffic]

Table 2-4 provides the arguments and keywords for the show anomaly-guard module command.

Table 2-4 Arguments and Keywords for the show anomaly-guard module Command

Parameter         Description
----------------  ------------------------------------------------------------------
slot_number       Number of the slot in which the module is inserted in the chassis
                  (1-13 depending on the model of your switch or router).

port port_number  Specifies the port number (1-3).

state             (Optional) Displays the configuration of the specified port.

traffic           (Optional) Displays the traffic statistics of the specified port.


The following example shows how to display the Guard module configuration on the supervisor engine:

Sup# show anomaly-guard module 8 port 2 state

Configuring Multiple Guard Modules in a Single Switch or Router

You can install several Guard modules in a Catalyst 6500 series switch or a Cisco 7600 series router as long as at least one supervisor engine is installed. Refer to the most current Release Note for the exact number of modules.


Note To review the latest Release Note for the Guard module, see the following URL:

http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_release_notes_list.html


You can configure multiple Guard modules in one of the following configurations:

Load Sharing

Redundancy and High Availability

Load Sharing

You can configure several Guard modules to handle the zone traffic. The supervisor engine distributes the traffic equally between the Guard modules whenever it has more than one equal-cost route to the same destination.


Note (3-Gbps operation only) The supervisor engine distributes the traffic equally between the three interfaces of a single Guard module whenever it has more than one equal-cost route to the same destination.


To configure more than one Guard module for load sharing, perform the following tasks:

Define the zone on all Guard modules. See the "Configuring Zone Attributes" section on page 6-6 for more information.

Assign the same weight for diversion hijacking on all Guard modules. See the "Configuring Traffic Hijacking" section on page 5-8 for more information.

Activate the Guard module learning process for the zone on all Guard modules simultaneously. See the "Synchronizing a Guard Module with a Detector Zone Configuration" section on page 6-9 for more information.

Activate zone protection on all Guard modules. See Chapter 10, "Protecting Zones," for more information.


Caution If more than half the Guard modules stop functioning, the remaining Guard modules might regard the legitimate traffic as an attack on the zone.

Redundancy and High Availability

You can configure two Guard modules (or groups of Guard modules) for high availability. If the active Guard module is not available, the supervisor engine diverts the zone traffic to the standby Guard module.

The supervisor engine forwards the traffic to the lower cost routes (the routes with the lowest weight). The supervisor engine forwards the traffic to the redundant routes only if it detects that the routes to the active Guard module are down.

To configure Guard modules in a redundant configuration, perform the following tasks:

Define the same zone on both Guard modules. See the "Configuring Zone Attributes" section on page 6-6 for more information.

Assign a lower weight for diversion hijacking to the active Guard module. See the "Configuring Traffic Hijacking" section on page 5-8 for more information.

Assign a higher weight for diversion hijacking to the redundant Guard module. See the "Configuring Traffic Hijacking" section on page 5-8 for more information.

Activate the learning process on the active Guard module. See the "Synchronizing a Guard Module with a Detector Zone Configuration" section on page 6-9 for more information.

Copy the zone configuration to the redundant Guard module. See the "Exporting the Configuration" section on page 14-3 and the "Importing and Updating the Configuration" section on page 14-4 for more information.

Activate zone protection on both Guard modules. See the "Protecting Zones" section on page 10-1 for more information.