Table Of Contents

TIDP Based Mitigation Services

Contents

Prerequisites for TMS

Restrictions for TMS

Information About TMS

Threat Information Distribution Protocol

TIDP Based Mitigation Services

Threat Information Messages

TMS Protocol Configuration

Mitigation Enforcement Actions

Block Rule

Redirect Rule

TMS Rules Engine Configuration

Local Device Exceptions

TMS System Logging

How to Configure TMS

Configuring the TMS Type Parameter Map on a Controller

TMS Event Logging

Examples

What to Do Next

Configuring a TMS Type Parameter Map on a Consumer

TMS Event Logging

Examples

What to Do Next

Configuring the TMS Type Class Map on a Controller or Consumer

Prerequisites

Examples

What to Do Next

Configuring the TMS Type Policy Map on a Controller or Consumer

Prerequisites

Examples

What to Do Next

Attaching the Service Policy to a Global TMS Controller Process

Configuring the TMS Controller Identifier

Prerequisites

Restrictions

Examples

Troubleshooting Tips

What to Do Next

Attaching the Service Policy to a Global TMS Consumer Process

Consumer Registration

Configuring Device Exceptions

Prerequisites

Restrictions

Examples

Troubleshooting Tips

What to Do Next

Registering and Deregistering a TMS Consumer

Implicit Synchronization

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Configuring an XML Threat Definition File

XML Version 1.0 Syntax

Threat Definition File Syntax Guidelines

Threat File Tag Descriptions

XML Threat Definition File Configuration Steps

What to Do Next

Loading a Threat Definition File on a TMS Controller

Loaded and Active Databases

Updating or Replacing a Loaded Threat

Prerequisites

Restrictions

Examples

Troubleshooting Tips

What to Do Next

Sending Threat Information Messages from the Controller to a TMS Consumer

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Synchronizing the Threat Status of a Consumer with the TMS Group

Implicit Synchronization

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Managing Threat Information Messages on a Consumer from the Controller

Updating or Replacing a Loaded Threat

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Sending a Status Request Message to Consumers from the TMS Controller

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Unloading a Threat Information Messages from the Loaded Database

Loaded and Active Databases

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Configuring the TMS Rules Engine on a Consumer

Mitigation Type Service Policy

ACL Drop Rule

Ignore Rule

Redirect Rule

Prerequisites

Restrictions

Examples

Troubleshooting Tips

What to Do Next

Configuring Local Device Exceptions on a Consumer

Prerequisites

Examples

Troubleshooting Tips

What to Do Next

Clearing Threat Information Messages on a Consumer

Examples

Troubleshooting Tips

What to Do Next

Verifying TMS Configuration and Threat Status on a Controller or Consumer

Examples

What to Do Next

Enabling TMS Debug Messages on a Controller or Consumer

Restrictions

Examples

What to Do Next

Configuration Examples for TMS

Controller: TMS Configuration Example

Consumer: TMS Configuration Example

Consumer: TMS Rules Engine Configuration Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

Feature Information for TMS

TIDP Based Mitigation Services

---

First Published: February 27, 2006

Last Updated: March 20, 2006

Threat Information Distribution Protocol (TIDP) is the distribution layer protocol for TIDP Based Mitigation Services (TMS). TMS provides the framework to rapidly and efficiently distribute threat information to devices across the network. The TMS framework transports messages that contain specific threat information about suspect traffic and associated mitigation enforcement actions to all devices in the network. Threat Information Messages (TIMs) are distributed throughout the network in near real time. TIMs are distributed from a central device, the TMS controller. TMS consumers are devices configured to receive TIMs. Each consumer can be configured with a unique rule set to locally enforce mitigation actions based on local requirements. Local rule sets can be customized on demand.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for TMS" section

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Prerequisites for TMS

•Restrictions for TMS

•Information About TMS

•How to Configure TMS

•Configuration Examples for TMS

•Additional References

•Command Reference

Prerequisites for TMS

•You should have a clear understanding of the physical topology and traffic patterns in your network before deploying TIDP and TMS.

•This document assumes that all devices, on which TMS services are to be deployed, have been preconfigured to run TIDP. If TIDP has not been configured, use the following document to configure TIDP before continuing with TMS configuration: Threat Information Distribution Protocol.

Restrictions for TMS

The following restrictions apply to TMS in Cisco IOS Release 12.4(6)T:

•High availability (HA) features are not supported.

•Only one controller can be configured for each TMS group. However, up to 250 consumers can be configured in one or more groups. Up to 64 groups can be configured in a network.

Information About TMS

You should understand the following concepts, before configuring TMS:

•Threat Information Distribution Protocol

•TIDP Based Mitigation Services

•Threat Information Messages

•TMS Protocol Configuration

•Mitigation Enforcement Actions

•TMS Rules Engine Configuration

•Local Device Exceptions

•TMS System Logging

Threat Information Distribution Protocol

TIDP Based Mitigation Services (TMS) run over Threat Information Distribution Protocol (TIDP). TIDP is the distribution layer protocol that runs over of TCP (transport layer protocol). TIDP distributes Threat Information Messages (TIMs), for TMS, across the network in near real time.

Figure 1 shows TIDP distribution and transport.

Figure 1 TMS Service Run over TIDP

TIDP is designed to be a scalable and secure. TIDP supports point-to-point and point-to-multipoint communication. TIDP provides secure communication and message distribution. Message authentication is configured for all TIDP peering sessions. The message payload can be optionally encrypted to protect the contents. Authentication and encryption are configured using AES-128, HMAC-SHA1-160, or RSA key generation. TIDP is designed with replay protection (an attack that reuses old TCP sequence numbers to flood packets).

TIDP Based Mitigation Services

TMS provides the framework to rapidly and efficiently distribute Threat Information Messages (TIMs) to devices across the network. The network administrator distributes one or more TIMs from a central location, such as the network operations center (NOC). The TMS framework transports TIMs that contain specific threat information about suspect traffic and an associated mitigation enforcement actions to all devices in the network. Figure 2 shows TMS message distribution.

Figure 2 Threat Information Messages are Distributed over the TMS Framework

TMS provides a scalable point-to-point or point-to-multipoint framework. A TIM can be sent from the TMS controller to a single device (TMS consumer) or all devices in the network. Each TIM message is structured to identify suspect traffic and to enforce a mitigation action.

TMS is configured on a per group basis. A single device is configured as the TMS controller. The controller the is the central point in the network for TMS message distribution. The controller packages and distributes TIMs to TMS consumers. All other devices in the group are configured as consumers. A controller can support 250 TMS consumers in one or more TMS groups. Up to 64 TMS groups can be configured in a network.

The consumer is any device that is configured to receive and process TIMs and send status to the controller. The mitigation enforcement action is applied based on rules in the TIM. Each consumer can be optionally configured with a individual rule set (TMS Rules Engine) customized to fit local requirements.

Threat Information Messages

Each Threat Information Message (TIM) is identified by a threat ID, owner ID, and version number. The TIM is configured to identify suspect traffic. This traffic can be a single host IP address or entire major network range. The TIM is configured with a mitigation enforcement action that is associated with suspect traffic.

Each TIM is created in a threat definition file. The threat definition file is authored in a text or XML editor. The threat definition file must comply with Extensible Markup Language (XML) version 1.0 syntax. Each threat definition file can be up to 64 kb in size. A typical TIM is between 800 and a 1000 bytes. Each TMS group can support up to 256 active TIMs.

Figure 3 TIMs are Distributed from the TMS Controller

The threat definition file is loaded to the TMS controller from a local storage device, such as ATA or linear flash memory. The file can also be loaded from a reachable host (using FTP, HTTPS, RCP, or TFTP protocols). This action places the TIMs contained within the threat definition file into the "loaded" database. The TIMs are then distributed (sent) from the controller to TMS consumers by the network administrator. Sending a TIM activates and places the TIM in the active database.

TMS Protocol Configuration

TMS protocol operation, on the controller or consumer, is configured in a TMS type service policy using the Modular QoS CLI (MQC). The TMS type service policy is configured with TMS type class, parameter, and policy maps.

•The TMS type class map is identifies TMS group consumers a traffic class.

•The TMS type parameter map is a container for TMS protocol-specific configuration parameters.

–On the controller, TMS protocol operation timers, such as the heartbeat (keepalive) and message timers are configured.

–On the consumer, the controller is identified and the controller registration timer is configure

–TMS event logging is enabled on both the controller and consumer.

•The TMS type policy map binds (or attaches) the class and parameter maps. The policy map is attached to the global consumer or controller process, which activates the TMS type service policy.

---

Tip Default values for unconfigured parameter map commands are displayed in the router configuration file when a parameter map is created.

---

Mitigation Enforcement Actions

The mitigation enforcement action is defined globally in the TIM. It is associated with suspect traffic and conditionally enforced depending on the configuration of the TIM or the configuration rule on the TMS consumer (Custom rules are configured on TMS consumers in a mitigation type parameter map).

In a TIM, the enforcement action is configured as a block or redirect. The redirect rule can be configured to route null0 (blackhole) or route to a specific host IP address for collection and analysis or to host IP address configured as a sinkhole. The TIM can be also configured to use a mitigation enforcement action defined in a mitigation type parameter map on a TMS consumer.

Block Rule

The block mitigation enforcement action drops suspect traffic when suspect traffic meets all conditions of the rule. The behavior of this action is similar to a deny access list.

Redirect Rule

The redirect enforcement action is configured to route to null0 or to route to a specific host. Cisco IOS Optimized Edge Routing (OER) dynamically controls and implements redirect mitigation enforcement rules. Support for OER is automatically provided in Cisco IOS software images that support TMS. No explicit OER configuration is required. OER will function as if an OER master controller and border router processes has been configured on the TMS consumer.

Cisco IOS OER can also be explicitly configured on TMS consumers. However, the following caveats have been observed:

•Active threats on the TMS consumer must be resynchronized if you change the role that the consumer performs in the OER managed network. For example, if you reconfigure a border router to also perform OER master controller functions or vice versa.

•If multiple TIMs are configured with the same match criteria but different next-hop addresses. The next hop from the first threat will be selected.

Figure 4 shows a typical example where sinkhole routing is used.

Figure 4 Typical OER Route to Sinkhole Example

The OER master controller process advertises the sinkhole router as the next hop for the 192.168.1.1 host, which is under attack.

TMS Rules Engine Configuration

The TMS Rules Engine is a flexible mechanism that allows you to apply custom rules on individual consumers. A TIM can be configured to take the next-hop variable from a rules engine configuration, or a custom rule can be configured to override a mitigation enforcement action sent in a TIM from the TMS controller.

Using the TMS Rules Engine, you can configure a local rule to route traffic to a null0, route traffic to a specific interface for collection and analysis, configure a nonstandard primitive, or configure the local device to ignore an enforcement action sent by the controller.

---

Note Nonstandard primitives are predefined in the threat definition file that is loaded on the TMS controller.

---

The TMS Rules Engine is configured with a mitigation type service policy. The mitigation type service policy is created by configuring and linking mitigation type parameter and class maps to a mitigation type policy map.

•The mitigation type class map is used to define threat primitive and priority traffic matching conditions.

•The mitigation type parameter map contains the next-hop variable in the mitigation type service policy.

•The mitigation type policy map is used to attach the class and parameter maps.

•The mitigation type policy map is configured to bind mitigation type class and parameter maps together, creating a mitigation type service policy.

The mitigation type service policy is activated by attaching the mitigation type policy-map to the TMS type policy map in policy-map class configuration mode. The TMS type policy map is then attached to the global consumer configuration by configuring the service-policy command in TMS Consumer configuration mode.

Local Device Exceptions

Local device exceptions are configured only on TMS consumers. A local device exception is an override configured for a specific host IP address or network. The TMS consumer negates a mitigation enforcement action sent from the controller or from a mitigation type service policy configured on the consumer.

For example, traffic from the 192.168.1.0/24 network is considered to be suspect. So, an ACL drop enforcement action is configured for all traffic sourced from this network. However, a device with a host address in this range (192.168.1.55) has to transit over a specific consumer. A local device exception is configured on the consumer to override ACL drop enforcement action.

TMS System Logging

TMS system logging is enabled in the TMS type parameter map configuration. It is disabled by default.

Controller System Logging Messages

This feature introduces the following system logging messages on the controller.

•TMS controller configuration status notification:

12:58:02: %TMS-6-GROUP: CONTROLLER| Group=1| Host=10.3.3.1| Status=CONFIGURED

•Consumer registration notification:

11:56:44: %TMS-6-DEVICE: CONTROLLER| Group=1| Host=10.3.3.2| Status=REGISTERED 

•Consumer deregistration notification:

12:52:55: %TMS-6-DEVICE: CONTROLLER| Group=1| Host=10.3.3.2| Status=DEREGISTERED 

•Consumer threat send/reset/status notification:

12:30:47: %TMS-6-RESET: CONTROLLER| Group=1| Device=10.3.3.2| Action=Delete| Start 
TID=1| End TID=1 

12:30:47: %TMS-6-THREATSTATUS: CONTROLLER| Group=1| Device=10.3.3.2| Threat=1| 
Status=Threat deleted 

Consumer System Logging Messages

This feature introduces the following system logging messages on the consumer.

•TMS consumer configuration status notification:

Feb 27 02:53:02.620: %TMS-6-GROUP: CONSUMER| Group=2| Host=10.3.3.2| Status=CONFIGURED

•Consumer registration notification:

*Feb 27 02:00:42.213: %TMS-6-DEVICE: CONSUMER| Group=1| Host=10.3.3.1| Status=REG 
Requested

*Feb 27 02:00:42.241: %TMS-6-DEVICE: CONSUMER| Group=1| Host=10.3.3.1| 
Status=REGISTERED

•Consumer response to send/reset/status message sent from the controller:

*Feb 27 02:34:40.417: %TMS-6-RESET: CONSUMER| Group=1| Device=10.3.3.1| Action=Delete| 
Start TID=1| End TID=1

*Feb 27 02:34:40.425: %TMS-6-THREATSTATUS: CONSUMER| Group=1| Device=10.3.3.1| 
Threat=1| Status=Threat deleted

•Consumer response to a resynchronization request sent from the controller:

*Feb 27 02:48:06.224: %TMS-6-THREAT: CONSUMER| Group=1| Device=10.3.3.1| TID=1

*Feb 27 02:48:06.232: %TMS-6-THREATSTATUS: CONSUMER| Group=1| Device=10.3.3.1| 
Threat=1| Status=Redirect 192.168.2.1

TMS syslog messages are processed by Cisco IOS software based on global logging configuration. To modify system, terminal, destination, and other system global logging parameters, use the logging commands in global configuration mode. For more information about global system logging configuration, see the chapter "Troubleshooting and Fault Management" section of the Cisco IOS Network Management Configuration Guide.

How to Configure TMS

This section contains the following tasks:

Configuring a TMS Type Service Policy

•Configuring the TMS Type Parameter Map on a Controller (required)

•Configuring a TMS Type Parameter Map on a Consumer (required)

•Configuring the TMS Type Class Map on a Controller or Consumer (required)

•Configuring the TMS Type Policy Map on a Controller or Consumer (required)

Attaching the TMS Type Service Policy to a Global TMS Process

•Attaching the Service Policy to a Global TMS Controller Process (required)

•Attaching the Service Policy to a Global TMS Consumer Process (required)

Registering and Deregistering a TMS Consumer

•Registering and Deregistering a TMS Consumer (optional)

Managing Threat Information Messages on a TMS Controller

•Configuring an XML Threat Definition File (required)

•Loading a Threat Definition File on a TMS Controller (required)

•Sending Threat Information Messages from the Controller to a TMS Consumer (required)

•Synchronizing the Threat Status of a Consumer with the TMS Group (optional)

•Managing Threat Information Messages on a Consumer from the Controller (optional)

•Sending a Status Request Message to Consumers from the TMS Controller (optional)

•Unloading a Threat Information Messages from the Loaded Database (optional)

Managing Threat Information Messages on a TMS Consumer

•Configuring the TMS Rules Engine on a Consumer (optional)

•Configuring Local Device Exceptions on a Consumer (optional)

•Clearing Threat Information Messages on a Consumer (optional)

Verifying and Debugging TMS Configuration

•Verifying TMS Configuration and Threat Status on a Controller or Consumer (optional)

•Enabling TMS Debug Messages on a Controller or Consumer (optional)

Configuring the TMS Type Parameter Map on a Controller

The steps in this task show how to configure a TMS type parameter map on a controller. The TMS type parameter map is a container for TMS protocol-specific configuration parameters. A TMS type parameter map is configured on the controller and on each consumer. On the controller, the heartbeat (keepalive) and threat message timers are configured. Entering the parameter-map type tms command places the router in parameter-map configuration mode.

TMS Event Logging

The logging tms events command is entered in a TMS type parameter map on the consumer and/or controller. TMS system logging is disabled by default. TMS syslog messages are processed by Cisco IOS software based on global logging configuration. To modify system, terminal, destination, and other system global logging parameters, use the logging commands in global configuration mode.

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type tms {name}

4. heartbeat retry count {number}

5. heartbeat retry interval {time}

6. message retry count {number}

7. message retry interval {time}

8. logging tms events

9. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	parameter-map type tms name Example: Router(config)# parameter-map type tms TMS_PAR_1	Configures a TMS type parameter map. Tip Default values for unconfigured parameter map commands are displayed in the router configuration file when a parameter map is created.
Step 4	heartbeat retry count {number} Example: Router(config-profile)# heartbeat retry count 5	Configures the number of times that heart beat messages are sent from a TMS controller to a consumer. •The heart beat message timer is configured on the TMS controller to regulate the frequency and interval of the transmission of heart beat (keepalive) messages. •A number from 1 to 5 is entered for the number argument. The default number is 2. •The controller is configured to send up to 5 heart beat messages to a nonresponsive peer in this example.
Step 5	heartbeat retry interval {time} Example: Router(config-profile)# heartbeat retry interval 60	Configures the time interval between the transmission of heart beat messages. •The time argument is configured in seconds. A number from 60 to 3000 is entered. The default time interval is 120 seconds. •The controller is configured to send heart beat messages at 60 second intervals in this example.
Step 6	message retry count {number} Example: Router(config-profile)# message retry count 3	Configures the number of times that a threat message is sent from a TMS controller to a consumer. •The threat message timer is configured on the TMS controller to regulate the frequency and interval that the controller attempts to send threat messages to a nonresponsive peer. •A number from 0 to 5 is entered for the number argument. The default number is 5. •The controller is configured to send a threat message up to 3 times to a nonresponsive consumer in this example.
Step 7	message retry interval {time} Example: Router(config-profile)# message retry interval 15	Configures the time interval between the transmission of threat messages. •The time argument is configured in seconds. A number from 3 to 300 is entered. The default time interval 10 seconds. •The controller is configured to send threat messages at 15 second intervals to a nonresponsive consumer in this example.
Step 8	logging tms events Example: Router(config-profile)# logging tms events	Enables TMS event logging on the controller. •TMS specific events are logged to syslog in this example.
Step 9	exit Example: Router(config-profile)# exit	Exits parameter-map configuration mode, and enters global configuration mode.

Examples

The following example, starting in global configuration mode, configures a TMS type parameter map on a controller:

Router(config)# parameter-map type tms TMS_PAR_1 

Router(config-profile)# logging tms events 

Router(config-profile)# heartbeat retry interval 60 

Router(config-profile)# heartbeat retry count 3 

Router(config-profile)# message retry interval 15 

Router(config-profile)# message retry count 5 

Router(config-profile)# exit 

What to Do Next

A TMS type parameter map must also be configured on each consumer. Proceed to the next section to see more information.

Configuring a TMS Type Parameter Map on a Consumer

The steps in this task show how to configure a TMS type parameter map on a consumer. A TMS type parameter map is configured on the controller and on each consumer. On the consumer, it is configured to identify the controller to and to set registration timers. Entering the parameter-map type tms command places the router in parameter-map configuration mode.

TMS Event Logging

The logging tms events command is entered in a TMS type parameter map on the consumer and/or controller. TMS system logging is disabled by default. TMS syslog messages are processed by Cisco IOS software based on global logging configuration. To modify system, terminal, destination, and other system global logging parameters, use the logging commands in global configuration mode.

SUMMARY STEPS

1. enable

2. configure terminal

3. parameter-map type tms {name}

4. controller ipv4 {ip-address}

5. registration retry count {number}

6. registration retry interval {time}

7. logging tms events

8. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	parameter-map type tms name Example: Router(config)# parameter-map type tms TMS_PAR_2	Configures a TMS type parameter map. Tip Default values for unconfigured parameter map commands are displayed in the router configuration file when a parameter map is created.
Step 4	controller ipv4 {ip-address} Example: Router(config-profile)# controller ipv4 10.1.1.1	Specifies the TMS controller in the parameter map of a TMS consumer. •The 10.1.1.1 host IP address is configured as the TMS controller in this example. Tip The IP address that is configured in this step is the IP address that was configured as the source interface in the TIDP configuration on the TMS controller.
Step 5	registration retry count {number} Example: Router(config-profile)# registration retry count 5	Configures the number of times that an implicit TMS registration message is sent from a TMS controller to a controller. •The TMS consumer must register before the controller will send threat messages. Implicit registration messages are sent when a TMS type service policy is activated on the consumer or when the consumer is deregistered (by the administrator) from the controller. •A number from 1 to 5 is entered for the number argument. The default number is 3. •The consumer is configured to send a registration message to a controller up to 5 times or until successfully registered in this example.
Step 6	registration retry interval {time} Example: Router(config-profile)# registration retry interval 60	Configures the time interval between the transmission of registration messages. •The time argument is configured in seconds. A number from 30 to 3000 is entered. The default time interval is 180 seconds. •The consumer is configured to registration messages at 60 second intervals in this example.
Step 7	logging tms events Example: Router(config-profile)# logging tms events	Enables logging for TMS events on a TMS controller or consumer. •TMS specific events are logged to syslog in this example.
Step 8	exit Example: Router(config-profile)# exit	Exits parameter-map configuration mode, and enters global configuration mode.

Examples

The following example, starting in global configuration mode, configures a TMS type parameter map on a consumer:

Router(config)# parameter-map type tms TMS_PAR_2 

Router(config-profile)# controller ipv4 10.1.1.1 

Router(config-profile)# logging tms events 

Router(config-profile)# registration retry count 5 

Router(config-profile)# registration retry interval 60 

Router(config-profile)# exit 

What to Do Next

The next step is to identify the TIDP group, over which TMS services are to be configured. Proceed to the next section to see more information.

Configuring the TMS Type Class Map on a Controller or Consumer

The steps in this task show how to configure a TMS type class map to define a TMS group as a class of traffic. A single TMS group or range of groups are configured with the match tidp-group command. This task is performed on the controller and on each consumer.

Prerequisites

TIDP is operational on the controller and all consumers.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type tms {[match-any] name}

4. match tidp-group number [- number]

5. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	class-map type tms {[match-any] name} Example: Router(config)# class-map type tms TMS_CLASS_1	Configures a TMS type class map to define a TMS group as a class of traffic.
Step 4	match tidp-group number [- number] Example: Router(config-cmap)# match tidp group 10	Defines a TMS group or a range of groups as match criteria in a class map. •TMS group 10 is defined in this example.
Step 5	exit Example: Router(config-cmap)# exit	Exits class-map configuration mode, and enters global configuration mode.

Examples

The following example, starting in global configuration mode, configures groups 10 through 20 and group 30 as match criteria in the TMS_CLASS_1 class map:

Router(config)# class-map type tms TMS_CLASS_1 

Router(config-cmap)# match tidp group 10 - 20 

Router(config-cmap)# match tidp group 30 

Router(config-cmap)# exit 

What to Do Next

The next step is to attach the TMS type class and parameter maps to a TMS type policy map. Proceed to the next section to see more information.

Configuring the TMS Type Policy Map on a Controller or Consumer

The steps in this task show how to configure a TMS type policy map. The TMS policy map is configured to bind (attach) TMS type class and parameter maps. Any number of class maps, with different parameter maps, can be attached to the policy map. This task is performed on the controller and on each consumer.

Prerequisites

A TMS type class and parameter map is configured.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control tms {name}

4. class {class-name | class-default}

5. mitigation {parameter-map}

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	policy-map type control tms {name} Example: Router(config)# policy-map type control tms TMS_POL_1	Configures a TMS type policy map.
Step 4	class {class-name | class-default} Example: Router(config-pmap)# class TMS_CLASS_1	Defines the TMS traffic class (TMS group) to attach to the policy map. •The class-name argument must be configured in this step.
Step 5	mitigation {parameter-map} Example: Router(config-pmap-c)# mitigation TMS_PAR_1	Attaches the TMS parameter map to the class map under the policy map.
Step 6	end Example: Router(config-pmap-c)# end	Exits policy-map class configuration mode, and enters privileged EXEC mode.

Examples

The following example, starting in global configuration mode, attaches TMS type class and parameter maps to a TMS type policy map:

Router(config)# parameter-map type tms TMS_PAR_1 

Router(config-profile)# logging tms events 

Router(config-profile)# exit 

Router(config)# class-map type tms TMS_CLASS_1 

Router(config-cmap)# match tidp-group 10

Router(config-cmap)# exit 

Router(config)# policy-map type control tms TMS_POL_1 

Router(config-pmap)# class TMS_CLASS_1 

Router(config-pmap-c)# mitigation TMS_PAR_1 

Router(config-pmap-c)# end 

What to Do Next

The next step is to attach the policy map to the global TMS controller or consumer process. Proceed to the next section to see more information.

Attaching the Service Policy to a Global TMS Controller Process

The TMS type service policy that was configured in the first three configuration tasks is attached to a global TMS controller process in this task.

Configuring the TMS Controller Identifier

The identifier command is configured to assign a unique ID number to a TMS controller. In Cisco IOS Release 12.4(6)T, only a single controller can be configured in each group. Identifier configuration is required only when multiple controllers are configured in a single TMS group.

Prerequisites

•A TMS type service policy has been configured.

•TIDP is operational on the controller and all consumers.

Restrictions

•Only a single TMS type policy map can be attached to the global TMS controller or consumer process. However, you can configure multiple TMS type class maps and associate these maps under the same TMS type policy map. Each class map can be configured with the same parameter map or a different parameter map.

SUMMARY STEPS

1. enable

2. configure terminal

3. tms controller

4. service-policy type tms {policy-map}

5. identifier {number}

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	tms controller Example: Router(config)# tms controller	Configures a networking device as a TMS controller.
Step 4	service-policy type tms {policy-map} Example: Router(cfg-tms-ctrl)# service-policy type tms TMS_POL_1	Attaches a TMS type service policy to a TMS consumer process.
Step 5	identifier {number} Example: Router(cfg-tms-ctrl)# identifier 1000	(Optional) Configures a unique identifier for a TMS controller. •A number from 1 to 4294967295 can be entered for the number argument. Note This configuration step is not required in Cisco IOS Release 12.4(6)T.
Step 6	end Example: Router(cfg-tms-cons)# end	Exits TMS consumer configuration mode, and enters privileged EXEC mode.

Examples

The following example, starting in global configuration mode, configures a global TMS controller process, attaches a TMS type policy map:

Router(config)# tms controller 

Router(cfg-tms-ctrl)# service-policy type tms TMS_POL_1 

Router(cfg-tms-ctrl)# end 

Troubleshooting Tips

If the controller is unable to send threat messages to the consumer, perform the following steps:

1. Verify the registration status of the consumers by entering the show tms controller command. A registered consumer will be listed as "Registered Successfully" in the "Status" column. If the Status column displays "Configured Available", then the controller is activated and waiting for a consumer to send a registration message.

2. If a consumer does not register successfully, use the ping command to send extended pings to the consumer to verify reachability.

3. If the consumer is reachable from the controller, enter the tms consumer register command on the consumer.

4. If the controller and consumers are properly configured and reachable via TCP/IP but the consumer is still unable to register with the controller, enable the debug tms controller error command to display related error messages.

What to Do Next

A TMS type policy map must also be attached to a global TMS consumer process. Proceed to the next section to see more information.

Attaching the Service Policy to a Global TMS Consumer Process

The TMS type service policy that was configured in the first three configuration tasks is attached to a global TMS consumer process in this task. Attaching the service policy activates a TMS consumer.

Consumer Registration

The TMS consumer must register with the TMS controller before the controller can send Threat Information Messages (TIMs). Implicit registration requests are automatically sent to the controller when a TMS type service policy is activated on the consumer.

By default, a TMS consumer sends a registration request message to the TMS controller once every 3 minutes for up to 3 times or until successfully registered. If the consumer is a member of multiple groups, it will send a separate registration request messages to the controller of each group.

---

Tip Explicit registration is configured by entering the tms consumer registration command on a TMS consumer in privileged EXEC mode. This command is unaffected by registration timer configuration and can be used to register the consumer with the controller at any time.

---

Configuring Device Exceptions

The exception access-group command is configured to attach a local device exception to a TMS consumer process. A local device exception is an override configured on the TMS consumer that negates a enforcement action sent from the TMS controller or from a TMS Rules Engine configuration (mitigation type service policy) configured on the TMS consumer.

For example, traffic from the 192.168.1.0/24 network is considered to be suspect. So, an ACL drop mitigation enforcement action is configured for all traffic sourced from this network. However, a device with a host address in this range (192.168.1.55) needs to transit over a specific consumer. A local device exception is configured on the consumer to override ACL drop enforcement action.

The device exception is configured locally. A host IP address (or any other subset of the network) is defined in an extended access list and then referenced by the exception access-group command. The tms-class command is configured to associate an interface with the device exception. The enforcement action configured on the controller is not applied to traffic that is permitted by the access list.

Prerequisites

•A TMS type service policy has been configured.

•TIDP is operational on the controller and all consumers.

Restrictions

•Only a single TMS type policy map can be attached to the global TMS controller or consumer process. However, you can configure multiple TMS type class maps and associate these maps under the same TMS type policy map. Each class map can be configured with the same parameter map or a different parameter map.

SUMMARY STEPS

1. enable

2. configure terminal

3. tms consumer

4. service-policy type tms {policy-map}

5. exception access-group {extended-acl}

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	tms consumer Example: Router(config)# tms consumer	Enters TMS consumer configuration mode to configure a consumer.
Step 4	service-policy type tms {policy-map} Example: Router(cfg-tms-cons)# service-policy type tms TMS_POL_1	Binds a TMS type service policy to a TMS consumer process.
Step 5	exception access-group {named-acl} Example: Router(cfg-tms-cons)# exception access-group NAMED_ACL	Configures a device exception in a global TMS consumer configuration.
Step 6	end Example: Router(cfg-tms-cons)# end	Exits TMS consumer configuration mode, and enters privileged EXEC mode.

Examples

The following example, starting in global configuration mode, configures a global TMS consumer process, attaches a TMS type policy map, and configures a device exception:

Router(config)# ip access-list extended NAMED_ACL 

Router(config-ext-nacl)# permit tcp host 192.168.1.55 any 

Router(config-ext-nacl)# exit 

Router(config)# interface Ethernet 0/0 

Router(config-if)# ip access-group NAMED_ACL in 

Router(config-if)# tms-class 

Router(config-if)# exit 

Router(config)# tms consumer 

Router(cfg-tms-cons)# exception access-group NAMED_ACL 

Router(cfg-tms-cons)# service-policy type tms TMS_POL_1 

Router(cfg-tms-cons)# end 

Troubleshooting Tips

If the consumer does not receive threat messages from the controller, perform the following steps:

1. Verify the registration status of the consumer by entering the show tms consumer command. A registered consumer will be listed as "Registered Successfully" in the "Status" column. If logging is enabled, the syslog output will show registered consumers as REGISTERED.

2. If a consumer does not register successfully, use the ping command to send extended pings to the controller (defined in the TMS type parameter map) to verify reachability.

3. If the controller is reachable from the consumer, use the tms consumer register command to explicitly register the consumer with the controller.

4. If the controller and consumers are properly configured and reachable via TCP/IP but the consumer is still unable to register with the controller, enable the debug tms consumer error command to display related error messages.

What to Do Next

A consumer must be registered with the controller to receive TIMs. Implicit registration occurs automatically when this task is completed. A consumer can be explicitly registered or deregistered at any time. Proceed to the next section to see more information.

Registering and Deregistering a TMS Consumer

This task is optional. The steps in this task shows how to register or deregister a consumer with a controller. All commands described in this section are entered in privileged EXEC mode.

Implicit Synchronization

Implicit synchronization (resync) messages are sent between the controller and consumer when the tms consumer register command is entered. Implicit synchronization ensures that the consumer has received all threats that have been configured its TMS group. Threats remain active until they are removed by the controller or until the consumer is deregistered.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

SUMMARY STEPS

1. enable

2. tms consumer register {group group-id controller ipv4 ip-address}

3. tms consumer deregister {group group-id controller ipv4 ip-address}

4. tms controller deregister {group group-id consumer ipv4 ip-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms consumer register {group group-id controller ipv4 ip-address} Example: Router# tms consumer register group 10 controller ipv4 10.1.1.1	(Required) Registers the consumer with a controller. This command is entered on a consumer. •The group-id is entered as a number from 1 to 4294967295.
Step 3	tms consumer deregister {group group-id controller ipv4 ip-address} Example: Router# tms consumer deregister group 10 controller ipv4 10.1.1.1	(Optional) Deregisters the consumer from a controller. This command is entered on a consumer. •Threats sent to a deregistered consumer are deleted.
Step 4	tms controller deregister {group group-id consumer ipv4 ip-address} Example: Router# tms controller deregister group 10 consumer ipv4 10.1.1.2	Deregisters the consumer from a controller. This command is entered on a controller. •Threats sent to a deregistered consumer are deleted.

Examples

The following example registers a TMS consumer with a TMS controller:

Router# tms consumer register group 10 controller ipv4 10.1.1.1 

The following example deregisters the 10.1.1.2 consumer from the controller:

Router# tms controller deregister group 10 consumer ipv4 10.1.1.2 

Troubleshooting Tips

If the consumer is unable to register with the controller, perform the following steps:

1. Verify registration status by entering the show tms controller command on the controller or the show tms consumer command on the consumer.

2. Use the ping command to send extended pings to the controller to verify reachability.

3. If the controller and consumers are properly configured and reachable via TCP/IP but the consumer is still unable to register with the controller, enable the debug tms consumer error command to display related error messages.

What to Do Next

At completion of this task, the framework and services for distributing threat messages is complete and operational. Proceed to the next section to see information on configuring a threat definition file.

Configuring an XML Threat Definition File

The steps in this task show how to configure an XML threat definition file. The threat definition file is a container for Threat Information Messages (TIMs). The threat definition file first is configured in a text or XML editor. The threat definition file loaded to the TMS controller. TIMs are then distributed to TMS consumers.

XML Version 1.0 Syntax

The syntax of the threat definition file must comply with Extensible Markup Language (XML) version 1.0 syntax. For information about version 1.0 XML syntax, refer to the following document:

•http://www.w3.org/TR/REC-xml/

Threat Definition File Syntax Guidelines

The following list describes required and optional syntax for the threat definition file:

•The threat file must contain descriptions for one or more threats

•Threat details are encoded in XML notation

•The threat file itself should begin with the following version encoding:

<?xml version="1.0" encoding="utf-8"?>

•XML tags are represented by bold text

•Attribute syntax is represented by italic text

•Each threat is uniquely identified by the owner ID, threat ID, and version number

•Each threat should start with a threat tag, which contains the owner/threat ID/version values

•The following XML tags are mandatory for every threat:

threat, threat_info, primitive and tcdf

•The following XML tags are optional for every threat:

condition and parameter

Threat File Tag Descriptions

This section describes required and optional XML tags.

threat (required)

The threat tag must follow the XML version tag. This tag has the following three required attributes:

threat_info (required)

The threat_info tag contains the Event Risk Rating (ERR) attribute. The ASR field in this tag is used to set the priority of the threat. The priority is configured with a number from 1 to 5. The priority implies no preference or hierarchy. It simply provides 5 levels of independent classification for threat messages.

---

Tip The ASR field maps directly to the match priority command. It is configured on the consumer to match the ASR field to a traffic class in a mitigation type service policy (TMS Rule Engine configuration).

---

---

Note In Cisco IOS Release 12.4(6)T, the threat priority cannot be configured in the TMS Rules Engine (mitigation type service policy). However, priority values can be with the match priority command.

---

primitive (required)

The primitive tag contains the primitive attribute. The primitive attribute defines the mitigation enforcement action: block, redirect, or a nonstandard (user-defined) primitive. The nonstandard primitive is configured with any string value. Block and redirect are standard primitives. Any other value is interpreted as a nonstandard.

---

Tip The primitive attribute maps directly to the match primitive command. It is configured on a consumer to match the mitigation enforcement action to a traffic class in a mitigation type service policy.

---

parameter (optional)

The parameter tag is a container for the next-hop variable of the mitigation enforcement action. The next-hop variable is defined in a nested redirect tag. The next hop is configured to route to a specific IPv4 host address or to the null0 interface (black hole).

The profile attribute is defined to configure the threat to take the next hop from a mitigation type parameter map configured on the consumer.

---

Tip The profile attribute maps directly to the name of the mitigation type parameter map configured on the TMS consumer. The variable command is configured in the parameter-map to define the next hop. The parameter tag can be configured with either the profile attribute or a nested redirect tag but not both.

---

condition (optional)

The condition tag is used to define a conditional enforcement rule on an interface for a mitigation action. The mitigation action is enforced on the interface when any condition (first match) or all conditions (strict match) are met.

•The condition tag should have at least one match tag.

•A match tag must be configured with the attribute of type "all" or "any."

•A match tag can contain nested match tags, or it can contain the device_class, sub_device_class, or host_locate optional tags.

The device_class tag is configured with an attribute name that identifies the router or networking device.

---

Note In Cisco IOS Release 12.4(6)T, "Router" is the only supported attribute name for the device_class tag.

---

The sub_device_class tag is configured with an attribute name that identifies an interface. This tag is used to associate one or more threats with one or more interfaces.

---

Tip The sub_device_class tag maps directly to the name argument of the tms-class command. The tms-class command is configured in interface configuration mode to associate an interface with an ACL drop enforcement action.

---

The host_locate tag is configured with the ipv4_address attribute. This attribute is entered with a valid IP version 4 (IPv4) address to identify a specific host. This tag is used to associate a specific host with a threat.

---

Tip The host_locate tag maps directly to the edge keyword of the tms-class command. This configuration is used to associate a host with a threat. The mitigation action is enforced only if the host is reachable from the interface when the edge keyword is configured.

---

tcdf (required)

The tcdf tag defines the traffic class for which the mitigation action that is enforced. This includes the classification match rule (strict or first) and the network (IP) and the transport (TCP or UDP) layer protocols that carry the traffic.

•Only one classification is allowed for each tag.

•Information attributes of the class, such as the name, are ignored.

•Attribute match="all" or match="any" are supported by TCDF.

•Only one match tag can be entered. The attribute for match, is type, which can take values "all" or "any'.

---

Note In Cisco IOS Release 12.4(6)T, only strict traffic class matching (match="all") is supported.

---

•Eq and range filters are supported.

•The attribute field can accept the following string values:

ip.src_addr

ip.dst_addr

ip.proocol

tcp.src_port

tcp.dst_port

udp.src_port

udp.dst_port

•The range filter can be configured for only TCP and UDP port numbers.

•The ip.protocol attribute can configured with only TCP and UDP values (6 and 17). When TCP is configured, tcp.src_port and tcp.dst_port range can be defined. When UDP is configured as the protocol, udp.src_port and udp.dst_port range can be defined.

---

Tip If the ip.protocol attribute is not specified, the traffic class is processed without regard to the transport layer protocol. Only the source and destination IP addresses are entered for this type of traffic class definition. Port numbers are not.

---

XML Threat Definition File Configuration Steps

Steps 5, 6, and 7 contain branching tasks. Each branching task shows an alternate configuration that can be applied for the given step.

---

Step 1 (Required) The threat file is configured with the version and encoding declaration.

<?xml version="1.0" encoding="utf-8"?> 

Step 2 (Required) The threat ID, owner ID, and version numbers are configured. The version must be incremented each time the threat is updated (replaced with a newer version).

<threat tid="1" owner="1000" version = "10"> 

</threat> 

Step 3 (Required) Threat information is configured. In this sample step, the ASR field is set to 3 (threat priority level).

<threat_info threat_name="NAME" 

             threat_text="THREATTEXT"

             mitigation_text="mitigaationtext" >

    <err ASR="3" SFR="20" ARR="30" TFR="40"  PD="50"></err>

    <threat_class name="tc1"> </threat_class>

    <threat_class name="tc2"> </threat_class>

</threat_info>

Step 4 (Required) The threat primitive is configured as a block, redirect, or nonstandard (user-defined) mitigation action.

<primitive name="redirect"> </primitive> 

Step 5 (Optional) The next-hop variable is set to a host IP address (172.16.1.1).

<parameter> 

    <redirect nexthop="172.16.1.1"> </redirect> 

</parameter>

Or

(Optional) The next-hop variable is set to the null0 interface (0.0.0.0).

<parameter> 

    <redirect nexthop="0.0.0.0"> </redirect> 

</parameter> 

Or

(Optional) The next-hop variable is determined by the configuration of the mitigation type parameter map configured on the TMS consumer (MIT_PAR_2).

<parameter profile="MIT_PAR_2"> </parameter> 

Step 6 (Optional) A first match conditional enforcement rule is configured. In this sample step, the mitigation action is enforced when suspect traffic travels over an interface tagged with the sub_device_class name (Ingress_Ethernet) or when suspect traffic travels over an interface that is reachable from the 10.2.2.2 host.

<condition>

    <match type="any"> 

        <match type="any"> 

            <host_locate ipv4_addr="10.2.2.2" >  </host_locate> 

            <device_class name="Router" > </device_class> 

        </match> 

        <match type="any"> 

            <device_class name="Router" > </device_class> 

		<sub_dev_class name="Ingress_Ethernet" > </sub_dev_class> 

        </match> 

    </match> 

</condition>

Or

(Optional) A strict match conditional enforcement rule is configured. In this sample step, the mitigation action is enforced only when suspect traffic travels over an interface that is reachable from the 10.2.2.2 host and is tagged with the sub_device_class name (Ingress_Ethernet).

<condition> 

    <match type="all"> 

        <host_locate ipv4_addr="10.2.2.2" >  </host_locate> 

        <device_class name="Router" > </device_class> 

        <sub_dev_class name="Ingress_Ethernet" > </sub_dev_class> 

    </match> 

</condition> 

Step 7 (Required) The traffic class is defined to specify suspect traffic. In this sample step, TCP is identified as the transport layer protocol. Specific source and destination IP addresses and port numbers are configured.

<tcdf>

   <class name="match-critera" type="access-control" match="all"> 

       <match>

           <eq field="ip.src_addr" value="192.168.7.66" mask="255.255.255.255"> </eq>

           <eq field="ip.dst_addr" value="10.3.3.3" mask="255.255.255.255"> </eq>

           <eq field="ip.protocol" value="6"> </eq>

            <range field=field="tcp.src_port" from="10" to="200">  </range>

            <range field="tcp.dst_port" from="50"> </range>

       </match>

   </class>

</tcdf> 

Or

(Required) In this sample step, UDP is identified as the transport layer protocol.

<tcdf>

   <class name="match-critera" type="access-control" match="all">

       <match>

           <eq field="ip.src_addr" value="192.168.7.66" mask="255.255.255.255"> </eq>

           <eq field="ip.dst_addr" value="10.3.3.3" mask="255.255.255.255"> </eq>

           <eq field="ip.protocol" value="17"> </eq>

            <range field=field="udp.src_port" from="1000" to="2000">  </range>

            <range field="udp.dst_port" from="5000"> </range>

       </match>

   </class>

</tcdf> 

Or

(Required) In this sample step, no transport layer protocol is defined. Only source and destination IP addresses are configured to identify suspect traffic.

<tcdf>

   <class name="match-critera" type="access-control" match="all">

       <match>

           <eq field="ip.src_addr" value="192.168.7.66" mask="255.255.255.255"> </eq>

           <eq field="ip.dst_addr" value="10.3.3.3" mask="255.255.255.255"> </eq>

        </match>

   </class>

</tcdf>

---

Tip Source and destination port number are not configured when a transport layer protocol is not specified.

---

---

What to Do Next

The threat definition file must be loaded to the controller before threats contained in the threat definition file can be sent to consumers. Proceed to the next section to see information on loading and unloading threats.

Loading a Threat Definition File on a TMS Controller

This task shows how to load a threat definition file on a TMS controller. The tms controller load threat command is entered in privileged EXEC mode to load an XML threat definition file to the TMS controller from a local storage device, such as ATA or linear flash memory. The file can also be loaded from a reachable host (using FTP, HTTPS, RCP, or TFTP protocols).

Loaded and Active Databases

Two databases are maintained on the controller: the "loaded" database and the "active" database. The tms controller load threat command is used to upload a threat definition file on the controller. Once the threat definition file has been loaded, individual threats contained within the threat definition file are placed in the "loaded" database for distribution to consumers. Threats are removed from the loaded database by entering the tms controller unload command. Entering this command does not remove the threat from the active database if the threat is active on at least one consumer.

A threat is placed in the "active" database when the tms controller send command is used to send one or more threats to one or more consumers. A threat remains in the active database as long as it is active on at least one consumer. An active threat can be removed from consumers by entering the tms controller reset command on the controller. Active threats can be removed on the consumer by entering clear tms consumer or by reloading the consumer.

Updating or Replacing a Loaded Threat

Each threat that is contained within a threat definition file is uniquely identified by the threat ID, owner ID, and version number. The controller uses the version field to ensure that the most recent threat is sent to consumers. A higher version number indicates a more current or newer threat.

To replace or update an existing threat in the loaded database, a modified threat definition file must be loaded to the controller. The threat contained within this file must have a higher number in the version field. If the version field is the same or contains a lower number, the updated threat will not be loaded.

To distribute the updated threat to TMS consumers, the older version of the threat must be removed from the active database. The tms controller reset command can be entered with the delete keyword to remove the threat from all consumers.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more TIMs has been created.

•The threat definition file has been copied to flash memory on the controller or is accessible on a reachable host.

Restrictions

•There is no limit on the number of threats that can be loaded on to the controller. However, the amount of memory required is dependent on the number consumers, the number of threats, and the number of other processes that run on the router or network device.

SUMMARY STEPS

1. enable

2. tms controller load threat {file-source}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms controller load threat {file-source} Example: Router#_tms controller load threat disk0: THREAT_DEFINITION_FILE	(Required) Loads a threat definition file on to a TMS controller. •The threat definition file can be loaded from a local file system, such as flash memory, or it can be loaded from a reachable host over the network.

Examples

The following example loads a threat definition file from local flash memory:

Router# tms controller load threat disk0: THREAT_FILE 

The following example loads a threat definition file from a TFTP server:

Router# tms controller load threat tftp://172.16.1.1/THREAT_DEFINITION_FILE 

Troubleshooting Tips

If there is a problem loading or unloading an XML threat definition file, the debug tms controller xml error command can be enabled to configure the router to print related error messages.

What to Do Next

The threat message is not activated until it is sent to TMS consumers. Proceed to the next section to see more information.

Sending Threat Information Messages from the Controller to a TMS Consumer

This task shows how to send a TIM to TMS consumers. A single threat, a range of threats, or all threats can be sent. The threat can be sent to a single group or all groups. The start time when the threat is activated and the duration of the threat are configurable. The tms controller send command is entered in privileged EXEC mode.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more TIMs has been put in the loaded database on the controller.

SUMMARY STEPS

1. enable

2. tms controller send {group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address} [start_time seconds] [duration seconds]}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms controller send {group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address} [start_time seconds] [duration seconds]} Example: Router# tms controller send group 10 owner 1000 tid 100 consumer all duration 3600	Configures a TMS controller to send a threat definition file to TMS consumers.

Examples

The following example sends threat ID 100 to all consumers in TIDP group 10. The threat will remain active for 1 hour.

Router# tms controller send group 10 owner 1000 tid 100 consumer all duration 3600 

Troubleshooting Tips

If the controller is unable to send threat messages to the consumer, perform the following steps:

1. Verify the registration status of the consumers by entering the show tms controller command. A registered consumer will be listed as "Registered Successfully" in the "Status" column. If the Status column displays "Configured Available", then the controller is activated and waiting for a consumer to send a registration message.

2. If a consumer does not register successfully, use the ping command to send extended pings to the consumer to verify reachability.

3. If the consumer is reachable from the controller, enter the tms consumer register command on the consumer.

4. If the controller and consumers are properly configured and reachable via TCP/IP but the consumer is still unable to register with the controller, enable the debug tms controller error command to display related error messages.

What to Do Next

Proceed to the next section to see information about synchronizing the threat status on a consumer with other consumers in a TMS group.

Synchronizing the Threat Status of a Consumer with the TMS Group

This task is optional. This task shows how to synchronize the threat status on a consumer with the threat status on other consumers. This command is entered to ensure that the consumer has received all messages that have been sent to the TMS group. The tms consumer resync command is entered in privileged EXEC mode.

Implicit Synchronization

Implicit synchronization (resync) messages are sent between the controller and consumer when the tms consumer register command is entered. Implicit synchronization ensures that the consumer has received all threats that have been configured its TMS group. Threats remain active until they are removed by the controller or until the consumer is deregistered.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more TIMs has been put in the loaded database on the controller.

SUMMARY STEPS

1. enable

2. tms consumer resync {group group-id owner {owner-id | any} tid {threat-id [- number] | all} controller ipv4 ip-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms consumer resync {group group-id owner {owner-id | any} tid {threat-id [- number] | all} controller ipv4 ip-address} Example: Router# tms consumer resync group 10 owner any tid all controller ipv4 10.1.1.1	(Optional) Synchronizes a TMS consumer with a TMS controller. •The example synchronizes all threats from any owner that were sent to TIDP group 10.

Examples

The following example synchronizes all threats from any owner that were sent to TIDP group 10.

Router# tms consumer resync group 10 owner any tid all controller ipv4 10.1.1.1 

Troubleshooting Tips

If you are unable to synchronize the consumer with the TMS group, perform the following steps:

1. Verify the threat status on the controller and consumers by entering the show tms controller and show tms consumer commands. Filter the output to display information about the group and threat ID numbers.

2. If the consumer is reachable from the controller, enter the tms consumer register command on the consumer.

3. If the controller and consumers are properly configured and reachable but the consumer is still unable to synchronize, enable the following debug commands to display related error messages:

–debug tms controller error or debug tms consumer error

–debug tms controller events or debug tms consumer events

–debug tms consumer feature-interface

---

Tip You can also process these messages through syslog by enabling the logging tms events command in a TMS type parameter map type.

---

What to Do Next

Proceed to the next section to see information about updating and removing threats on a consumer.

Managing Threat Information Messages on a Consumer from the Controller

This task is optional. This task shows how to activate, deactivate and delete threat messages on one or all consumers. The tms controller reset command is entered in privileged EXEC mode.

Updating or Replacing a Loaded Threat

Each threat that is contained within a threat definition file is uniquely identified by the threat ID, owner ID, and version number. The controller uses the version field to ensure that the most recent threat is sent to consumers. A higher version number indicates a more current or newer threat.

To replace or update an existing threat in the loaded database, a modified threat definition file must be loaded to the controller. The threat contained within this file must have a higher number in the version field. If the version field is the same or contains a lower number, the updated threat will not be loaded.

To distribute the updated threat to TMS consumers, the older version of the threat must be removed from the active database. The tms controller reset command can be entered with the delete keyword to remove the threat from all consumers.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more TIMs has been put in the loaded database on the controller.

SUMMARY STEPS

1. enable

2. tms controller reset {activate | delete | inactivate} group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms controller reset {activate | delete | inactivate} group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address} Example: Router# tms consumer reset activate group 10 owner 1000 tid 1000 consumer ipv4 10.1.1.2	Manages threat definition messages on a TMS consumer from the TMS controller. •A single peer or range of TIDP groups can be managed. •Threat definition files can be activated, deactivated, or deleted based on the group ID, owner ID, threat ID, or host address.

Examples

Threat Activation Example

The following example activates all threats on all consumers in all groups that belong to owner number 1000:

Router# tms controller reset activate group all owner 1000 tid all consumer all 

Threat Removal Example

The following example removes threats, 1 through 10, from the active database for all consumers in group 10:

Router# tms controller reset delete group 10 owner 1000 tid 1 - 10 consumer all 

Threat Deactivation Example

The following example deactivates threats, 1 through 10, from the active database for all consumers in group 10:

Router# tms controller reset inactivate group 10 owner 1000 tid 1 - 10 consumer all 

Troubleshooting Tips

If you are unable to manage threats on a consumer, perform the following steps:

1. Verify the threat status on the controller and consumers by entering the show tms controller and show tms consumer commands. Filter the output to display information about the group and threat ID numbers.

2. If the consumer is reachable from the controller, enter the tms consumer register command on the consumer.

3. If the controller and consumers are properly configured and reachable but the consumer is still unable to synchronize, enable the following debug commands to display related error messages:

–debug tms controller error or debug tms consumer error

–debug tms controller events or debug tms consumer events

–debug tms consumer feature-interface

---

Tip You can also process these messages through syslog by enabling the logging tms events command in a TMS type parameter map type.

---

What to Do Next

Proceed to the next section to see information about sending a status request message to a consumer.

Sending a Status Request Message to Consumers from the TMS Controller

This task is optional. This task shows how to send a status request message from a controller to a consumer or group of consumers. The consumer must be registered to receive this message. In response, the consumer sends information about one or all threats to the controller. The tms controller status command is entered in privileged EXEC mode.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more threat information messages has been loaded on the controller.

SUMMARY STEPS

1. enable

2. tms controller status {group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address}}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms controller status {group {group-id | all} owner owner-id tid {threat-id [- number] | all} consumer {all | ipv4 ip-address}} Example: Router# tms controller status group 10 owner 1000 tid 1 consumer ipv4 10.1.1.2	Sends a status request message to a TMS consumer from the TMS controller.

Examples

The following example sends a status request message for information about all threats from owner 1000:

Router# tms controller status group all owner 1000 tid all consumer all 

The following example sends a status request message to the 10.1.1.2 consumer in group 10 for information threats, 1 through 10:

Router# tms controller status group 10 owner 1000 tid 1 - 10 consumer ipv4 10.1.1.2 

Troubleshooting Tips

If you are unable to send a status request message to a consumer, perform the following steps:

1. Verify the threat status on the controller and consumers by entering the show tms controller and show tms consumer commands. Filter the output to display information about the group and threat ID numbers.

2. If the consumer is reachable from the controller, enter the tms consumer register command on the consumer.

3. If the controller and consumers are properly configured and reachable but the consumer is still unable to synchronize, enable the following debug commands to display related error messages:

–debug tms controller error or debug tms consumer error

–debug tms controller events or debug tms consumer events

–debug tms consumer feature-interface

---

Tip You can also process these messages through syslog by enabling the logging tms events command in a TMS type parameter map type.

---

What to Do Next

Proceed to the next section to see information about unloading threat messages from the loaded database.

Unloading a Threat Information Messages from the Loaded Database

This task is optional. This task shows how to unload a TIM from the "loaded" database. The tms controller unload command is entered on a TMS controller in privileged EXEC mode.

Loaded and Active Databases

Two databases are maintained on the controller: the "loaded" database and the "active" database. The tms controller load threat command is used to upload a threat definition file on the controller. Once the threat definition file has been loaded, individual threats contained within the threat definition file are placed in the "loaded" database for distribution to consumers. Threats are removed from the loaded database by entering the tms controller unload command. Entering this command does not remove the threat from the active database if the threat is active on at least one consumer.

A threat is placed in the "active" database when the tms controller send command is used to send one or more threats to one or more consumers. A threat remains in the active database as long as it is active on at least one consumer. An active threat can be removed from consumers by entering the tms controller reset command on the controller. Active threats can be removed on the consumer by entering clear tms consumer or by reloading the consumer.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A threat definition file that contains one or more TIMs has been put in the loaded database on the controller.

SUMMARY STEPS

1. enable

2. tms controller unload {owner owner-id tid {threat-id [- number] | all}}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	tms controller unload {owner owner-id tid {threat-id [- number] | all}} Example: Router# tms controller unload owner 10 tid 1-10	(Optional) Unloads a threat definition file from a TMS controller. •The owner-id argument is entered as a number from 1 to 65535 •The threat-id argument is entered as a number from 1 to 65535. A range of threat ID numbers can configured by entering a hyphen and an ascending number.

Examples

The following example unloads threats, 1 through 10, from the loaded database on a TMS controller:

Router#_tms controller unload owner 1000 tid 1 - 10 threat 

Troubleshooting Tips

If there is a problem loading or unloading an XML threat definition file, enabling the debug tms controller xml error command will configured the router to print related error messages.

What to Do Next

At completion of this procedure, all configuration tasks that are performed on a controller are complete. The remain configuration tasks are performed on a consumer. Proceed to the next see information about configuring the TMS Rules Engine on a consumer.

Configuring the TMS Rules Engine on a Consumer

This task is optional. The steps in this task show how to configure the TMS Rules Engine. The TMS Rules Engine is configured using a mitigation type service policy.

The TMS Rules Engine is used to configure a mitigation enforcement action directly on a consumer to override an enforcement action sent from the controller. The following tasks are performed in this section:

•The mitigation traffic class is defined in a class map

•The next hop variable is defined in parameter map

•A mitigation type policy map is configured to bind the class and parameter maps

•The mitigation type service policy is associated with the TMS type policy map

Mitigation Type Service Policy

The mitigation type service policy is configured only on the consumer. It is used to customize or override mitigation enforcement actions sent by the controller. The TMS Rules Engine is used to configure an ACL drop, an ignore, or a redirect enforcement action. Only one action can configured for each mitigation type traffic class.

This type of service policy is created by configuring and linking mitigation type parameter and class maps to a mitigation type policy map. The class map is configured to define threat primitive and priority traffic matching conditions (as a class of traffic). The parameter map is configured to apply a next-hop variable to the class of traffic. The class and parameter maps are attached to a mitigation type policy map. The mitigation type service policy is activated by attaching the mitigation type policy map to a TMS type policy map, which is attached to the global TMS consumer process.

ACL Drop Rule

The ACL drop rule is configured to drop packets that are permitted by a predefined extended access-list. The ip access-group command is configured to attach the access list to the interface. The tms-class command is configured to associate the interface with the ACL drop enforcement action.

Ignore Rule

The ignore rule configures the TMS Rules Engine to ignore (not carry out any action for) a mitigation enforcement action defined for the matching traffic class. The traffic class is defined by the primitive and/or priority configured in a mitigation type class map.

Redirect Rule

The redirect rule is configured to redirect traffic to an explicitly defined IPv4 host, to a null interface or to an IPv4 host defined in a variable. The variable is initialized under the mitigation parameter-map using the variable command. If no destination is configured, the TMS Rules Engine will first check the threat information message (associated with the mitigation class map). If a destination cannot be derived from the threat information message, then the mitigation type parameter map is checked (if one is configured and attached to the mitigation type service policy).

If a next-hop IP address, null interface, or user-defined variable is not configured, the next hop variable must be defined in a mitigation type parameter map and then associated under the policy map with the source parameter command, or the parameter-map name must be specified in the profile attribute entered under the parameter tag in the threat definition file.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

•A TMS type service policy has been configured and attached to the global TMS consumer process.

Restrictions

•Only one mitigation enforcement action can configured for each mitigation type traffic class.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type mitigation {[match-all | match-any] name}

4. match priority {number}

5. match primitive {any | block | redirect | any-string}

6. exit

7. parameter-map type mitigation {name}

8. variable name {ipv4 ip-address | null0}

9. exit

10. policy-map type control mitigation {name}

11. class {class-name | class-default}

12. acl drop

13. ignore

14. redirect route {next-hop-ip-address | null | $-variable}

15. source parameter{parameter-map}

16. exit

17. exit

18. policy-map type control mitigation {name}

19. service-policy {policy-map}

20. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	class-map type mitigation {[match-all | match-any] name} Example: Router(config)# class-map type mitigation MIT_CLASS_1	Configures a mitigation class map. Note Match all is default behavior if no optional keywords are configured.
Step 4	match priority {number} Example: Router(config-cmap)# match priority 4	Configures the traffic class to match the priority level of a mitigation enforcement action.
Step 5	match primitive {any | block | redirect | any-string} Example: Router(config-cmap)# match primitive block	Configures the traffic class to match the primitive (mitigation enforcement action.)
Step 6	exit Example: Router(config-cmap)# exit	Exits class map configuration mode, and enters global configuration mode.
Step 7	parameter-map type {mitigation name | tms name} Example: Router(config)# parameter-map type mitigation MIT_PAR_1	Configures a mitigation type parameter map.
Step 8	variable name {ipv4 ip-address | null0} Example: Router(config-profile)# variable nexthop ipv4 192.168.1.1	Defines the next-hop variable in the mitigation type parameter map.
Step 9	exit Example: Router(config-profile)# exit	Exits parameter-map configuration mode, and enters global configuration mode.
Step 10	policy-map type control mitigation {name} Example: Router(config)# policy-map type control mitigation MIT_POL_1	Configures a mitigation type policy map.
Step 11	class {class-name | class-default} Example: Router(config-pmap)# class MIT_CLASS_1	Attaches the mitigation traffic class to the policy map. •The class-name argument must be configured in this step.
Step 12	redirect route {next-hop-ip-address | null | $-variable} Example: Router(config-pmap-c)# redirect route	(Optional) Configures a redirect enforcement action in a mitigation type policy map. •The next hop is configured as specific IP address, the null 0 interface, or a user-defined variable. •If a user-defined variable is entered, the variable string must start with the $ character.
Step 13	acl drop Example: Router(config-pmap-c)# acl drop	(Optional) Configures an access list drop enforcement action. •The drop action is based on a predefined named access list.
Step 14	ignore Example: Router(config-pmap-c)# ignore	(Optional) Configures TMS to ignore the enforcement action.
Step 15	source parameter {parameter-map} Example: Router(config-pmap-c)# source parameter MIT_PAR_1	Attaches a mitigation type parameter map in a policy-map class configuration.
Step 16	exit Example: Router(config-pmap-c)# exit	Exits policy-map class configuration mode, and enters policy-map configuration mode.
Step 17	exit Example: Router(config-pmap)# exit	Exits policy-map configuration mode, and enters global configuration mode.
Step 18	policy-map type control {mitigation name | tms name} Example: Router(config)# policy-map type control tms TMS_POL_1	Configures the TMS type policy map.
Step 19	class {name} Example: Router(config-pmap)# class MIT_CLASS_1	Configures the TMS type class under the policy map. Note The TMS type class-map configuration is not shown in this task table.
Step 20	service-policy {policy-map} Example: Router(config-pmap-c)# service policy MIT_POL_1	Attaches the mitigation type policy map to the TMS type policy map. Note A TMS type policy map that has a mitigation type policy map attached cannot be attached to a global TMS controller process.
Step 21	end Example: Router	Exits policy-map class configuration mode, and enters privileged EXEC mode.

Examples

ACL Drop Rule Example

The following example, starting in global configuration mode, configures an ACL drop enforcement action. Traffic that matches the extended access list (172.16.1/24) is dropped.

Router(config)# ip access-list extended 100 

Router(config-ipacl)# permit ip 172.16.1.0 0.0.0.255 any 

Router(config-ipacl)# exit 

Router(config)# interface Ethernet 0/0 

Router(config-if)# ip access-group 100 in 

Router(config-if)# tms-class 

Router(config-if)# exit 

Router(config)# class-map type mitigation match-all MIT_CLASS_1 

Router(config-cmap)# match priority 3 

Router(config-cmap)# match primitive block 

Router(config-cmap)# exit 

Router(config)# policy-map type control mitigation MIT_POL_1 

Router(config-pmap)# class MIT_CLASS_1 

Router(config-pmap-c)# acl drop 

Router(config-pmap-c)# end 

Blackhole (Redirect) Rule Example

The following example, starting in global configuration mode, configures the TMS Rules Engine to send priority 5 redirect threat mitigation traffic to a null interface (black hole):

Router(config)# parameter-map type mitigation MIT_PAR_2 

Router(config-profile)# variable RTBH NULL0 

Router(config-profile)# exit 

Router(config)# class-map type mitigation match-all MIT_CLASS_2 

Router(config-cmap)# match priority 5 

Router(config-cmap)# match primitive redirect 

Router(config-cmap)# exit 

Router(config)# policy-map type control mitigation MIT_POL_2 

Router(config-pmap)# class MIT_CLASS_2 

Router(config-pmap-c)# source parameter MIT_PAR_2 

Router(config-pmap-c)# redirect route $RTBH 

Router(config-pmap-c)# end 

Collection (Redirect) Rule Example

The following example, starting in global configuration mode, configures the TMS Rules Engine to set the next hop variable to 192.168.1.1 for traffic that matches the mitigation class (priority 1 traffic and any primitive):

Router(config)# class-map type mitigation MIT_CLASS_3 

Router(config-cmap)# match primitive any 

Router(config-cmap)# match priority 1 

Router(config-cmap)# exit 

Router(config)# parameter-map type mitigation MIT_PAR_3 

Router(config-profile)# variable COLLECTION ipv4 192.168.1.1 

Router(config-profile)# exit 

Router(config)# policy-map type control mitigation MIT_POL_3 

Router(config-pmap)# class MIT_CLASS_3 

Router(config-pmap-c)# source parameter MIT_PAR_3 

Router(config-pmap-c)# end 

Ignore Example

The following example, starting in global configuration mode, configures a TMS consumer to ignore a priority 5 redirect primitive:

Router(config)# parameter-map type mitigation MIT_PAR_4 

Router(config-profile)# variable RTBH NULL0 

Router(config-profile)# exit 

Router(config)# class-map type mitigation match-all MIT_CLASS_4 

Router(config-cmap)# match priority 5 

Router(config-cmap)# match primitive redirect 

Router(config-cmap)# exit 

Router(config)# policy-map type control mitigation MIT_POL_4 

Router(config-pmap)# class MIT_CLASS_4 

Router(config-pmap-c)# source parameter MIT_PAR_4 

Router(config-pmap-c)# ignore 

Router(config-pmap-c)# end 

Activating the TMS Rules Engine Example (Complete Configuration)

The following example, starting in global configuration mode, creates a Rules Engine configuration and activates it under the global TMS consumer process:

Router(config)# class-map type mitigation MIT_CLASS_3 

Router(config-cmap)# match primitive block 

Router(config-cmap)# match priority 1 

Router(config-cmap)# exit 

Router(config)# parameter-map type mitigation MIT_PAR_3 

Router(config-profile)# variable COLLECTION ipv4 192.168.1.1 

Router(config-profile)# exit 

Router(config)# policy-map type control mitigation MIT_POL_3 

Router(config-pmap)# class MIT_CLASS_3 

Router(config-pmap-c)# redirect route 

Router(config-pmap-c)# source parameter MIT_PAR_3 

Router(config-pmap-c)# exit 

Router(config-pmap)# exit 

Router(config)# policy-map type control tms TMS_POL_1 

Router(config-pmap)# class TMS_CLASS_1 

Router(config-pmap-c)# mitigation TMS_PAR_1 

Router(config-pmap-c)# service-policy MIT_POL_3 

Router(config-pmap-c)# exit 

Router(config-pmap)# exit 

Router(config)# tms consumer 

Router(config-cons)# service-policy type tms TMS_POL_1 

Router(config-cons)# end 

Troubleshooting Tips

Troubleshooting Strict Match Mitigation Policies

The TMS Rules Engine provides a flexible mechanism to match TIMs on the TMS consumer. A match policy can be configured to match any (first) threat priority or primitive or to match all (strict).

Match all is the default when a mitigation type class map is configured without entering either optional keyword. This, as the name implies, is a strict match that requires all elements to match in order for the rule to be processed. Therefore, it is possible to configure a strict match that cannot function because it is impossible to match all elements. The following example illustrates this point:

class-map type mitigation MIT_CLASS 

  match primitive block 

  match primitive redirect 

  match priority 2 

  match priority 3 

The above configuration uses a default match-all rule because no keyword is entered. The match-all rule invalidates the above configuration because no threat can satisfy all match criteria (block and redirect).

This configuration can be corrected by configuring the class map with the match-any keyword, as shown in the following configuration:

class-map type mitigation match-any MIT_CLASS 

  match primitive block 

  match primitive redirect 

  match priority 2 

  match priority 3 

The above configuration could be configured with a match-all rule if either the block or redirect primitive is removed.

General TMS Rules Engine Troubleshooting

The Rules Engine configuration can be verified by entering the show tms consumer and show tms controller commands. If the enforcement action is not applied, you can enable the debug tms consumer feature-interface command to print error messages to help determine if the correct feature interface is called (ACL or OER).

What to Do Next

In this task, the TMS Rules Engine was configured to override a threat enforcement action on the consumer. Proceed to the next section to see information on excluding a device from TMS control.

Configuring Local Device Exceptions on a Consumer

This task is optional. The steps in this task show how to configure local device exceptions. Local device exceptions are configured on TMS consumers only. A local device exception is an override configured for a specific host IP address or network. The TMS consumer negates a mitigation enforcement action sent from the controller or from a mitigation type service policy configured on the consumer.

For example, traffic from the 192.168.1.0/24 network is considered to be suspect. So, an ACL drop enforcement action is configured for all traffic sourced from this network. However, a device with a host address in this range (192.168.1.55) needs to transit over a specific consumer. A local device exception is configured on the consumer to override ACL drop enforcement action.

A host IP address (or any other subset of the network) is defined in an extended access list and then referenced by the exception access-group command. The tms-class command is configured to associate an interface with the device exception. The enforcement action configured on the controller is not applied to traffic that is permitted by the access list.

Prerequisites

•TIDP and TMS is operational on the controller and all consumers.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list {standard | extended}[access-list-name | access-list-number]

4. [sequence-number] permit | deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

5. exit

6. interface {type | number}

7. ip access-group {access-list-number | access-list-name}{in | out}

8. tms-class

9. exit

10. tms consumer

11. exception access-group {extended-acl}

12. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip access-list {standard | extended}[access-list-name | access-list-number] Example: Router(config)# ip access-list extended NAMEDACL	Specifies the IP access list type, and enters the corresponding access list configuration mode. •A named or numbered extended access list must be configured in this step.
Step 4	[sequence-number] permit | deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments] Example: Router(config-ext-nacl)# permit tcp host 192.168.1.55 any	Defines the criteria for which the access list will permit or deny packets. •A host IP address or any subset of the network can be configured.
Step 5	exit Example: Router(config-ext-nacl)# exit	Exits named access list configuration mode, and enters global configuration mode.
Step 6	interface {type | number} Example: Router(config)# interface Ethernet 0/0	Enters interface configuration mode to configure an interface.
Step 7	ip access-group {access-list-number | access-list-name}{in | out} Example: Router(config-if)# ip access-group NAMED_ACL in	Applies an access list to the interface.
Step 8	tms-class Example: Router(config-if)# tms-class	Associates the interface with the device exception.
Step 9	exit Example: Router(config-if)# exit	Exits interface configuration mode, and enters global configuration mode.
Step 10	tms consumer Example: Router(config)# tms consumer	Enters TMS consumer configuration mode to configure a consumer.
Step 11	exception access-group {named-acl} Example: Router(cfg-tms-cons)# exception access-group NAMED_ACL	Defines the extended access list as the source criteria for the device exception under the global TMS consumer process.
Step 12	end Example: Router(cfg-tms-cons)# end	Exits TMS consumer configuration mode, and enters privileged EXEC mode.

Examples

The following example, starting in global configuration mode, configures an device exception for the 192.168.1.55 host address:

Router(config)# ip access-list extended NAMED_ACL 

Router(config-ext-nacl)# permit tcp host 192.168.1.55 any 

Router(config-ext-nacl)# exit 

Router(config)# interface Ethernet 0/0 

Router(config-if)# ip access-group NAMED_ACL in 

Router(config-if)# tms-class 

Router(config-if)# exit 

Router(config)# tms consumer 

Router(cfg-tms-cons)# exception access-group NAMED_ACL 

Router(cfg-tms-cons)# service-policy type tms TMS_POL_1 

Router(cfg-tms-cons)# end 

Troubleshooting Tips

If the interface is operational and the device exception is properly configured, you can enable the debug tms consumer feature-interface command to print error messages to help determine if the correct feature interface is called (ACL or OER).

What to Do Next

At completion of this task, all procedures related to TMS configuration and management have been completed. Proceed to the following sections to see information about using TMS clear, show, and debug commands.

Clearing Threat Information Messages on a Consumer

This task is optional. This task shows how to clear threat information messages on a TMS consumer. The clear tms consumer group command is entered in privileged EXEC mode. Entering this command on a consumer has an effect similar to entering the tms controller reset command from the TMS controller.

SUMMARY STEPS

1. enable

2. clear tms consumer group {group-id | all} owner {owner-id | any} tid {threat-id [- number] | all}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	clear tms consumer group {group-id | all} owner {owner-id | any} tid {threat-id [- number] | all} Example: Router# clear tms consumer group all owner any tid all	Clears threat information messages on a TMS consumer.

Examples

The following example clears all threat information messages:

Router# clear tms consumer group all owner any tid all 

Troubleshooting Tips

The show tms controller and show tms consumer commands can be entered to verify that the clear command was successful.

What to Do Next

Proceed to the next section to see information on verifying TMS configuration.

Verifying TMS Configuration and Threat Status on a Controller or Consumer

This task is optional. This task shows how to verify TMS configuration on a controller or consumer using TMS show commands. All commands described in this section are entered in privileged EXEC mode.

SUMMARY STEPS

1. enable

2. show tms consumer

3. show tms consumer group {group-id [owner {owner-id | any}] tid {threat-id | all} [controller ipv4 ip-address] [verbose] | threats] | all owner {owner-id | any} tid {threat-id | all} [controller ipv4 ip-address] [verbose]}

4. show tms controller

5. show tms controller group {group-id [owner {owner-id | any}] tid {threat-id | all} [controller ipv4 ip-address] [verbose] | threats] | all owner {owner-id | any} tid {threat-id | all} [controller ipv4 ip-address] [verbose]}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	show tms consumer Example: Router# show tms consumer	Displays information about TMS consumer registration, TIDP membership, and TMS controllers.
Step 3	show tms consumer group {group-id [owner {owner-id | any}] tid {threat-id | all} [consumer ipv4 ip-address] [verbose] | threats] | all owner {owner-id | any} tid {threat-id | all} [controller ipv4 ip-address] [verbose]} Example: Router# show tms consumer group all owner any tid all verbose	Displays information about threats sent to the specified consumer groups.
Step 4	show tms controller Example: Router# show tms controller	Displays information about TMS consumer registration and TIDP membership.
Step 5	show tms controller group {group-id [owner {owner-id | any}] tid {threat-id | all} [controller ipv4 ip-address] [verbose] | threats] | all owner {owner-id | any} tid {threat-id | all} [controller ipv4 ip-address] [verbose]} Example: Router# show tms controller group 10	Displays information about TMS controller groups.

Examples

show tms consumer example

The following example is sample output from the show tms consumer command:

Router# show tms consumer 

TMS Interface details

Interface    Edge    SubDeviceClass

---------    ----    --------------

    Fa0/0

    Fa0/1    Edge

TIDP-Group    TMS-Controller-IP       Status

----------    -----------------       ------

10            10.11.11.55             Registered Successfully 

20            10.11.11.55             Registered Successfully

show tms consumer group examples

The following is sample output from the show tms consumer group command.

Router# show tms consumer group all owner any tid all verbose 

OwnerID   TID   Ver  Group       Controller       Status        ActionTaken

-------   ---   ---  ------      -----------      ------        ------------

1         1     1    10          10.1.1.1         Active        Redirect 172.16.1.1

1         2     1    10          10.1.1.1         Active        Redirect NULL

1         3     1    10          10.1.1.1         Inactive      Threat Inactive

2         10    1    10          10.1.1.1         Active        ACL-Drop

2         20    1    10          10.1.1.1         Active        ACL-Drop

The following example is sample output from the show tms consumer group command entered with the threats keyword:

Router# show tms consumer group 10 threats 

TIDP Group 10 

Number of Threats : 13 

#sh tms controller group 10 threats                      

TIDP Group 10 ptr 656C4848

Number of Threats : 1

OwnerID     TID      Ver    State

-------     ---      ---    -----

1           10       1      Active

show tms controller example

The following is sample output from the show tms controller command:

Router# show tms controller 

TIDP-Group     TMS-Consumer-IP        Status

----------    -----------------       ------

10            10.3.3.2                 Registered Successfully

10            10.1.1.2                 Registered Successfully

20            10.3.3.2                 Registered Successfully

20            10.1.1.2                 Registered Successfully

show tms controller group example

The following is sample output from the show tms controller group command:

Router# show tms controller group 10 

TMS-Controller# show tms controller group all owner any tid all verbose     

OwnerID     TID   Ver  Group     Consumer      Status           ActionTaken 

--------   ----  ---- ------     ---------     --------         -------------- 

1          1      1                            Load  Active 

1          1      1    10        10.1.1.2            Active     Redirect 172.16.1.1

1          2      1                            Load  Active 

1          2      1    10        10.1.1.2            Active     Redirect NULL 

1          3      1                            Load  Active 

1          3      1    10        10.1.1.2          Inactive     Threat Inactive

2          10     1                            Load  Active 

2          10     1    10        10.1.1.2            Active     ACL-Drop 

2          20     1                            Load  Active 

2          20     1    10        10.1.1.2            Active     ACL-Drop

What to Do Next

Proceed to the next section to see information on enabling TMS debug messages.

Enabling TMS Debug Messages on a Controller or Consumer

This task shows how to enable TMS debugging on a controller or consumer. All commands described in this section are entered in privileged EXEC mode.

Restrictions

These commands should be used with caution on a production router or networking device. We recommend that debugging is enabled for only individual components as necessary. This restriction is intended to prevent the console session from be overwhelmed by large numbers of messages.

SUMMARY STEPS

1. enable

2. debug tms consumer {all | errors [details] | events [details] | feature-interface | packet | protocol | xml [detail | error]}

3. debug tms controller {all | errors [details] | events [details] | feature-interface | packet | protocol | xml [detail | error]}

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	debug tms consumer {all | errors [details] | events [details] | feature-interface | packet | protocol | xml [detail | error]} Example: Router# debug tms consumer all	Enables the generation of debugging messages on a TMS consumer.
Step 3	debug tms controller {all | errors [details] | events [details] | feature-interface | packet | protocol | xml [detail | error]} Example: Router# debug tms controller xml detail	Enables the generation of debugging messages on a TMS controller.

Examples

Consumer Event Debugging Example

The following is sample output from the debug tms consumer command entered with the events keyword:

Router# debug tms consumer events 

TMS consumer event debugging is on

*Feb 27 21:27:18: TMS_EVE_CO:start timer Controller=10.1.1.1 period=180

*Feb 27 21:27:18: TMS_EVE:Posting a message for the service layer

*Feb 27 21:27:18: TMS_EVE_CO:Processing Reg messsage from ctrl=10.1.1.1 group=10

*Feb 27 21:27:18: TMS_EVE_CO:Processing Reg response from ctrl=10.1.1.1  group=10

*Feb 27 21:27:18: TMS_EVE_CO:start timer Controller=10.1.1.1 period=120

Consumer Feature-Interface Debugging Example

The following is sample output from the debug tms consumer command entered with the feature-interface keyword:

Router# debug tms consumer feature-interface 

TMS consumer feature-interface debugging is on

*Feb 27 21:28:12: TMS_FI_CO:OER:Policy Add client 2 pol id 12 tag 5000  nxthop 172.16.1.1

*Feb 27 21:28:12: TMS_FI_CO:OERCB:ctx C type 2 values 0

*Feb 27 21:28:12: TMS_FI_CO:OERCB:return code rcvd rc 1 

*Feb 27 21:28:12: TMS_FI_CO:OERCB:Threat (1, 1, 1) grpid 10 ctrlip 10.1.1.1 statflags 0 
pol state 1

*Feb 27 21:28:12: TMS_FI_CO:OERCB:Prefix create client 2 id 12 src 0.0.0.0 0.0.0.0 dst 
192.168.8.0 255.255.255.0 proto 6 0 - 0, 10 - 2000 grant TRUE exact TRUE

*Feb 27 21:28:12: TMS_FI_CO:OERCB:ctx C type 2 values 0

*Feb 27 21:28:12: TMS_FI_CO:OERCB:return code rcvd rc 1 

*Feb 27 21:28:12: TMS_FI_CO:OERCB:Threat (1, 1, 1) grpid 10 ctrlip 10.1.1.1 statflags 0 
pol state 3

*Feb 27 21:28:12: TMS_FI_CO:OERCB:Prefix create success with rc = 1

*Feb 27 21:28:13: TMS_FI_CO:ACL:CB3: acl 66886028 item 669C9F98 type 3 ADD 

*Feb 27 21:28:13: TMS_FI_CO:ACL:CB1: acl 66886028 modified.

*Feb 27 21:28:13: TMS_FI_CO:ACL:CB3: acl 66886098 item 669CA0E0 type 3 ADD 

*Feb 27 21:28:13: TMS_FI_CO:ACL:CB1: acl 66886098 modified.

Consumer Packet Debugging Example

The following is sample output from the debug tms consumer command entered with the packet keyword:

Router# debug tms consumer packet 

TMS consumer packets debugging is on 

*Feb 27 00:00:38: TMSCONS:out:Type(6)HeartBeat Req trans-id 15698 len 16

*Feb 27 00:00:38:   tms_flags 8 msg_flags 0 reason 0

*Feb 27 00:00:38:   TLVs:

*Feb 27 00:00:38: TMSCONS:in:Type(6)HeartBeat Req trans-id 158 len 16

*Feb 27 00:00:38:   tms_flags 0 msg_flags 0 reason 0

*Feb 27 00:00:38:   TLVs:

Consumer Protocol Debugging Example

The following is sample output from the debug tms consumer command entered with the protocol keyword:

Router# debug tms consumer protocol 

TMS consumer protocol debugging is on

*Feb 27 21:27:18: TMS_PRO_CO:Sending RegReq ctrl=10.1.1.1 group=10

*Feb 27 21:27:18: TMS_PRO_CO:RegResp recvd controller 10.1.1.1 group 10

*Feb 27 21:27:18: TMS_PRO_CO:Sending Resync request for ctrl=10.1.1.1 group=10

*Feb 27 21:27:18: TMS_PRO_CO:Resync response recvd controller 10.1.1.1, group 10

*Feb 27 21:27:18: TMS_PRO_CO:Processing Resync response from Controller=10.1.1.1on 
Group=10

*Feb 27 21:28:12: TMS_PRO_CO:Threat msg recvd controller 10.1.1.1, Group 10

*Feb 27 21:28:12: TMS_PRO_CO:Processing Threat request from Controller=10.1.1.1on Group=10

*Feb 27 21:28:12: TMS_PRO_CO:msg:NewThreat (1,1,1) in grp 10 ctrl 10.1.1.1

*Feb 27 21:28:58: TMS_PRO_CO:Heartbeat msg recvd controller 10.1.1.1, Group 10

Controller Event Debugging Example

The following is sample output from the debug tms controller command entered with the events keyword:

Router# debug tms controller events 

TMS controller events debugging is on

*Feb 27 10:12:42: TMS_EVE_CN:Timer expired group=10

*Feb 27 10:12:42: TMS_EVE_CN:Start timer: Group=10, period=120

*Feb 27 10:12:42: TMS_EVE:Posting a message for the service layer

*Feb 27 10:12:42: TMS_EVE_CN:Data packet recvd from DL layer

*Feb 27 10:13:34: TMS_EVE:Posting a message for the service layer

*Feb 27 10:13:34: TMS_EVE_CN:Data packet recvd from DL layer

*Feb 27 10:13:34: TMS_EVE_CN:Start timer: Group=10, period=120

*Feb 27 10:13:34: TMS_EVE:Posting a message for the service layer

*Feb 27 10:13:34: TMS_EVE_CN:Data packet recvd from DL layer

Controller Packet Debugging Example

The following is sample output from the debug tms controller command entered with the packet keyword:

Router# debug tms controller packet 

TMS controller packets debugging is on 

TMS controller packets debugging is on 

*Feb 27 10:13:34: TMSCTRL:in:Type(1)Registration Req trans-id 15685 len 16 

*Feb 27 10:13:34:   tms_flags 8 msg_flags 1 reason 0 

*Feb 27 10:13:34:   TLVs: 

*Feb 27 10:13:34: TMSCTRL:out:Type(1)Registration Resp trans-id 15685 len 16 

*Feb 27 10:13:34:   tms_flags 1 msg_flags 1 reason 1 

*Feb 27 10:13:34:   TLVs: 

*Feb 27 10:13:34: TMSCTRL:in:Type(4)Resync/Audit Req trans-id 15686 len 16 

*Feb 27 10:13:34:   tms_flags 8 msg_flags 1 reason 0 

*Feb 27 10:13:34:   TLVs: 

*Feb 27 10:13:34: TMSCTRL:out:Type(4)Resync/Audit Resp trans-id 15686 len 24 

*Feb 27 10:13:34:   tms_flags 1 msg_flags 0 reason 0 

*Feb 27 10:13:34:   TLVs:  Summary(514,8) 

Controller Protocol Debugging Example

The following is sample output from the debug tms controller command entered with the protocol keyword:

Router# debug tms controller protocol 

TMS controller protocol debugging is on 

*Feb 27 10:13:34: TMS_PRO_CN:Registration request recvd consumer 10.1.1.2, group 10 

*Feb 27 10:13:34: TMS_PRO_CN:Sending Reg resp to cons=10.1.1.2 group=10 

*Feb 27 10:13:34: TMS_PRO_CN:Resync request recvd consumer 10.1.1.2, group 10 

*Feb 27 10:13:34: TMS_PRO_CN:Received Resync Req Group=10 

*Feb 27 10:13:34: TMS_PRO_CN:Sending Resync resp for cons=10.1.1.2 group=10 ntids=0

XML Debugging Example

The following is sample output from the debug tms controller command entered with the xml keyword:

Router# debug tms controller xml 

TMS controller xml debugs debugging is on

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat_info in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag primitive in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag parameter in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag tcdf in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat_info in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag parameter in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag primitive in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag tcdf in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag threat_info in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag parameter in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag primitive in threat file

*Feb 27 10:13:45: TMS_XML_CN:Found tag tcdf in threat file

*Feb 27 10:13:45: TMS_XML_EVE:Decoding threat tag

*Feb 27 10:13:45: TMS_XML_EVE:Found threat

*Feb 27 10:13:45: TMS_XML_EVE:Decoded threat TLV -  threat id : 1, owner id : 1, 
version : 1

*Feb 27 10:13:45: TMS_XML_EVE:Decoding threat info

*Feb 27 10:13:45: TMS_XML_EVE:Found threat info

*Feb 27 10:13:45: TMS_XML_EVE:Found ERR

*Feb 27 10:13:45: TMS_XML_EVE:name is name, value is tc2

*Feb 27 10:13:45: Decoded Threat desc TLV:

*Feb 27 10:13:45:  Threat name = NAME:

*Feb 27 10:13:45:  Threat text = THREATTEXT:

*Feb 27 10:13:45:  Mitigation text = mitigationtext:

*Feb 27 10:13:45:  Threat classes :    [ tc2 ] 

*Feb 27 10:13:45:  ERR:

*Feb 27 10:13:45:  ASR = 5, SFR = 20, TFR = 40, ARR = 30 PD = 50

*Feb 27 10:13:45: TMS_XML_EVE:Decoding primtive

*Feb 27 10:13:45: TMS_XML_EVE:Found primtive

*Feb 27 10:13:45:  TMS-XML: Decoded primitive TLV 

*Feb 27 10:13:45:  Prim type = 2 

*Feb 27 10:13:45:  Primitive = redirect 

*Feb 27 10:13:45: TMS_XML_EVE:Decoding parameter

*Feb 27 10:13:45: TMS_XML_EVE:CNS PARSER  : Node is 129 tag = parameter

*Feb 27 10:13:45: TMS_XML_EVE:Found parameter

*Feb 27 10:13:45: TMS_XML_EVE:CNS PARSER  : Node is 130 tag = redirect

*Feb 27 10:13:45: TMS_XML_EVE:parameter : Found redirect

*Feb 27 10:13:45: TMS_XML_EVE:Found nexthop in redirect

*Feb 27 10:13:45: TMS_XML:Decoded Parameter TLV 

*Feb 27 10:13:45: Parameter type = 1

*Feb 27 10:13:45:  Redirect addr = 172.16.1.1

*Feb 27 10:13:45: TMS_XML_EVE:Decoding match criteria

*Feb 27 10:13:45: TMS-XML: Decoded match crt TLV : 

*Feb 27 10:13:45:  Src addr : 0.0.0.0 , Src mask : 0.0.0.0

*Feb 27 10:13:45:  Dest addr : 192.168.8.0 , Dest mask : 255.255.255.0

*Feb 27 10:13:45:  Protocol : 6

*Feb 27 10:13:45:  Src port - Start : 0, End : 0

*Feb 27 10:13:45:  Dest port - Start : 10, End : 2000

*Feb 27 10:13:45: TMS_EVE_CN:Threat (1,1,1) allocated.

*Feb 27 10:13:45: TMS_EVE_CN:Threat (1,1,1) added to LoadDB.

*Feb 27 10:13:45: TMS_XML_CN:Threat (1,1,1) Loaded into LoadDB

*Feb 27 10:13:45: TMS_XML_EVE:Decoding threat tag

*Feb 27 10:13:45: TMS_XML_EVE:Found threat

*Feb 27 10:13:45: TMS_XML_EVE:Decoded threat TLV -  threat id : 2, owner id : 1, 
version : 1

What to Do Next

Proceed to the next section to see complete TMS configuration examples.

Configuration Examples for TMS

This section provides the following configuration examples:

•Controller: TMS Configuration Example

•Consumer: TMS Configuration Example

•Consumer: TMS Rules Engine Configuration Example

Controller: TMS Configuration Example

The following example, starting in global configuration mode, configures a TMS type parameter map:

Router(config)# parameter-map type tms TMS_PAR_1 

Router(config-profile)# logging tms events 

Router(config-profile)# heartbeat retry interval 60 

Router(config-profile)# heartbeat retry count 3 

Router(config-profile)# message retry interval 15 

Router(config-profile)# message retry count 5 

Router(config-profile)# exit 

TMS groups 10 through 20 and group 30 are configured as a TMS traffic class:

Router(config)# class-map type tms TMS_CLASS_1 

Router(config-cmap)# match tidp group 10 - 20 

Router(config-cmap)# match tidp group 30 

Router(config-cmap)# exit

TMS type class and parameter maps are attached to a TMS type policy map:

Router(config)# policy-map type control tms TMS_POL_1 

Router(config-pmap)# class TMS_CLASS_1 

Router(config-pmap-c)# mitigation TMS_PAR_1 

Router(config-pmap-c)# end 

A global TMS controller process is created and a policy map (TMS type service policy) is attached:

Router(config)# tms controller 

Router(cfg-tms-ctrl)# service-policy type tms TMS_POL_1 

Router(cfg-tms-ctrl)# end 

Consumer: TMS Configuration Example

The following example, starting in global configuration mode, configures a TMS type parameter map:

Router(config)# parameter-map type tms TMS_PAR_2 

Router(config-profile)# controller ipv4 10.1.1.1 

Router(config-profile)# logging tms events 

Router(config-profile)# registration retry count 5 

Router(config-profile)# registration retry interval 60 

Router(config-profile)# exit 

TMS groups 10 through 20 and group 30 are configured as a TMS traffic class:

Router(config)# class-map type tms TMS_CLASS_2 

Router(config-cmap)# match tidp group 10 - 20 

Router(config-cmap)# match tidp group 30 

Router(config-cmap)# exit

TMS type class and parameter maps are attached to a TMS type policy map:

Router(config)# policy-map type control tms TMS_POL_2 

Router(config-pmap)# class TMS_CLASS_2 

Router(config-pmap-c)# mitigation TMS_PAR_2 

Router(config-pmap-c)# end 

A global TMS consumer process is created and a policy map (TMS type service policy) is attached. A local device exception is configured for the 192.168.1.55 host.

Router(config)# ip access-list extended NAMED_ACL 

Router(config-ext-nacl)# permit tcp host 192.168.1.55 any 

Router(config-ext-nacl)# exit 

Router(config)# interface Ethernet 0/0 

Router(config-if)# ip access-group NAMED_ACL in 

Router(config-if)# tms-class 

Router(config-if)# exit 

Router(config)# tms consumer 

Router(cfg-tms-cons)# exception access-group NAMED_ACL 

Router(cfg-tms-cons)# service-policy type tms TMS_POL_2 

Router(cfg-tms-cons)# end 

Consumer: TMS Rules Engine Configuration Example

The following example, starting in global configuration mode, creates a TMS Rules Engine configuration and activates it under the global TMS consumer process.

The priority 1 block traffic is defined as a traffic class:

Router(config)# class-map type mitigation MIT_CLASS_3 

Router(config-cmap)# match primitive block 

Router(config-cmap)# match priority 1 

Router(config-cmap)# exit 

The next-hop variable is defined in a mitigation type parameter map:

Router(config)# parameter-map type mitigation MIT_PAR_3 

Router(config-profile)# variable COLLECTION ipv4 192.168.1.1 

Router(config-profile)# exit 

The mitigation type policy map is configured to bind the class and parameter maps. A redirect mitigation action is also configured in this policy map:

Router(config)# policy-map type control mitigation MIT_POL_3 

Router(config-pmap)# class MIT_CLASS_3 

Router(config-pmap-c)# redirect route 

Router(config-pmap-c)# source parameter MIT_PAR_3 

Router(config-pmap-c)# exit 

Router(config-pmap)# exit 

The mitigation service policy (TMS Rules Engine configuration) is attached to a TMS type policy map:

Router(config)# policy-map type control tms TMS_POL_2 

Router(config-pmap)# class TMS_CLASS_1 

Router(config-pmap-c)# mitigation TMS_PAR_2 

Router(config-pmap-c)# service-policy MIT_POL_3 

Router(config-pmap-c)# exit 

Router(config-pmap)# exit 

The TMS type policy map is attached to a global consumer process, activating the mitigation type service policy:

Router(config)# tms consumer 

Router(config-cons)# service-policy type tms TMS_POL_2 

Router(config-cons)# end

Additional References

The following sections provide references related to TMS.

Related Documents

Related Topic	Document Title
Cisco IOS Configuration Fundamentals Command Reference	Cisco IOS Configuration Fundamentals Command Reference
Cisco IOS Optimized Edge Routing Command Reference	Cisco IOS Optimized Edge Routing Command Reference
Extensible Markup Language (XML)	Extensible Markup Language (XML) 1.0 (Third Edition)
Threat Information Distribution Protocol	Threat Information Distribution Protocol

Standards

Standard	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIB	MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.	To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB gateways, go to the Cisco MIB website on Cisco.com at the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

RFCs

RFC	Title
No new or modified RFCs are supported by this feature, and support for existing standards has not been modified by this feature.	—

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Command Reference

The following commands are introduced or modified in the feature or features

•acl drop

•class-map type mitigation

•class-map type tms

•clear tms consumer group

•controller (TMS)

•debug tms consumer

•debug tms controller

•exception access-group

•heartbeat retry count

•heartbeat retry interval

•identifier

•ignore (TMS)

•logging tms events

•match primitive

•match priority

•match tidp-group

•message retry count

•message retry interval

•mitigation

•parameter-map type mitigation

•parameter-map type tms

•policy-map type control mitigation

•policy-map type control tms

•redirect route

•registration retry count

•registration retry interval

•show tms consumer

•show tms consumer group

•show tms controller

•show tms controller group

•service-policy type tms

•source parameter

•tms consumer

•tms consumer deregister

•tms consumer register

•tms consumer resync

•tms controller

•tms controller deregister

•tms controller load threat

•tms controller reset

•tms controller send

•tms controller status

•tms controller unload

•tms-class

•variable

For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.

For information about all Cisco IOS commands, see the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Master Command List.

Feature Information for TMS

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

---

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

---

Table 1

TIDP Based Mitigation Services

12.4(6)T

TMS was introduced. TMS provides the framework to rapidly and efficiently distribute threat information to devices across the network. The TMS framework transports messages that contain specific threat information about suspect traffic and associated mitigation enforcement actions to all devices in the network.

Feature Information for TMS

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2009 Cisco Systems, Inc. All rights reserved.