Cisco Guard Configuration Guide (Software Version 3.08)
Initial Procedures

Table Of Contents

Initial Procedures

The Guard Rack Mount

The Guard Front Panel

The Guard Rear Panel

Connecting the Guard

The Guard Connections

The Guard Power Connections

Guard to Console Communication Procedure

Guard to Console Local Connection

The Command Line Interface (CLI) Environment

Issuing Commands in the CLI

Show Command Syntax

CLI Error Messages

Guard Access Options

Initial Access to the Guard

Entering the Configuration Command Level

Assigning Privilege Levels Procedure

Changing a User Password

Removing a User

Assigning Privilege Levels with Passwords

Moving between User Privilege Levels

Guard Administrative Procedures

Reloading the Guard Modified Configurations

Rebooting the Guard

Displaying the Guard Configuration file

Displaying the Guard Configuration File - Detailed View

Enabling Guard Services

Guard Service Permission

Disabling Guard Services

Disabling the Guard Service Permission

Guard Web Based Management (WBM)

Guard and SNMP

Enabling and Disabling the SNMP Server Service

Enabling and Disabling the SNMP Trap Generator Service

Defining an SNMP Server Community String

Configuring the SNMP Trap Generator

Displaying the SNMP Server Community String

Displaying a specific Host Destination Details

Displaying all Destination Host Details

TACACS+ and Local Authentication Methods

Configuring Authentication Methods

Configuring TACACS+ Server Connection

Time Related Commands

Time Zone Configuration

Network Time Protocol Commands

Time and Date Commands

Installing a New Guard Software Version

Downloading an Updated Guard Software Version

Installing an Updated Guard Software Version

Displaying the Guard Software Version

Burning a New Flash Version

Changing the Guard Host Name

Exiting the CLI and Turning the Guard OFF


Initial Procedures


This chapter describes the Guard physical features and specifications, its required wiring, and connection procedures. The chapter then outlines the CLI environment and the Guard user privilege level procedures. Next, it details the TACACS+ server configuration and the Guard administrative procedures.

The Guard Rack Mount

The Guard operates on an e-server xSeries 345 Type 8670 IBM rack mount platform. The following table displays the main rack mount specifications.

Dimensions

Weight: 62 lbs (28.12 kg)
Height: 3.36 inches (8.53 cm), 2U
Width: 17.5 inches (19-inch rack mountable)
Depth: 27.5 inches

Power management

Power supply: 350 Watts
Power supply type: 110 or 220 volt universal auto sensing

Interfaces

Out-of-Band: Two 10/100/1000 BaseT
In-Band: One dual port NIC, consisting of one of the following options:
  Two auto-sense full/half duplex 10/100/1000 Base-T (copper)
  Two 1000 Base-SX (fiber)
Serial port: Two serial DB9 RS-232 ports

Electrical

100-240 VAC auto sense auto switch 50-60 Hz (Optional: a dual power supply)


The Guard Front Panel

Figure 2-1 displays the Guard front panel:

Figure 2-1 Guard Front Panel

The following table displays the Guard front panel items (number, item, description, and function):

1. ON/OFF Button (power control button): Switches the Guard On/Off. A Green LED is turned on when the Guard is powered (it blinks when the Guard is OFF but connected to live mains).

2. Reset button (orange button): Resets the server and runs the power-on self test.

3. CD-ROM Drive: CD-ROM drive for CDs.

4. Diskette Drive: Diskette drive for a floppy diskette.

5. Hard Disk Drive: A drive for a server hard disk.



Note Refer to IBM e-server xSeries 345 Type 8670 documentation CD and Installation Guide for further details.


The Guard Rear Panel

Figure 2-2 displays the Guard rear panel:

Figure 2-2 Guard Rear Panel

The following table displays the Guard rear panel items (number, item, description, and function):

1. Serial RS-232 (serial port, COM 1): A serial port to connect to the user console control or to the console server.

2. Monitor cable socket (console monitor socket): A socket for the console monitor.

3. Keyboard cable socket (console keyboard cable socket): A socket for the console keyboard cable.

4. Mouse cable socket (console mouse cable socket): A socket for the console mouse cable.

5. Ethernet socket (10/100/1000 BaseT Ethernet cable socket): Network interface sockets for the Out-of-Band management cable.

6. Network sockets: Accelerator card network interface sockets.

Note The ports may vary according to the cable type (copper/fiber) used. The photo displays a fiber connection.

7. Power Cable 2 Socket (power supply cable socket): (Optional) The socket for the server power supply 2 cable.

8. Power Cable 1 Socket (power supply cable socket): The socket for the server power supply 1 cable.

9. Accelerator card serial socket: A Cisco proprietary accelerator card serial socket.

10. Accelerator card: A Cisco proprietary accelerator card.

11. RA-HDG (optional, not shown in the photo): Cisco Guard / Detector Hardware Diagnostic card; this card provides hardware diagnostics data.



Note The Cisco Guard employs a preinstalled hardware acceleration card (P/N X25E02 with fiber cable or P/N X25E03 with copper cable). There are no connections with exposed plant leads; all lines are indoors only.

The card off-loads critical per-packet processing from the main Intel CPUs, thus achieving the required high throughput. The card has three connectors on its bracket: the two GigE interfaces described above (Giga0 and Giga1, item 6) and a serial connector for debugging purposes (item 9). The other connectors on the card (a power connector and an EJTAG connector) are not on the bracket, are not user accessible, and should never be used outside Cisco labs.



Warning Card P/N X25E02 contains a CLASS I LASER product. This module satisfies Class I Laser Safety requirements in accordance with the US FDA/CDRH and international IEC-825 standards.


Connecting the Guard

This section describes how to connect the Guard to the surrounding network elements and power source or sources.


Note The Guard console connections depend on whether the Guard is operated from a serial console or locally from a directly attached monitor and keyboard (see the "Guard to Console Communication Procedure" section for further details).

The Guard power connections differ between a single and a dual power supply.


The Guard Connections

1. Connect the Ethernet 10/100/1000 BaseT cable to the corresponding Guard socket (item 5 in Figure 2-2) and the cable's other end to the appropriate management network socket.

2. Connect the In-Band cable (copper or fiber) to the corresponding Guard network socket (item 6 in Figure 2-2) and the cable's other end to the appropriate In-Band network socket.

The Guard Power Connections

The following procedure details the Guard power connections for a single or a dual power supply:

Connect the power supply cable to Guard power cable socket 1 (item 8 in Figure 2-2) and the cable's other end to the mains. A blinking Green light indicates the connection.


Note Refer to the label at the power cable sockets for reference.


When the Guard has dual power supplies, also connect a power supply cable to Guard power cable socket 2 (item 7 in Figure 2-2) and the cable's other end to the mains. A lit Green light indicates the connection.

Guard to Console Communication Procedure

The following communication procedure applies when the Guard is operated from a console:

Connect the RS-232 cable to the Guard RS-232 socket (socket 1 in Figure 2-2) and the cable's other end to the serial console, then push the ON/OFF button (see Figure 2-1).

The user may use any suitable terminal emulator to communicate with the Guard over the serial connection. The example in this manual uses HyperTerminal, written for Microsoft by Hilgraeve Inc.

To establish a communication to the Guard via the serial connection perform the following:

1. Launch the Hyper Terminal. The following screen appears:

2. Enter a connection name (in this case Cisco Guard) and choose OK. The following screen appears:

3. Enter the desired details into the appropriate fields (this example uses port COM1) and choose OK. The following screen appears:

4. Enter the following port settings:

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

5. Choose OK. The Hyper Terminal main screen appears:

6. Choose PROPERTIES from the FILE drop-down menu and then select the SETTINGS screen tab. The following screen appears:

7. Insert the following into their appropriate fields:

Emulation: VT100

Telnet terminal ID: VT100

Backscroll buffer lines: 500

8. Choose OK. The Hyper Terminal main screen appears with the Guard login prompt.

Guard to Console Local Connection

The following local connection procedure applies when the Guard is locally operated:

1. Connect the monitor, keyboard, and mouse cables to their corresponding Guard sockets (see sockets 2,3, and 4 in Figure 2-2).

2. Push the ON/OFF button (see the ON/OFF button Figure 2-1) and after a while (approximately 2-3 minutes) the login prompt appears.

The Command Line Interface (CLI) Environment

The Guard has a CLI environment from which to control all its functions. The CLI is hierarchical, so that `lower' level command groups are reached through `higher' level groups: for example, the Zone command group (level two) is reached through the Configuration command group (level one), which in turn is reached through the Global command group at the `highest' (Root) level. Since a command group also denotes a level, this manual refers to command groups as levels, e.g. the Interface command group is termed the Interface command group level.

Figure 2-3 displays the command groups, their hierarchy, and command levels (the level numeration is for reference purposes only):

Figure 2-3 CLI Hierarchy

The access to the CLI commands is mapped according to user types; each user type is granted a corresponding set of commands. The following table displays the Guard user groups and their command groups:

User Group: Command Group

Administrator (Admin.): Full access to all command groups

Configuration (Config.): Full access to all command groups except the commands relating to user definition, deletion, and modification

Dynamic: All the Global command group show commands, plus the protect and learning related commands. The user may also configure the Flex and Dynamic filters (see the note below).

Show: All the Global command group show commands



Note We recommend that Administrator and Configuration level users perform all filter configuration procedures. Lower level users can also perform dynamic filter addition and removal.


Issuing Commands in the CLI

The following table summarizes the CLI command issuing rules (to perform the action on the left, use the procedure on the right):

Issue a command: Type the command's syntax and choose ENTER

Delete characters from a command: Choose BACKSPACE

Scroll through and modify the command history: Use the ARROW keys

Display the commands available in the current command mode: Choose Shift + "?"

Complete a command: Type the beginning of the command and choose TAB

Display the possible completions of a command's syntax: Type the command and choose TAB twice

Move to the next line: Choose ENTER

Set the page size used when scrolling: more <number-of-lines>, where <number-of-lines> is the number of additional lines displayed each time the user chooses SPACE. The default is two lines less than the terminal height.

Scroll forward one screen (within a command output): Choose SPACE

Scroll back one screen (within a command output): Choose b

Stop scrolling: Choose q

Search forward for a string: / + <string> + ENTER

Search backward for a string: ? + <string> + ENTER

Cancel an action or delete a parameter: Use the no form of the specific command

Display information relating to the current operation, whenever applicable: Type show

Exit from the current command group level to a `higher' group level: Type exit

Exit all command group levels and return to the Root level: Type end

Move from the current command group level to a `lower' level: From the group command level, type the name of the nested, `lower' level, command group

Display the command output from, and including, the first line that contains <string>: <command> | begin <string>

Display only the command output lines that include <string>: <command> | include <string>

Display only the command output lines that do not include <string>: <command> | exclude <string>



Note Issuing the exit command in the Root level exits the CLI environment to the operating system login screen.


Show Command Syntax

The user may execute zone related show commands from the zone command group level. Alternatively, these commands may also be executed from the Global or Configuration command group levels.

The syntax for the show command executed from the Global or Configuration command group levels is:

show zone <zone-name> <parameters>...

The syntax for the show command executed from the zone command group level is:

show <parameters>...


Note As a writing convention, this manual uses the show command syntax from the zone command group level.


CLI Error Messages

The Guard CLI displays error messages in the following cases:

Syntax of the typed command is incomplete or incorrect

The typed command does not match the system configuration

The operation could not be performed due to a system failure - in this case, an entry is created in the system's log


Note For most operations, if they are successfully performed no message is displayed and the Guard CLI returns the prompt.


Guard Access Options

The Guard initially arrives with the following access options:

Accessing the Guard locally, by connecting a console directly to it. The user is prompted for a login and password and then enters the Guard CLI (this procedure is detailed in the "Initial Access to the Guard" section in this chapter).

Once the Guard networking is configured, the following access options are also available:

Accessing the Guard indirectly from a DDoS-sensing network element, which establishes a connection to the Guard to form a counter-DDoS system. Refer to the appropriate documentation for further details.

Accessing the Guard over a Secure Shell (SSH) session and managing it via the CLI (see the "Guard TCP Proxy Configuration" section in Chapter 3, "Guard Configuration" for further details).

Accessing the Guard using Web-Based Management (WBM); see the "Guard Web Based Management (WBM)" section in this chapter for further details.

Initial Access to the Guard

The user initially has a preconfigured Administrator's privilege level to access the Guard (see the "The Command Line Interface (CLI) Environment" section for further details).


Note The Guard also ships with the riverhead user name, which grants the Dynamic privilege level.

The Detector uses the riverhead user name for the Guard's remote activation. See the "The Command Line Interface (CLI) Environment" section for further details.


To access the Guard for the first time perform the following:

1. Push the Guard ON/OFF button to power the Guard. A Green LED is turned on.

2. At the login prompt, type admin as the user name, then type the password supplied by Cisco. Change this initial password as soon as possible (see the "Changing a User Password" section in this chapter).

3. The following prompt line appears: admin@GUARD#

Entering the Configuration Command Level

The user should enter the Configuration command level to perform Guard specific operations and procedures.

To enter the Configuration command level perform the following:

1. From the Global command group level type the following:

admin@GUARD# configure [terminal]

Where terminal is an optional keyword; configure and configure terminal both enter the Configuration command level.

2. Choose ENTER.

Below is an example of the configure command implementation:

admin@GUARD# configure 
admin@GUARD-conf#

Assigning Privilege Levels Procedure

The user initially has a preconfigured Administrator's privilege level to define the Guard user types and their privilege levels (see the "The Command Line Interface (CLI) Environment" section for further details).


Note The Guard also ships with the riverhead user name and the rhguard password, which grant the Dynamic privilege level; the Detector uses this account for the Guard's remote activation. Because this credential is published, treat it as a default password: change it once the Guard is reachable from the network (log in as riverhead and use the password command), and keep the Detector configured with the new password. See the "The Command Line Interface (CLI) Environment" section for further details.


User definition enables the Administrator to divide the Guard user community into privilege levels.

To assign user privilege levels perform the following:

1. From the Configuration command group level, type the following:

admin@GUARD-conf# username <username> {admin | config | dynamic | show} [<password>]

Where:

<username> - The user's choice of a user name: an alphanumeric string that starts with a letter, contains no spaces, and is at most 63 characters long. The string may contain underscores.

admin | config | dynamic | show - The user privilege level. The Guard has the following user privilege levels: Administrator, Configure, Dynamic, and Show. See the "The Command Line Interface (CLI) Environment" section for further details.

<password> - (Optional) The user's choice of a password. Maximum password length is 24 characters, excluding spaces.


Note When the password is unspecified the Guard prompts the user for it. Prefer this form: a password typed on the command line is echoed on the terminal and may be captured in terminal logs of the session.


2. Choose ENTER. The following, sample, prompt appears:

admin@GUARD-conf# username Richard config 1234
User Richard was added successfully
admin@GUARD-conf#

Note The running-config file displays the username command with the encrypted option:

username Richard config encrypted 840xdMk3

The encrypted option indicates that the stored value is a one-way hash of the password, not the password the user entered; the running-config samples later in this chapter show the $1$ (MD5-crypt) format. The password cannot be read back from this value, but a weak password can still be guessed against it, so handle saved configuration files as sensitive.


Changing a User Password

The user may change the password. This procedure applies at every user privilege level.

To change a user password perform the following:

1. From the Global command group level type the following:

config@GUARD> password

2. Choose ENTER. The following prompt appears:

Old Password:

3. Type the old password and choose ENTER. The following prompt appears:

New Password:

4. Type the new password and choose ENTER. The following prompt appears:

Retype New Password:

5. Retype the new password and choose ENTER. The following message appears:

Password was changed successfully

Removing a User

An Administrator may wish to remove a user from the Guard user list.

To remove a user from the Guard user list perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no username <username>

Where:

no - Removes a user from the Guard user list

<username> - The user name to remove

2. Choose ENTER. The following, sample, prompt appears:

admin@GUARD-conf# no username Richard 
User Richard was removed successfully
admin@GUARD-conf#

Assigning Privilege Levels with Passwords

The Guard enables an administrator-level privileged user to assign a password to each user privilege level. A user operating at one privilege level can then enter another level by supplying that level's password.

To assign a password to a privilege level perform the following:

1. From the Configure command group level type the following:

admin@GUARD-conf# enable password [level <level>] [<password>]

Where:

level - (Optional) The privilege level to protect with the password: admin, config, dynamic, or show. See the "The Command Line Interface (CLI) Environment" section for further details.


Note The default level is admin when no level is specified.


password - (Optional) The privilege level password. The maximum password length is 24 characters, spaces excluded.


Note When no password is specified, the Guard prompts for a non-echoed password.


2. Choose ENTER. The following prompt appears:

admin@GUARD-conf#

Moving between User Privilege Levels

Having assigned the privilege levels with passwords, authorized users may move between the user privilege levels.

To move between privilege levels perform the following:

1. From the Global command group level type the following:

admin@GUARD> enable [<level>]

Where level is the privilege level to enter: admin, config, or dynamic. See the "The Command Line Interface (CLI) Environment" section for further details.


Note The default level is admin for unspecified level.


2. Choose ENTER. The Guard prompts for a non-echoed password:

Enter enable admin Password:

3. Type the level password and choose ENTER. The following message appears for a successful authentication:

Authentication successful.
admin@GUARD#

Note The Guard prompts the following message when authentication fails:

Authentication failure.


To switch back to the lower privilege level (show) perform the following:

1. From the Global command group level type the following:

admin@GUARD# disable

2. Choose ENTER.

Guard Administrative Procedures

The Guard enables the user to perform a series of administrative procedures. The following sub sections detail these procedures:

Reloading the Guard Modified Configurations

Rebooting the Guard

Displaying the Guard Configuration file

Enabling Guard Services

Guard Web Based Management (WBM)

Guard and SNMP

TACACS+ and Local Authentication Methods

Time Related Commands

Installing a New Guard Software Version

Displaying the Guard Software Version

Burning a New Flash Version

Changing the Guard Host Name

Exiting the CLI and Turning the Guard OFF

Reloading the Guard Modified Configurations

Issue the reload command after changing any of the following:

Out-of-Band interface IP address (see the "Assigning an IP Address and Mask to a Physical Interface" section in Chapter 3, "Guard Configuration" for further details) and shutting-down the Out-of-Band interface (see the "Shutting-down an Interface" section in Chapter 3, "Guard Configuration" for further details)

In-Band interface IP address (see the "Assigning an IP Address and Mask to a Physical Interface" section in Chapter 3, "Guard Configuration" for further details) and shutting-down the In-Band interface (see the "Shutting-down an Interface" section in Chapter 3, "Guard Configuration" for further details)

VLAN ID number and IP address (see the "Assigning an ID number, IP Address, and Subnet Mask to a VLAN" section in Chapter 3, "Guard Configuration" for further details) and shutting-down a VLAN (see the "Shutting-down a VLAN" section in Chapter 3, "Guard Configuration" for further details).

The following Tunnel parameters: name, type, source and destination IP addresses, IP and Mask addresses (see the "Defining a Tunnel", "Assigning a Tunnel an IP and Mask Addresses", "Assigning a Tunnel a Source IP Address", and "Assigning a Tunnel a Destination IP Address" sections in Chapter 3, "Guard Configuration" for further details)

Default Gateway IP address (see the "Assigning a Default Gateway Address" section in Chapter 3, "Guard Configuration" for further details)

Guard TCP Proxy IP address (see the "Assigning the Guard a Proxy Address" section in Chapter 3, "Guard Configuration" for further details)

Burning a new flash (see the "Burning a New Flash Version" section in this chapter for further details)

The user may display the current Guard software version, for example to record it before and after a reload or a flash burn.

To display the current software version perform the following:

1. From the Global command group level type the following:

admin@GUARD# show version

From the Configuration command group level type the following:

admin@GUARD-conf# show version

2. Choose ENTER. The following, sample, screen appears:

Copyright (c) 2000-2004 Cisco Systems, Inc. All rights reserved.
Software License Agreement
1. Cisco grants the Customer a non-exclusive license to use Cisco 
software and related documentation (collectively, the "Cisco 
Software") for its internal business purposes and to service its 
customers. The Customer is the company or organization, which 
ordered and paid for the Cisco Software.........
.... .... 
9. If a term or condition of this License is unenforceable, the 
remaining terms will remain in full force and effect.
Cisco Guard
Label:  R3-50.20
Update: 2004/02/19 16:17:28
Base Information:
   Cisco Guard Release R3
   Created by label R3_BaseCreation5.1 on Tue Nov  4 16:08:15 IST 2003
   upgraded to BaseUpgradeR3-5-5 on Thu Jan  1 09:31:55 EST 2004
GUARD uptime is 2 weeks, 5 days, 21 hours, 58 minutes
Contact Information:
   Cisco Systems Inc.


Caution Issuing the reload command re-reads the modified Guard configuration and stops any Learning and Protection processes that are in progress.

To issue the reload command perform the following:

1. From the Global command group level type the following:

admin@GUARD# reload

From the Configuration command group level type the following:

admin@GUARD-conf# reload 

2. Choose ENTER. The following prompt appears:

Are you sure? Type 'yes' to reload

3. Type yes. The system is reloaded and the operating system login screen appears.


Note Typing anything other than yes results in returning to the Global command group level prompt without executing the reload command.


Rebooting the Guard

The authorized user is able to reboot the Guard.


Caution Rebooting the Guard while in the Learning or Protection processes stops these processes.

To reboot the Guard perform the following:

1. From the Global command group level type the following:

admin@GUARD# reboot 

2. Choose ENTER. The following prompt message appears:

Are you sure? Type 'yes' to reboot

3. Type yes. The system is rebooted and the operating system login screen appears.


Note Typing anything other than yes results in returning to the Global command group level prompt without executing the reboot command.


Displaying the Guard Configuration file

The user may wish to display the Guard configuration file. This file includes information relating to the Guard configuration such as: interface addresses, the Guard proxy address, default Gateway address, etc.

To display the Guard configuration file perform the following:

1. From the Global command group level type the following:

admin@GUARD# show [running-config] guard

From the Configuration command group level type the following:

admin@GUARD-conf# show [running-config] guard

2. Choose ENTER. The following, sample, screen appears:

admin@GUARD# show running-config guard
hostname GUARD
timezone America/New_York
history logs 7
history reports 30
tacacs-server timeout 0
tacacs-server key (null)
no tacacs-server first-hit
username riverhead dynamic encrypted $1$OVQm0Bg2$Ndw04KsC/xGrpClp0Qdrs.
username admin admin encrypted $1$Y8jjQjts$DCTWo5Mbmxhgm6J0WYRC3.
community-string riverhead
interface eth0
  mtu 1500
  ip address 10.10.10.33 255.0.0.0
  no shutdown
exit
interface giga1
  mtu 1500
  ip address 192.168.100.33 255.255.255.0
  no shutdown
exit
... ... ... 
service wbm
... ... ... 
permit wbm 10.0.0.0 255.0.0.0

Displaying the Guard Configuration File - Detailed View

The user may display a detailed view of the Guard configuration file. This view includes data relating to the Guard interfaces, the Zones, and the Zebra router.

To display a detailed view of the Guard configuration file perform the following:

1. From the Global command group type the following:

admin@GUARD# show running-config all

2. Choose ENTER. The following partial, sample, screen appears:

admin@GUARD# show running-config all
hostname GUARD
tacacs-server timeout 0
tacacs-server key (null)
no tacacs-server first-hit
username riverhead dynamic encrypted $1$OVQm0Bg2$Ndw04KsC.
username admin admin encrypted $1$Y8jjQjts$DCTWo5Mbmxhgm.
community-string riverhead

interface eth0
  mtu 1500
  ip address 10.10.8.11 255.0.0.0
  no shutdown
exit
interface giga0
  mtu 1500
  ip address 192.168.8.88 255.255.255.0
  no shutdown
exit

service wbm

permit wbm 10.0.0.0 255.0.0.0
permit ssh 10.0.0.0 255.0.0.0

Enabling Guard Services

The user may define which Guard services are enabled. After enabling a service, the user should permit access to that service using the permit command.

To enable a Guard service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# service {ntp | snmp-server | snmp-trap | wbm}

Where:

ntp - The Network Time Protocol (NTP) service, which synchronizes the Guard clock with a time synchronization server. Enable the service first, then direct the Guard to the desired time server (see the "Network Time Protocol Commands" section in this chapter).

snmp-server - The Simple Network Management Protocol (SNMP) server service. It lets the user access the Guard and retrieve information as defined by MIB-II (Management Information Base 2) and the Cisco proprietary MIB (see the "Guard and SNMP" section in this chapter).

snmp-trap - The SNMP trap generator service. On activation of the snmp-trap service, the Guard generates SNMP traps. See the "Configuring the SNMP Trap Generator" section in this chapter for further details.

wbm - The Web Based Management (WBM) service, which lets the user control the Guard from a web browser.

2. Choose ENTER.


Note By default, Guard services are disabled, except SSH. To gain SSH access to the Guard, see the "Gaining an SSH Access to the Guard" section in Chapter 3, "Guard Configuration."


Guard Service Permission

The user may limit the addresses from which the Guard is accessed and controlled: the Guard lets the user control which addresses may access the SNMP, SSH, WBM, and NTP services, granting or denying permission per IP address or subnet.

A service is usable only when it is both enabled and permitted. To enable a service, use the service command.

To grant a permission for an IP address to access a Guard service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# permit <service> <ip-addr> [<ip-mask>]

Where:

service - The service to which access is granted. The options are:

ntp - The Network Time Protocol (NTP) service.

snmp-server - The Simple Network Management Protocol (SNMP) service.

ssh - The Secure Shell (SSH) service (see the "Guard Secured Shell (SSH) Configuration" section in Chapter 3, "Guard Configuration" for further details).

wbm - The Web Based Management (WBM) service.

ip-addr - The IP address of the permitted user, i.e. the IP address of the remote manager. Use * to indicate `any' IP address.

ip-mask - (Optional) The subnet mask applied to ip-addr, so that a whole management subnet can be permitted with one command.


Note If not specified, the Guard assumes the default subnet mask of 255.255.255.255, that is, the single host ip-addr.



Caution Do not leave a permit for `any' IP address (*) in place after initial configuration. Restrict each service to the management hosts or subnet that need it, using the narrowest mask that covers them.

2. Choose ENTER.


Note By default, Guard services are disabled, except SSH. To gain SSH access to the Guard, see the "Gaining an SSH Access to the Guard" section in Chapter 3, "Guard Configuration."
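
As an added example (this is not Cisco code and is not part of the original guide), the following Python script applies the checks described in this section and in the "Assigning Privilege Levels Procedure" section to a configuration as displayed by show running-config guard: it reads the encrypted user entries and confirms they are MD5-crypt hashes, flags the documented riverhead account, flags permit entries for `any' (*) or for masks wider than a /24, reports services that are enabled but have no permitted address (and permits for services that are not enabled), and flags a well-known SNMP community string. The sample configuration is constructed from this chapter's output with the wrapped lines joined and a few service and permit lines added; the /24 threshold, the weak-community list and the MD5-crypt format check are assumptions of the example, not documented Guard behaviour.

```python
"""Audit a Cisco Guard running-config for weak remote-access settings.

Added example for this guide, not Cisco code. The thresholds and the
weak community-string list are assumptions of the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple, Union

# Constructed sample modelled on the chapter's `show running-config guard`
# output (wrapped lines joined); the snmp-server and ntp lines are added
# here to exercise the checks below.
SAMPLE_CONFIG = """\
hostname GUARD
tacacs-server timeout 0
tacacs-server key (null)
no tacacs-server first-hit
username riverhead dynamic encrypted $1$OVQm0Bg2$Ndw04KsC/xGrpClp0Qdrs.
username admin admin encrypted $1$Y8jjQjts$DCTWo5Mbmxhgm6J0WYRC3.
community-string riverhead
interface eth0
  mtu 1500
  ip address 10.10.10.33 255.0.0.0
  no shutdown
exit
service wbm
service snmp-server
permit wbm 10.0.0.0 255.0.0.0
permit ssh 10.0.0.0 255.0.0.0
permit snmp-server *
permit ntp 10.0.0.5
"""

MAX_PREFIX_BREADTH = 24  # assumption: a permit wider than /24 is flagged
WEAK_COMMUNITIES = {"public", "private", "riverhead"}  # assumption
# Shape of the `encrypted` field in the chapter's samples: $1$<salt>$<22 chars>
MD5_CRYPT = re.compile(r"\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network, str]  # network or "*"


@dataclass
class GuardConfig:
    users: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (level, hash)
    services: Set[str] = field(default_factory=set)
    permits: List[Tuple[str, Network]] = field(default_factory=list)
    community: Optional[str] = None
    tacacs_key: Optional[str] = None


def parse_config(text: str) -> GuardConfig:
    """Extract the lines that decide who may log in, and from where."""
    cfg = GuardConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"username (\S+) (admin|config|dynamic|show) encrypted (\S+)", line)
        if m:
            cfg.users[m[1]] = (m[2], m[3])
            continue
        m = re.fullmatch(r"service (\S+)", line)
        if m:
            cfg.services.add(m[1])
            continue
        m = re.fullmatch(r"permit (\S+) (\S+)(?: (\S+))?", line)
        if m:
            if m[2] == "*":
                net: Network = "*"
            else:  # no mask means a single host, as the permit command documents
                net = ipaddress.ip_network(f"{m[2]}/{m[3] or '255.255.255.255'}", strict=False)
            cfg.permits.append((m[1], net))
            continue
        m = re.fullmatch(r"community-string (\S+)", line)
        if m:
            cfg.community = m[1]
            continue
        m = re.fullmatch(r"tacacs-server key (\S+)", line)
        if m:
            cfg.tacacs_key = None if m[1] == "(null)" else m[1]
    return cfg


def audit(cfg: GuardConfig) -> List[str]:
    """Return human-readable findings; an empty list means nothing to revisit."""
    findings: List[str] = []
    for name, (_level, pw_hash) in cfg.users.items():
        if name == "riverhead":
            findings.append("default account 'riverhead' present: change its documented password")
        if not MD5_CRYPT.fullmatch(pw_hash):
            findings.append(f"user {name}: password field is not a recognizable MD5-crypt hash")
    for service, net in cfg.permits:
        if net == "*":
            findings.append(f"permit {service}: open to any address")
        elif net.prefixlen < MAX_PREFIX_BREADTH:
            findings.append(f"permit {service}: {net} is wider than /{MAX_PREFIX_BREADTH}")
    permitted = {service for service, _ in cfg.permits}
    for service in sorted(cfg.services - permitted):
        findings.append(f"service {service} is enabled but no address is permitted to reach it")
    for service in sorted(permitted - cfg.services - {"ssh"}):  # SSH is on by default
        findings.append(f"permit {service} exists but service {service} is not enabled")
    if "snmp-server" in cfg.services and cfg.community in WEAK_COMMUNITIES:
        findings.append(f"SNMP community string '{cfg.community}' is a well-known value")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a saved copy of the show running-config guard output; each finding names the entry to revisit with no permit, no service, the username command, or the community string command.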


Disabling Guard Services

The user may disable Guard services.

To disable a Guard service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no service {ntp | snmp-server | snmp-trap | wbm}

Where:

ntp - The Network Time Protocol (NTP) service.

snmp-server - The Simple Network Management Protocol (SNMP) service.

snmp-trap - The Simple Network Management Protocol (SNMP) trap generator.

wbm - The Web Based Management (WBM) service.

2. Choose ENTER.

Disabling the Guard Service Permission

The user may wish to deny access to the Guard services from previously defined IP addresses.

To deny permission for an IP address to access a Guard service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no permit <service> <ip-addr> [<ip-mask>]

Where:

service: The service for which the permission is removed. The options are:

ntp: The Network Time Protocol (NTP) service.

snmp-server: The Simple Network Management Protocol (SNMP) service.

ssh: The Secure Shell (SSH) service (see the "Guard Secured Shell (SSH) Configuration" section in Chapter 3, "Guard Configuration" for further details).

wbm: The Web Based Management (WBM) service.

ip-addr: The IP address of the previously permitted user, i.e. the IP address of the remote manager. Use * to indicate 'any' IP address.

ip-mask: (Optional) The IP mask of the previously permitted user.

2. Choose ENTER.
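
As an added illustration (not Guard code) of how the service and permit tables of this and the two preceding sections combine, the following Python model applies the rules stated above: a service must be enabled and its permit list must cover the manager's source address, an omitted mask means a single host, and * means any address. The class and method names are assumptions of this example.

```python
import ipaddress

# Services the "permit" command controls (from the page).
SERVICES = {"ntp", "snmp-server", "ssh", "wbm"}
# Services "service" / "no service" switch on and off; SSH is on by default.
SWITCHABLE = {"ntp", "snmp-server", "snmp-trap", "wbm"}


class GuardAccess:
    """Model of the Guard service and permit tables (an added illustration,
    not Guard code). A remote manager reaches a service only when the
    service is enabled AND one permit entry covers its source address."""

    def __init__(self):
        self.enabled = {"ssh"}                       # all services off by default except SSH
        self.permits = {s: [] for s in SERVICES}     # service -> list of ip_network

    @staticmethod
    def _network(ip_addr, ip_mask):
        # "permit <service> *" means any address; an omitted mask means one host.
        if ip_addr == "*":
            return ipaddress.ip_network("0.0.0.0/0")
        return ipaddress.ip_network(f"{ip_addr}/{ip_mask}", strict=False)

    def service(self, name, enable=True):
        """service <name> / no service <name>."""
        if name not in SWITCHABLE:
            raise ValueError(f"unknown service {name!r}")
        (self.enabled.add if enable else self.enabled.discard)(name)

    def permit(self, service, ip_addr, ip_mask="255.255.255.255"):
        """permit <service> <ip-addr> [<ip-mask>]."""
        if service not in SERVICES:
            raise ValueError(f"unknown service {service!r}")
        net = self._network(ip_addr, ip_mask)
        if net not in self.permits[service]:
            self.permits[service].append(net)

    def no_permit(self, service, ip_addr, ip_mask="255.255.255.255"):
        """no permit <service> <ip-addr> [<ip-mask>]: remove exactly that entry."""
        net = self._network(ip_addr, ip_mask)
        self.permits[service] = [n for n in self.permits.get(service, []) if n != net]

    def is_allowed(self, service, src_ip):
        """True when the service is enabled and src_ip matches a permit entry."""
        if service not in self.enabled:
            return False
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.permits.get(service, []))

    def wide_open(self):
        """Enabled services permitted from any address; the page cautions
        against keeping such entries after initial configuration."""
        return sorted(s for s in self.enabled
                      if any(n.prefixlen == 0 for n in self.permits.get(s, [])))
```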

Guard Web Based Management (WBM)

The Guard enables the user to control it via the web using a web browser.

To enable the Guard web based management service perform the following:

1. From the Configuration command group level type the following to enable the WBM service:

admin@GUARD-conf# service wbm

From the Configuration command group level type the following to permit WBM access to the Guard from the remote manager's IP address:

admin@GUARD-conf# permit wbm <ip-addr> [<ip-mask>]

Where ip-addr and ip-mask define the remote manager's IP address.

2. Choose ENTER. The following screen appears:

admin@GUARD-conf# service wbm

admin@GUARD-conf# permit wbm 10.0.0.0 255.0.0.0

3. The user then types the following in the browser window:

https://<guard-ip-address>/ 

4. Choose ENTER. The Guard Web Based Management window appears.


Note HTTPS, not HTTP, is used for web based management access.


Guard and SNMP

The Guard enables Simple Network Management Protocol (SNMP) access. The user may access the SNMP server and retrieve information as defined by the Management Information Base 2 (MIB2) and the Cisco proprietary MIB. The user is also able to activate the SNMP Trap Generator and configure the trap information scope.

In the following procedures the user enables (and disables) the SNMP service and the SNMP Trap Generator. The user, then, changes the Guard default SNMP community string, defines a new community string and displays the current community string. The user continues to configure the destination hosts for SNMP Traps and the traps information scope. Finally, the user displays the defined destination hosts and the generated information scopes.


Note The permit command also controls the SNMP usage.


Enabling and Disabling the SNMP Server Service

The user may enable the Guard SNMP service to access the SNMP server.

To enable the Guard SNMP service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# service snmp-server

2. Choose ENTER.

The user may disable the Guard SNMP service.

To disable the Guard SNMP service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no service snmp-server

2. Choose ENTER.

Enabling and Disabling the SNMP Trap Generator Service

The user may enable the trap generator service in order to receive its reports.

To enable the SNMP trap generator service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# service snmp-trap

2. Choose ENTER.

The user may disable the trap generator service.

To disable the SNMP trap generator service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no service snmp-trap

2. Choose ENTER.

Defining an SNMP Server Community String

The user may change the Guard default community string and define a new string.


Note The Guard default community string is riverhead.


To define the Guard community string perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# snmp community <community-string>

Where community-string is the desired Guard community string. The string is of a maximum length of 15 alphanumeric characters excluding spaces.

2. Choose ENTER.

Configuring the SNMP Trap Generator

The user configures the SNMP Trap Generator parameters. These include the destination host (or hosts) IP address (or addresses), the SNMP trap generator community string (optional), and the information scope of the generated trap (also optional). The user defines the information scope by defining the event severity level that the trap displays. The trap then displays all specified severity level events and above (i.e. if the user specifies severity level 4 the trap displays all severity level events from 4 to 0).

To configure the SNMP trap generator perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# snmp trap-dest <ip-address> [<community-string> [<min-severity>]]

Where:

ip-address: The destination host IP address.

community-string: (Optional) The community string sent with the trap. It should match the community string defined on the destination host. The string has a maximum length of 15 alphanumeric characters, excluding spaces.


Note When the community string is undefined the "public" string is used.


min-severity: (Optional) The trap information scope. The user defines the scope by stating the minimum severity level to report. The severity level options are:

Emergencies: System is unusable (severity = 0)

Alerts: Immediate action needed (severity = 1)

Critical: Critical conditions (severity = 2)

Errors: Error conditions (severity = 3)

Warnings: Warning conditions (severity = 4)

Notifications: Normal but significant conditions (severity = 5)

Informational: Informational messages (severity = 6)

Debugging: Debugging messages (severity = 7)


Note When the minimum severity parameter remains unspecified the report displays all severity level events.


2. Choose ENTER.

Displaying the SNMP Server Community String

The user may view the Guard community string.

To view the community string perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# show snmp community

2. Choose ENTER.

Displaying a specific Host Destination Details

The user may view the details of a specific destination host.

To view the details of a specific destination host perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# show snmp trap-dest <ip-address>

Where ip-address is the host destination IP address.

2. Choose ENTER.

Displaying all Destination Host Details

The user may view a list of all the destination host details.

To view a list of all destination host details perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# show snmp trap-dest *

2. Choose ENTER.

TACACS+ and Local Authentication Methods

The Guard enables the Administrator to configure which authentication method the Guard utilizes when the user tries either to log into the Guard or requests a higher privilege level (using the enable command). The Guard offers the following authentication options:

Guard local authentication: Local authentication uses locally configured login and enable passwords for authentication. This is the default authentication method.

Guard local authentication may also be performed when authentication through a TACACS+ server or a list of TACACS+ servers returns a rejection. This option is valid when the user does not configure the 'first-hit' option.

TACACS+ authentication: TACACS+ authentication authenticates users through a TACACS+ server or a list of TACACS+ servers. The user may configure the Guard to stop at the first received reply ('first hit') or to perform authentication with each of the servers on the TACACS+ server list.

Authentication through the TACACS+ server may be performed when the Guard local authentication returns a rejection. This option is valid when the user does not configure the 'first-hit' option.

Configuring Authentication Methods

The Administrator configures which authentication method the Guard utilizes when the user tries either to log into the Guard or requests a higher privilege level (using the enable command).

The Guard enables the user to configure a sequential list that defines the authentication methods used to authenticate a user. This enables the user to designate one or more methods to be used for authentication. Thus, a backup system for authentication is provided, in case the initial method fails.

The Guard uses the first method listed to authenticate users; if that method does not respond, the Guard selects the second authentication method. Authentication fails only when both methods have been exhausted.

The Guard user privilege levels relate to the TACACS+ privilege numeration as follows:

admin = 15

config = 10

dynamic = 5

show = 0

To configure the authentication method perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# aaa authentication {enable | login} {local | tacacs+} [tacacs+ | local]

Where:

enable: The Guard authenticates on entering a higher privilege level.

login: The Guard authenticates when logging into it.

local: The Guard utilizes its local database to authenticate the user.

tacacs+: A TACACS+ server authenticates the user.

tacacs+ | local: (Optional) This sets an alternative authentication method in case the configured method fails.


Note This option is valid only when first-hit is not configured. (See the "Configuring TACACS + Search" section for further details).



Note The user must configure the TACACS+ server connection prior to applying the TACACS+ authentication method. See the "Configuring TACACS+ Server Connection" section for further details.


2. Choose ENTER. The following, sample, prompt appears:

admin@GUARD-conf# aaa authentication enable tacacs+ local
admin@GUARD-conf#

Configuring TACACS+ Server Connection

The user must configure the TACACS+ server parameters prior to applying the TACACS+ authentication method. The TACACS+ server configuration includes the following:

Server address (or addresses)

Server encryption key

Search

Server access timeout

Configuring TACACS+ Server IP Address

The user defines the IP address (or addresses) of one or more TACACS+ servers.

The Guard enables the user to configure a sequential list of TACACS+ servers used to authenticate a user. The Guard uses the first TACACS+ server listed to authenticate users; if that server does not respond, the Guard selects the second server. Authentication fails only after all listed servers have been exhausted.

Alternatively, the user may configure the Guard to use only the first TACACS+ server on the list to authenticate users (see the "Configuring TACACS + Search" section for further details).

To assign an IP address to a TACACS+ server perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# tacacs-server host <ip-address>

Where ip-address is the IP address of the TACACS+ server.

2. Choose ENTER.

3. Repeat steps 1 and 2 for each additional TACACS+ server in the list.

Configuring TACACS+ Server Encryption Key

The user should configure the encryption key to access the TACACS+ server.

To configure the server encryption key perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# tacacs-server key <tacacs-key>

Where tacacs-key is an alphanumeric string.

2. Choose ENTER.


Note Only one encryption key can be defined when using several TACACS+ servers. This key is used to encrypt communication with all TACACS+ servers.


Configuring TACACS + Search

The user may configure the Guard to regard an authentication rejection as final and stop further search with other TACACS+ servers. The Guard, in this case, does not fall back to the local authentication method (unless configured to do so, see the "Configuring Authentication Methods" section), and does not move on to the next configured TACACS+ server (if such exists).

To configure a TACACS+ server access procedure perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# tacacs-server first-hit

2. Choose ENTER.


Note If the user does not launch the tacacs-server first-hit command the Guard, by default, tries all TACACS+ servers in its list.


Configuring TACACS+ Server Connection Timeout

The user may configure the timeout for the Guard to wait for the TACACS+ server reply. When the timeout ends, the Guard either attempts to establish a connection with the next TACACS+ server (if such a server was configured) or falls back to local authentication (if such fallback was configured). Authentication fails if no fallback authentication is configured.

To configure the connection timeout perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# tacacs-server timeout <timeout>

Where timeout is the timeout in seconds.

2. Choose ENTER.
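
The following Python model is an added example, not Guard code, of the authentication flow described in this and the preceding TACACS+ sections: an ordered method list with an optional fallback, an ordered server list, timeouts that move on to the next server, and the first-hit option that makes a rejection final. The server stand-ins, and the rule that a fallback still applies when every server times out under first-hit (as the timeout section above describes), are assumptions of this example.

```python
from dataclasses import dataclass, field

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"

# Guard privilege levels and their TACACS+ privilege numbers (from the page).
PRIV_LEVELS = {"admin": 15, "config": 10, "dynamic": 5, "show": 0}


def make_server(users, reachable=True):
    """Constructed stand-in for one 'tacacs-server host' entry: returns ACCEPT
    or REJECT for a credential, or TIMEOUT when the host never answers."""
    def reply(user, password):
        if not reachable:
            return TIMEOUT
        return ACCEPT if users.get(user) == password else REJECT
    return reply


@dataclass
class GuardAaa:
    local_users: dict = field(default_factory=dict)     # the Guard local database
    tacacs_servers: list = field(default_factory=list)  # ordered tacacs-server host list
    first_hit: bool = False                             # tacacs-server first-hit
    methods: tuple = ("local",)                         # aaa authentication login <m> [<fallback>]

    def _local(self, user, password):
        return ACCEPT if self.local_users.get(user) == password else REJECT

    def _tacacs(self, user, password):
        """Walk the server list in order. A timeout always moves on to the next
        server. Without first-hit every server is tried until one accepts; with
        first-hit the first reply (accept or reject) is final."""
        got_reply = False
        for server in self.tacacs_servers:
            result = server(user, password)
            if result == TIMEOUT:
                continue
            got_reply = True
            if result == ACCEPT or self.first_hit:
                return result
        return REJECT if got_reply else TIMEOUT

    def _run(self, method, user, password):
        return {"local": self._local, "tacacs+": self._tacacs}[method](user, password)

    def authenticate(self, user, password):
        """Apply the configured method list; True on success."""
        primary, *fallback = self.methods
        result = self._run(primary, user, password)
        if result == ACCEPT:
            return True
        if not fallback:
            return False
        # The fallback always applies when the primary method did not respond;
        # after a rejection it applies only when first-hit is not configured.
        if result == TIMEOUT or not self.first_hit:
            return self._run(fallback[0], user, password) == ACCEPT
        return False
```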

Time Related Commands


Note Configure the Guard time parameters prior to the Network Time Protocol server configuration.


Time Zone Configuration

The user may configure the Guard system time zone.

To configure the Guard system time zone perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# timezone <timezone-name>

Where timezone-name is the name of the desired time zone. The name consists of continent/city:

The continent options are:

Africa, America, Antarctica, Arctic, Asia, Atlantic, Australia, Europe, Indian, Pacific

Etc: A wild card for a desired time zone


Note The time zone name is case sensitive. Type the desired continent name + double TAB for a list of relevant cities.


2. Choose ENTER. Below is an example of the timezone command:

admin@GUARD-conf# timezone Asia/Jerusalem
admin@GUARD-conf#

To view the current time zone perform the following:

1. From the Global or the Configuration command group levels type the following:

admin@GUARD-conf# show timezone

2. Choose ENTER. Below is an example of the show timezone command:

admin@GUARD# show timezone
Asia/Jerusalem

Network Time Protocol Commands

The Guard provides the user with a time synchronization service. This capability enables the user to synchronize the Guard with a Time Synchronization Server via the Network Time Protocol (NTP) service. The first stage in time synchronization would be to enable the Guard NTP service. Next is directing the Guard to the desired Time Synchronization Server.

To enable the NTP service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# service ntp

2. Choose ENTER.

To direct the Guard to the desired Time Synchronization Server to obtain the NTP service perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# ntp server <ip-address>

Where ip-address is the NTP server IP address.

2. Choose ENTER. The following prompt appears:

admin@GUARD-conf#

To remove a previously defined NTP server perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# no ntp server <ip-address>

Where ip-address is the NTP server IP address.

2. Choose ENTER. The following prompt appears:

admin@GUARD-conf#

Time and Date Commands

The user may wish to display the Guard date and time.

To display the time and date perform the following:

1. From the Global command group level type the following:

admin@GUARD# show date

From the Configuration command level group type the following:

admin@GUARD-conf# show date

2. Choose ENTER. The following, sample, screen appears:

admin@GUARD# show date
Sun Jan 26 19:37:00 EST 2003

To set the time and the date perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# date MMDDhhmm[[CC]YY][.ss]

Where:

MM: The month in numeric figures

DD: The day of the month

hh: The hour in a 24 hour clock

mm: The minutes

[[CC]YY]: (Optional) The year. The last two digits may be entered.

.ss: (Optional) The seconds

2. Choose ENTER. The following screen appears:

admin@GUARD-conf# date  1008171003.17
Wed Oct  8 17:10:17 EDT 2003
admin@GUARD-conf#
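
As an added example, not Guard code, the following Python parser accepts the MMDDhhmm[[CC]YY][.ss] argument shown above and renders the result in the form of the sample output. The year assumed when none is given, and the century assumed for a two-digit year, are assumptions of this example.

```python
import re
from datetime import datetime

# Pattern for the Guard "date MMDDhhmm[[CC]YY][.ss]" argument.
_DATE_RE = re.compile(r"^(?P<MM>\d{2})(?P<DD>\d{2})(?P<hh>\d{2})(?P<mm>\d{2})"
                      r"(?P<year>\d{4}|\d{2})?(?:\.(?P<ss>\d{2}))?$")


def parse_guard_date(arg, current_year=2003):
    """Parse a 'date' argument into a datetime. current_year stands in for the
    Guard's running clock when no year is given (assumption: the page does not
    say which year is used then). Raises ValueError on malformed input."""
    m = _DATE_RE.match(arg)
    if not m:
        raise ValueError(f"bad date argument {arg!r}: expected MMDDhhmm[[CC]YY][.ss]")
    year_text = m.group("year")
    if year_text is None:
        year = current_year
    elif len(year_text) == 4:
        year = int(year_text)                    # CCYY given in full
    else:
        # Two-digit year: assume the same century as the running clock.
        year = (current_year // 100) * 100 + int(year_text)
    # datetime() rejects impossible values such as month 13 or day 32.
    return datetime(year, int(m.group("MM")), int(m.group("DD")),
                    int(m.group("hh")), int(m.group("mm")), int(m.group("ss") or 0))


def guard_date_line(dt):
    """Render a datetime the way the 'show date' sample prints it (the zone
    name is omitted because this example does not track time zones)."""
    return f"{dt:%a %b} {dt.day:2d} {dt:%H:%M:%S %Y}"
```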

Installing a New Guard Software Version

The Guard enables the user to download a new software version from an FTP server and install it on the Guard machine.

Downloading an Updated Guard Software Version

The user may download an updated version of the Guard software from an FTP server.

To download an updated version of the Guard software perform the following:

1. From the Global command group level type the following:

admin@GUARD# copy ftp new-version <server> <full-file-name> [<login>] [<password>]

Where:

server: The IP address of the ftp server from which the new version will be copied.

full-file-name: The full file name of the version file.


Note If a path is not specified, the default is the user's home directory.


login: (Optional) The login name in the ftp server.


Note If a login name is not entered, the login anonymous is assumed. In such a case the user will not be prompted for a password.


password: (Optional) The password for the remote ftp server.


Note If a password is not entered, the user will be prompted for the password.


2. Choose ENTER. The following sample appears:

admin@GUARD# copy ftp new-version 10.0.0.191 /home/Versions/R3.i386.rpm user password
FTP in progress...
admin@GUARD#

Installing an Updated Guard Software Version

After downloading the updated Guard software version, the user may install it.

To install the downloaded version of the Guard software perform the following:

1. From the Global command group level type the following:

admin@GUARD# install new-version 

2. Choose ENTER. The following, sample, screen appears:

admin@GUARD#install new-version
GUARD: running pre install scripts
Shutting down Cisco system
GUARD: running post install scripts
Starting Cisco system
Waiting for card to start ........
Shutting down interface eth0:  [  OK  ]
Shutting down interface eth1:  [  OK  ]
Shutting down interface lo:0:  [  OK  ]
Shutting down loopback interface:  [  OK  ]
Disabling IPv4 packet forwarding:  [  OK  ]
Bringing up interface giga1:  [  OK  ]
Setting network parameters:  [  OK  ]
Bringing up loopback interface:  [  OK  ]
Bringing up interface eth0:  [  OK  ]
Bringing up interface eth1:  [  OK  ]
Bringing up interface gre2:  [  OK  ]
Starting ZEBRA and DIVERTER
Press Enter to close this CLI session.

Caution Issuing the install new-version command deactivates the Learning and the Protection procedures.

Displaying the Guard Software Version

The user may display the current Guard software version.

To display the current software version perform the following:

1. From the Global command group level type the following:

admin@GUARD# show version

From the Configuration command group level type the following:

admin@GUARD-conf# show version

Copyright (c) 2004 Cisco Systems, Inc. All rights reserved.
Software License Agreement
1. Cisco grants the Customer a non-exclusive license to use Cisco 
software and related documentation (collectively, the "Cisco 
Software") for its internal business purposes and to service its 
customers. The Customer is the company or organization, which 
ordered and paid for the Cisco Software.........
.... .... 
9. If a term or condition of this License is unenforceable, the 
remaining terms will remain in full force and effect.
Cisco Guard
Label:  R3-50.20
Update: 2004/02/19 16:17:28
Base Information:
   Cisco Guard Release R3
   Created by label R3_BaseCreation5.1 on Tue Nov  4 16:08:15 IST 
2003
   upgraded to BaseUpgradeR3-5-5 on Thu Jan  1 09:31:55 EST 2004
GUARD uptime is 2 weeks, 5 days, 21 hours, 58 minutes
Contact Information:
   Cisco Systems, Inc.

Burning a New Flash Version

The user may burn a new flash version only when there is a mismatch between current CFE and software versions.

In case of a CFE mismatch, the following message will be displayed when issuing the install new-version command:

logger: RHInit FATAL: Bad CFE version ( 17). This version requires version 18

Message from syslogd@localhost at Mon Dec 22 14:31:08 2003 ...
localhost logger: RHInit FATAL: Bad CFE version ( 17). This version requires version  18


Caution The user must ensure a stable power supply to the Guard and refrain from any Guard operations while burning a new flash version.

To burn a new flash version perform the following:

1. From the Global command group level type the following:

admin@GUARD# flash-burn

From the Configuration command group level type the following:

admin@GUARD-conf# flash-burn

2. Choose ENTER. The following screen appears:

admin@GUARD-conf# flash-burn
Please note: DON'T PRESS ANY KEY WHILE IN THE PROCESS!
Flash image is 326040 bytes, flags 00000001, CRC 7D3AB66D
---------------------------------------------------------------------
Programming in progress. Should last approximately a minute
** DO NOT TURN OFF YOUR MACHINE UNTIL THE FLASH UPDATE COMPLETES!! **
---------------------------------------------------------------------
........................................................
Burned firmware successfully
SYSTEM IS NOT FULLY OPERATIONAL. Type 'reload' to restart the system
admin@GUARD-conf#

Note Issuing the flash-burn command when the CFE and the Guard software versions match results in the following message:

Can not burn flash while product is running

Failed burning flash. Please contact customer support.


3. Launch the reload command:

admin@GUARD-conf# reload

4. The following message prompt appears:

Are you sure? Type 'yes' to reload

5. Type yes. The following prompt appears:

admin@GUARD-conf#

See the "Reloading the Guard Modified Configurations" section for further details.

Changing the Guard Host Name

The user may change the Guard host name. The change also affects the CLI prompt.

To change the CLI prompt perform the following:

1. From the Configuration command group level type the following:

admin@GUARD-conf# hostname <name>

Where name is a host name.

2. Choose ENTER. The prompt now includes the host name. See the sample screen below:

admin@GUARD-conf# hostname AJ1-netset
admin@AJ1-netset-conf# 

Note This manual uses the default CLI prompt (admin@GUARD#) as its writing convention.


Exiting the CLI and Turning the Guard OFF

The user may exit the Guard CLI environment and turn the Guard OFF.


Note Typing exit from any other command level brings the user one level up the CLI command levels towards the root command level.


To exit the CLI and turn the Guard OFF perform the following:

1. In the Global command level prompt line type the following:

admin@GUARD# poweroff

2. Choose ENTER. The following prompt message appears:

Are you sure? Type 'yes' to power off

3. Type yes to exit the CLI environment. The Guard then shuts down, saving vital information.


Note Typing anything other than yes results in returning to the Global command group level prompt without executing the poweroff command.


4. Push the Guard ON/OFF button to turn the Guard power OFF. The green power LED is turned off.


Caution Pushing the OFF button without issuing the poweroff command may result in critical data loss!