Cisco Guard Configuration Guide (Software Version 5.0)
Initializing the Guard

Table Of Contents

Initializing the Guard

Guard Physical Specifications

Rack Mount Specifications

Front Panel Description

Rear Panel Description

Connecting the Guard

Connecting the Mini USB Cable

Connecting the Network Interfaces

Connecting the Power Supply

Connecting a Console

Connecting Locally

Using the Command Line Interface

Understanding User Privilege Levels

Understanding Command Modes

Entering CLI Commands

Using the No Form of a Command

show Command Syntax

CLI Error Messages

Tips for Using the CLI

Using Help

Using Tab Completion

Understanding Convention of Operation Direction

Abbreviating a Command

Using Wildcard Characters

Accessing the Guard for the First Time

Configuring the Guard Interfaces

Configuring a Physical Interface

Configuring a VLAN

Configuring a Loopback Interface

Configuring a Tunnel

Checking the Status of a GRE Tunnel

Configuring the Default Gateway

Adding a Static Route to the Routing Table

Configuring the Proxy IP Address

Managing the Guard

Managing the Guard with a Web-Based Manager

Accessing the Guard with SSH


Initializing the Guard


This chapter describes the basic tasks required to initialize the Cisco Guard (Guard) in a network and how to manage it.

This chapter includes the following topics:

Guard Physical Specifications

Connecting the Guard

Using the Command Line Interface

Accessing the Guard for the First Time

Configuring the Guard Interfaces

Configuring the Default Gateway

Adding a Static Route to the Routing Table

Configuring the Proxy IP Address

Managing the Guard

Guard Physical Specifications

This section includes the following topics:

Rack Mount Specifications

Front Panel Description

Rear Panel Description

Rack Mount Specifications

Table 2-1 describes the Guard rack-mount specifications.

Table 2-1 Rack-Mount Specifications

Item                   Specification
Dimensions
  Weight               62 lbs (28.12 kg)
  Height               3.36 inches (85.4 mm)
  Width                17.5 inches (443.6 mm), 19 inches rack mountable
  Depth                27.48 inches (698 mm)
  Form Factor          Rack mount 2U
Power management
  Power supply         350 Watts
  Power supply type    110 or 220 volt universal auto sensing
Interfaces
  Out-of-Band          Two 10/100/1000BASE-T
  In-Band              One dual-port NIC consisting of one of the following options:
                       Two auto-sense full/half duplex 10/100/1000BASE-T (copper)
                       Two 1000BASE-SX (fiber)
  Serial port          Two serial DB9 RS-232 ports
Electrical             100-240 VAC auto-sense auto switch 50-60 Hz (optional: a dual power supply)


Front Panel Description

Figure 2-1 displays the Guard front panel.

Figure 2-1 Guard Front Panel

Table 2-2 describes items on the Guard front panel.

Table 2-2 Front Panel Items

No  Item (Description): Function

1  ON/OFF Button (power control button): Switches the Guard on or off. A green LED is turned on when the Guard is powered up; the LED blinks when the Guard is off but connected to a power source.

2  RESET button (orange button): Resets the server and runs the power-on self test.

3  CD-ROM drive: Provides a CD-ROM drive for CDs.

4  Diskette drive: Provides a diskette drive for a floppy diskette.

5  Hard disk drive: Provides a drive for a server hard disk.


Rear Panel Description

Figure 2-2 displays the Guard rear panel.

Figure 2-2 Guard Rear Panel

Table 2-3 describes items on the Guard rear panel.

Table 2-3 Rear Panel Items

No  Item (Description): Function

1  Serial RS-232 (serial port, COM 1): Connects to the user console control or to the console server.

2  Monitor cable socket (console monitor socket): Provides a connection for the console monitor.

3  Keyboard cable socket (console keyboard cable socket): Provides a connection for the console keyboard cable.

4  Mouse cable socket (console mouse cable socket): Provides a connection for the console mouse cable.

5  Eth0 socket (10/100/1000BASE-T Ethernet cable socket): Provides a network interface connection for the out-of-band management cable.

6  Eth1 socket (10/100/1000BASE-T Ethernet cable socket): Provides a network interface connection for the out-of-band management cable.

7  USB port: Connects the mini USB cable to the hardware diagnostics card.

Caution This mini USB cable must be connected before power up.

8  Accelerator card: A Cisco proprietary accelerator card.

9  Giga1 socket (network socket): Provides a connection for an accelerator card network in-band interface.

Caution When using a single in-band interface you must use this socket.

10  Giga0 socket (network socket): Provides a connection for an accelerator card network in-band interface.

11  Accelerator card serial socket: Provides a connection for the Cisco proprietary accelerator card serial port.

12  USB socket on hardware diagnostics card: Provides a connection for the mini USB cable.

13  Hardware diagnostics card: Provides hardware diagnostic data.

14  Power Cable 2 Socket (power supply cable socket): Connects a power supply cable for server power supply 2.

15  Power Cable 1 Socket (power supply cable socket): Connects a power supply cable for server power supply 1.



Note The Cisco Guard uses a preinstalled hardware acceleration card (P/N X25E02 with fiber cable or P/N X25E03 with copper cable). There are no connections with exposed plant leads; all lines are indoors only.

The card is used to off-load critical per-packet processing from the main Intel CPUs, which provides the required high throughput. The card contains three connectors on the bracket: two Gigabit Ethernet interfaces as described above (Giga0 and Giga1, items 9 and 10) and one serial connector for debugging purposes (item 11). Other connectors on the card that are not on the bracket (a power connector and an EJTAG connector) are not user accessible.



Warning Card P/N X25E02 contains a CLASS I LASER product. This module satisfies Class I Laser Safety requirements in accordance with the US FDA/CDRH and international IEC-825 standards.


Connecting the Guard

This section describes how to connect the Guard to the network and power sources.


Note The Guard console connections depend on whether you operate the Guard locally or from a console. See "Connecting a Console" for more information.


Connecting the Mini USB Cable


Caution The mini USB cable must be connected before power up.

To connect the mini USB cable, perform the following steps:


Step 1 Connect the small plug on the mini USB cable to the USB socket on the hardware diagnostics card. (See item 12 in Figure 2-2.)

Step 2 Connect the other plug to either of the USB ports on the chassis. (See item 7 in Figure 2-2.)


Connecting the Network Interfaces

To connect the network interfaces, perform the following steps:


Step 1 Connect the Ethernet 10/100/1000BASE-T cable to the corresponding Guard network socket and to the appropriate management network socket. (See items 5 and 6 in Figure 2-2.)

Step 2 Connect the in-band cable (copper or fiber) to the appropriate in-band network socket (see items 9 and 10 in Figure 2-2) and to the corresponding network socket. The Guard can work with one or two in-band network interface cards.


Warning When using a single In-Band interface you must use Giga1. (See item 9.)



Connecting the Power Supply

Connect the two power supply cables to the sockets on the rear panel (see items 14 and 15 in Figure 2-2) and to the power source. A blinking green light indicates that the cables have been successfully connected.


Caution Both cables must be connected to a power source for the Guard to work properly.

Connect the power supply cable to the Guard power cable socket 2 (see socket 7 in Figure 2-2) and the other end to a power source. A green light indicates the connection.

Connecting a Console

Connect one end of an RS-232 cable to the RS-232 socket in the Guard (see socket 1 in Figure 2-2) and the other end to the serial console control, and push the ON/OFF button. (See the ON/OFF button in Figure 2-1.)

You can use any suitable terminal emulator software to establish communication with the Guard using the serial connection. The example used in this publication is Hyper Terminal, software written for Microsoft by Hilgraeve Inc.

To establish communication with the Guard using the serial connection, perform the following steps:


Step 1 Launch the Hyper Terminal software. Enter a connection name and click OK.

Step 2 Choose the communications port from the Connect using drop-down list and click OK.

Step 3 Enter the following port settings and click OK:

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None

Step 4 The Hyper Terminal main screen appears. From the File menu, choose Properties.

Step 5 Select the Settings screen tab.

Step 6 Insert the following values and click OK:

Emulation: VT100

Telnet terminal ID: VT100

Backscroll buffer lines: 500

The Hyper Terminal main screen appears with the Guard login prompt.


Connecting Locally

To connect and operate the Guard locally, perform the following steps:


Step 1 Connect the monitor, keyboard, and mouse cables to their corresponding Guard sockets (see sockets 2, 3, and 4 in Figure 2-2).

Step 2 Push the ON/OFF button (see the ON/OFF button in Figure 2-1).

The login prompt appears after a few minutes.


Using the Command Line Interface

You can control the Guard functions by using the Command-Line Interface (CLI). The Guard user interface is divided into many different command modes and the access to the CLI is mapped according to user privilege levels. The commands that are available to you depend on which mode you are currently in.

This section includes the following topics:

Understanding User Privilege Levels

Understanding Command Modes

Entering CLI Commands

Tips for Using the CLI

Understanding User Privilege Levels

The access to the CLI is mapped according to user privilege levels. Each privilege level has its own group of commands.

Table 2-4 describes the user privilege levels.

Table 2-4 User Privilege Levels

Administration (admin): Provides access to all operations.

Configuration (config): Provides access to all operations except for operations relating to user definition, deletion, and modification.

Dynamic (dynamic): Provides access to monitoring and diagnostics operations, and to protection and learning-related operations. Users with Dynamic privileges can also configure Flex-Content filters and Dynamic filters.

Show (show): Provides access to monitoring and diagnostic operations.



Note We recommend that users with Administration and Configuration privilege levels configure all filters. Users with lower privilege levels can add and remove Dynamic filters.


Understanding Command Modes

This section contains summaries of the command and configuration modes used in the Guard Command-Line Interface (CLI). To obtain a list of commands available for each command mode, enter ? at the system prompt.

Table 2-5 lists and describes the Guard command modes.

Table 2-5 Guard Command Configuration Modes

Global: Allows you to connect to remote devices and list system information. The Global prompt is the default prompt when you log into the Guard. The command prompt is as follows:

user@GUARD#

Configuration: Allows you to configure features that affect the Guard as a whole and have restricted user access. To enter configuration mode, use the configure command in global mode. The command prompt is as follows:

user@GUARD-conf#

Interface configuration: Allows you to configure the Guard networking interfaces. To enter interface configuration mode, use the interface command in configuration mode. The command prompt is as follows:

user@GUARD-conf-if-<interface-name>#

Router configuration: Allows you to configure the Guard routing configuration. To enter router configuration mode, use the router command in configuration mode. The command prompt is as follows:

router>

Zone configuration: Allows you to configure the zone attributes. To enter zone configuration mode, use the zone command in configuration mode or use the configure command in global mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>#

Policy template configuration: Allows you to configure the zone policy templates. To enter policy template configuration mode, use the policy-template command in zone configuration mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>-policy_template-<policy-template-name>#

Policy configuration: Allows you to configure the zone policies. To enter policy configuration mode, use the policy command in zone configuration mode. The command prompt is as follows:

user@GUARD-conf-zone-<zone-name>-policy-<policy-path>#

Entering CLI Commands

This section describes the rules for entering CLI commands.

This section includes the following topics:

Using the No Form of a Command

show Command Syntax

CLI Error Messages

Table 2-6 describes the rules for entering CLI commands.

Table 2-6 CLI Rules

Action: Keyboard Sequence

Scroll through and modify the command history: Use the arrow keys.

Display commands available in a specific command mode: Shift + ?

Display a command completion: Type the beginning of the command and press TAB.

Display command syntax completions: Type the command and press TAB twice.

Scroll using the more command: Enter the more number-of-lines command. The number-of-lines argument configures the number of additional lines displayed in the window once you press the SPACE bar. The default is two lines less than the capability of the terminal.

Scroll forward a single screen (within a command output): SPACE bar

Scroll back a single screen (within a command output): b

Stop scroll movement: q

Search forward for a string: / string

Search backward for a string: ? string

Cancel the action or delete a parameter: Use the no form of a specific command.

Display information relating to a current operation: show

Exit from a current command group level to a higher group level: exit

Exit all command group levels and return to the root level: end

Display command output from and including the first line that contains a string: | begin string

Display command output lines that include a string: | include string

Display command output lines that do not include a string: | exclude string



Note If you enter the exit command at the root level, you exit the CLI environment to the operating system login screen.


Using the No Form of a Command

Almost every configuration command also has a no form. In general, use the no form of a command to disable a feature or function. Use the command without the keyword no to enable a disabled feature or function. For example, the event monitor command turns on the event monitor, and the no event monitor command turns it off.

show Command Syntax

You can execute zone-related show commands from the zone configuration mode. Alternatively, you can execute these commands from the global or configuration modes.

The following is the syntax for the show command in global or configuration modes:

show zone zone-name parameters...

The following is the syntax for the show command in zone configuration mode:

show parameters...


Note This publication uses the show command syntax from the zone configuration mode unless explicitly specified.


CLI Error Messages

The Guard CLI displays error messages in the following situations:

The syntax of the command is incomplete or incorrect.

The command does not match the system configuration.

The operation could not be performed due to a system failure. In this situation, an entry is created in the system log.

Tips for Using the CLI

This section provides tips for using the CLI and includes the following topics:

Using Help

Using Tab Completion

Understanding Convention of Operation Direction

Abbreviating a Command

Using Wildcard Characters

Using Help

The CLI provides context-sensitive help at every mode of the command hierarchy. The help information tells you which commands are available at the current command mode and provides a brief description of each command.

To get help, type ?.

To display help for a command, type ? after the command.

To display all commands available in a mode along with a short description, enter ? at the command prompt.

The help displays commands available in the current mode only.

Using Tab Completion

You can use tab completion to reduce the number of characters you need to type for a command. Type the first few characters of a command and press Tab to complete the command.

After entering a command that has a value with multiple options, press Tab twice to display a list of possible input parameters, including system-defined parameters and user-defined parameters. For example, if you press Tab twice after entering the policy-template command in zone configuration mode, the list of policy template names is displayed. If you press Tab twice after entering the zone command in configuration mode, zones that are already defined are displayed.

If multiple commands match for a Tab completion action, nothing is displayed; the system repeats the current line you entered.

The tab completion feature displays only commands available for the current mode.

Understanding Convention of Operation Direction

The order of keywords in the command syntax defines the direction of the operation. When the keyword is entered before the command name, the Guard copies data from the Guard to the server. When the command name comes before the keyword, the Guard copies data from the server to the Guard. For example, the copy log ftp command copies the log file from the Guard to the FTP server. The copy ftp new-version command copies the new software version file from the FTP server to the Guard.

Abbreviating a Command

You can abbreviate commands and keywords to the number of characters that allow a unique abbreviation.

For example, you can abbreviate the show command to sh.

Using Wildcard Characters

You can use an asterisk (*) as a wildcard.

For example, if you enter the learning policy-construction * command, the policy construction phase is activated for all the zones that are configured on the Guard.

If you enter the learning policy-construction scan* command, the policy construction phase is activated for all the zones that are configured on the Guard with names that begin with scan (such as scannet, scanserver, and so on).

If you enter the no zone * command, all zones are removed.

Accessing the Guard for the First Time

The Guard has a preconfigured user name with an administration user privilege level.

To access the Guard for the first time, perform the following steps:


Step 1 Press the power control button on the front of the Guard.

After the Guard boot process completes, the software prompts you to enter a username.


Note During power-up, the green power LED on the front of the Guard is on.


Step 2 Enter admin for the username and rhadmin for the password.

Step 3 Choose a password for the administrative (root) account.

Your password must have a minimum length of six characters and should be a combination of letters and numbers. Retype your new password to verify it.

Step 4 Choose a password for the admin username.

Your password must have a minimum length of six characters and should be a combination of letters and numbers. Retype your new password to verify it.

Step 5 Choose a password for the riverhead username.

Your password must have a minimum length of six characters and should be a combination of letters and numbers. Retype your new password to verify it.

You can change the passwords for the admin and riverhead usernames at any time. See the "Changing Your Password" section for more information.

Step 6 Enter admin for the username and enter the password you have configured in Step 4.

The following prompt line appears:

user@GUARD#

Step 7 Enter configuration mode, which is required to configure the Guard, by entering the following command:

configure [terminal]

The following example shows how to enter configuration mode:

user@GUARD# configure 
user@GUARD-conf#


Configuring the Guard Interfaces

The Guard has several Network Interface Cards (NICs). The Eth0 and the Eth1 (FastEthernet and Gigabit Ethernet) interfaces comprise the out-of-band NICs used for management purposes.

The Giga0 and the Giga1 (Gigabit Ethernet) interfaces comprise the In-Band NICs that the Guard uses for management and zone traffic transmissions.


Note When using a single in-band interface, you must use Giga1.


The Giga0 and Giga1 provide the physical interface on which virtual interfaces (VLANs and tunnels) are configured. Configuring the Guard interfaces serves as a basis for the diversion procedures. See "Configuring Traffic Diversion," for more information.

You must configure the Guard interfaces for proper Guard functioning. Interface characteristics include, but are not limited to, the IP address and the interface MTU.

Many features are enabled on a per-interface basis. When you enter the interface command, you must specify the interface type and number.

The following guidelines apply to all physical and virtual interface configuration processes:

Each interface must be configured with an IP address and an IP subnet mask.

You must activate each interface using the no shutdown command.

To display the configuration of an interface, enter the show or show running-config commands.

Configuring a Physical Interface

To connect the Guard to a network, configure a physical interface.

The Guard has four physical interfaces: Eth0, Eth1, Giga0, and Giga1. The out-of-band interfaces are Eth0 and Eth1 (Fast Ethernet and Gigabit Ethernet sockets for out-of-band management).

The in-band interfaces (copper or fiber socket) are Giga0 and Giga1.


Caution Do not configure two physical interfaces on the same subnet or the Guard routing may not work properly.

To configure a physical interface, perform the following steps:


Step 1 Enter interface configuration mode by entering the following command in configuration mode:

interface if-name

The if-name argument specifies the interface name.

The Guard supports the following interfaces:

eth0 or eth1—The out-of-band interfaces

giga1—First in-band interface

giga0—Second in-band interface


Caution When using a single in-band interface, you must use giga1.

Step 2 Set the interface IP address by entering the following command:

ip address ip-addr ip-mask 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).

Step 3 (Optional) Define the interface MTU by entering the following command:

mtu integer 

The integer argument is an integer between 576 and 16384 bytes for eth0 and eth1 interfaces and an integer between 576 and 1824 for giga0 and giga1 interfaces.

The default MTU value is 1500 bytes.

Step 4 (Optional) Configure the interface speed and duplex mode by entering the following command:

speed {auto | half speed | full speed}

Table 2-7 provides the arguments and keywords for the speed command.

Table 2-7 Arguments and Keywords for the speed Command

auto: Turns on the interface auto-negotiation capability. The interface automatically operates at 10/100/1000 Mbps and half or full duplex, depending on environmental factors, such as the type of media and transmission speeds for the peer routers, hubs, and switches used in the network configuration. This mode is the default.

half: Specifies half-duplex operation.

full: Specifies full-duplex operation.

speed: Interface speed. Enter 10, 100, or 1000 for 10 Mbps, 100 Mbps, or 1000 Mbps.


Step 5 Activate the interface by entering the following command:

no shutdown


You must reload the Guard for the configuration change to take effect.

The following example shows how to configure and activate interface eth1:

user@GUARD-conf# interface eth1
user@GUARD-conf-if-eth1# ip address 10.10.10.33 255.255.255.252
user@GUARD-conf-if-eth1# no shutdown

To deactivate a physical interface, enter the shutdown command.

Configuring a VLAN

You can define VLANs on the in-band interfaces only.

To define a VLAN on the Guard, perform the following steps:


Step 1 Enter VLAN interface configuration mode, if one exists, or define a new VLAN by entering the following command in configuration mode:

interface gigax.vlan-id 

The vlan-id argument is an integer that specifies the VLAN ID number. The VLAN ID is a TAG IEEE 802.1Q number.

The x argument specifies the interface. Enter 0 or 1 for the in-band interface.

Step 2 Set the VLAN IP address by entering the following command:

ip address ip-addr ip-mask 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).

Step 3 (Optional) Define the interface MTU by entering the following command:

mtu integer 

The integer argument is an integer between 576 and 1824 bytes.

The default MTU value is 1500 bytes.

Step 4 Activate the interface by entering the following command:

no shutdown


The following example shows how to configure a VLAN on the Guard:

user@GUARD-conf# interface giga1.2
user@GUARD-conf-if-giga1.2# ip address 192.168.5.8 255.255.255.0
user@GUARD-conf-if-giga1.2# no shutdown

Configuring a Loopback Interface

You can specify a virtual interface called a loopback interface to emulate a physical interface. You can use the loopback interface to configure advanced diversion configurations, such as the long diversion process.

In applications where other routers or access servers attempt to reach this loopback interface, you should configure a routing protocol to distribute the subnet assigned to the loopback address.

To configure the loopback interface, perform the following steps:


Step 1 Enter the loopback interface configuration mode, if one exists, or define a new loopback interface by entering the following command in configuration mode:

interface if-name 

The if-name argument specifies the loopback interface name. The interface name is lo:integer where integer is an integer between 0 and 1023.

Step 2 Set the loopback interface IP address by entering the following command:

ip address ip-addr ip-mask 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0).

Step 3 Exit the loopback interface configuration mode by entering the following command:

exit


The following example shows how to configure a loopback interface:

user@GUARD-conf# interface lo:0
user@GUARD-conf-if-lo:0# ip address 1.1.1.1 255.255.255.255
user@GUARD-conf-if-lo:0# exit

Configuring a Tunnel

You can define a GRE or an IPIP tunnel. You can configure the Guard to use tunnels in the diversion process to divert the zone traffic to the Guard.

To define a tunnel perform the following steps:


Step 1 Enter the tunnel interface configuration mode if one exists or define a new tunnel by entering the following command in configuration mode:

interface {greX | ipipY}

The X argument is an integer between 0 and 1024 bytes assigned to a GRE tunnel.

The Y argument is an integer between 0 and 1024 bytes assigned to an IPIP tunnel.

Step 2 Set the tunnel IP address by entering the following command:

ip address ip-addr [ip-mask] 

The ip-addr and ip-mask arguments define the interface IP address. Enter the IP address and subnet mask in dotted-decimal notation (for example, an IP address of 192.168.100.1 and a subnet mask of 255.255.255.0). The default subnet mask is 255.255.255.255.


Step 3 Set the tunnel source IP address by entering the following command:

tunnel source source-ip

The source-ip argument specifies the tunnel source IP address. This IP address is used as the source address for the packets in the tunnel. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

Step 4 Set the tunnel destination IP address by entering the following command:

tunnel destination destination-ip

The destination-ip argument specifies the tunnel destination IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

Step 5 (Optional) Define the interface MTU by entering the following command:

mtu integer 

The integer argument is an integer between 576 and 1480.

The default value for an IPIP tunnel is 1480 bytes.

The default value for a GRE tunnel is 1476 bytes.

Step 6 Activate the interface. Enter the following command:

no shutdown


The following example shows how to configure a GRE tunnel:

user@GUARD-conf# interface gre2
user@GUARD-conf-if-gre2# ip address 192.168.121.1 255.255.255.0
user@GUARD-conf-if-gre2# tunnel source 192.168.8.8
user@GUARD-conf-if-gre2# tunnel destination 192.168.250.2
user@GUARD-conf-if-gre2# no shutdown
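The interface rules in the physical interface, VLAN, loopback, and tunnel sections above (name forms, index ranges, MTU limits per interface type, tunnel endpoints, the same-subnet caution, and the single in-band interface rule) can be checked before a configuration is pasted into the Guard. The following Python validator is an added example written for this page, not Guard software or code from the guide; it assumes a planning format of one dict per interface (name, ip, mask, optional mtu, source, destination), and its VLAN ID bound of 1-4094 comes from IEEE 802.1Q, not from this chapter.

```python
import ipaddress
import re

# MTU limits in bytes per interface type, as given in this chapter.
MTU_RANGES = {"eth": (576, 16384), "giga": (576, 1824), "vlan": (576, 1824),
              "gre": (576, 1480), "ipip": (576, 1480)}
DEFAULT_MTU = {"eth": 1500, "giga": 1500, "vlan": 1500, "gre": 1476, "ipip": 1480}

# Interface name forms the chapter documents; a capture group holds the index.
NAME_PATTERNS = [
    ("eth", re.compile(r"^eth[01]$")),
    ("vlan", re.compile(r"^giga[01]\.(\d+)$")),
    ("giga", re.compile(r"^giga[01]$")),
    ("lo", re.compile(r"^lo:(\d+)$")),
    ("gre", re.compile(r"^gre(\d+)$")),
    ("ipip", re.compile(r"^ipip(\d+)$")),
]


def classify(name):
    """Return (kind, index) for a Guard interface name, or (None, None)."""
    for kind, pattern in NAME_PATTERNS:
        match = pattern.match(name)
        if match:
            return kind, (int(match.group(1)) if match.groups() else None)
    return None, None


def validate_plan(plan):
    """Check planned interfaces (dicts with name, ip, mask and optional mtu,
    source, destination). Returns a list of problems; empty means it passes."""
    problems = []
    physical_subnets = {}  # name -> network, for the same-subnet caution
    inband = set()
    for iface in plan:
        name = iface["name"]
        kind, idx = classify(name)
        if kind is None:
            problems.append(f"{name}: not a Guard interface name")
            continue
        if "ip" not in iface:  # every interface needs an address and mask
            problems.append(f"{name}: missing ip address")
            continue
        mask = iface.get("mask", "255.255.255.255")  # tunnel default mask
        try:
            net = ipaddress.IPv4Interface(f"{iface['ip']}/{mask}").network
        except ValueError as err:
            problems.append(f"{name}: bad address {iface['ip']}/{mask} ({err})")
            continue
        # Index ranges: lo 0-1023 and gre/ipip 0-1024 from the chapter;
        # VLAN 1-4094 is the IEEE 802.1Q tag range (assumption, not from the chapter).
        if kind == "lo" and not 0 <= idx <= 1023:
            problems.append(f"{name}: loopback index must be 0-1023")
        if kind in ("gre", "ipip") and not 0 <= idx <= 1024:
            problems.append(f"{name}: tunnel index must be 0-1024")
        if kind == "vlan" and not 1 <= idx <= 4094:
            problems.append(f"{name}: VLAN ID must be an 802.1Q tag (1-4094)")
        if kind in MTU_RANGES:
            low, high = MTU_RANGES[kind]
            mtu = iface.get("mtu", DEFAULT_MTU[kind])
            if not low <= mtu <= high:
                problems.append(f"{name}: mtu {mtu} outside {low}-{high}")
        if kind in ("gre", "ipip"):
            for key in ("source", "destination"):
                if key not in iface:
                    problems.append(f"{name}: missing tunnel {key}")
        if kind in ("eth", "giga"):
            # Caution in the chapter: two physical interfaces on one subnet
            # can break Guard routing.
            for other, other_net in physical_subnets.items():
                if net.overlaps(other_net):
                    problems.append(f"{name} and {other} share subnet {other_net}")
            physical_subnets[name] = net
        if kind == "giga":
            inband.add(name)
    if inband == {"giga0"}:
        problems.append("a single in-band interface must be giga1, not giga0")
    return problems


# Constructed plans (addresses invented for this example).
GOOD_PLAN = [
    {"name": "eth1", "ip": "10.10.10.33", "mask": "255.255.255.252"},
    {"name": "giga1", "ip": "192.168.5.1", "mask": "255.255.255.0", "mtu": 1500},
    {"name": "giga1.2", "ip": "192.168.6.8", "mask": "255.255.255.0"},
    {"name": "lo:0", "ip": "1.1.1.1", "mask": "255.255.255.255"},
    {"name": "gre2", "ip": "192.168.121.1", "mask": "255.255.255.0",
     "source": "192.168.8.8", "destination": "192.168.250.2"},
]
BAD_PLAN = [
    {"name": "eth0", "ip": "192.168.5.2", "mask": "255.255.255.0"},
    {"name": "giga0", "ip": "192.168.5.3", "mask": "255.255.255.0", "mtu": 9000},
    {"name": "giga2.2", "ip": "192.168.7.1", "mask": "255.255.255.0"},
    {"name": "gre1", "ip": "192.168.121.1"},
]

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or "ok")
```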

Checking the Status of a GRE Tunnel

You can enable keepalive messages over a GRE tunnel. When you enable the keepalive feature, a keepalive packet is sent at the specified time interval to keep the interface active. You can specify the number of times that the Guard tries to send keepalive packets without response before bringing the tunnel down.

You can configure the keepalive time interval (the frequency at which the Guard sends keepalive messages to verify that the GRE tunnel is alive) in one-second increments. If you do not change the default retries value, a GRE tunnel is declared down after 10 intervals have passed without a keepalive packet being received.


Caution When the GRE tunnel is declared down, the Guard stops using the tunnel for injection. If no other means of traffic injection exist, the Guard stops the zone traffic diversion!

The Guard continues to send keepalive messages even when the GRE tunnel is declared down. If the tunnel end returns the keepalive message, the Guard activates the tunnel and resumes traffic diversion.

To enable keepalive messages on a GRE tunnel, enter the following command in GRE interface configuration mode:

keepalive [refresh-time [retries]]

Table 2-8 provides the arguments for the keepalive command.

Table 2-8 Arguments for the keepalive Command

refresh-time: (Optional) The time interval in seconds at which keepalive messages are sent. Enter an integer from 1 to 32767. The default refresh time is 3 seconds.

retries: (Optional) Specifies the number of times that the Guard continues to send keepalive packets without response before bringing the tunnel interface protocol down. Enter an integer from 1 to 255. The default number of retries is 10.


The following example shows how to enable keepalive messages on a GRE tunnel:

user@GUARD-conf-if-gre2# keepalive 60 5
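To see how refresh-time and retries combine into detection delay, and how the tunnel recovers once the far end answers again, the following Python model of the keepalive behavior described above is an added example, not code from the guide or from the Guard. The reply pattern it feeds in is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class GreKeepalive:
    """GRE keepalive state as this chapter describes it. refresh_time and
    retries mirror the keepalive [refresh-time [retries]] command."""
    refresh_time: int = 3    # seconds between keepalives (chapter default)
    retries: int = 10        # unanswered keepalives before the tunnel is declared down
    elapsed: int = 0         # simulated seconds since keepalives were enabled
    missed: int = 0          # consecutive unanswered keepalives
    up: bool = True
    events: list = field(default_factory=list)  # (elapsed, "down" | "up") transitions

    def tick(self, answered):
        """Advance one interval; answered=True means the tunnel end returned the keepalive."""
        self.elapsed += self.refresh_time
        if answered:
            self.missed = 0
            if not self.up:
                # Far end replied: the Guard reactivates the tunnel and resumes diversion.
                self.up = True
                self.events.append((self.elapsed, "up"))
        else:
            self.missed += 1
            if self.up and self.missed >= self.retries:
                # Declared down: the tunnel is no longer used for injection, but the
                # Guard keeps sending keepalives so that it can recover.
                self.up = False
                self.events.append((self.elapsed, "down"))
        return self.up


def simulate(responses, refresh_time=3, retries=10):
    """Run a per-interval reply pattern (True/False) and return the transitions."""
    ka = GreKeepalive(refresh_time=refresh_time, retries=retries)
    for answered in responses:
        ka.tick(answered)
    return ka.events


def seconds_to_down(refresh_time=3, retries=10):
    """Worst-case delay before an unreachable far end takes the tunnel down."""
    return refresh_time * retries


# Constructed outage: 12 unanswered intervals, then the far end comes back.
OUTAGE = [False] * 12 + [True] * 3

if __name__ == "__main__":
    print("defaults:", simulate(OUTAGE), "down after", seconds_to_down(), "s")
    print("keepalive 60 5:", simulate(OUTAGE, 60, 5), "down after", seconds_to_down(60, 5), "s")
```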

Configuring the Default Gateway

The default gateway is the IP address of a gateway (for example, a router connected to the network) that receives and forwards packets whose IP addresses are unknown to the local network. In most cases, the Guard default gateway IP address is the adjacent router, located between the Guard and the Internet. The default gateway address must be on the same network as one of the IP addresses of the Guard network interfaces.


Note Do not assign an IP address to a default gateway while zone protection is enabled.



Caution If you do not configure the default gateway IP address, the Guard may not be accessible to the network.

To assign a default gateway address, enter the following command in configuration mode:

default-gateway ip-addr

The ip-addr argument specifies the default gateway IP address. Enter the IP address in dotted-decimal notation (for example, enter an IP address of 192.168.100.1).

To modify the default gateway address, reenter the command.

The following example shows how to configure the default gateway:

user@GUARD-conf# default-gateway 192.168.100.1

Adding a Static Route to the Routing Table

You can add a static route to the Guard routing table. Add a static route to specify routes for servers or networks outside the local networks that are associated with the Guard IP interfaces.

The static route is added permanently and is not removed after the Guard is rebooted.

To add a static route to the Guard routing table, enter the following command in configuration mode:

ip route ip-addr ip-mask nexthop-ip [if-name]

Table 2-9 provides the arguments for the ip route command.

Table 2-9 Arguments for the ip route Command

Parameter    Description

ip-addr      The network destination of the route. The destination can be an IP network address (where the host bits of the network address are set to 0) or an IP address for a host route. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

ip-mask      The subnet mask associated with the network destination. Enter the subnet mask in dotted-decimal notation (for example, enter 255.255.255.0).

nexthop-ip   The forwarding or next-hop IP address over which the set of addresses that are defined by the network destination and subnet mask are reachable. The next-hop IP address should be within the interface subnet. For local subnet routes, the next-hop IP address is the IP address that is assigned to the interface that is attached to the subnet. For remote routes, available across one or more routers, the next-hop IP address is a directly reachable IP address that is assigned to a neighboring router.

if-name      (Optional) The Guard interface, VLAN, or tunnel over which the destination is reachable. If you do not specify an interface, the next-hop IP address according to the Guard routing table determines the interface used.


The following example shows how to configure a static route:

user@GUARD-conf# ip route 172.16.31.5 255.255.255.255 192.168.100.34

Enter the show ip route command to display the routing table.
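The addressing rules stated for the default gateway and for static routes (gateway on the same network as a Guard interface, host bits of the destination set to 0 unless it is a host route, next hop inside an interface subnet, optional if-name matching that subnet) can be checked before the commands are entered. The following pre-flight check is an added example, not Guard code; the interface names and subnets in INTERFACES are constructed for the example.

```python
import ipaddress

# Constructed sample interface addressing for a Guard (made up for this
# example; the interface names and subnets are not from the original page).
INTERFACES = {"eth1": "192.168.100.2/24", "giga2": "10.0.0.2/30"}

def interface_for(ip, interfaces=INTERFACES):
    """Name of the interface whose subnet contains ip, or None if no subnet does."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in interfaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None

def check_default_gateway(gw, interfaces=INTERFACES):
    """'default-gateway ip-addr': the gateway must be on the same network as one
    of the Guard interface addresses, otherwise the Guard may be unreachable."""
    return interface_for(gw, interfaces) is not None

def check_ip_route(ip_addr, ip_mask, nexthop, if_name=None, interfaces=INTERFACES):
    """Check one 'ip route ip-addr ip-mask nexthop-ip [if-name]' line against the
    rules in Table 2-9. Returns a list of problems (empty means acceptable)."""
    problems = []
    try:
        # strict=True rejects a network address with host bits set; a
        # 255.255.255.255 mask (host route) always passes.
        ipaddress.ip_network(f"{ip_addr}/{ip_mask}", strict=True)
    except ValueError:
        problems.append(f"{ip_addr}/{ip_mask}: host bits must be 0 unless this is a host route")
    via = interface_for(nexthop, interfaces)
    if via is None:
        problems.append(f"next hop {nexthop} is not inside any Guard interface subnet")
    elif if_name is not None and if_name != via:
        problems.append(f"if-name {if_name} does not carry the subnet of next hop {nexthop} ({via})")
    return problems

def check_config(default_gateway, routes, interfaces=INTERFACES):
    """Lint a planned configuration; routes are (ip_addr, ip_mask, nexthop, if_name) tuples."""
    problems = []
    if not check_default_gateway(default_gateway, interfaces):
        problems.append(f"default gateway {default_gateway} is not on any interface network")
    for ip_addr, ip_mask, nexthop, if_name in routes:
        problems.extend(check_ip_route(ip_addr, ip_mask, nexthop, if_name, interfaces))
    return problems

if __name__ == "__main__":
    # The page's own example values, plus one deliberately wrong route.
    print(check_config("192.168.100.1", [
        ("172.16.31.5", "255.255.255.255", "192.168.100.34", None),
        ("172.16.31.5", "255.255.255.0", "192.168.200.1", None),
    ]))
```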

Configuring the Proxy IP Address

You must assign a proxy IP address to the Guard. The Guard proxy IP address is required for the proxy mode antispoofing protection mechanisms. Do not assign a proxy IP address to the Guard while zone protection is enabled.


Caution You cannot activate zone protection without defining a proxy IP address.

To configure the Guard antispoofing proxy IP address, enter the following command in configuration mode:

proxy ip-addr

The ip-addr argument specifies the proxy IP address. Enter the IP address in dotted-decimal notation (for example, enter 192.168.100.1).

You must verify the route between every zone and the Guard proxy IP address. The Guard does not answer ping requests to its proxy IP address.

To configure additional proxy IP addresses, reenter the command.


Note We recommend that you configure three to four proxy IP addresses if your network uses load balancing to distribute network overload or if your network requires a high number of concurrent connections.


The Guard can have a maximum of 10 proxy IP addresses.

Managing the Guard

Initially you can manage the Guard locally from a console. The console connection provides access to the CLI and allows you to run the initial setup procedures when you first turn on the Guard. See the "Assigning Privilege Levels with Passwords" section for more information.

After you configure the Guard networking (see the "Configuring the Guard Interfaces" section), you can access and manage the Guard using one of the following methods:

Access using a Secure Shell (SSH) session.

Access the Guard using a Web-Based Manager (WBM).

Access from a DDoS-sensing network element. Refer to the appropriate documentation for more information.

This section contains the following topics:

Managing the Guard with a Web-Based Manager

Accessing the Guard with SSH

Managing the Guard with a Web-Based Manager

You can manage the Guard from the web with a web-based manager (WBM) using a web browser.

To enable the Guard WBM, perform the following steps:


Step 1 Enable the WBM service by entering the following command in configuration mode:

service wbm

Step 2 Permit access to the Guard from the remote manager IP address by entering the following command in configuration mode:

permit wbm ip-addr [ip-mask]

The ip-addr and ip-mask arguments define the remote manager IP address. Enter the IP address and subnet mask in dotted-decimal notation.

Step 3 Open the browser and enter the following address:

https://Guard-ip-address/ 

The Guard-ip-address argument is the IP address of the Guard.

The Guard WBM window appears.


Note HTTPS, not HTTP, is used to enable web-based management control.


Step 4 Enter your username and password and click OK.

After you enter the username and password correctly, the Guard home page is displayed.

If TACACS+ authentication is configured, the TACACS+ user database is used for user authentication rather than the local database.


The following example shows how to enable the Guard WBM:

user@GUARD-conf# service wbm
user@GUARD-conf# permit wbm 192.168.30.32

Accessing the Guard with SSH

You can access the Guard using a Secure Shell (SSH) connection.

The SSH service is enabled by default.

To enable SSH connection to the Guard, perform the following steps:


Step 1 Permit access to the Guard from the remote network IP address by entering the following command in configuration mode:

permit ssh ip-addr [ip-mask]

The ip-addr and ip-mask arguments define the remote network IP address. Enter the IP address and subnet mask in dotted-decimal notation.

Step 2 Establish a connection from the remote network address and enter the login and password.

To enable the SSH connection without entering a login and password, add the remote connection SSH public key to the Guard SSH key list.

See the "Managing SSH Keys" section for more information.