Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.0) - Resolving Conflicts and Synchronizing Zones [Cisco DDoS Multidevice Management System]

Table Of Contents

Resolving Conflicts and Synchronizing Zones

Resolving MDM Database Conflicts

Synchronizing Zone Configuration Information

Displaying or Modifying the Automatic Synchronization Parameters

Initiating Synchronization Manually

Performing a Workaround for Synchronizing an Active Zone

Resolving Conflicts and Synchronizing Zones

This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to resolve zone configuration conflicts and to synchronize zone configuration information on the zone devices.

The MDM maintains a local database that cross-references the devices that you define on the MDM device list with all of the zone configurations contained on each of the devices. A zone configuration conflict occurs when the zones associated with a device in the MDM database do not match the zones configured on the device. For example, the MDM would indicate that a conflict exists if you were to add a device to the MDM device list that you had previously configured with a zone using the device's CLI. To resolve this conflict, you would allow the MDM to update its database to show the association between the zone and the device.

Synchronization is the process in which the MDM updates the zone devices with the zone configuration information that resides on the zone master device. Synchronization allows you to create or modify a zone configuration once on the master device and then update the other zone devices with the new information. You can manually initiate synchronization, or you can configure the MDM to perform the process automatically.

Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.

This chapter contains the following sections:

•Resolving MDM Database Conflicts

•Synchronizing Zone Configuration Information

Resolving MDM Database Conflicts

To help manage the devices that you define on the MDM device list, the MDM maintains a database that shows the relationship between each device on the device list and the zones configured on each device. (The database contains the zone name only, not the complete zone configuration.) The MDM considers it a conflict when it detects any inconsistencies between the information in its database and the zones configured on a device. Conflicts can occur for the following reasons:

•A zone exists on a device but is not associated with the device in the MDM database. This situation could occur for the following reasons:

–The device contained zone configurations prior to you adding the device to the MDM device list.

–After adding the device to the MDM device list, you create a zone directly on the device using the device's CLI or Web-Based Manager (WBM).

•A zone is associated with a device in the MDM database, but the zone is not defined on the device. This conflict could occur if you were to delete the zone from the device using the device's CLI or WBM.

The MDM does not automatically check for conflicts in the network. You must click the Conflict Resolution option from the Network Summary menu to enable the MDM to search the network for conflicts.

Figure 4-1 provides an example of the information that the Conflicts Resolution screen displays and the options available for resolving any conflicts. This example shows only two of the four types of conflict tables that may display in this screen. The MDM displays a table only when a conflict exists that matches the conflict table type.

Figure 4-1 Sample Conflict Resolution Screen

To view all existing conflicts and resolve a conflict, follow these steps:

Step 1 Access the Network Summary screen using the following methods:

•From the navigation pane, click Network Summary.

•From the information area located in the upper right hand corner, click Home.

Step 2 From the Network Summary menu, choose Diagnostics > Conflict Resolution. The Conflicts Resolution screen appears, displaying all current conflicts. Depending on the conflicts that exist at the time, the MDM displays as many as four different types of conflict tables. Each table type is described in Step 3.

Step 3 Resolve the desired conflicts using the options available with each of the conflict types:

•Exits on Unassociated Devices—This conflict table displays when the MDM finds a zone on the indicated device (x), but the MDM database does not contain the zone, which means that the database cannot show an association between the zone and device.

Click one of the following conflict resolution options for the MDM to perform:

–Associate—Adds the zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list.

–Remove—Deletes the zone from the device database.

–Rename & Create—Leaves the existing zone on the MDM alone, but creates a copy of the zone under a new name, which you specify in a new window. The MDM adds the new zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list.

•Missing from Devices—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated device. In this type of conflict, the zone either exists on the zone master device (minimum) or is missing from all of the zone devices, including the master device.

Click one of the following conflict resolution options for the MDM to perform:

–Add—Adds the zone to the device by initiating synchronization, in which the zone information residing on the zone master device is copied to the other zone devices.

–Disassociate—Removes the zone-to-device association in its database.

–Delete—Deletes the zone from its database. Delete is the only option available when the zone is missing from all of the zone devices, including the master device.

•Missing from Master—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated devices. In this case, one zone is the zone master device. However, the zone does exist on at least one of the other zone devices.

Click one of the following conflict resolution options for the MDM to perform:

–Select Master—Allows you to choose another device (one with the zone information residing on it), as the master device. The MDM then initiates synchronization which enables the zone information that resides on the new zone master device to be copied to the other zone devices.

–Restore—Copies the zone information from a zone device that you choose as the master device.

•Multiple Inconsistency—This conflict table displays when a conflict exists that is a hybrid of the first two bulleted items (Exists on Unassociated Device and Missing from Devices).

Click one of the following conflict resolution options for the MDM to perform:

–Match Devices—Modifies the database to match the zone information on the devices.

–Match MDM—Modifies the zone information on the devices to match the database.

–Merge—Accepts all inconsistencies by updating its database with missing device association information and updating all of the devices with missing zone information.

Synchronizing Zone Configuration Information

Synchronization allows zone configuration information to be propagated from the master device to the other devices that you have associated with the zone configuration. This function allows you to perform the following operations:

•Create a zone once on the master device and copy the zone configuration to the other zone devices

•Update zone devices with changes made to the zone configuration on the master device

•Resolve zone configuration conflicts between devices

The zone information that the master device synchronizes with the other zone device overwrites the information contained on the other zone devices. The MDM allows you to initiate synchronization manually, or you can configure synchronization so that the MDM automatically initiates the process based on the occurrence of an event, such as when the master device accepts the results of a learning phase.

Note You must synchronize zone configuration information before you activate Protect to ensure that all of the Guards are using the same configuration information (for example, synchronization is important when you add an IP address to the zone configuration).

When the MDM detects a synchronization error, it displays an (x) in the zone listed in the navigation pane. The error icon also displays in the navigation path located in the upper left of the Zone Summary screen.

The MDM can initiate synchronization only when the zone is inactive. If Detect or Protect are currently activated, the master device cannot perform synchronization.

Note Some network applications may require each zone device to operate using its own unique set of policies and policy thresholds. For this type of application, you must disable automatic synchronization (see the "Displaying or Modifying the Automatic Synchronization Parameters" section). When you do not use synchronization, changes that you make to the zone configuration using the MDM are only made to the configuration on the master device.

This section contains the following topics:

•Displaying or Modifying the Automatic Synchronization Parameters

•Initiating Synchronization Manually

•Performing a Workaround for Synchronizing an Active Zone

Displaying or Modifying the Automatic Synchronization Parameters

To display or modify the current automatic synchronization parameters of a zone, follow these steps:

Step 1 From the navigation pane, choose a zone. The zone menu appears.

Step 2 From the zone menu, choose Configuration > General. The zone General screen appears.

Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table.

Step 4 (Optional) Click Config to modify the synchronization parameter settings. The Config Zone Form screen appears.

Step 5 (Optional) Enable automatic synchronization by performing the following steps from the MDM Synchronization Parameters area:

•Define the Immediate synchronization triggers by checking one or both of the following check boxes:

–Before Manual Protection—When you manually activate Protect on the Guards, the MDM initiates synchronization before activating Protect. The default setting for this option is unchecked.

–After Manual Learning Accept—When you manually accept the results of a learning phase, the MDM initiates synchronization after it saves the results to the zone configuration on the master device. The default setting for this option is unchecked.

Note To configure a Detector for automatic synchronization before activating a Guard or after accepting the results of a learning phase, you must configure the Detector by entering the learning-params syc {accept | remote-activate} command in the CLI.

•Enable (or disable) the Periodic synchronization time function:

–Never—Check this option if you do not want the MDM to automatically initiate synchronization after a zone configuration change.

–Minutes—Check this option to have the MDM wait a set number of minutes before initiating synchronization after a zone configuration change. Enter the number of minutes that you want the MDM to wait. The default is 5.

Step 6 (Optional) Disable automatic synchronization by unchecking all of the check boxes in the MDM Synchronization Parameters area.

Step 7 Click OK. The MDM saves the zone configuration changes on the master device.

Initiating Synchronization Manually

To manually initiate synchronization, follow these steps:

Step 1 From the navigation pane, select an inactive zone. The zone menu appears.

Step 2 From the zone menu, choose Activation > Synchronization. The MDM initiates synchronization on the master device.

If an error occurs during synchronization, the MDM displays an error window and places an (x) next to the zone name in the navigation pane.

Performing a Workaround for Synchronizing an Active Zone

When the zone is active because either Detect or Protect are enabled, the MDM does not allow synchronization. However, it may become necessary to make configuration changes on all of the zone devices while the devices are active. For example, you may need to make policy or filter modifications to direct the way in which the Guards are mitigating an attack on the zone. While you cannot synchronize an active zone, you can use a workaround to deactivate the zone long enough to make the required zone modifications and synchronize the zone devices.

To initiate synchronization while the zone is active, follow these steps:

Step 1 Deactivate the zone temporarily using one of the following methods:

•Click Deactivate.

•From the zone menu, choose Activation > Deactivate.

Step 2 Make the required modifications to the zone configuration on the master device (if you have not already).

Step 3 Choose Activation > Sync to manually initiate synchronization.

Step 4 Reactivate the zone by clicking on one or both of the following options:

•Click Detect (or choose Activation > Detect from the zone menu) to reactivate anomaly detection by the Detectors.

•Click Protect (or choose Activation > Protect from the zone menu) to reactivate zone protection by the Guards.

	Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.0)
	Resolving Conflicts and Synchronizing Zones
Cisco DDoS Multi-Device Management System Configuration Guide (Software Release 1.0) Index Preface Product Overview Getting Started Managing Devices on the MDM Network Resolving Conflicts and Synchronizing Zones Creating and Configuring Zones Managing Zone Filters Managing Zone Policy Templates Managing Zone Policies Learning Zone Traffic and Taking Snapshots Activating Anomaly Detection and Zone Protection Monitoring Zone and Device Operations Troubleshooting Problems with the MDM	Download this chapter Resolving Conflicts and Synchronizing Zones Download the complete book Cisco DDoS MultiDevice Manager Configuration Guide (Software Version 1.0), Book-Length PDF (PDF - 4 MB) Table Of Contents Resolving Conflicts and Synchronizing Zones Resolving MDM Database Conflicts Synchronizing Zone Configuration Information Displaying or Modifying the Automatic Synchronization Parameters Initiating Synchronization Manually Performing a Workaround for Synchronizing an Active Zone Resolving Conflicts and Synchronizing Zones This chapter describes how to use the Cisco DDoS MultiDevice Manager (MDM) to resolve zone configuration conflicts and to synchronize zone configuration information on the zone devices. The MDM maintains a local database that cross-references the devices that you define on the MDM device list with all of the zone configurations contained on each of the devices. A zone configuration conflict occurs when the zones associated with a device in the MDM database do not match the zones configured on the device. For example, the MDM would indicate that a conflict exists if you were to add a device to the MDM device list that you had previously configured with a zone using the device's CLI. To resolve this conflict, you would allow the MDM to update its database to show the association between the zone and the device. Synchronization is the process in which the MDM updates the zone devices with the zone configuration information that resides on the zone master device. Synchronization allows you to create or modify a zone configuration once on the master device and then update the other zone devices with the new information. You can manually initiate synchronization, or you can configure the MDM to perform the process automatically. Note This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device. This chapter contains the following sections: •Resolving MDM Database Conflicts •Synchronizing Zone Configuration Information Resolving MDM Database Conflicts To help manage the devices that you define on the MDM device list, the MDM maintains a database that shows the relationship between each device on the device list and the zones configured on each device. (The database contains the zone name only, not the complete zone configuration.) The MDM considers it a conflict when it detects any inconsistencies between the information in its database and the zones configured on a device. Conflicts can occur for the following reasons: •A zone exists on a device but is not associated with the device in the MDM database. This situation could occur for the following reasons: –The device contained zone configurations prior to you adding the device to the MDM device list. –After adding the device to the MDM device list, you create a zone directly on the device using the device's CLI or Web-Based Manager (WBM). •A zone is associated with a device in the MDM database, but the zone is not defined on the device. This conflict could occur if you were to delete the zone from the device using the device's CLI or WBM. The MDM does not automatically check for conflicts in the network. You must click the Conflict Resolution option from the Network Summary menu to enable the MDM to search the network for conflicts. Figure 4-1 provides an example of the information that the Conflicts Resolution screen displays and the options available for resolving any conflicts. This example shows only two of the four types of conflict tables that may display in this screen. The MDM displays a table only when a conflict exists that matches the conflict table type. Figure 4-1 Sample Conflict Resolution Screen To view all existing conflicts and resolve a conflict, follow these steps: Step 1 Access the Network Summary screen using the following methods: •From the navigation pane, click Network Summary. •From the information area located in the upper right hand corner, click Home. Step 2 From the Network Summary menu, choose Diagnostics > Conflict Resolution. The Conflicts Resolution screen appears, displaying all current conflicts. Depending on the conflicts that exist at the time, the MDM displays as many as four different types of conflict tables. Each table type is described in Step 3. Step 3 Resolve the desired conflicts using the options available with each of the conflict types: •Exits on Unassociated Devices—This conflict table displays when the MDM finds a zone on the indicated device (x), but the MDM database does not contain the zone, which means that the database cannot show an association between the zone and device. Click one of the following conflict resolution options for the MDM to perform: –Associate—Adds the zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list. –Remove—Deletes the zone from the device database. –Rename & Create—Leaves the existing zone on the MDM alone, but creates a copy of the zone under a new name, which you specify in a new window. The MDM adds the new zone name to its database and associates it with the indicated devices (x). The zone name displays in the navigation pane's zone list. •Missing from Devices—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated device. In this type of conflict, the zone either exists on the zone master device (minimum) or is missing from all of the zone devices, including the master device. Click one of the following conflict resolution options for the MDM to perform: –Add—Adds the zone to the device by initiating synchronization, in which the zone information residing on the zone master device is copied to the other zone devices. –Disassociate—Removes the zone-to-device association in its database. –Delete—Deletes the zone from its database. Delete is the only option available when the zone is missing from all of the zone devices, including the master device. •Missing from Master—This conflict table displays when a zone exists in the MDM database, which shows an association between the zone and the indicated device (x); however, the zone does not exist on the indicated devices. In this case, one zone is the zone master device. However, the zone does exist on at least one of the other zone devices. Click one of the following conflict resolution options for the MDM to perform: –Select Master—Allows you to choose another device (one with the zone information residing on it), as the master device. The MDM then initiates synchronization which enables the zone information that resides on the new zone master device to be copied to the other zone devices. –Restore—Copies the zone information from a zone device that you choose as the master device. •Multiple Inconsistency—This conflict table displays when a conflict exists that is a hybrid of the first two bulleted items (Exists on Unassociated Device and Missing from Devices). Click one of the following conflict resolution options for the MDM to perform: –Match Devices—Modifies the database to match the zone information on the devices. –Match MDM—Modifies the zone information on the devices to match the database. –Merge—Accepts all inconsistencies by updating its database with missing device association information and updating all of the devices with missing zone information. Synchronizing Zone Configuration Information Synchronization allows zone configuration information to be propagated from the master device to the other devices that you have associated with the zone configuration. This function allows you to perform the following operations: •Create a zone once on the master device and copy the zone configuration to the other zone devices •Update zone devices with changes made to the zone configuration on the master device •Resolve zone configuration conflicts between devices The zone information that the master device synchronizes with the other zone device overwrites the information contained on the other zone devices. The MDM allows you to initiate synchronization manually, or you can configure synchronization so that the MDM automatically initiates the process based on the occurrence of an event, such as when the master device accepts the results of a learning phase. Note You must synchronize zone configuration information before you activate Protect to ensure that all of the Guards are using the same configuration information (for example, synchronization is important when you add an IP address to the zone configuration). When the MDM detects a synchronization error, it displays an (x) in the zone listed in the navigation pane. The error icon also displays in the navigation path located in the upper left of the Zone Summary screen. The MDM can initiate synchronization only when the zone is inactive. If Detect or Protect are currently activated, the master device cannot perform synchronization. Note Some network applications may require each zone device to operate using its own unique set of policies and policy thresholds. For this type of application, you must disable automatic synchronization (see the "Displaying or Modifying the Automatic Synchronization Parameters" section). When you do not use synchronization, changes that you make to the zone configuration using the MDM are only made to the configuration on the master device. This section contains the following topics: •Displaying or Modifying the Automatic Synchronization Parameters •Initiating Synchronization Manually •Performing a Workaround for Synchronizing an Active Zone Displaying or Modifying the Automatic Synchronization Parameters To display or modify the current automatic synchronization parameters of a zone, follow these steps: Step 1 From the navigation pane, choose a zone. The zone menu appears. Step 2 From the zone menu, choose Configuration > General. The zone General screen appears. Step 3 Verify the current synchronization parameter settings displayed in the MDM Synchronization Parameters area of the General Configuration table. Step 4 (Optional) Click Config to modify the synchronization parameter settings. The Config Zone Form screen appears. Step 5 (Optional) Enable automatic synchronization by performing the following steps from the MDM Synchronization Parameters area: •Define the Immediate synchronization triggers by checking one or both of the following check boxes: –Before Manual Protection—When you manually activate Protect on the Guards, the MDM initiates synchronization before activating Protect. The default setting for this option is unchecked. –After Manual Learning Accept—When you manually accept the results of a learning phase, the MDM initiates synchronization after it saves the results to the zone configuration on the master device. The default setting for this option is unchecked. Note To configure a Detector for automatic synchronization before activating a Guard or after accepting the results of a learning phase, you must configure the Detector by entering the learning-params syc {accept \| remote-activate} command in the CLI. •Enable (or disable) the Periodic synchronization time function: –Never—Check this option if you do not want the MDM to automatically initiate synchronization after a zone configuration change. –Minutes—Check this option to have the MDM wait a set number of minutes before initiating synchronization after a zone configuration change. Enter the number of minutes that you want the MDM to wait. The default is 5. Step 6 (Optional) Disable automatic synchronization by unchecking all of the check boxes in the MDM Synchronization Parameters area. Step 7 Click OK. The MDM saves the zone configuration changes on the master device. Initiating Synchronization Manually To manually initiate synchronization, follow these steps: Step 1 From the navigation pane, select an inactive zone. The zone menu appears. Step 2 From the zone menu, choose Activation > Synchronization. The MDM initiates synchronization on the master device. If an error occurs during synchronization, the MDM displays an error window and places an (x) next to the zone name in the navigation pane. Performing a Workaround for Synchronizing an Active Zone When the zone is active because either Detect or Protect are enabled, the MDM does not allow synchronization. However, it may become necessary to make configuration changes on all of the zone devices while the devices are active. For example, you may need to make policy or filter modifications to direct the way in which the Guards are mitigating an attack on the zone. While you cannot synchronize an active zone, you can use a workaround to deactivate the zone long enough to make the required zone modifications and synchronize the zone devices. To initiate synchronization while the zone is active, follow these steps: Step 1 Deactivate the zone temporarily using one of the following methods: •Click Deactivate. •From the zone menu, choose Activation > Deactivate. Step 2 Make the required modifications to the zone configuration on the master device (if you have not already). Step 3 Choose Activation > Sync to manually initiate synchronization. Step 4 Reactivate the zone by clicking on one or both of the following options: •Click Detect (or choose Activation > Detect from the zone menu) to reactivate anomaly detection by the Detectors. •Click Protect (or choose Activation > Protect from the zone menu) to reactivate zone protection by the Guards.
	© 1992-2009 Cisco Systems, Inc. All rights reserved. Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks of Cisco Systems, Inc.