Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 6.1 and 6.1-XG)
Configuring the Detector Module on the Supervisor Engine

Table Of Contents

Configuring the Detector Module on the Supervisor Engine

Verifying the Detector Module Installation

Setting Up Detector Module Management

Configuring Traffic Sources for Capturing Traffic

Configuring VACLs

Configuring SPAN

Accessing the Detector Module for the First Time

Establishing a Session with the Detector Module after the Initial Session

Rebooting the Detector Module

Verifying the Detector Module Configuration


Configuring the Detector Module on the Supervisor Engine


This chapter describes how to configure the Cisco Traffic Anomaly Detector Module (Detector module) on the supervisor engine of a Catalyst 6500 series switch or a Cisco 7600 series router. You must configure the Detector module on the supervisor engine before you can establish a session with the Detector module to configure it.

To configure the Detector module on the supervisor engine, you must have EXEC privileges and must be in configuration mode.

To save all configuration changes to the flash memory, use the write memory command in privileged EXEC mode.


Note Operational and configuration differences exist between a Detector module operating at 1 Gbps and a Detector module operating at 2 Gbps. This chapter discusses the differences between the 1-Gbps operation and the 2-Gbps operation. Unless stated, the information in this chapter applies to both modes of operation. For more information, see the "Understanding the 1-Gbps and 2-Gbps Bandwidth Options" section.


This chapter contains the following sections:

Verifying the Detector Module Installation

Setting Up Detector Module Management

Configuring Traffic Sources for Capturing Traffic

Accessing the Detector Module for the First Time

Establishing a Session with the Detector Module after the Initial Session

Rebooting the Detector Module

Verifying the Detector Module Configuration

Verifying the Detector Module Installation

Verify that the supervisor engine acknowledges the new Detector module and has brought it online.


Note For information about how to install the Detector module in the Catalyst 6500 series switch, see the Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note.


To verify the installation, perform the following steps:


Step 1 Log into the supervisor engine console.

Step 2 Verify that the Detector module is online. Enter the following command:

show module 

This example shows the output of the show module command:

Sup# show module 
Mod	 Ports	 Card	Type	Model	Serial No.
--	 ----	 ------------------------------	--------	--------------
1	 2	 Catalyst 6000 supervisor 2(Active)	WS-X6K-SUP2-2GE	SAL081230TJ
... ...
6	 3	 Anomaly Detector module Module	WS-SVC-adm-1-K9	SAD081000GG
...
Mod	MAC addresses	Hw	Fw	Sw	Status
---	--------------------------------	----- ------- ----------- -------
...
6	000e.847f.fe04 to 000e.847f.fe0b	1.0	7.2(1)	6.0(0.10)	Ok
...
Sup
# 


Note When the Detector module is first installed, the status is usually "other." Once the Detector module completes the diagnostic routines and comes online, the status reads "OK." Allow at least 5 minutes for the Detector module to come online.



Setting Up Detector Module Management

You can establish a remote management session with the Detector module by configuring the Detector module management port.

To select a VLAN for management, use the following command:

anomaly-detector module module_number management-port access-vlan vlan_number

Table 2-1 provides the arguments and keywords for the anomaly-detector module command.

Table 2-1 Arguments and Keywords for the anomaly-detector module Command 

Parameter
Description

module_number

Number of the slot in which the module is inserted in the chassis (1-13 depending on the model of your switch or router).

management-port

Specifies the port that transports management traffic between the supervisor engine and the Detector module.

access-vlan vlan_number

Specifies the VLAN ID used for management. The default is VLAN 1.


You can view the current management port setting by using the show anomaly-detector module command (see the "Verifying the Detector Module Configuration" section).

The following example shows how to select VLAN 5 for a module inserted in slot number 4 in the chassis for management:

Sup(config)# anomaly-detector module 4 management-port access-vlan 5

To establish a remote management session with the Detector module, you must also configure the following on the Detector module:

Configure the Detector module management port interface. See the "Configuring a Physical Interface" section.

Enable the relevant services. See the "Managing the Detector Module" section.

Configuring Traffic Sources for Capturing Traffic

You must configure the switch to capture the traffic sent to the zone and pass a copy of it to the Detector module. The Detector module analyzes the network traffic that passes through it and monitors the traffic for evolving attack patterns.

You can use one of the following methods to pass network traffic to the Detector module:

Switched Port Analyzer (SPAN)—Capture received or sent (or both) traffic on one or more source ports to a destination port for analysis. The Detector module provides a single destination port for SPAN sessions. See the "Configuring SPAN" section for more information.

VLAN access list (VACL)—Forward traffic from either a WAN interface or VLANs to the Detector module data port. This method is an alternative to using SPAN for the same purpose. You can set VACLs to capture traffic from a single VLAN or from multiple VLANs. See the "Configuring VACLs" section for more information.

For more information about SPAN, see the "Configuring SPAN and RSPAN" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

For more information about VACL, see the "Configuring VLAN ACLs" chapter in the Catalyst 6500 Series Switch Software Configuration Guide or in the Cisco 7600 Series Router Software Configuration Guide.

You can capture traffic for Detector module monitoring from a single VLAN or from multiple VLANs. If you want to monitor traffic from specific VLANs only, you need to clear the VLANs that you do not want to monitor from the capture feature.

This section contains the following topics:

Configuring VACLs

Configuring SPAN

Configuring VACLs

You can set VACLs to capture traffic for the Detector module from a single VLAN or from multiple VLANs.


Note The procedure in this section provides the basic information for configuring a VACL to capture Detector module traffic on a VLAN. For more information, refer to the appropriate Catalyst 6500 series switch or Cisco 7600 series router configuration guide.


To configure VACLs to capture Detector module traffic on VLANs, perform the following steps:


Step 1 Define the access control list (ACL) and add access-control entries (ACEs) through the permit and/or deny statements by entering the following command:

ip access-list {standard | extended} acl-name

Table 2-2 describes the arguments and keywords for the ip access-list command.

Table 2-2 Arguments and Keywords for the ip access-list Command 

Parameter
Description

standard

Specifies a standard IP access list.

extended

Specifies an extended IP access list.

acl-name

Name of the ACL. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists.



Note Alternatively, you can use the access-list command.


Step 2 Define a VLAN access map by entering the following command:

vlan access-map map_name [0-65535]

The map_name argument specifies the name tag of the access map. You can specify a sequence number. If you do not specify a sequence number, a number is automatically assigned. Once you execute the command, you enter VLAN access map configuration mode.

You can enter one match clause and one action clause per map sequence.

Step 3 Configure a match clause in the VLAN access map sequence by entering the following command:

match ip address {acl_number | acl_name}

Table 2-3 describes the arguments and keywords for the match ip address command.

Table 2-3 Arguments for the match ip address Command 

Parameter
Description

acl_number

One or more IP ACLs for a VLAN access-map sequence. Valid values are from 1 to 199 and from 1300 to 2699.

acl_name

IP ACL name.


Step 4 Configure an action clause in the VLAN access map sequence to forward the network traffic by entering the following command:

action forward capture

Step 5 Apply the VLAN access map to a VLAN interface by entering the following command:

vlan filter map_name vlan-list vlan_list

Table 2-4 provides the arguments and keywords for the vlan filter command.

Table 2-4 Arguments and Keywords for the vlan filter Command 

Parameter
Description

map_name

VLAN access-map tag.

vlan-list vlan_list

Specifies a VLAN list. Valid values are from 1 to 4094.


Step 6 (Optional) Configure the Detector module data ports to capture the captured-flagged traffic by entering the following command:

Enter the following command:

anomaly-detector module slot_number data-port port_number capture allowed-vlan vlan_range

Note If you do not specify the data ports, the Detector enables capturing traffic from all VLANs.


Table 2-5 provides the arguments and keywords for the anomaly-detector module capture command.

Table 2-5 Arguments and Keywords for the anomaly-detector module capture Command 

Parameter
Description

slot_number

Number of the slot in which the module is inserted in the chassis (1-13 depending on the model of your switch or router).

data-port port_number

Specifies the number of the port used for data. The data ports options are as follows:

1-Gbps operation—Port 1.

2-Gbps operation—Port 1 and port 2.

allowed-vlan vlan_range

Specifies a range of VLANs or several VLANs in a comma-separated list (do not enter space characters).


Step 7 Enable the capture function on the Detector module by entering the following command:

anomaly-detector module module_number data-port port_number capture

Table 2-6 provides the arguments and keywords for the anomaly-detector module capture command.

Table 2-6 Arguments and Keywords for the anomaly-detector module capture Command 

Parameter
Description

module_number

Chassis slot number in which the module is inserted (1-13 depending on the model of your switch or router).

data-port port_number

Specifies the number of the port used for data. The data ports options are as follows:

1-Gbps operation—Port 1.

2-Gbps operation—Port 1 and port 2. You must enable the capture function on both data ports by entering the command twice (once for each port number).



Note For the 1-Gbps operation, you must configure the one data port as either a SPAN destination port or a capture port. For the 2-Gbps operation, you can configure the two data ports in the following ways:

Both data ports as SPAN destination port

Both data ports as capture ports

One data port as a SPAN destination port and one data port as a capture port


The following 2-Gpbs operation example shows how to configure VACLs to capture Detector module traffic on VLANs:

Sup (config)# ip access-list extended Permit_Any
Sup (config-ext-nacl)# permit ip any any
Sup (config-ext-nacl)# exit
Sup (config)# vlan access-map Detector 10
Sup (config-access-map)# match ip address Permit_Any
Sup (config-access-map)# action forward capture
Sup (config-access-map)# exit
Sup (config)# vlan filter Detector vlan-list 921,931
Sup (config)# anomaly-detector module 6 data-port 1 capture
Sup (config)# anomaly-detector module 6 data-port 1 capture allowed-vlan 921
Sup (config)# anomaly-detector module 6 data-port 2 capture
Sup (config)# anomaly-detector module 6 data-port 2 capture allowed-vlan 931

Configuring SPAN

You can create a SPAN session and specify the source (monitored) and destination (monitoring) ports. You cannot use the Detector module ports as SPAN source ports.


Note The procedure in this section provides the basic information for creating a SPAN session. For more information, refer to the appropriate Catalyst 6500 series switch or Cisco 7600 series router configuration guide.


From the privileged EXEC mode on the supervisor engine console, perform the following steps to create a SPAN session and specify the source and destination ports:


Step 1 Specify the SPAN session and the source port (monitored port) by entering the following command:

monitor session session_number source interface interface-id [, | -] [rx | tx]

Table 2-7 provides the arguments and keywords for the monitor session command.

Table 2-7 Arguments and Keywords for the monitor session Command 

Parameter
Description

session_number

Session identification number.

source interface interface-id

Specifies the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number or VLAN).

, | -

(Optional) Series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

rx | tx

(Optional) Specifies the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both transmitted and received traffic.


Caution The Detector module receives a capture of the traffic for every direction specified. Do not specify both rx and tx because two copies of the packet will be forwarded to the Detector module ports and will affect the performance of the Detector module.

rx—Specifies to monitor received traffic.

tx—Specifies to monitor transmitted traffic.


Step 2 Specify the SPAN session and the destination port (monitoring port) by entering the following command:

monitor session SPAN_session_number destination anomaly-detector-module module_number [data-port port]

Table 2-8 provides the arguments and keywords for the monitor session destination command.

Table 2-8 Arguments and Keywords for the monitor session destination Command 

Parameter
Description

SPAN_session_number

Interface identification number. Specify 1.

anomaly-detector-module module-number

Specifies the number of the slot in which the module is inserted in the chassis (1-13 depending on the model of your switch or router).

data-port port

Specifies the number of the port used to capture data. The data ports options are as follows:

1-Gbps operation—Port 1.

2-Gbps operation—Port 1 and port 2. You must specify both ports as destination ports by entering the command twice (once for each port number).


Step 3 Return to privileged EXEC mode by entering the following command:

end

Step 4 Verify your entries by entering the following command:

show monitor [session session_number]

The session_number argument specifies the session identification number.


The following 1-Gbps operation example shows how to set up a SPAN session, session 1, for monitoring source port traffic to a destination port. Received traffic is mirrored from source port 1 to the Detector module.

Sup(config)# monitor session 1 source interface GigabitEthernet 1/2 rx

Sup(config)# monitor session 1 destination anomaly-detector-module 4 data-port 1

The following 2-Gbps operation example shows how to set up SPAN sessions, session 1 and 2, for monitoring source port traffic to two destination ports. Received traffic is mirrored from source ports 1 and 2 to the Detector module ports 1 and 2.

Sup(config)# monitor session 1 source interface GigabitEthernet 1/2 rx

Sup(config)# monitor session 1 destination anomaly-detector-module 4 data-port 1

Sup(config)# monitor session 2 source interface GigabitEthernet 2/2 rx

Sup(config)# monitor session 2 destination anomaly-detector-module 4 data-port 2

Accessing the Detector Module for the First Time

This section shows how to establish the initial session with the Detector module by using the preconfigured username that has an administration user privilege level. During this process, the CLI prompts you to assign passwords to the following default user accounts:

admin—Provides access to all administrative and configuration operations.

riverhead—Provides access to monitoring and diagnostic operations, zone protection, and learning-related operations. This user can also configure flex-content filters and dynamic filters.

tac-cli—Provides access to the Linux shell for certain administrative operations.

root—Provides access to a limited number of administrative operations in the application partition (AP), which contains the Detector module application software image.

To access the Detector module for the first time, perform the following steps:


Step 1 Establish a Telnet session or console log session into the switch.

Step 2 Enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

Table 2-9 provides the arguments and keywords for the session slot command.

Table 2-9 Arguments and Keywords for the session slot Command 

Parameter
Description

slot-number

Number of the slot in which the Detector module is inserted in the chassis (1-13 depending on the model of your switch or router).

processor processor_number

Specifies the number of the Detector module processor. The Detector module supports management through processor 1 only.


Step 3 Enter admin for the default admin account username and rhadmin for the password.

Step 4 Enter a password for the root username that consists of 6 to 24 characters.

Retype the new password to verify it.

Step 5 Enter a password for the tac-cli user account that consists of 6 to 24 character.

Retype the new password to verify it.

Step 6 Enter a password for the admin user account that consists of 6 to 24 character.

Retype the new password to verify it.

Step 7 Enter a password for the riverhead user account that consists of 6 to 24 character.

Retype the new password to verify it.

Step 8 Enter configuration mode to configure the Detector module by entering the following command:

configure [terminal]

The following example shows how to enter configuration mode:

user@DETECTOR# configure 
user@DETECTOR-conf#


Note You can change the passwords for the admin and riverhead user accounts at any time. See the "Changing Your Password" section for more information.


To establish all future sessions with the Detector module, use the procedure in the "Establishing a Session with the Detector Module after the Initial Session" section.

Establishing a Session with the Detector Module after the Initial Session

This section shows how to session with the Detector module following the initial session in which you assigned passwords to the default user accounts (see the "Accessing the Detector Module for the First Time" section).

To log in to the Detector module, perform the following steps:


Step 1 Establish a Telnet session or console log session into the switch.

Step 2 Enter the following command at the supervisor engine prompt:

session slot slot_number processor processor_number 

See Table 2-9 for argument and keyword descriptions.

Step 3 Log in at the Detector module login prompt using a configured user account:

login: user

Step 4 Enter the password.

After a successful login, the command-line prompt is represented as user@DETECTOR#. You can change the prompt by entering the hostname command.


Rebooting the Detector Module

Cisco IOS software provides the following commands to control the Detector module: boot, shutdown, power enable and reset:


Caution If you enter the reload command at the supervisor engine prompt, the reload occurs for the entire chassis and includes all the modules in the chassis. See the "Reloading the Detector Module" section for information about how to reload the Detector module.

shutdown—Brings the operating system down gracefully, ensuring that no data is lost. To prevent corruption of the Detector module, it is critical that you shut down the Detector module properly. Enter the following command at the supervisor engine prompt:

hw-module module slot_number shutdown 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

You must then enter the hw-module module module_number reset command to restart the Detector module.

The following example shows how to shut down the Detector module:

Sup# hw-module module 8 shutdown

Note The Detector module reboots if you reboot the switch.


reset—Resets the module. Use this command to recover from a shutdown or to switch between the following Detector module operating images:

Application Partition (AP)—Detector module application software image (see "Upgrading the Detector Module Software" section).

Maintenance Partition (MP)—Software image required for base module initialization and daughter card control functions (see "Upgrading the Detector Module Software" section).

The hw-module reset command resets the module by turning the power off and then on. The reset process requires several minutes. Enter the following command at the supervisor engine prompt:

hw-module module slot_number reset [string] 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis. The string argument is an optional string for the PC boot sequence. Enter cf:1 to reset to the MP and cf:4 to reset to the AP. See the "Upgrading the Detector Module Software" section for more information.

The following example shows how to reset the Detector module:

Sup# hw-module module 8 reset

no power enable—Shuts down the module so that it can be safely removed from the chassis. Enter the following command at the supervisor engine prompt:

no power enable module slot_number

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To switch the module on again, use the following command:

power enable module slot_number

The following example shows how to shut down the Detector module:

Sup (config)# no power enable module 8 

boot—Forces the Detector module to boot to the MP at the next power on. Enter the following command at the supervisor engine prompt:

boot device module slot_number cf:1 

The slot_number argument specifies the number of the slot in which the module is inserted in the chassis.

To enable the Detector module to boot to the default partition, which is the AP, at the next boot cycle, use the following command at the supervisor engine prompt:

no boot device module slot_number cf:1

The following example shows how to configure the Detector module to boot to the AP at the next boot cycle:

Sup# no boot device module 8 cf:1 

Caution The zone learning phases are restarted after reboot. See the "Rebooting the Detector Module and Inactivating Zones" section for more information about the default behavior of the zones after reboot.

Verifying the Detector Module Configuration

To verify the Detector module configuration on the supervisor engine, use the following command at the supervisor engine prompt:

show anomaly-detector module slot_number {management-port | data-port port_number} [state | traffic]

Table 2-10 provides the arguments and keywords for the show module command.

Table 2-10 Arguments and Keywords for the show module Command 

Parameter
Description

slot-number

Number of the slot in which the module is inserted in the chassis (1-13 depending on the model of your switch or router).

management-port

Specifies information about the management port.

data-port port_number

Specifies the port number. The data ports options are as follows:

1-Gbps operation—Port 1

2-Gbps operation—Port 1 and port 2

state

(Optional) Specifies the configuration of the specified port.

traffic

(Optional) Specifies the traffic statistics of the specified port.


The following example shows how to display the Detector module configuration on the supervisor engine:

Sup# show anomaly-detector module 7 data-port 1 state