Table Of Contents
Managing Devices on the MDM Network
Preparing the Device for Operation with the MDM
Configuring a Device to Connect with the MDM
Adding a Device to the MDM Device List
Displaying the MDM Device List
Displaying Device Resource Information
Exchanging Certificates and Keys
Pinging a Device
Enabling or Disabling Communication with a Device
Deleting a Device
Where to Go Next
Managing Devices on the MDM Network
This chapter describes how to prepare and manage the Detector and Guard devices that you want to include in the Cisco DDoS MultiDevice Manager (MDM) network. Some of the initial action items described in this chapter involve using the device's CLI to configure device-side operational attributes prior to configuring the MDM with the device information.
Note
This guide refers to the Cisco Traffic Anomaly Detector Module and the Cisco Traffic Anomaly Detector appliance as Detector and the Cisco Anomaly Guard Module and the Cisco Guard appliance as Guard. When referring to both the Detector and the Guard, this guide uses the term device.
This chapter contains the following sections:
• Preparing the Device for Operation with the MDM
• Configuring a Device to Connect with the MDM
• Adding a Device to the MDM Device List
• Displaying the MDM Device List
• Displaying Device Resource Information
• Exchanging Certificates and Keys
• Pinging a Device
• Enabling or Disabling Communication with a Device
• Deleting a Device
• Where to Go Next
Preparing the Device for Operation with the MDM
Before you can use the MDM to manage your Detector and Guard devices, you must first ensure that your devices are installed and configured as described in the appropriate device configuration guide (see the "Related Documentation" section in the Preface). Perform the initial device configuration process using the CLI.
Note
To use version 1.5 of the MDM, you must install software version 6.1 or higher on each Detector and Guard device.
Verify that you have configured the following items on each device to ensure proper network operation and communication with the MDM:
• Networking configuration—Configure the device network interfaces. You cannot connect to the device until you configure the device interfaces for operation in your networking environment.
• Remote Guard List—(Detector only) If your network consists of Detectors that will activate Guards when one of the Detectors detects a traffic anomaly, verify that you have the remote Guard list configured on each Detector.
• Traffic diversion—(Guard only) Configure traffic diversion so that each Guard can divert the zone traffic to itself and then inject the legitimate traffic back into the network when you activate zone protection.
• Enable the MDM service and permit access—Enable and permit access to the device from the MDM. The CLI procedures to configure this operation are also included in this section (see the "Configuring a Device to Connect with the MDM" section).
Configuring a Device to Connect with the MDM
Use the device's CLI to enable the MDM service and to permit network access to the device from the MDM. You must log on as a user with either administration or configuration user privilege level rights to make the necessary configuration changes. For detailed information on accessing and using the device CLI, see the appropriate configuration guide listed in the "Related Documentation" section of the Preface.
Caution
It is possible to define multiple MDM servers on a device using the mdm server command as described in Step 4 of the following procedure; however, using more than one MDM to manage a device is to provide support for MDM redundancy only. To avoid configuration inconsistencies, use only one MDM to configure a device.
To enable the MDM service and permit network access, follow these steps:
Step 1
Log on to the device CLI using a console or a Secure Shell (SSH) connection.
Step 2
Enter configuration mode by entering the following command in global mode:
Step 3
Enable the MDM service by entering the following command, which activates the Remote Agent (RA) daemon:
admin@DEVICE-conf# service mdm
Step 4
Permit access to the device from the MDM by entering the following command:
admin@DEVICE-conf# mdm server ip-addr [ip-mask]
The ip-addr and ip-mask arguments define the IP address of your MDM server.
The following example shows how to configure the network access for an MDM that connects from IP address 192.168.30.32:
admin@DEVICE-conf# service mdm
admin@DEVICE-conf# mdm server 192.168.30.32
After configuring the network access for the MDM on the device, you may exit the CLI. The device is now ready for you to add to the MDM device list.
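The following script is an added example for this section; it is not part of the Cisco guide or the MDM software. It reads a saved device configuration as text, extracts the two commands used in the procedure above (service mdm and mdm server ip-addr [ip-mask]), and checks them against the MDM that is intended to manage the device: the service must be enabled, the intended MDM address must be permitted, and, following the Caution above, only one MDM host should be defined. The configuration format beyond those two lines and the sample configurations are constructed assumptions.

```python
"""Audit the MDM access configuration of a Detector or Guard (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Matches the two CLI commands used in the procedure above.
SERVICE_MDM_RE = re.compile(r"^\s*service mdm\s*$")
MDM_SERVER_RE = re.compile(r"^\s*mdm server\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass
class MdmAudit:
    service_enabled: bool = False
    permitted: List[ipaddress.IPv4Network] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_mdm_config(config_text: str) -> MdmAudit:
    """Collect the service mdm and mdm server lines from a saved configuration."""
    audit = MdmAudit()
    for line in config_text.splitlines():
        if SERVICE_MDM_RE.match(line):
            audit.service_enabled = True
            continue
        m = MDM_SERVER_RE.match(line)
        if not m:
            continue
        addr, mask = m.groups()
        try:
            # A bare address permits one host; address plus mask permits a range.
            net = ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
        except ValueError as exc:
            audit.findings.append(f"unparseable line {line.strip()!r}: {exc}")
            continue
        audit.permitted.append(net)
    return audit


def audit_device(config_text: str, expected_mdm: str) -> MdmAudit:
    """Check that exactly the intended MDM is enabled and permitted on the device."""
    audit = parse_mdm_config(config_text)
    expected = ipaddress.ip_address(expected_mdm)
    if not audit.service_enabled:
        audit.findings.append("service mdm is not enabled, so the Remote Agent daemon will not run")
    if not any(expected in net for net in audit.permitted):
        audit.findings.append(f"expected MDM {expected_mdm} is not permitted by any mdm server line")
    for net in audit.permitted:
        if net.num_addresses > 1:
            audit.findings.append(
                f"mdm server entry {net.with_netmask} permits {net.num_addresses} addresses; "
                "prefer the single MDM host")
    if len(audit.permitted) > 1:
        audit.findings.append(
            f"{len(audit.permitted)} mdm server entries; more than one MDM is for redundancy only, "
            "configure the device from one MDM")
    return audit


# Constructed sample configurations (not captured from a real device).
GOOD_CONFIG = """hostname guard-1
service mdm
mdm server 192.168.30.32
"""
BAD_CONFIG = """hostname guard-2
mdm server 192.168.30.0 255.255.255.0
mdm server 10.0.0.5
"""

if __name__ == "__main__":
    for name, cfg in (("guard-1", GOOD_CONFIG), ("guard-2", BAD_CONFIG)):
        result = audit_device(cfg, "192.168.30.32")
        print(name, "OK" if not result.findings else "FINDINGS")
        for finding in result.findings:
            print("  -", finding)
```

Run the script against the text of each device's saved configuration with the address of the MDM that is supposed to manage it; the second sample shows the three conditions the audit reports (service not enabled, a mask that permits a whole subnet, and more than one MDM entry).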
Adding a Device to the MDM Device List
The MDM device list defines the devices that the MDM is to manage and associate with the zone configurations. To allow the MDM to communicate with a device on the list, you must enable the MDM service and define the MDM server on the device (see the "Configuring a Device to Connect with the MDM" section).
Caution 
Avoid adding a device to the MDM device list if you are using another MDM server to manage the device. Using more than one MDM to manage a device is to provide support for MDM redundancy only. To avoid configuration inconsistencies, use only one MDM to configure a device.
To add a device to the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Click Add, located below the Device List table. The Config Device screen appears.
Step 4
Define the device parameters as described in Table 3-1.
Table 3-1 Device Parameters
Parameter | Description
IP Address | IP address of the device on the network. Enter an IP address in dotted decimal notation (for example, 192.168.12.15).
Hostname | Hostname of the device on the network. Enter an alphanumeric string with a maximum of 255 characters.
Description | Device description to help identify the device on the network. Enter an alphanumeric string with a maximum of 255 characters.
Enable | Manages the communication channel between the MDM and the device. Choose one of the following options:
• Check the Enable check box to allow the MDM to communicate with the device.
• Uncheck the Enable check box to not allow the MDM to communicate with the device.
Step 5
Click OK. The MDM adds the device to the Device List screen.
After adding a device to the device list, you need to initiate a certificate exchange so that the MDM and the device can establish an SSL session (see the "Exchanging Certificates and Keys" section).
Displaying the MDM Device List
The MDM device list provides you with a summary view of the devices that you have associated with the MDM. From this screen, you can determine the status of each device listed, such as whether the MDM is communicating with the device, the number of zones configured on the device, memory usage, and so on.
To display the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Table 3-2 describes the fields of the Device List table.
Table 3-2 MDM Device List Fields
Field | Description
Hostname | Hostname of the device on the network.
IP Address | IP address of the device on the network.
Type | Type of device as determined by the MDM. Possible values for the device type are as follows:
• Detector—The MDM recognizes the device as a Detector.
• Guard—The MDM recognizes the device as a Guard.
• Undetermined—Since you added the device to the device list, the MDM has not been able to communicate with it to determine the device type.
State | Communication state between the MDM and the device. Possible communication states are as follows:
• Disconnected—The MDM is not able to establish a connection with the device.
• Suspended—The device is not enabled.
• Initializing—The MDM is establishing a connection with the device and is in the process of updating the device's Remote Agent (RA).
• Connected—The MDM has an established communication path with the device.
Zones | Number of zones configured on the device.
Active Zones | Number of zones configured on the device that perform any of the following operations:
• Anomaly detection—Detect operation is active
• Zone protection—Protect operation is active
• Learning—Construct Policies or Tune Thresholds is active
The MDM displays a value of N/A if it does not have an established communication path with the device as indicated by the State field.
Attacked Zones | Number of zones configured on the device currently under attack.
#DF | Number of dynamic filters that the device has created in response to the attacks the device is currently handling on the active zones.
Mem Usage | Amount of memory that the device's anomaly detection engine is currently utilizing. The amount of memory relates to the number of active zones on the device and the number of services that each zone monitors. This value is expressed as a percentage of the total amount of available memory.
Note If the anomaly detection engine memory usage is higher than 95 percent, we strongly recommend that you lower the number of active zones.
Total Rate | Amount of traffic that the device is receiving from the active zones. This rate is expressed in packets per second (pps).
Displaying Device Resource Information
You can monitor the resources associated with a specific device listed in the MDM Device List screen. The MDM Device Resources table lets you monitor the resource and status information for the specified device.
Note
The Guard module can operate at two different bandwidth performance levels: 1 Gigabit per second (Gbps) or 3 Gbps. The Detector module can operate at two different bandwidth performance levels: 1 Gigabit per second (Gbps) or 2 Gbps. The results for the Guard or Detector will differ in the Device Resources table depending on the installed software image on the specific device.
To display the MDM Device Resources table, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Check the check box next to the hostname of the desired device. You can obtain resource information only for a single device at a time.
Step 4
Click the Device Resources button, located below the Device List table. The Device Resources table appears, displaying the resource and CPU utilization.
Table 3-3 describes the fields of the Device Resources table.
Table 3-3 MDM Device Resources Table Fields
Field | Description
Host CPU1 | Percentage of CPU time for CPU1 in user mode, system mode, niced tasks (tasks with a negative nice value; the nice value represents the priority of a process), and idle. Niced tasks are also counted in system time and user time, so the total CPU utilization can be more than 100 percent.
Host CPU2 | (Field visible in Detector or Guard appliance only) Percentage of CPU time for CPU2 in user mode, system mode, niced tasks (tasks with a negative nice value; the nice value represents the priority of a process), and idle. Niced tasks are also counted in system time and user time, so the total CPU utilization can be more than 100 percent.
Disk Space Usage | (Field visible in Detector or Guard appliance only) Percentage of the allocated disk space that the monitored device (Detector or Guard) is using. When the disk space usage reaches approximately 75 percent of the disk or flash maximum capacity (device dependent), the device displays a warning message in its syslog and sends a trap. If the disk space reaches 80 percent, follow the guidelines described in the associated CLI configuration guide (see the "Related Documentation" section in the Preface for a list of the related documentation).
Flash Space Usage | (Field visible in Detector or Guard module only) Percentage of the allocated disk space that the monitored device (Detector or Guard) is using. When the disk space usage reaches approximately 75 percent of the disk or flash maximum capacity (device dependent), the device displays a warning message in its syslog and sends a trap. If the disk space reaches 80 percent, follow the guidelines described in the associated CLI configuration guide (see the "Related Documentation" section in the Preface for a list of the related documentation).
Accelerator Card Memory Usage | Percentage of memory that the accelerator card is using. If the monitored device is either the Guard module or the Detector module, the memory usage is specified on a per-port basis: 1 port for 1-Gbps operation; 2 ports for 2-Gbps operation (Detector module only); 3 ports for 3-Gbps operation (Guard module only).
If the accelerator card memory usage is higher than 85 percent, the Detector or Guard generates an SNMP trap. A high value may indicate that the device is monitoring a high volume of traffic.
Accelerator Card CPU Utilization | Percentage of the accelerator card CPU utilization. If the monitored device is either the Guard module or the Detector module, the CPU utilization is specified on a per-port basis: 1 port for 1-Gbps operation; 2 ports for 2-Gbps operation (Detector module only); 3 ports for 3-Gbps operation (Guard module only).
If the accelerator card CPU utilization is higher than 85 percent, the Detector or Guard generates an SNMP trap. A high value may indicate that the device is monitoring a high volume of traffic.
Top Proxy Usage | (Guard devices only) Percentage of the proxy ports being used on a per-device port basis. The Guard module can operate at two different bandwidth performance levels: 1 Gigabit per second (Gbps) or 3 Gbps.
Anomaly Detection Engine Used Memory | Specifies the percentage of memory that the Detector or Guard statistical engine uses. The anomaly detection engine memory usage is affected by the number of active zones, the number of services each of the zones monitors, and the amount of nonspoofed traffic that the device is monitoring.
If the anomaly detection engine memory usage is higher than 90 percent, we strongly recommend that you lower the number of active zones.
Dynamic Filters Used | Total number of dynamic filters that are active in all the zones. The Detector or Guard displays the number of active dynamic filters and the percentage of dynamic filters that are active out of the total number of dynamic filters that the device supports, which is 150,000. If the number of active dynamic filters reaches 150,000, the Detector or Guard generates an SNMP trap with a severity level of EMERGENCY. If the number of active dynamic filters reaches 135,000, the device generates an SNMP trap with a severity level of WARNING.
A high value may indicate that the Detector or Guard is monitoring a high traffic volume of a DDoS attack.
Number of Zones | Number of zones configured on the device.
Number of Attacked Zones | Number of zones configured on the device currently under attack.
Number of Active Zones | Number of zones configured on the device that are currently performing any of the following operations:
• Anomaly detection—Detect operation is active (Detector only)
• Zone protection—Protect operation is active (Guard only)
• Learning—Construct Policies or Tune Thresholds is active
The MDM displays a value of N/A if it does not have an established communication path with the device as indicated by the State field.
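The following script is an added example, not part of the Cisco guide or the MDM software. It takes the Device List and Device Resources values for one device as a plain dictionary (the sample dictionary is constructed; how the values are collected, whether from the MDM screens, SNMP, or the CLI, is outside the example) and evaluates them against the limits stated in Tables 3-2 and 3-3: 85 percent for the accelerator card, the 75 and 80 percent disk or flash levels, the 135,000 WARNING and 150,000 EMERGENCY dynamic filter levels, and the anomaly detection engine memory recommendation (Table 3-2 states 95 percent and Table 3-3 states 90 percent; the example uses the stricter 90). It also honours the N/A rule: counters are evaluated only while the device state is Connected.

```python
"""Evaluate polled device resource values against the documented limits (added example)."""
from typing import Dict, List, Optional, Tuple

# Limits taken from Tables 3-2 and 3-3 above.
DYNAMIC_FILTER_CAPACITY = 150_000   # EMERGENCY trap level
DYNAMIC_FILTER_WARNING = 135_000    # WARNING trap level
ACCEL_CARD_LIMIT_PCT = 85
ENGINE_MEMORY_LIMIT_PCT = 90
DISK_NOTICE_PCT = 75
DISK_ACTION_PCT = 80
SEVERITY_ORDER = ["INFO", "NOTICE", "WARNING", "EMERGENCY"]

Alert = Tuple[str, str]


def evaluate_resources(poll: Dict) -> List[Alert]:
    """Return (severity, message) pairs for every documented limit the poll crosses."""
    if poll.get("state") != "Connected":
        # Table 3-2: counters are N/A without an established communication path.
        return [("INFO", f"state={poll.get('state')}: resource counters are N/A until the device is Connected")]
    alerts: List[Alert] = []
    # Accelerator card values are per port (1, 2 or 3 ports depending on the image).
    for port, pct in sorted(poll.get("accel_mem_pct", {}).items()):
        if pct > ACCEL_CARD_LIMIT_PCT:
            alerts.append(("WARNING", f"accelerator card memory port {port} at {pct}% (device traps above {ACCEL_CARD_LIMIT_PCT}%)"))
    for port, pct in sorted(poll.get("accel_cpu_pct", {}).items()):
        if pct > ACCEL_CARD_LIMIT_PCT:
            alerts.append(("WARNING", f"accelerator card CPU port {port} at {pct}% (device traps above {ACCEL_CARD_LIMIT_PCT}%)"))
    disk = poll.get("disk_pct")
    if disk is not None:
        if disk >= DISK_ACTION_PCT:
            alerts.append(("WARNING", f"disk/flash usage {disk}%: follow the CLI configuration guide's guidelines"))
        elif disk >= DISK_NOTICE_PCT:
            alerts.append(("NOTICE", f"disk/flash usage {disk}%: device logs a syslog warning and sends a trap"))
    engine = poll.get("engine_mem_pct")
    if engine is not None and engine > ENGINE_MEMORY_LIMIT_PCT:
        alerts.append(("WARNING", f"anomaly detection engine memory {engine}%: lower the number of active zones"))
    filters = poll.get("dynamic_filters")
    if filters is not None:
        used_pct = 100.0 * filters / DYNAMIC_FILTER_CAPACITY
        if filters >= DYNAMIC_FILTER_CAPACITY:
            alerts.append(("EMERGENCY", f"dynamic filters {filters} ({used_pct:.1f}% of capacity)"))
        elif filters >= DYNAMIC_FILTER_WARNING:
            alerts.append(("WARNING", f"dynamic filters {filters} ({used_pct:.1f}% of capacity)"))
    return alerts


def highest_severity(alerts: List[Alert]) -> Optional[str]:
    """Worst severity among the alerts, or None when nothing was raised."""
    if not alerts:
        return None
    return max((severity for severity, _ in alerts), key=SEVERITY_ORDER.index)


# Constructed sample poll for a 3-Gbps Guard module (not real device output).
SAMPLE_POLL = {
    "hostname": "guard-1",
    "state": "Connected",
    "accel_mem_pct": {1: 40, 2: 91, 3: 60},
    "accel_cpu_pct": {1: 30, 2: 70, 3: 50},
    "disk_pct": 77,
    "engine_mem_pct": 93,
    "dynamic_filters": 140_000,
}

if __name__ == "__main__":
    for severity, message in evaluate_resources(SAMPLE_POLL):
        print(f"[{severity}] {SAMPLE_POLL['hostname']}: {message}")
    print("highest:", highest_severity(evaluate_resources(SAMPLE_POLL)))
```

Running the sample raises four alerts (accelerator memory on port 2, disk at the 75 percent notice level, engine memory above 90 percent, and dynamic filters in the WARNING band); raising the filter count to 150,000 promotes the worst severity to EMERGENCY, and any state other than Connected yields a single informational line instead of counter evaluation.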
Exchanging Certificates and Keys
Communication between the MDM and the devices is performed using Secure Sockets Layer (SSL). SSL provides a secure means for exchanging data between a device (the client) and the MDM server through privacy, authentication, and data integrity. SSL relies upon certificates and private-public key pairs for this level of security. The keys used for data encryption and the certificates provide proof of identity. To establish an SSL session, the device and the MDM server perform an SSL handshake, during which they exchange their public keys and self-signed certificates.
After adding a new device to the MDM device list, you must initiate a certificate exchange to allow the MDM and the device to perform an SSL handshake and exchange self-signed certificates and public keys. You can only initiate the certificate exchange process on one device at a time.
To initiate a certificate exchange, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Check the check box next to the hostname of the desired device.
Step 4
Click Exchange Certificate, located below the Device List table. The Certificate Exchange window opens.
Step 5
Enter the required password for accessing the device. The MDM uses the riverhead user account to access the device. You must enter the password that you assigned to the riverhead user account on the device using the device CLI.
Step 6
Click OK. The MDM and the device perform the SSL handshake and exchange certificates and public keys.
After the MDM and the device complete the SSL handshake, the MDM initializes the device by performing the following:
• Opens a communication channel
• Queries the device to extract the following information:
– Device type (Detector or Guard).
– Local time (to calculate the time difference with the MDM).
– Version of the installed Remote Agent (RA). If required, the MDM updates the RA version installed on the device.
While the MDM initializes the device, the device state changes to Initializing. When initialization is complete, the state changes to Connected. To display the changes to the device state, you must refresh the MDM window.
Note
When the device state is Disconnected, the MDM attempts to connect to the device once a minute. While the MDM is attempting to establish a connection, the device state changes to Initializing.
The MDM maintains a periodic update mechanism that is performed once every five minutes to coordinate the time difference between the MDM and the devices across the network. This periodic update is performed to prevent a time mismatch between the MDM and a device in case a time change has occurred.
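The following script is an added example, not part of the Cisco guide, and it does not describe how the MDM itself stores peer certificates (this page does not document that). It illustrates the property that the operator-initiated certificate exchange above provides: once a device's self-signed certificate has been exchanged, later automatic reconnects identify the device by that certificate's fingerprint, so a different certificate presented from the same address is a verification failure to investigate rather than something to trust silently. The certificate byte strings are constructed stand-ins for DER-encoded certificates, and the device address is the sample address from Table 3-1.

```python
"""Trust-on-first-use pinning of exchanged self-signed certificates (added example)."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class CertificatePinStore:
    """Maps a device address to the SHA-256 fingerprint of the certificate it
    presented during the operator-initiated exchange."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        return hashlib.sha256(cert_der).hexdigest()

    def exchange(self, device_ip: str, cert_der: bytes) -> str:
        """Step 6 above: the operator authenticated to the device with the
        riverhead password, so enrol (or replace) its certificate."""
        fp = self.fingerprint(cert_der)
        self._pins[device_ip] = fp
        return fp

    def pinned(self, device_ip: str) -> Optional[str]:
        return self._pins.get(device_ip)


def reconnect(store: CertificatePinStore, device_ip: str, presented_der: bytes) -> Tuple[str, str]:
    """Automatic once-a-minute reconnect attempt. Returns (resulting state, reason)
    using the Device List state names from Table 3-2."""
    expected = store.pinned(device_ip)
    if expected is None:
        # No exchange yet: the device was added to the list but never enrolled.
        return ("Disconnected", "no certificate exchange has been performed for this device")
    presented = store.fingerprint(presented_der)
    # Constant-time comparison of the hex fingerprints.
    if not hmac.compare_digest(expected, presented):
        return ("Disconnected",
                "presented certificate does not match the exchanged one; confirm the device was "
                "re-provisioned before running Exchange Certificate again")
    return ("Connected", "certificate matches the pinned fingerprint")


# Constructed stand-ins for DER-encoded self-signed device certificates.
DEVICE_CERT = b"constructed-self-signed-cert-guard-1-v1"
ROTATED_CERT = b"constructed-self-signed-cert-guard-1-v2"
DEVICE_IP = "192.168.12.15"

if __name__ == "__main__":
    store = CertificatePinStore()
    print(reconnect(store, DEVICE_IP, DEVICE_CERT))     # Disconnected: not yet exchanged
    store.exchange(DEVICE_IP, DEVICE_CERT)
    print(reconnect(store, DEVICE_IP, DEVICE_CERT))     # Connected
    print(reconnect(store, DEVICE_IP, ROTATED_CERT))    # Disconnected: certificate changed
```

The design point is that enrolment is an explicit, operator-authenticated action while reconnection is automatic and only ever compares; a changed certificate therefore surfaces as a Disconnected device that needs an operator decision rather than being re-trusted on the next minute's retry.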
Pinging a Device
From the Device List page, you can use the ICMP Ping option to test the communication path between the MDM and a device on the device list.
To ping a device, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
From the Device List table, check the check box next to the device to ping.
Step 4
Click Ping, located below the Device List table. The MDM issues the ping command to the device and the Ping window opens, displaying the results of the ping action.
Enabling or Disabling Communication with a Device
To manage the ability of the MDM to communicate with the device, you can enable or disable the communication channel between the MDM and a device. Disabling communication with a device does not affect the current operating state of the device. For example, if you disable communication with a Guard that currently has Protect active for a zone, the Guard continues to protect the zone.
Note
Changing the communication state between the MDM and a device may introduce conflict error conditions (see the "Resolving MDM Database Conflicts" section in Chapter 4, "Resolving Conflicts and Synchronizing Zones").
To enable or disable the communication channel between the MDM and a device, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
Click the hostname of the desired device. The Device Form window appears.
Step 4
Use one of the following methods to enable or disable MDM communication with the device:
• Check the Enable check box to allow the MDM to communicate with the device.
• Uncheck the Enable check box to disable the device or not allow the MDM to communicate with the device.
Step 5
Click OK.
Deleting a Device
When you delete a device from the MDM device list, you remove the device from the MDM database and the device is no longer associated with any zone. Once you delete the device from the database, you can no longer manage the device with this user interface. The device, however, will continue to perform according to its current operating state. For example, if you delete a Guard that currently has Protect active for a zone, the Guard continues to protect the zone.
Note
You cannot delete the zone master device. To delete the device that is the master device, you must first choose another device as the master device.
To delete a device from the MDM device list, follow these steps:
Step 1
Access the Network Summary screen using one of the following methods:
• From the navigation pane, click Network Summary.
• From the information area located in the upper right hand corner, click Home.
The Network Summary menu and screen appear.
Step 2
From the Network Summary menu, choose Main > Devices List. The Device List screen appears, displaying the devices currently associated with the MDM.
Step 3
From the Device List table, check the check box next to the device to delete.
Step 4
Click Delete (located below the Device List table). The MDM removes the device from its database.
Where to Go Next
After adding a device to the MDM device list, where you go to next in this guide depends on whether the device was configured with zone configurations at the time that you added the device, or if you are experiencing communication problems with a device. Use the following guidelines to determine where to go next:
• Zone configurations do not exist on the device—The next step is to begin defining zones on the device, which is performed by creating the zone on the master device.
Make sure that all of the devices that you plan to configure with the same zone information are on the device list, and then see Chapter 5, "Creating and Configuring Zones," to begin creating zone configurations.
• Zone configurations exist on the device—When zone configurations already exist on the device, or you are not sure if they exist or not, see Chapter 4, "Resolving Conflicts and Synchronizing Zones." This chapter describes how to check for conflicts, which occur when a device contains a zone configuration that the MDM does not have in its database. The MDM resolves a conflict by pulling any zone configuration names that do not already exist in the MDM database from the device.
• The MDM cannot communicate with a device—If the MDM cannot reach a Connected state with a device after you add the device to the device list and initiate a certificate exchange, see Chapter 12, "Troubleshooting Problems with the MDM."