Release Note for the Cisco Traffic Anomaly
Detector Module
October 20, 2008
Note
The most current Cisco documentation for released products is available on Cisco.com.
Contents
This release note applies to software versions 6.1(2) and 6.1(5) for the Cisco Traffic Anomaly Detector
Module (Detector module). The Cisco Catalyst 6500 series switch and the 7600 series router support the
Detector module. To support the Detector module:
• The Catalyst 6500 series switch requires either:
  – IOS 12.2(18)SXD3 or later and a SUP720 or a SUP2 with an MSFC2
  – IOS 12.2(33)SXH1 or later and a Sup720-10GE
• The 7600 series router requires either:
  – IOS 12.2(18)SXE or later and a SUP720
  – IOS 12.2(33)SRC or later and RSP720
This release note contains the following sections:
• New Features in Software Version 6.1(2)
• Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)
• Upgrading Module Bandwidth from 1 Gbps to 2 Gbps
• Ordering and Installing a Software License Key for the 6.1-XG Detector Module
• Maximum Number of Modules Supported in a Switch or Router
• Operating Considerations
• MultiDevice Manager Commands Omitted from the Configuration Guide
• Software Version 6.1(5) Resolved and Open Caveats
• Software Version 6.1(2) Resolved and Open Caveats
• Related Documentation
• Obtaining Documentation and Submitting a Service Request
Americas Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA
© 2008 Cisco Systems, Inc. All rights reserved.
New Features in Software Version 6.1(2)
The following new features are available in software version 6.1(2):
• New policies for persistent low rate attacker
• Traffic IP summarization
• Disable VLANs if physical interface is down
• Add zone name to capture file name
• Configurable log capacity
• Implicit Write Memory for router mode
• Interfaces display order
• Monitoring system resources from the Web-Based Manager (WBM)
• Enhanced AAA support in WBM
Ordering and Installing a Software License Key for the 6.1-XG Detector Module
When you order the 6.1-XG software as a spare to install in an existing Detector module, you must enter
a software license key to activate the software. This section contains the following topics that describe
how to order and install a software license key:
• Ordering a 6.1-XG Software License Key
• Installing the XG Software License Key
Ordering a 6.1-XG Software License Key
The software license key that is required to activate the XG software is associated with the Media Access
Control (MAC) address of the Detector module where the XG software resides. This section describes
the process that you use to order the XG software license key.
You must have the XG version of the 6.0 operating software (or newer) loaded on your Detector module
before ordering and installing the corresponding license. To verify the version of software currently
loaded on your Detector module, use the show version command. When the XG software is loaded, the
software version number has an -XG suffix (for example, version 6.1-XG).
To order the 2-Gbps license, perform the following steps:
Step 1
From the Detector module, enter the show license-key unique-identifier command (this command
requires the admin privilege level) to view the Detector module MAC address.
Step 2
Record the MAC address information because you will need this information when placing your order
for the 2-Gbps operation license.
Release Note for the Cisco Traffic Anomaly Detector Module
2
OL-16149-02
Step 3
Order the lic-agm-2g-k9 license using any of the available Cisco ordering tools on cisco.com.
Step 4
When you receive the Software License Claim Certificate from Cisco, complete the instructions that
direct you to the following Cisco.com website: http://www.cisco.com/go/license. Then complete the
installation procedure as described in “Installing the XG Software License Key”.
Installing the XG Software License Key
To install the 2-Gbps license, perform the following steps:
Step 1
When you receive the Software License Claim Certificate from Cisco, follow the instructions that direct
you to the following Cisco.com website: http://www.cisco.com/go/license
Step 2
Enter the Product Authorization Key (PAK) number found on the Software License Claim Certificate as
your proof of purchase.
Step 3
Provide all of the requested information to generate a license key.
Once the system generates the license key, you will receive a license key e-mail with an attached license
file and installation instructions. Save the license key e-mail in case you need it in the future.
Step 4
Open the license key file using a text editor and copy its contents into your desktop computer's clipboard.
Step 5
From the Detector module, enter the license-key add command in configuration mode. The CLI prompts
you to enter the key lines.
Step 6
Paste the contents of your desktop computer’s clipboard (containing the license key) and press the Enter
key.
Step 7
Enter an empty line and press Enter. If the Detector module contains a previously installed license, a
confirmation message displays that asks if you want to install the new license.
Step 8
Type y (yes). The XG software is now active and ready for 2-Gbps operation.
Step 9
(Optional) Enter the show license-key command to verify that the key loaded properly and is valid.
Upgrading Module Bandwidth from 1 Gbps to 2 Gbps
If your Detector module currently operates with a maximum bandwidth of 1 Gbps, you can upgrade the
bandwidth performance to 2 Gbps by installing the XG version of the software and corresponding
software license key. The software license key activates the installed XG software. When you install the
XG software, the Detector module is not operational until you install the corresponding software license
and make the necessary configuration modifications that are required for the 2-Gbps operation. The
configuration changes include the following items:
• Activate the additional data port—Activate the additional data port on the Detector module for the
  2-Gbps operation using the no shutdown command in interface configuration mode. For
  configuration information, see the “Activating the Additional Data Port for the 2-Gbps Operation”
  section in Chapter 13 of the Cisco Traffic Anomaly Detector Module Configuration Guide.
• Regenerate the SSL certificates—Generate new SSL certificates on the Detector module and any
  associated Guards. For configuration information, see the “Regenerating the SSL Certificates for the
  2-Gbps Operation” section in Chapter 13 of the Cisco Traffic Anomaly Detector Module
  Configuration Guide.
Installing the XG software and license does not affect the following Detector module functions:
• Zone configurations—Existing zone configuration information is untouched.
• Management access—Configuration parameters that are configured on mng (the management port
  designator) for the 1-Gbps operation remain the same for the 2-Gbps operation.
For complete information on ordering and installing the XG license key, see the “Performing Maintenance
Tasks” chapter in the Cisco Traffic Anomaly Detector Module Configuration Guide.
Upgrading to Software Version 6.1(x) From a Software Version Prior to 5.1(4)
In software versions prior to 5.1(4), the Detector module allowed you to configure illegal subnet masks.
In software version 5.1(4) and greater, the Detector module checks to ensure that subnet masks are legal.
When you upgrade to 6.1(x) from a software version prior to 5.1(4), the Detector module corrupts all
zone configurations that contain an illegal subnet mask. To prevent the module from corrupting a zone
configuration that contains an illegal subnet mask, configure the zone configuration with a legal subnet
mask by performing the following steps prior to upgrading the software:
Step 1
Use the no ip address command to delete the subnet mask.
Step 2
Use the ip address command to configure the subnet mask with a legal subnet.
For details on configuring zone IP addresses, see the “Configuring the Zone IP address Range” section
in the Configuring Zones chapter.
Software upgrade instructions are located in the “Upgrading the Detector Module Software” section of
the Cisco Traffic Anomaly Detector Module Configuration Guide.
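As an added example (not Cisco code and not taken from the configuration guide), the following Python script scans an exported zone configuration for masks that version 5.1(4) and later would reject, so that you can correct them before the upgrade instead of discovering corrupted zones afterward. It assumes the export lists each zone as a zone <name> line followed by ip address <address> <mask> lines, and that a legal mask is a contiguous run of one-bits followed by zeros (255.255.255.0 is legal, 255.255.0.255 is not); both the line format and the sample configuration are assumptions, not something the release note states.

```python
"""Pre-upgrade scan of a Detector module zone configuration for illegal subnet masks.

Added example, not Cisco code. Assumptions (not stated in the release note):
  * the configuration was exported as text, each zone begins with a
    'zone <name>' line and is followed by 'ip address <addr> <mask>' lines;
  * a legal mask is a contiguous run of one-bits followed by zeros
    (255.255.255.0 is legal, 255.255.0.255 is not).
The sample configuration below is constructed only to exercise the check.
"""
import ipaddress
import re

ZONE_RE = re.compile(r"^\s*zone\s+(\S+)")
IP_ADDRESS_RE = re.compile(r"^\s*ip address\s+(\S+)\s+(\S+)\s*$")

# Constructed sample; documentation address ranges, not a real deployment.
SAMPLE_CONFIG = """\
zone web-servers
 ip address 192.0.2.0 255.255.255.0
 ip address 198.51.100.64 255.255.255.192
zone legacy-dmz
 ip address 203.0.113.0 255.255.0.255
 ip address 203.0.113.128 0.255.255.255
"""


def mask_is_legal(mask: str) -> bool:
    """True if mask is a dotted quad whose bits are all ones followed by all zeros."""
    try:
        value = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    # Invert the mask: a legal mask becomes a run of trailing ones (2**k - 1),
    # and such a number ANDed with its successor is zero.
    inverted = value ^ 0xFFFFFFFF
    return inverted & (inverted + 1) == 0


def find_illegal_masks(config_text: str) -> list:
    """Return (zone, address, mask) for every ip address line whose mask is illegal."""
    findings = []
    zone = None
    for line in config_text.splitlines():
        zone_match = ZONE_RE.match(line)
        if zone_match:
            zone = zone_match.group(1)
            continue
        ip_match = IP_ADDRESS_RE.match(line)
        if ip_match and not mask_is_legal(ip_match.group(2)):
            findings.append((zone, ip_match.group(1), ip_match.group(2)))
    return findings


def report(config_text: str) -> list:
    """One line per finding, naming the zone entry to delete and re-enter before upgrading."""
    return [
        f"zone {zone}: ip address {addr} {mask} has an illegal mask; "
        f"delete it with no ip address and re-enter it with a legal mask before upgrading"
        for zone, addr, mask in find_illegal_masks(config_text)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG) or ["no illegal masks found"]:
        print(line)
```

Run the script against the exported configuration of each Detector module before starting the upgrade; every reported entry is one you must delete with no ip address and re-enter with a legal mask, as in the two steps above. The mask test works on the bit pattern rather than a table of known masks, so it also catches masks such as 255.254.255.0 that look plausible at a glance.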
Maximum Number of Modules Supported in a Switch or Router
A switch or router 9-slot chassis supports a combined maximum of eight Anomaly Guard modules and
Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum
of four Detector modules in a single chassis in any combination for a total of eight modules.
A switch or router 13-slot chassis supports a combined maximum of 10 Anomaly Guard modules and
Traffic Anomaly Detector modules. You can install a maximum of eight Guard modules or a maximum
of four Detector modules in a single chassis in any combination for a total of 10 modules.
Operating Considerations
The following operating considerations apply to the Detector module:
• The copy ftp command supports active mode only.
• The Detector module must be running software version 6.1(x) to operate with the Cisco MultiDevice
  Manager software version 1.5(1).
• Downgrading software versions is not supported.
MultiDevice Manager Commands Omitted from the Configuration Guide
Three commands related to the Cisco DDoS MultiDevice Manager (MDM) software functionality on the
Detector module were introduced in software version 5.1(5), but were omitted from the Cisco Traffic
Anomaly Detector Module Configuration Guide. The following sections describe these commands:
• mdm logging trap Command
• mdm restore Command
• show mdm Command
mdm logging trap Command
To configure traps for MDM logging, use the mdm logging trap command in global configuration
mode. To disable logging functions, use the no form of this command.
The syntax for this command is as follows:
mdm logging trap {alerts | critical | debugging | emergencies | errors | informational | notifications |
warnings}
The following table describes the keywords for the mdm logging trap command.
Keyword         Description
alerts          Immediate action needed (severity=1).
critical        Critical conditions (severity=2).
debugging       Debugging messages (severity=7).
emergencies     System is unusable (severity=0). This is the default.
errors          Error conditions (severity=3).
informational   Informational messages (severity=6).
notifications   Normal but significant conditions (severity=5).
warnings        Warning conditions (severity=4).
For example, to capture and log informational messages, use the mdm logging trap informational
command in global configuration mode.
user@DETECTOR# configure
user@DETECTOR-conf# mdm logging trap informational
mdm restore Command
When you enable the MDM service on the Detector module so that you can manage the device from the
MDM, the MDM automatically upgrades the Remote Agent (RA) on the device when it initiates a
communication link with the device. While the MDM is upgrading the device RA, the operating state
displays on the MDM as Initializing. The state changes to Connected when the RA upgrade is complete.
When a device appears to be constantly in a state of initialization, it may indicate that the MDM is
attempting to upgrade the device RA but cannot do so.
Use the mdm restore command to resolve issues with upgrading and connecting the device RA. To
return the device RA to the stub and force the MDM to reinstall the latest RA version, use the mdm
restore command in global configuration mode.
The syntax for this command is as follows:
mdm restore
For example:
user@DETECTOR# configure
user@DETECTOR-conf# mdm restore
show mdm Command
To check the status of MDM connections and settings, use the show mdm command in EXEC mode.
The syntax for this command is as follows:
show mdm
For example:
user@DETECTOR# show mdm
The following table describes the fields in the show mdm display.
Field                 Description
MDM service state     Operating state of the MDM service: enabled or disabled.
MDM servers           List of MDM servers that you define on the device (permitting them
                      to access the device) and the state of the key exchange process with
                      each of the servers: key exchange is complete or key exchange is
                      required.
Connected managers    MDM server currently connected to and managing the device.
MDM syslog level      Setting of the syslog server logging level: alerts, critical, debugging,
                      emergencies, errors, informational, notifications, warnings.
Software Version 6.1(5) Resolved and Open Caveats
The following sections contain the resolved and open caveats in software version 6.1(5):
• Software Version 6.1(5) Resolved Caveats
• Software Version 6.1(5) Open Caveats
Software Version 6.1(5) Resolved Caveats
The following caveats are resolved in software version 6.1(5) and apply to the 1G and 2G Detector
module except where noted:
• CSCsq63421—CM subsystem failure and reload of the guard.
• CSCso30607—This caveat applies to the WBM. The following sequence of events causes the
  Detector module to incorrectly measure the traffic rate of a policy and produce dynamic filters even
  though the traffic rate does not exceed the policy threshold and there is no attack on the zone:
  a. You modify a specific policy using the WBM Config Policy screen.
  b. You activate anomaly detection.
  c. The device detects traffic packets associated with the modified policy.
• CSCsu33377 and CSCso41927—The disk becomes full, various show commands stop working, and
  logs are not written.
• CSCsu49999 and CSCsu49963—These caveats apply only to the 2G Detector module. Packet
  dump samples traffic from only one of the two ports.
Software Version 6.1(5) Open Caveats
The following caveats are open in software version 6.1(5):
• CSCsb05557—Remote activation and synchronization processes from a Detector module to a
  Guard do not function when the Detector module is located behind a device that is performing
  Network Address Translation (NAT). Workaround: Reconfigure the network configuration to
  disable NAT.
• CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window
  waits for results from the signature generation process. Even if you close the pop-up window
  manually, the WBM remains unresponsive while signature generation is in progress. Workaround:
  Wait until the pop-up window receives a result, or issue the no service wbm CLI command in
  configuration mode.
• CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in
  different zones. Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector module may stop functioning or start logging errors after reaching
  100 percent anomaly detection engine memory utilization. Workaround: Use the show resources
  command in global mode to view the amount of anomaly detection engine memory currently being
  used by the Detector module. Reducing the number of active zones may free up memory.
• CSCsc69508—After you import an HTML file to serve as login banner, some SSH clients may not
  be able to connect to the product. Workaround: None.
• CSCsd71002—When you use the dst-ip-by-name activation method to define a zone on the
  Detector and an attack occurs on several IP addresses from the zone range, the Detector does not
  create and activate all child zones that are being attacked. If global policies are active while the
  dst_ip policy is not, only the first recognized IP address is protected successfully. Workaround:
  Make sure the dst_ip policies are active on the zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the
  more 0 command. Workaround: None.
• CSCse27876—When you press Ctrl-C during the import of a new software version or configuration,
  you interrupt the import process and the CLI session may get disconnected. Workaround: Do not
  press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the
  Detector module. Workaround: None.
• CSCsg42338—The Detector module CPU usage may reach 100 percent. Workaround: Reboot the
  Detector module.
• CSCsq70377—On rare occasions, shortly after the Detector module returns from the Detect to
  the Detect&Learn state, the watchdog process may reload the Detector module. Workaround: None
  required. The reload is the result of the watchdog process recognizing an internal failure, and the
  Detector module is operational once the reload is complete.
Software Version 6.1(2) Resolved and Open Caveats
The following sections contain the resolved and open caveats in software version 6.1(2):
• Software Version 6.1(2) Resolved Caveats
• Software Version 6.1(2) Open Caveats
Software Version 6.1(2) Resolved Caveats
The following caveats were resolved in software version 6.1(2):
• CSCsg76448—Multiple vulnerabilities exist in the OpenSSL library. The vulnerabilities described
  in the Cisco Security Response are present in Guard and Detector sensor software, in versions 5.0(3)
  and higher. See the Cisco Security Response at
  http://www.cisco.com/warp/public/707/cisco-sr-20061108-openssl.shtml
• CSCsh92933—After you enter the tacacs authorization exec tacacs+ command, the show
  running-config command does not display the tacacs authorization exec tacacs command in the
  configuration output.
• CSCsi57942—After you upgrade the Detector module software to version 6.0 or 6.0-XG, SSH and
  WBM connectivity to the module may be lost.
• CSCsj27292—The Detector module does not count bypass filters correctly, which may cause the
  watchdog to reload the Detector module.
• CSCsk40023—The policy snapshot time that is shown in the Web-Based Manager (WBM) or
  Central Manager (CM) is incorrect after an upgrade from version 5.1.
• CSCsk51827—The zone list in the WBM is empty when there are recommendations on at least one
  of the zones.
• CSCsl07921—All reports may be removed during the log rotation procedure.
Software Version 6.1(2) Open Caveats
The following caveats are open in software version 6.1(2):
• CSCsb05557—Remote activation and synchronization processes from a Detector module to a
  Guard do not function when the Detector module is located behind a device that is performing
  Network Address Translation (NAT). Workaround: Reconfigure the network configuration to
  disable NAT.
• CSCsb20206—The Web-Based Manager (WBM) remains unresponsive while the pop-up window
  waits for results from the signature generation process. Even if you close the pop-up window
  manually, the WBM remains unresponsive while signature generation is in progress. Workaround:
  Wait until the pop-up window receives a result, or issue the no service wbm CLI command in
  configuration mode.
• CSCsb29083—You cannot assign an identical name to manual packet dumps that you create in
  different zones. Workaround: Assign unique names to manual packet dumps.
• CSCsc05116—The Detector module may stop functioning or start logging errors after reaching
  100 percent anomaly detection engine memory utilization. Workaround: Use the show resources
  command in global mode to view the amount of anomaly detection engine memory currently being
  used by the Detector module. Reducing the number of active zones may free up memory.
• CSCsc69508—After you import an HTML file to serve as login banner, some SSH clients may not
  be able to connect to the product. Workaround: None.
• CSCsd71002—When you use the dst-ip-by-name activation method to define a zone on the
  Detector and an attack occurs on several IP addresses from the zone range, the Detector does not
  create and activate all child zones that are being attacked. If global policies are active while the
  dst_ip policy is not, only the first recognized IP address is protected successfully. Workaround:
  Make sure the dst_ip policies are active on the zone.
• CSCse08139—The CLI session terminates when you press Ctrl-Z several times after issuing the
  more 0 command. Workaround: None.
• CSCse27876—When you press Ctrl-C during the import of a new software version or configuration,
  you interrupt the import process and the CLI session may get disconnected. Workaround: Do not
  press Ctrl-C during the import process.
• CSCse31042—A zone configuration with ip_scan or port_scan policies cannot be imported into the
  Detector module. Workaround: None.
• CSCsg42338—The Detector module CPU usage may reach 100 percent. Workaround: Reboot the
  Detector module.
• CSCso30607—This caveat applies to the WBM. The following sequence of events causes the
  Detector module to incorrectly measure the traffic rate of a policy and produce dynamic filters even
  though the traffic rate does not exceed the policy threshold and there is no attack on the zone:
  a. You modify a specific policy using the WBM Config Policy screen.
  b. You activate anomaly detection.
  c. The device detects traffic packets associated with the modified policy.
  Workaround: If you can apply the policy change to more than one policy, configure the policies
  using the WBM Config Policy Group screen, which you access by selecting multiple policies to
  configure. If you need to apply the change to one policy only, use the device CLI.
  If the problem already exists, use one of the following methods to correct it:
  – Use the device CLI to export the zone configuration and then import it back under a different
    zone name (do not use the “copy-from” operation).
  – Use the WBM or device CLI to remove the service associated with the policy and then add it
    back to the zone configuration. For example, if the problem exists with the
    http/80/analysis/syns/src_ip policy, remove the http/80 service and then add it back to the zone
    configuration. After you add the service, you must allow the device to perform the threshold
    tuning phase of the learning process. This method does not work for services that are built in,
    such as the tcp_services/any and dns_udp/53 services, because these services cannot be
    removed.
Related Documentation
The following documentation is available for the Cisco Traffic Anomaly Detector Module:
• Cisco Anomaly Guard Module and Traffic Anomaly Detector Module Installation Note
• Cisco Traffic Anomaly Detector Module Configuration Guide
• Cisco Traffic Anomaly Detector Module Web-Based Manager Configuration Guide
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional
information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and
revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed
and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free
service and Cisco currently supports RSS version 2.0.