Cisco Traffic Anomaly Detector User Guide (OL-6109-01)
Chapter 4 Zone Configuration, page 4-19

2. Choose ENTER. The following (partial sample) screen appears:

   admin@DETECTOR-conf-zone-scannet# show policies statistics

   Key              Rate         Policy
   192.168.100.34   73.17        http/80/analysis/syns/dst_ip
   N/A              0.17         http/80/analysis/syns/global

   Key              Ratio        Policy
   192.168.100.34   1.44         tcp_ratio/any/analysis/syn_by_fin/dst_ip_ratio
   80               1.44         tcp_ratio/any/analysis/syn_by_fin/dst_port_ratio

   Key              Connections  Policy
   N/A              429.00       tcp_connections/any/analysis/in_nodata_conns/global

The sample screen shows that the Detector's policies are receiving traffic and
functioning properly.
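As an added example (not from the Cisco guide), here is a small Python parser for the `show policies statistics` screen above. It rebuilds the three per-metric sections, re-joins policy paths that the printout wraps onto their own line, and lists policies that report zero traffic, which is the "receiving traffic" check the sentence above asks the reader to make. The sample text is constructed from the screen above; the class and function names are my own.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample: the page's `show policies statistics` screen
# re-typed, with one policy path wrapped as in the printed manual.
SAMPLE = """\
admin@DETECTOR-conf-zone-scannet# show policies statistics
Key              Rate         Policy
192.168.100.34   73.17        http/80/analysis/syns/dst_ip
N/A              0.17         http/80/analysis/syns/global
Key              Ratio        Policy
192.168.100.34   1.44
tcp_ratio/any/analysis/syn_by_fin/dst_ip_ratio
80               1.44         tcp_ratio/any/analysis/syn_by_fin/dst_port_ratio
Key              Connections  Policy
N/A              429.00       tcp_connections/any/analysis/in_nodata_conns/global
"""

@dataclass
class PolicyStat:
    key: str      # flow key the policy counted ("N/A" for global policies)
    metric: str   # "Rate", "Ratio" or "Connections", from the section header
    value: float
    policy: str   # policy path, e.g. http/80/analysis/syns/dst_ip

def parse_policy_statistics(text: str) -> list[PolicyStat]:
    """Parse the 'Key <Metric> Policy' sections of the screen; a policy
    path wrapped onto its own line is re-joined with the row before it."""
    stats: list[PolicyStat] = []
    metric, pending = None, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "Key" and parts[2] == "Policy":
            metric, pending = parts[1], None          # new section header
            continue
        if metric is None or not parts:
            continue                                  # prompt echo or blank
        if pending and len(parts) == 1:               # wrapped policy path
            parts, pending = [*pending, parts[0]], None
        if len(parts) == 2:                           # policy on next line
            pending = parts
            continue
        if len(parts) == 3 and parts[1].replace(".", "", 1).isdigit():
            stats.append(PolicyStat(parts[0], metric, float(parts[1]), parts[2]))
    return stats

def idle_policies(stats: list[PolicyStat]) -> list[str]:
    """Policies reporting zero traffic: the zone's addresses or the
    monitored link are probably not feeding the Detector."""
    return [s.policy for s in stats if s.value == 0.0]
```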

Zone Detection

After learning the zone traffic characteristics, the Detector is ready for zone
detection. The user may wish to command the Detector to detect right after
completing the zone configuration. The Detector then begins applying its
detection policies.

To detect the zone, perform the following:

1. From the Global command group level, type the following:

   admin@DETECTOR# detect <zone-name>

   Or alternatively, from the Zone command group level, type the following:

   admin@DETECTOR-conf-zone-<zone-name># detect

   Where zone-name specifies a zone name.
