Chapter 4      Zone Configuration
Zone Traffic Learning

Cisco Traffic Anomaly Detector User Guide, OL-6109-01, page 4-14

Where zone-name specifies a zone name.

Note that the Guard enables the use of an asterisk (*) as a wildcard denoting either of the following options:

- All of the Guard's zones. Issuing learning policy-construction * means setting the policy construction phase for all of the Detector's zones.
- A wildcard denoting zone names (e.g., OBL*).

2. Choose ENTER.

Note: Cisco recommends letting the Learning Phase 1 - Policy Construction continue for at least two hours prior to proceeding to the next phase.

Note: Policy Construction cannot be performed for zones based on the bandwidth-limited link templates: LINK_128K, LINK_1M, LINK_4M, LINK_512K.

Terminating Learning Phase 1 - Policy Construction

After a sufficient period of time (see the above note) the user ends the Policy Construction phase. The user may accept the Detector's suggested policies.

The user may instead abort the first phase of the Learning process. In this case, the Detector stops the process and erases all its learned data. As a result, the Detector falls back to its default settings (in the case of a new zone) or to the zone traffic configuration it had prior to the initiation of the learning process.

The user may decide to view the learning process outcomes prior to making a decision. See the "Zone and Learning Phase Snapshot" section in Chapter 7, "Policy Procedures" for further details.
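The following is an added illustration, not code from Cisco or from the Detector itself: a small Python model of the Phase 1 rules described on this page, covering the wildcard zone selection (* for all zones, a prefix such as OBL*), the refusal of bandwidth-limited link templates, the two-hour recommendation, and the accept/abort outcome in which an abort erases the learned data and restores either the prior configuration or, for a new zone, the defaults. The Zone class, its attribute names and the DEFAULT_SETTINGS placeholder are assumptions made for the example.

```python
# Added illustration (not Cisco code): models the Learning Phase 1 rules on this page.
from copy import deepcopy
from fnmatch import fnmatchcase

LINK_TEMPLATES = {"LINK_128K", "LINK_1M", "LINK_4M", "LINK_512K"}
MIN_LEARNING_SECONDS = 2 * 3600              # "at least two hours" recommendation
DEFAULT_SETTINGS = {"policies": "default"}   # constructed stand-in for the zone defaults


class Zone:
    """Minimal zone record; attribute names are assumptions, not the Detector's."""

    def __init__(self, name, template="DEFAULT", policies=None):
        self.name = name
        self.template = template
        self.policies = policies      # None = new zone still on its default settings
        self.learning_since = None    # timestamp (seconds) when Phase 1 started
        self.suggested = None         # policies the Detector proposes while learning
        self._prior = None            # configuration to restore on abort

    def effective(self):
        return self.policies if self.policies is not None else DEFAULT_SETTINGS


def expand_zones(pattern, zones):
    """'*' selects every zone; 'OBL*' selects zones whose name starts with OBL."""
    return [z for z in zones if fnmatchcase(z.name, pattern)]


def policy_construction(pattern, zones, now, suggested):
    """Start Phase 1 on matching zones; bandwidth-limited link templates are refused."""
    started, refused = [], []
    for z in expand_zones(pattern, zones):
        if z.template in LINK_TEMPLATES:
            refused.append(z.name)
            continue
        z._prior = deepcopy(z.policies)
        z.learning_since, z.suggested = now, deepcopy(suggested)
        started.append(z.name)
    return started, refused


def end_policy_construction(zone, now, accept):
    """Accept keeps the suggested policies; abort erases them and restores the
    prior configuration (or the defaults for a new zone). Returns True when the
    phase ran for at least the recommended two hours."""
    if zone.learning_since is None:
        raise ValueError(f"zone {zone.name} is not in Policy Construction")
    long_enough = now - zone.learning_since >= MIN_LEARNING_SECONDS
    zone.policies = zone.suggested if accept else zone._prior
    zone.learning_since = zone.suggested = zone._prior = None
    return long_enough
```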
