on 02-09-2016 04:59 AM
Quick and dirty copy/paste of the different steps used for this installation on the VSM card.
First, it's important to remember that the system does not operate in stand-alone mode: you need to pair it with a Peakflow SP (the netflow collector, attack detector and controller of the entire solution), and you need to use the proper licenses.
Before you install TMS-VSM software on the VSM blade, do the following:
0. Configure "allow TFTP" in the CoPP:
control-plane
 management-plane
  inband
   interface all
    allow TFTP
1. Insert the VSM blade in the ASR 9000 router backplane
2. Connect a serial console or laptop to the ASR 9000 router
3. Use telnet or ssh to log on to the CLI of the ASR 9000 router that has the VSM blade
4. Use the ASR 9000 CLI to perform the following tasks:
virtual-service enable
commit
- Verify that virtual services are initialized with:
show virtual-service list
- Enter the following commands to uninstall any existing services on the VSM blade:
config
no virtual-service tmsX
commit
exit
virtual-service uninstall name tmsX
To install the TMS-VSM software on the VSM blade:
1. Log on to the CLI of the ASR 9000 router that has the VSM blade.
2. To copy the .ova file to the router:
copy tftp:/Peakflow-TMS-7.0-EKU0.ova disk0:
Use the correct path/filename for your build.
- At the prompt Address or name of remote host[]?, type the IP address for the remote host (for example, 10.8.22.116)
- At the prompt Destination filename, press Enter.
3. To verify that the .ova file was copied:
dir disk0:
The file should appear at the end of the directory file list.
4. To find the node name for your VSM blade:
show inventory all | include "Virtualized Services Module"
The node name will be of the form 0/slot/CPU0.
Note: To verify the node name:
show virtual-service list
5. To install the virtual service:
virtual-service install name tms3 package /disk0:/Peakflow-TMS-7.0-EKU0.ova node 0/n/CPU0
where:
n = the slot number for the VSM blade.
Allow approximately 10 to 12 minutes for installation to complete.
6. To verify that the virtual service is installed:
show virtual-service list
Note: If the installation is initializing, this show command does not show any data. If the installation is in progress, this command shows the message Installing. When installation is complete, rerun this show command to verify that the virtual service is listed as installed.
To map VNIC interfaces on the router to TMS interfaces on the VSM blade:
1. To map the interfaces, enter the following commands, replacing n with the slot number for the VSM blade:
virtual-service enable
virtual-service tmsn
vnic interface TenGigE0/n/1/0
vnic interface TenGigE0/n/1/1
vnic interface TenGigE0/n/1/2
vnic interface TenGigE0/n/1/3
vnic interface TenGigE0/n/1/4
vnic interface TenGigE0/n/1/5
vnic interface TenGigE0/n/1/6
vnic interface TenGigE0/n/1/7
vnic interface TenGigE0/n/1/8
vnic interface TenGigE0/n/1/9
vnic interface TenGigE0/n/1/10
vnic interface TenGigE0/n/1/11
commit
activate
commit
To verify that all interfaces are activated:
show virtual-service list
2. Create the interface bundle for the mitigation interfaces (tmsx0-3 and tmsx7-10) and the bundle subinterfaces
3. Set up the management interfaces (tmsx5-6)
4. Set up the unused interfaces (tmsx4 and tmsx11)
The configuration will finally look like this:
vrf onRamp
 address-family ipv4 unicast
 !
 address-family ipv6 unicast
 !
!
vrf offRamp
 address-family ipv4 unicast
 !
 address-family ipv6 unicast
 !
!
snmp-server host 25.2.1.10 traps arbor
snmp-server community arbor
virtual-service enable
virtual-service TMS1
 vnic interface TenGigE0/1/1/0
 vnic interface TenGigE0/1/1/1
 vnic interface TenGigE0/1/1/2
 vnic interface TenGigE0/1/1/3
 vnic interface TenGigE0/1/1/4
 vnic interface TenGigE0/1/1/5
 vnic interface TenGigE0/1/1/6
 vnic interface TenGigE0/1/1/7
 vnic interface TenGigE0/1/1/8
 vnic interface TenGigE0/1/1/9
 vnic interface TenGigE0/1/1/10
 vnic interface TenGigE0/1/1/11
 activate
!
control-plane
 management-plane
  inband
   interface TenGigE0/2/0/6
    allow TFTP
    allow SNMP
    allow SNMP peer
     address ipv4 25.2.1.10
    !
   !
  !
 !
!
interface Bundle-Ether2
 description bundle to-from vsm1
 load-interval 30
!
interface Bundle-Ether2.100
 description offramp subinterface
 ipv4 address 13.37.13.37 255.255.255.252
 bundle load-balancing hash src-ip
 load-interval 30
 encapsulation dot1q 100
!
interface Bundle-Ether2.101
 description onramp subinterface
 vrf onRamp
 ipv4 address 13.37.13.41 255.255.255.252
 load-interval 30
 encapsulation dot1q 101
!
interface Loopback0
 ipv4 address 4.4.4.4 255.255.255.255
!
interface MgmtEth0/RSP0/CPU0/0
 ipv4 address 1.2.3.4 255.255.255.0
!
interface TenGigE0/1/1/0
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/1
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/2
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/3
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/4
 load-interval 30
!
interface TenGigE0/1/1/5
 description mgt0 on TMS1
 ipv4 address 25.3.1.1 255.255.255.0
 load-interval 30
!
interface TenGigE0/1/1/6
 description mgt1 on TMS1
 load-interval 30
!
interface TenGigE0/1/1/7
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/8
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/9
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/10
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/11
 shutdown
!
The last step consists of configuring the BGP peers and BGP flowspec peers according to the diversion (offRamp/onRamp) strategy.
—————
virtual-service connect name TMS1 console node 0/1/CPU0
Sun Dec 7 17:31:13.867 UTC
Trying 192.0.131.3...
Connected to 192.0.131.3.
Escape sequence is '^^e'.
010: Using CD-ROM
018: No system configuration found
020: Configuring CD-ROM
Do you want to begin the install process?
This will remove all current data and configuration [n/y] y
Initializing filesystem "boot"..........................done.
Writing boot blocks....done.
Initializing filesystem "system"..........................done.
Initializing filesystem "data"..........................done.
Initializing swap partition......done.
system: clean, 11/512064 files, 53444/2048000 blocks
data: clean, 11/407360 files, 53327/3107840 blocks
boot: clean, 28/128016 files, 26963/510976 blocks
Installing software package "cdrom:arbos-6.1-ELDN-x86_64"
Extracting package...done.
Changes to ArbOS will take effect after the next reload.
Installing software package "cdrom:Peakflow-TMS-7.0-ELDN-vm"
Extracting package...done.
Collecting inventory information..done
Building databases.......................................................................done.
system: clean, 24175/512064 files, 171499/2048000 blocks
data: clean, 419/407360 files, 61114/3107840 blocks
boot: clean, 64/128016 files, 129079/510976 blocks
005: Configuring swap devices
006: Configuring software packages
Collecting inventory information..done
007: Restoring system configuration
020: Configuring CD-ROM
021: Done rc.sysinit
ArbOS/6.1 (arbos)
arbos login: admin
Password:
Peakflow TMS v7.0
Copyright (c) 2000-2014 Arbor Networks, Inc. All Rights Reserved.
Welcome to ArbOS
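Added example (not part of the post above, and not Cisco or Arbor tooling): a small Python linter for a router config fragment like the one pasted above. It reports the things that cost time on a first install: a VRF referenced on a subinterface but never defined (XR VRF names are case-sensitive, so onramp and onRamp are two different VRFs), VSM VNICs of the slot that are not mapped under virtual-service, bundle members that are not mapped VNICs or whose Bundle-Ether does not exist, and an snmp-server community with no IPv4/IPv6 ACL (anything that can reach the router can poll it). It also derives the TMS-side address of each /30 ramp subinterface, i.e. the address to configure on the TMS for that ramp. The embedded sample is a trimmed copy of the config above, constructed here; the slot number and the ACL name in the usage note are assumptions.

```python
"""Lint an IOS XR config fragment for an Arbor TMS-on-VSM deployment.

Added example, not code from the original post or from Cisco/Arbor.  Reads
running-config text (indented or flattened, as pasted above) and checks:
  * every VRF referenced on an interface is defined, case-sensitively
  * all 12 VSM VNICs of the slot are mapped under virtual-service
  * every bundle member is a mapped VNIC and its Bundle-Ether exists
  * snmp-server community lines carry an IPv4/IPv6 ACL
and derives the TMS-side address of each /30 ramp subinterface.
"""
import ipaddress

TMS_SLOT = 1                                  # assumption: VSM blade in 0/1/CPU0, as in the post
MITIGATION_PORTS = (0, 1, 2, 3, 7, 8, 9, 10)  # tmsx0-3 and tmsx7-10 go into the bundle

# Constructed sample: a trimmed copy of the router config pasted above.  It keeps
# the two things worth catching: 'vrf onramp' vs 'vrf onRamp', and an SNMP
# community with no ACL.
SAMPLE_CONFIG = "\n".join(
    ["vrf onRamp", " address-family ipv4 unicast", " !", "!",
     "vrf offRamp", " address-family ipv4 unicast", " !", "!",
     "snmp-server host 25.2.1.10 traps arbor",
     "snmp-server community arbor",
     "virtual-service enable",
     "virtual-service TMS1"]
    + [f" vnic interface TenGigE0/{TMS_SLOT}/1/{i}" for i in range(12)]
    + [" activate", "!",
       "interface Bundle-Ether2", " description bundle to-from vsm1", "!",
       "interface Bundle-Ether2.100", " description offramp subinterface",
       " ipv4 address 13.37.13.37 255.255.255.252", " encapsulation dot1q 100", "!",
       "interface Bundle-Ether2.101", " description onramp subinterface", " vrf onramp",
       " ipv4 address 13.37.13.41 255.255.255.252", " encapsulation dot1q 101", "!",
       f"interface TenGigE0/{TMS_SLOT}/1/5", " description mgt0 on TMS1",
       " ipv4 address 25.3.1.1 255.255.255.0", "!"]
    + [line for i in MITIGATION_PORTS
       for line in (f"interface TenGigE0/{TMS_SLOT}/1/{i}", " bundle id 2 mode on", "!")]
)


def lint_tms_config(config, slot):
    """Return {'findings': [...], 'peers': {subif: tms_side_ip}, 'vnics': set()}."""
    findings, peers = [], {}
    defined_vrfs, vrf_refs = set(), {}
    vnics, interfaces, members = set(), set(), {}
    ctx = None  # ('interface', name) | ('vs', name) | None; any '!' closes the block
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "!":
            ctx = None
        elif tok[0] == "interface" and len(tok) == 2:
            ctx = ("interface", tok[1])
            interfaces.add(tok[1])
        elif tok[0] == "virtual-service" and len(tok) == 2 and tok[1] != "enable":
            ctx = ("vs", tok[1])
        elif tok[0] == "vrf" and len(tok) == 2:
            if ctx and ctx[0] == "interface":
                vrf_refs[ctx[1]] = tok[1]      # reference on an interface
            else:
                defined_vrfs.add(tok[1])       # global definition
        elif tok[:2] == ["vnic", "interface"] and ctx and ctx[0] == "vs":
            vnics.add(tok[2])
        elif tok[:2] == ["bundle", "id"] and ctx and ctx[0] == "interface":
            members[ctx[1]] = tok[2]
        elif tok[:2] == ["ipv4", "address"] and ctx and ctx[0] == "interface":
            net = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
            if net.network.prefixlen == 30:    # point-to-point ramp: the other host is the TMS
                peers[ctx[1]] = str(next(h for h in net.network.hosts() if h != net.ip))
        elif tok[:2] == ["snmp-server", "community"] and not {"IPv4", "IPv6"} & set(tok):
            findings.append(f"snmp community '{tok[2]}' has no IPv4/IPv6 ACL: "
                            "anyone who can reach the router can poll it")

    for iface, vrf in vrf_refs.items():
        if vrf not in defined_vrfs:
            hint = [d for d in defined_vrfs if d.lower() == vrf.lower()]
            msg = f"{iface}: vrf '{vrf}' is not defined"
            if hint:
                msg += f" (did you mean '{hint[0]}'? XR VRF names are case-sensitive)"
            findings.append(msg)
    expected = {f"TenGigE0/{slot}/1/{i}" for i in range(12)}
    findings += [f"{v}: VSM VNIC not mapped under virtual-service" for v in sorted(expected - vnics)]
    for iface, bid in sorted(members.items()):
        if iface not in vnics:
            findings.append(f"{iface}: bundle {bid} member is not a mapped VSM VNIC")
        if f"Bundle-Ether{bid}" not in interfaces:
            findings.append(f"{iface}: Bundle-Ether{bid} is not configured")
    return {"findings": findings, "peers": peers, "vnics": vnics}


if __name__ == "__main__":
    result = lint_tms_config(SAMPLE_CONFIG, TMS_SLOT)
    for subif, tms_ip in result["peers"].items():
        print(f"{subif}: configure {tms_ip} on the TMS side")
    for f in result["findings"]:
        print("FINDING:", f)
```

Feed it the text of `show running-config` saved from the router. On the sample it reports the onramp/onRamp mismatch and the bare community, and prints 13.37.13.38 and 13.37.13.42 as the TMS-side addresses of the offramp and onramp /30s. Adding an ACL to the community (for example `snmp-server community arbor RO IPv4 SNMP-MGMT`, ACL name assumed) and fixing the VRF case clears both findings.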
———————————————————————————————————
Hi All,
Could someone please support me on my previous request?
Thanks,
Haitham Jneid
Hey Haitham,
I need resources about the following if possible:
- Installation/Configuration of VSM inside ASR9000
- Pair VSM TMS with Peakflow SP
- Netflow/BGP configuration on TMS,ASR and Peakflow SP
- TMS policies/rules configuration guide
- Install/activate licenses
As you know, you need to have a TMS appliance to set the rules for scrubbing the packets.
If you have that, then you will get the license (which you need to purchase) to run the DDoS solution using the ASR9000/VSM card with Arbor components like the SP collector platform and the threat management system.
Below is the link which gives you more insight into this solution:
https://supportforums.cisco.com/document/12449061/arbor-peakflow-ddos-mitigation-asr-9000-vsm
This support forum page has the VSM and TMS OVA config guidelines.
Please go through it and let us know if you need any clarity.
Information about BGP flowspec you can find at the link below:
https://supportforums.cisco.com/document/12226726/asr9000xr-understanding-bgp-flowspec-bgp-fs
If you have the physical setup ready and are seeing more challenges, then I request you to open a TAC case and share the SR number with us.
We will assist you further on that.
HTH
Thanks
Nitin Pabbi
Hi All,
!
interface Bundle-Ether2
 description bundle to-from vsm1
 load-interval 30
!
interface Bundle-Ether2.100
 description offramp subinterface
 ipv4 address 13.37.13.37 255.255.255.252
 bundle load-balancing hash src-ip
 load-interval 30
 encapsulation dot1q 100
On which interface should I assign 13.37.13.38 255.255.255.252?
!
interface Bundle-Ether2.101
 description onramp subinterface
 vrf onRamp
 ipv4 address 13.37.13.41 255.255.255.252
 load-interval 30
 encapsulation dot1q 101
On which interface should I assign 13.37.13.42 255.255.255.252?
!
interface TenGigE0/1/1/0
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/1
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/2
 bundle id 2 mode on
 load-interval 30
!
interface TenGigE0/1/1/3
 bundle id 2 mode on
 load-interval 30
For bundle id 2, which is used in this configuration for interfaces TenGigE0/1/1/0, 1, 2, 3 as above, where is the other end of this bundle?
!
interface TenGigE0/1/1/5
 description mgt0 on TMS1
 ipv4 address 25.3.1.1 255.255.255.0
 load-interval 30
Is this interface on the VSM card itself, and where do I configure the gateway for this interface?
I know that we have to do BGP peering between the TMS and the ASR9000 and also between the CP and the ASR9000.
How do I configure BGP between the ASR9000 and the TMS which is held on the VSM card? Which IP address/interfaces are used to do BGP peering? Is it the Mgmt0 on the TMS or the OFF/ON RAMP interfaces?
Can you paste a sample BGP configuration for this setup?
thanks,
Haitham Jneid
Dears,
Could someone kindly support me on my previous request?
Much appreciated.
thanks,
Haitham Jneid
Hi Nitin,
Could you please support me on my previous request?
Also, where can I find how to configure the TMS on the VSM via the GUI? Any documents?
thanks,
Haitham Jneid
Hi Haitham,
Do you have a valid service contract for the VSM? If yes, then you can contact TAC
via this link:
https://mycase.cloudapps.cisco.com/case
Go to "Ask a question" and they will help you out.
Hi smailmilak,
Actually, I am preparing for a project and still don't have a BoQ; that's why I need to understand the solution more.
I already implemented such a project, but it was totally on Arbor appliances. This project will be using the ASR9K VSM to act as the TMS.
If you have any documents that can support me, kindly share them.
thanks,
Haitham Jneid
hi Haitham,
have you looked into this document:
https://supportforums.cisco.com/document/12449061/arbor-peakflow-ddos-mitigation-asr-9000-vsm
/Aleksandar
Hi Aleksandar,
Yes, I went through it and it was very useful, but I need to know the exact BGP configuration from the ASR side and from the VSM TMS side. A real example if possible.
thanks,
Haitham Jneid
Hey Haitham,
OK, let's understand the solution requirements, the TMS/vSP roles, and then the config flow here:
Requirements:
1. VSM-500 card
2. One Peakflow TMS (Threat Management System)
3. vSP (this is the collector which manages the TMS)
4. Arbor DDoS license
TMS/SP roles:
Arbor Peakflow SP is for management and collection, whereas
Arbor Peakflow vTMS on the VSM-500 is for scrubbing and mitigation of traffic.
The Threat Management System (TMS) is Arbor OS, which is designed for operation on the VSM-500 card using Linux KVM (kernel-based virtual machine) software.
Communication of QNX with the TMS happens over vNIC interfaces; some interfaces we can use for management (accessibility to the TMS) and some for TMS mitigation.
Configuring the management ports helps you to manage the TMS through the GUI.
Config flow:
1. First you need to install the TMS OVA.
2. After installing the OVA, configure the interfaces with the IP addresses suggested above.
3. BGP config: peering to divert traffic to the TMS for scrubbing
4. Configure NetFlow to export packets to the SP
5. Optimize SP rules if needed
Your questions:
1. The offramp interface is to divert traffic from the network to the TMS (scrubber), which is installed on the ASR9k VSM-500 card. The other side of this IP is at the TMS.
2. The onramp interface is for re-injecting the legit traffic from the TMS back into the network via the router. The other side of this IP is at the TMS.
interface Bundle-Ether2.100
 description offramp subinterface
 ipv4 address 13.37.13.37 255.255.255.252
 bundle load-balancing hash src-ip
 load-interval 30
 encapsulation dot1q 100
On which interface should I assign 13.37.13.38 255.255.255.252?
!
interface Bundle-Ether2.101
 description onramp subinterface
 vrf onRamp
 ipv4 address 13.37.13.41 255.255.255.252
 load-interval 30
 encapsulation dot1q 101
On which interface should I assign 13.37.13.42 255.255.255.252?
3. The bundle is made over the vNIC interfaces, which are connected to the Linux host that runs the TMS. Make sure you apply the CLI "bundle load-balancing hash src-ip" on the bundle interface for proper load balancing.
For bundle id 2, which is used in this configuration for interfaces TenGigE0/1/1/0, 1, 2, 3 as above, where is the other end of this bundle?
4. Here is the VSM architecture, to understand where these NIC interfaces are connected.
5. This is the MGMT interface for accessibility of the TMS via the GUI.
Is this interface on the VSM card itself, and where do I configure the gateway for this interface?
6.
How do I configure BGP between the ASR9000 and the TMS which is held on the VSM card? Which IP address/interfaces are used to do BGP peering? Is it the Mgmt0 on the TMS or the OFF/ON RAMP interfaces?
Once you install the TMS, you need to access it by using the CLI:
virtual-service connect name <> console node X/n/CPU0, and then press ENTER
You will be prompted with the options below:
Do you want to begin the install process?
This will remove all current data and
configuration [n/y] y
System hostname? [arbos] router_name
IP address for interface mgt0: [none] mgt0_address
Netmask for interface mgt0: [255.255.255.0] netmask (you should use a /30 pool)
Media for interface mgt0: [none] (skip)
IP address for interface mgt1: [none] (skip)
Default route: [none] df_rte_address (this is to match the IP address for TMS interface TenGigE0/1/1/5)
set on router>
bgp access from which network? [done] 0.0.0.0/0
bgp access from which network? [done] ::/0 (for IPv6)
bgp access from which network? [done]
http access from which network? [done]
https access from which network? [done] 0.0.0.0/0
https access from which network? [done] ::/0 (for IPv6)
https access from which network? [done]
ping access from which network? [done] 0.0.0.0/0
ping access from which network? [done] ::/0 (for IPv6)
ping access from which network? [done]
snmp access from which network? [done] 0.0.0.0/0
snmp access from which network? [done] ::/0 (for IPv6)
snmp access from which network? [done]
telnet access from which network? [done]
ssh access from which network? [done] 0.0.0.0/0
ssh access from which network? [done] ::/0 (for IPv6)
ssh access from which network? [done]
Generating new SSH host key file.....done.
Current time and date: [181002062017.24] date and time
NTP server IP address: [done] ntp_svr_addr1
NTP server IP address: [done] ntp_svr_addr2
NTP server IP address: [done]
Press ENTER to reboot
After reboot:
At the login prompt, type admin, and then press ENTER
At the password prompt, type arbor, and then press ENTER
Change the administrator password. Type / services aaa local password admin interactive, and then press ENTER
a. Type the new password, and then press ENTER
b. Re-type the new password, and then press ENTER
Type / services tms start, and then press ENTER
Commit the configuration changes. Type / config write, and then press ENTER
To log off, type exit, and then press ENTER
7.
Can you paste a sample BGP configuration for this setup?
router bgp 65000
 bgp router-id <rtr_id>
 address-family ipv4 unicast
 !
 address-family ipv4 flowspec
 !
 neighbor-group ibgp-routers
  remote-as 1
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
  !
 !
 neighbor-group ibgp-flowspec
  remote-as 1
  update-source <interface>
  address-family ipv4 flowspec
  !
 !
 neighbor <ip>
  use neighbor-group ibgp-routers
 !
 neighbor <ip>
  remote-as 1
  use neighbor-group ibgp-flowspec
  address-family ipv4 unicast
  !
 !
!
flowspec
 local-install interface-all
In case you get stuck further, I recommend you open a TAC case, where we can access your network and help you in setting up the solution.
Thanks
Nitin Pabbi
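Added example (not part of the reply above, and not Arbor's software): the first-boot wizard walkthrough above answers 0.0.0.0/0 and ::/0 for bgp, https, ping, snmp and ssh, which opens every service on mgt0 to anything that can route to it. The Python below models those access-list answers, flags default routes, very wide prefixes and telnet, and builds a least-privilege answer set from the hosts that actually need each service: the router's BGP source addresses for bgp, the management/SP prefixes for https, ssh and ping, and the SP collector for snmp. The addresses are assumptions taken from the configs in this thread (Loopback0 4.4.4.4, ramp /30 router side 13.37.13.37 and 13.37.13.41, mgt0 subnet 25.3.1.0/24, SP collector 25.2.1.10); which address the router actually sources the TMS session from depends on your update-source, so adjust the bgp list accordingly.

```python
"""Review the network-access answers given to the ArbOS first-boot wizard.

Added example, not from the thread or from Arbor.  review_access_answers()
flags wizard answers that expose a service to the whole Internet (0.0.0.0/0,
::/0), prefixes wider than a sane minimum, and telnet being enabled at all.
restricted_answers() builds the answer set you would type instead.  The
addresses in __main__ are assumptions taken from the configs in this thread.
"""
import ipaddress

SERVICES = ("bgp", "http", "https", "ping", "snmp", "telnet", "ssh")

# Constructed: the answers as typed in the walkthrough; [done] with no entry == [].
WALKTHROUGH_ANSWERS = {
    "bgp": ["0.0.0.0/0", "::/0"],
    "http": [],
    "https": ["0.0.0.0/0", "::/0"],
    "ping": ["0.0.0.0/0", "::/0"],
    "snmp": ["0.0.0.0/0", "::/0"],
    "telnet": [],
    "ssh": ["0.0.0.0/0", "::/0"],
}


def review_access_answers(answers, min_prefixlen=(16, 64)):
    """Return findings for default routes, very wide prefixes and telnet."""
    findings = []
    for svc in SERVICES:
        for cidr in answers.get(svc, []):
            net = ipaddress.ip_network(cidr, strict=False)
            limit = min_prefixlen[0] if net.version == 4 else min_prefixlen[1]
            if net.prefixlen == 0:
                findings.append(f"{svc}: {cidr} admits the whole IPv{net.version} Internet")
            elif net.prefixlen < limit:
                findings.append(f"{svc}: {cidr} is wider than /{limit}")
    if answers.get("telnet"):
        findings.append("telnet: enabled; the wizard offers ssh, use that instead")
    return findings


def restricted_answers(bgp_sources, mgmt_nets, snmp_managers):
    """Answers that admit only hosts with a reason to talk to the TMS.

    bgp_sources   - addresses the router sources its BGP sessions from
                    (assumption: Loopback0 and the router side of each ramp /30)
    mgmt_nets     - prefixes operators and the Peakflow SP use for https/ssh
    snmp_managers - hosts that poll SNMP (the SP collector)
    Everything is normalised to CIDR so it can be typed into the wizard prompts.
    """
    def as_net(x):
        return str(ipaddress.ip_network(x, strict=False))   # bare host -> /32 or /128

    def nets(xs):
        return sorted({as_net(x) for x in xs})

    return {
        "bgp": nets(bgp_sources),
        "http": [],          # plain HTTP stays closed
        "https": nets(mgmt_nets),
        "ping": nets(mgmt_nets),
        "snmp": nets(snmp_managers),
        "telnet": [],        # never open telnet; ssh only
        "ssh": nets(mgmt_nets),
    }


if __name__ == "__main__":
    for f in review_access_answers(WALKTHROUGH_ANSWERS):
        print("FINDING:", f)
    good = restricted_answers(["4.4.4.4", "13.37.13.37", "13.37.13.41"],
                              ["25.3.1.0/24", "25.2.1.0/24"], ["25.2.1.10"])
    for svc in SERVICES:
        print(f"{svc} access from which network? -> {' '.join(good[svc]) or '[done]'}")
```

Against the walkthrough answers it produces ten findings (two default routes for each of the five opened services); the restricted set produces none and still lets the router peer BGP, the SP poll SNMP and operators reach the GUI and ssh. Remember that these lists only guard mgt0 on the TMS; they do not replace the CoPP on the router.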
Haitham,
There should be no difference in BGP config whether you use ASR9K with VSM or an Arbor appliance.
Thanks
Vincent
Hi Nitin,
I really appreciate your informative feedback. could you please explain for me the BGP flowspec config.
router bgp 65000
 bgp router-id <rtr_id>
 address-family ipv4 unicast
 !
 address-family ipv4 flowspec
 !
 neighbor-group ibgp-routers   // for which purpose is this group created?
  remote-as 1
  update-source Loopback0
  address-family ipv4 unicast
   next-hop-self
  !
 !
 neighbor-group ibgp-flowspec   // for which purpose is this group created?
  remote-as 1
  update-source <interface>   // is this interface the Mgmt interface TenGigE0/1/1/5?
  address-family ipv4 flowspec
  !
 !
 neighbor <ip>
  use neighbor-group ibgp-routers
 !
 neighbor <ip>
  remote-as 1
  use neighbor-group ibgp-flowspec
  address-family ipv4 unicast
  !
 !
!
flowspec
 local-install interface-all
Why do we have 2 neighbor statements? Is the neighbor IP in both statements the same IP?
I used to know that only one BGP neighbor statement is required between the TMS and the ASR9K.
What about the BGP neighbor between the ASR and the Arbor Peakflow SP?
Thanks Nitin.
much appreciated.
Haitham Jneid