[c-nsp] Cisco Guard and VRF-Lite

Jimmy Changa jimmy.changa007 at gmail.com
Tue Mar 24 22:32:12 EDT 2009


Good Afternoon,

I’m in the process of setting up a proof of concept on our network for the
Cisco Guard and Detector. I had them up and running for a small /28 test
zone (I’ve attached configs and diagrams). However, in thinking through fully
implementing this into production, I realized that I needed to support the
following:

• Divert only the attack destination IP - I have 4500 customer servers I
need to protect (yes, I know this will require more cards than I am
testing). Unfortunately, the previous networking folks didn’t believe in
proper IP provisioning, so instead of assigning aggregate blocks to
switches, they assigned blocks all over the place. So I need to build zones
based on our ARIN allocation (one per allocation), with the guard only
protecting the /32 under attack (subzones).
• Inject traffic to the correct next hop – I’m not sure this is possible
unless the VRF is aware of the routes on my AGG switches. Can OSPF be
redistributed into the VRF?

I would like to understand how best to make this a scalable solution. I
envisioned a dedicated 6500 chassis with several guard modules. This chassis
would do iBGP with GWY01, GWY02, GWY03, but how do I handle injecting
traffic to the next hop? I’m attempting to use a VRF and a GRE tunnel for my
test, but the injected traffic is not making it to its intended destination. I
did check to see if the /32 is being redistributed into my IGRP and it is not. I
also don’t see the /32 in the VRF instance.
-------------- next part --------------
GUARD01 Config

interface eth1
  ip address 10.10.191.42 255.255.255.252
  mtu 1500
  no shutdown
exit
interface giga2
  mtu 1500
  proxy 10.10.191.91
  proxy 10.10.191.92
  no shutdown
exit
interface giga2.50
  ip address 10.10.191.50 255.255.255.252
  mtu 1500
  no shutdown
exit
interface giga2.51
  ip address 10.10.191.90 255.255.255.248
  mtu 1500
  no shutdown
exit


default-gateway 10.10.191.41

diversion hijacking receive-via-vlan 50
diversion injection 0.0.0.0 0.0.0.0 nexthop 10.10.191.89


6500 - GWY03 Config

anomaly-guard module 9 port 1 allowed-vlan 10
anomaly-guard module 9 port 2 allowed-vlan 50,51
anomaly-guard module 9 port 1 native-vlan 10 
!
ip vrf GUARD-VRF
 rd 00088:1
 import ipv4 unicast map GRT2VRF
!
interface Tunnel1
 description [GUARD] Injection Tunnel - AGG01
 ip address 10.10.191.45 255.255.255.252
 tunnel source 10.10.191.226
 tunnel destination x.x.x.x
 !
interface Vlan50
 description [GUARD] Traffic Diversion Interface - GUARD01
 ip vrf forwarding GUARD-VRF
 ip address 10.10.191.49 255.255.255.252
!
interface Vlan51
 description [GUARD] Traffic Injection Interface - GUARD01
 ip vrf forwarding GUARD-VRF
 ip address 10.10.191.89 255.255.255.248
!
ip route vrf GUARD-VRF 0.0.0.0 0.0.0.0 XXX.XX.183.37 global ! ISP located on GWY03
ip route vrf GUARD-VRF 10.11.100.0 255.255.255.0 10.10.191.46 global
ip community-list standard RHI-INJECTED permit 00088:666
!
! import into GUARD-VRF only the routes that carry the RHI community
route-map GRT2VRF permit 10
 match community RHI-INJECTED
!
route-map STATIC-ROUTES deny 5
 match ip address prefix-list Scatology
!
! statics whose next hop matches access-list 50 are tagged with the RHI community
route-map STATIC-ROUTES permit 10
 match ip next-hop 50
 set community 00088:666
!
route-map STATIC-ROUTES permit 20
 match ip address prefix-list ISP-BlackedHole
!
router bgp 00088
 !
 address-family ipv4
  redistribute static route-map STATIC-ROUTES
 exit-address-family
 !
 address-family ipv4 vrf GUARD-VRF
  no synchronization
 exit-address-family
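The questions the post raises about the injection path (does the Guard's injection next hop land inside the VRF, does the RHI community on the redistributed statics match what the VRF import map looks for, and which way does the VRF send a cleaned packet for a given victim address) can be checked statically against the two config fragments. The script below is an added example, not code from the original post or from Cisco. It embeds the GUARD01 and GWY03 fragments quoted above, trimmed to the lines the checks need, and uses two constructed attack destinations (10.11.100.10 and 192.0.2.10) that do not appear in the post.

```python
"""Static sanity checks on the posted Cisco Guard diversion/injection design.
Added example, not from the original post or from Cisco; the GUARD01 and GWY03
fragments quoted above are embedded here trimmed to the lines the checks need."""
import ipaddress
import re

GUARD_CFG = """\
interface giga2.51
  ip address 10.10.191.90 255.255.255.248
diversion hijacking receive-via-vlan 50
diversion injection 0.0.0.0 0.0.0.0 nexthop 10.10.191.89
"""

GWY03_CFG = """\
ip vrf GUARD-VRF
 rd 00088:1
 import ipv4 unicast map GRT2VRF
interface Tunnel1
 ip address 10.10.191.45 255.255.255.252
interface Vlan50
 ip vrf forwarding GUARD-VRF
 ip address 10.10.191.49 255.255.255.252
interface Vlan51
 ip vrf forwarding GUARD-VRF
 ip address 10.10.191.89 255.255.255.248
ip route vrf GUARD-VRF 0.0.0.0 0.0.0.0 XXX.XX.183.37 global
ip route vrf GUARD-VRF 10.11.100.0 255.255.255.0 10.10.191.46 global
ip community-list standard RHI-INJECTED permit 00088:666
route-map GRT2VRF permit 10
 match community RHI-INJECTED
route-map STATIC-ROUTES deny 5
 match ip address prefix-list Scatology
route-map STATIC-ROUTES permit 10
 match ip next-hop 50
 set community 00088:666
route-map STATIC-ROUTES permit 20
 match ip address prefix-list ISP-BlackedHole
"""

def parse_interfaces(cfg):
    """{name: (vrf or None, IPv4Interface or None)} for each interface block."""
    ifaces, cur = {}, None
    for line in (raw.strip() for raw in cfg.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = [None, None]
        elif cur and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            ifaces[cur][0] = m.group(1)
        elif cur and (m := re.match(r"ip address (\S+) (\S+)", line)):
            ifaces[cur][1] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return {name: tuple(v) for name, v in ifaces.items()}

def interface_for(cfg, addr):
    """(interface, vrf) whose subnet contains addr, or None; vrf None = global table."""
    addr = ipaddress.IPv4Address(addr)
    for name, (vrf, net) in parse_interfaces(cfg).items():
        if net and addr in net.network:
            return name, vrf
    return None

def injection_nexthop_vrf(guard_cfg, switch_cfg):
    """Where the Guard's injection next hop lands on the switch. It has to be a VRF
    interface: a global-table next hop would resolve the diverted /32 back to the Guard."""
    nh = re.search(r"diversion injection \S+ \S+ nexthop (\S+)", guard_cfg).group(1)
    return interface_for(switch_cfg, nh)

def rhi_community_consistent(switch_cfg):
    """Community stamped on redistributed statics == the one the VRF import map wants."""
    stamped = re.search(r"set community (\S+)", switch_cfg).group(1)
    imp_map = re.search(r"import ipv4 unicast map (\S+)", switch_cfg).group(1)
    clist = re.search(rf"route-map {imp_map} permit \d+\n\s*match community (\S+)", switch_cfg).group(1)
    wanted = re.search(rf"ip community-list standard {clist} permit (\S+)", switch_cfg).group(1)
    return stamped == wanted

def unresolved_references(switch_cfg):
    """Route-map match targets not defined in the fragment (they may exist elsewhere)."""
    missing = [f"prefix-list {m.group(1)}" for m in re.finditer(r"match ip address prefix-list (\S+)", switch_cfg)
               if not re.search(rf"ip prefix-list {m.group(1)} ", switch_cfg)]
    missing += [f"access-list {m.group(1)}" for m in re.finditer(r"match ip next-hop (\d+)", switch_cfg)
                if not re.search(rf"access-list {m.group(1)} ", switch_cfg)]
    return missing

def vrf_lookup(switch_cfg, vrf, dst):
    """Longest-prefix match over the VRF's static routes: (prefix, next hop, via global?)."""
    dst, best = ipaddress.IPv4Address(dst), None
    for m in re.finditer(rf"ip route vrf {vrf} (\S+) (\S+) (\S+)( global)?", switch_cfg):
        net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, m.group(3), m.group(4) is not None)
    return (str(best[0]), best[1], best[2]) if best else None

if __name__ == "__main__":
    print("injection next hop lands on:", injection_nexthop_vrf(GUARD_CFG, GWY03_CFG))
    print("RHI community consistent:", rhi_community_consistent(GWY03_CFG))
    print("unresolved references:", unresolved_references(GWY03_CFG))
    print("tunnel far end 10.10.191.46 is reached via:", interface_for(GWY03_CFG, "10.10.191.46"))
    for victim in ("10.11.100.10", "192.0.2.10"):  # constructed attack destinations
        print(f"VRF path for {victim}:", vrf_lookup(GWY03_CFG, "GUARD-VRF", victim))
```

Run as-is, it reports that the Guard's injection next hop 10.10.191.89 is the Vlan51 SVI inside GUARD-VRF, that the community stamped by STATIC-ROUTES (00088:666) is the one RHI-INJECTED permits, and that the tunnel far end 10.10.191.46 sits on Tunnel1 in the global table, which is why the VRF static needs the `global` keyword to resolve. A cleaned packet for 10.11.100.10 matches the 10.11.100.0/24 static and goes down the tunnel toward AGG01; anything outside that prefix falls to the VRF default and leaves toward the ISP, so every protected aggregate needs a more specific VRF route (or an IGP/BGP feed into the VRF) before it can be diverted. The three unresolved references (prefix-lists Scatology and ISP-BlackedHole, access-list 50) are simply absent from the posted fragment. These are static checks only: they say nothing about what `import ipv4 unicast map GRT2VRF` actually pulls into the VRF at runtime, which `show ip route vrf GUARD-VRF` on the box has to answer.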

