[c-nsp] Cisco Guard and VRF-Lite
Jimmy Changa
jimmy.changa007 at gmail.com
Tue Mar 24 22:32:12 EDT 2009
Good Afternoon,
I’m in the process of setting up a proof of concept on our network for the
Cisco Guard and Detector. I had them up and running for a small /28 test
zone (I’ve attached configs and diagrams). However, in thinking through fully
implementing this into production, I realized that I needed to support the
following:
• Divert only the attack destination IP - I have 4500 customer servers I
need to protect (yes, I know this will require more cards than I am
testing). Unfortunately, the previous networking folks didn’t believe in
proper IP provisioning, so instead of assigning aggregate blocks to
switches, they assigned blocks all over the place. So I need to build zones
based on our ARIN allocation (one per allocation), with the guard only
protecting the /32 under attack (subzones).
• Inject traffic to the correct next hop – I’m not sure this is possible
unless the VRF is aware of the routes on my AGG switches. Can OSPF be
redistributed in to the VRF?
I would like to understand how best to make this a scalable solution. I
envisioned a dedicated 6500 chassis with several guard modules. This chassis
would do IBGP with GWY01, GWY02, GWY03, but how do I handle injecting
traffic to the next hop? I’m attempting to use a VRF and a GRE tunnel for my
test, but the injected traffic is not making its intended destination. I did
check to see if the /32 is being redistributed into my IGRP and it is not. I
also don’t see the /32 in the vrf instance.
GUARD01 Config
interface eth1
ip address 10.10.191.42 255.255.255.252
mtu 1500
no shutdown
exit
interface giga2
mtu 1500
proxy 10.10.191.91
proxy 10.10.191.92
no shutdown
exit
interface giga2.50
ip address 10.10.191.50 255.255.255.252
mtu 1500
no shutdown
exit
interface giga2.51
ip address 10.10.191.90 255.255.255.248
mtu 1500
no shutdown
exit
default-gateway 10.10.191.41
diversion hijacking receive-via-vlan 50
diversion injection 0.0.0.0 0.0.0.0 nexthop 10.10.191.89
6500 - GWY03 Config
anomaly-guard module 9 port 1 allowed-vlan 10
anomaly-guard module 9 port 2 allowed-vlan 50,51
anomaly-guard module 9 port 1 native-vlan 10
!
ip vrf GUARD-VRF
rd 00088:1
import ipv4 unicast map GRT2VRF
!
interface Tunnel1
description [GUARD] Injection Tunnel - AGG01
ip address 10.10.191.45 255.255.255.252
tunnel source 10.10.191.226
tunnel destination x.x.x.x
!
interface Vlan50
description [GUARD] Traffic Diversion Interface - GUARD01
ip vrf forwarding GUARD-VRF
ip address 10.10.191.49 255.255.255.252
!
interface Vlan51
description [GUARD] Traffic Injection Interface - GUARD01
ip vrf forwarding GUARD-VRF
ip address 10.10.191.89 255.255.255.248
!
ip route vrf GUARD-VRF 0.0.0.0 0.0.0.0 XXX.XX.183.37 global ! ISP located on GWY03
ip route vrf GUARD-VRF 10.11.100.0 255.255.255.0 10.10.191.46 global
ip community-list standard RHI-INJECTED permit 00088:666
!
route-map GRT2VRF permit 10
match community RHI-INJECTED
!
route-map STATIC-ROUTES deny 5
match ip address prefix-list Scatology
!
route-map STATIC-ROUTES permit 10
match ip next-hop 50
set community 00088:666
!
route-map STATIC-ROUTES permit 20
match ip address prefix-list ISP-BlackedHole
router bgp 00088
!
address-family ipv4
redistribute static route-map STATIC-ROUTES
exit-address-family
!
address-family ipv4 vrf GUARD-VRF
no synchronization
exit-address-family
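As an added illustration (not part of the original post or its attachments), the following Python script models the GUARD-VRF routing table exactly as it appears in the GWY03 config above (two connected VLAN subnets, the 10.11.100.0/24 static pointing at the tunnel peer, and the default pointing into the global table toward the ISP, whose address the post masks as XXX.XX.183.37) and performs a longest-prefix lookup for a destination, which is what the switch does with a packet the Guard injects on Vlan51. The destination addresses used in the demo are constructed for the example and are not from the post; the script also shows how the lookup result changes when a more specific entry for the protected /32 is present in the VRF, which is one way to see why the author's check for the /32 in the VRF instance is the right thing to look at.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str    # next-hop address, or "connected" for a directly attached subnet
    lookup_in: str   # table in which the next hop is resolved: "vrf" or "global"


def parse_vrf_static(line: str) -> Optional[Route]:
    """Parse an 'ip route vrf <name> <net> <mask> <nh> [global]' line (IOS syntax).

    Trailing '!' comments are stripped. Returns None for lines that are not
    VRF static routes.
    """
    parts = line.split("!")[0].split()
    if parts[:3] != ["ip", "route", "vrf"] or len(parts) < 7:
        return None
    _, _, _, _vrf, net, mask, nh, *rest = parts
    table = "global" if "global" in rest else "vrf"
    return Route(ipaddress.IPv4Network(f"{net}/{mask}"), nh, table)


def connected(interface_cidr: str) -> Route:
    """Connected route derived from an 'ip address' line on a VRF interface."""
    return Route(ipaddress.IPv4Network(interface_cidr, strict=False), "connected", "vrf")


# GUARD-VRF as posted: Vlan50 and Vlan51 are connected, plus the two statics.
# The ISP next hop is kept as the masked value from the post (a placeholder).
GUARD_VRF: List[Route] = [
    connected("10.10.191.49/30"),   # Vlan50, diversion toward GUARD01
    connected("10.10.191.89/29"),   # Vlan51, injection from GUARD01
    parse_vrf_static("ip route vrf GUARD-VRF 0.0.0.0 0.0.0.0 XXX.XX.183.37 global ! ISP"),
    parse_vrf_static("ip route vrf GUARD-VRF 10.11.100.0 255.255.255.0 10.10.191.46 global"),
]


def injected_next_hop(dest: str, routes: List[Route]) -> Tuple[str, str, str]:
    """Longest-prefix match for an injected packet's destination.

    Returns (matched prefix, next hop, table the next hop is resolved in).
    """
    addr = ipaddress.IPv4Address(dest)
    candidates = [r for r in routes if r is not None and addr in r.prefix]
    best = max(candidates, key=lambda r: r.prefix.prefixlen)
    return (str(best.prefix), best.next_hop, best.lookup_in)


def with_protected_host(routes: List[Route], host: str, nh: str) -> List[Route]:
    """Return a copy of the table with a /32 for the host under protection added."""
    extra = parse_vrf_static(f"ip route vrf GUARD-VRF {host} 255.255.255.255 {nh} global")
    return routes + [extra]


if __name__ == "__main__":
    # Constructed sample destinations (not from the post).
    for dest in ("10.11.100.7", "10.11.200.7", "10.10.191.90"):
        print(dest, "->", injected_next_hop(dest, GUARD_VRF))
    # Same host, but with a /32 present in the VRF pointing at the tunnel peer.
    table = with_protected_host(GUARD_VRF, "10.11.200.7", "10.10.191.46")
    print("10.11.200.7 with /32 ->", injected_next_hop("10.11.200.7", table))
```

Running it shows that a destination inside 10.11.100.0/24 resolves to the tunnel peer 10.10.191.46 in the global table, while any protected host outside the prefixes listed in the VRF falls through to the default and is resolved toward the ISP next hop rather than toward an AGG switch; only the connected 10.10.191.88/29 and .48/30 subnets and routes explicitly present in the VRF (statics, or prefixes imported by the GRT2VRF map) are reachable any other way.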