Anomaly Guard and VRF-Lite

Unanswered Question
Mar 24th, 2009

Good Afternoon,

I'm in the process of setting up a proof of concept on our network for the Cisco Guard and Detector. I had them up and running for a small /28 test zone (I've attached configs and diagrams). However, in thinking through fully implementing this into production, I realized that I needed to support the following:

• Divert only the attack destination IP - I have 4500 customer servers I need to protect (yes, I know this will require more cards than I am testing). Unfortunately, the previous networking folks didn't believe in proper IP provisioning, so instead of assigning aggregate blocks to switches, they assigned blocks all over the place. So I need to build zones based on our ARIN allocation (one per allocation), with the guard only protecting the /32 under attack (subzones).

• Inject traffic to the correct next hop - I'm not sure this is possible unless the VRF is aware of the routes on my AGG switches. Can OSPF be redistributed into the VRF?

I would like to understand how best to make this a scalable solution. I envisioned a support 6500 chassis with several guard modules. This chassis would do IBGP with GWY01, GWY02, GWY03, but how do I handle injecting traffic to the next hop? I'm attempting to use a VRF and a GRE tunnel for my test, but the traffic is not making it to the /32. I did check to see if the /32 is being redistributed into my IGRP and it is not. I also don't see the /32 in the vrf instance.
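An illustrative IOS configuration for the injection path the post describes, added here as an example; it is not taken from the poster's attached configs or from Cisco documentation. It assumes an injection VRF named GUARD-INJECT, a GRE tunnel from the Guard-hosting chassis to an aggregation switch (AGG01) that sits downstream of the diverting gateways, a separate OSPF process inside the VRF, and placeholder addresses from private and RFC 5737 space.

```cisco
! Divert side (global table): the Guard announces the attacked /32 over iBGP
! to the gateways, which pull the traffic toward the Guard module.
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000     ! GWY01 (placeholder address)
!
! Injection side: cleaned traffic leaves the Guard into its own VRF, so the
! /32 that was diverted in the global table can never match here and loop
! back into the Guard.
ip vrf GUARD-INJECT
 rd 65000:100
!
interface Tunnel0
 description GRE injection toward AGG01, past the divert point
 ip vrf forwarding GUARD-INJECT
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.1.1           ! AGG01 (placeholder address)
!
! OSPF runs inside the VRF with the aggregation layer, so the VRF learns the
! real next hop for every customer /32 rather than needing a static per server.
! The matching Tunnel0 on AGG01 lives in its global table in the same area.
router ospf 100 vrf GUARD-INJECT
 network 10.255.0.0 0.0.0.3 area 0
!
! Checks, using 198.51.100.10 as a placeholder for the server under attack:
! show ip route 198.51.100.10                  -> must point at the Guard
! show ip route vrf GUARD-INJECT 198.51.100.10 -> must resolve via Tunnel0
! show ip ospf 100 neighbor                    -> adjacency on Tunnel0 FULL
```

If the second check returns no route, the VRF has not learned the prefix from the aggregation layer, which matches the symptom of traffic never reaching the /32.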

