I'm in the process of setting up a proof of concept on our network for the Cisco Guard and Detector. I had them up and running for a small /28 test zone (I've attached configs and diagrams) However, in thinking through fully implementing this into production, I realized that I needed to support the following:
• Divert only the attack destination IP - I have 4500 customer servers I need to protect (yes, I know this will require more cards than I am testing). Unfortunately, the previous networking folks didn't believe in proper IP provisioning, so instead of assigning aggregate blocks to switches, they assigned blocks all over the place. So I need to build zones based on our ARIN allocation (one per allocation), with the guard only protecting the /32 under attack (subzones).
• Inject traffic to the correct next hop - I'm not sure this is possible unless the VRF is aware of the routes on my AGG switches. Can OSPF be redistributed into the VRF?
I would like to understand how best to make this a scalable solution. I envisioned a support 6500 chassis with several guard modules. This chassis would do iBGP with GWY01, GWY02, and GWY03, but how do I handle injecting traffic to the next hop? I'm attempting to use a VRF and a GRE tunnel for my test, but the traffic is not making it to the /32. I did check to see if the /32 is being redistributed into my IGRP, and it is not. I also don't see the /32 in the VRF instance.