Cisco Support Community
Anomaly Guard and VRF-Lite

Good Afternoon,

I'm in the process of setting up a proof of concept on our network for the Cisco Guard and Detector. I had them up and running for a small /28 test zone (I've attached configs and diagrams). However, in thinking through fully implementing this into production, I realized that I needed to support the following:

• Divert only the attack destination IP - I have 4500 customer servers I need to protect (yes, I know this will require more cards than I am testing). Unfortunately, the previous networking folks didn't believe in proper IP provisioning, so instead of assigning aggregate blocks to switches, they assigned blocks all over the place. So I need to build zones based on our ARIN allocation (one per allocation), with the guard only protecting the /32 under attack (subzones).

• Inject traffic to the correct next hop - I'm not sure this is possible unless the VRF is aware of the routes on my AGG switches. Can OSPF be redistributed into the VRF?

I would like to understand how best to make this a scalable solution. I envisioned a support 6500 chassis with several guard modules. This chassis would do IBGP with GWY01, GWY02, GWY03, but how do I handle injecting traffic to the next hop? I'm attempting to use a VRF and a GRE tunnel for my test, but the traffic is not making it to the /32. I did check to see if the /32 is being redistributed into my IGRP and it is not. I also don't see the /32 in the vrf instance.
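For readers following the injection-leg problem described in the post, the following is an added illustration and not the poster's attached configuration (which is not reproduced on this page). It shows the generic IOS VRF-Lite pattern the question is about: a dedicated injection VRF, a GRE tunnel placed inside that VRF, and a /32 route for the protected host that exists only in the VRF, so cleaned traffic leaving the Guard is forwarded towards the real next hop instead of being diverted back to the Guard by the /32 in the global table. The VRF name, RD, tunnel endpoints, the protected address 192.0.2.5 and the downstream next hop 198.51.100.2 are all placeholders chosen for this example; the Guard-side divert/BGP configuration is deliberately not shown.

```cisco
! --- Added example (placeholder addresses), not the poster's config ---
! Injection VRF: keeps the cleaned-traffic forwarding decision separate
! from the global table where the Guard's diverted /32 lives.
ip vrf INJECT
 rd 65000:1

! GRE tunnel towards the aggregation switch, placed inside the VRF.
! tunnel source/destination are resolved in the global table by default.
interface Tunnel0
 description Injection path to AGG (example)
 ip vrf forwarding INJECT
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.2

! Interface facing the Guard module, also in the VRF, so packets the Guard
! returns are looked up in INJECT rather than in the global table.
interface GigabitEthernet1/1
 description Guard return (inject) interface (example)
 ip vrf forwarding INJECT
 ip address 10.255.1.1 255.255.255.252

! The protected /32 must be reachable inside the VRF. A static route per
! protected host (or per subzone) towards the tunnel is the simplest form;
! 198.51.100.2 is the tunnel far end on the AGG side in this example.
ip route vrf INJECT 192.0.2.5 255.255.255.255 Tunnel0 10.255.0.2

! Alternative to per-host statics: an OSPF process bound to the VRF, which
! requires the AGG side to peer on a VRF-aware (tunnel) interface.
router ospf 10 vrf INJECT
 network 10.255.0.0 0.0.0.3 area 0

! --- Checks a practitioner would run ---
! Confirm the /32 is present in the VRF table and points at the tunnel:
! show ip route vrf INJECT 192.0.2.5
! Confirm the tunnel is up/up and has a VRF-aware forwarding entry:
! show ip interface brief | include Tunnel0
! show ip cef vrf INJECT 192.0.2.5
```

The symptom in the post (the /32 missing from the VRF instance) is what the last checks are meant to surface: if `show ip route vrf INJECT` has no entry for the host, the Guard's returned packets have nowhere to go inside the VRF, regardless of what the global table or the IGP knows about that address.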