Cisco DDoS Solution Design & Technical Review
Cisco Systems Korea, Solution S.E Team, 최우형 ([email protected])
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential.



Page 2: Hijacking / Injection

- L2 Hijacking / L2 Injection
- L3 Hijacking / L2 Injection
- L3 Hijacking / L3 PBR Injection
- L3 Hijacking / L3 VRF Injection
- L2 Hijacking / L3 PBR Injection
- L2 Hijacking / L3 VRF Injection

Page 3: L2 Hijacking / L2 Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC ports Gi1/1, Gi1/2]

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Page 4: L2 Hijacking / L2 Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC ports Gi1/1, Gi1/2]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

Callout: an access-port setting is also possible.

Page 5: Hijacking / Injection (agenda repeated; see Page 2)

Page 6: L3 Hijacking / L2 Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC routed (L3) port 192.168.128.0/24 .254; MSFC port Gi1/2]

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Page 7: L3 Hijacking / L2 Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC routed (L3) port 192.168.128.0/24 .254; MSFC port Gi1/2]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 ip address 192.168.128.254 255.255.255.0
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

Page 8: Hijacking / Injection (agenda repeated; see Page 2)

Page 9: L3 Hijacking / L3 Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254); MSFC routed (L3) ports 192.168.128.0/24 .254 and 64.0.0.0/24 (Gi1/2); injection next hop 192.168.200.254]

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.254

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Page 10: L3 Hijacking / L3 PBR Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254); MSFC routed (L3) port 64.0.0.0/24 (Gi1/2, .254; next hop .1)]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 ip address 192.168.128.254 255.255.255.0
!
interface GigabitEthernet1/2
 ip address 64.0.0.254 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip policy route-map PBR1
!
access-list 100 permit ip any 192.168.1.0 0.0.0.255
!
route-map PBR1 permit 10
 match ip address 100
 set ip next-hop 64.0.0.1
!
router ospf 1
 network 192.168.200.0 0.0.0.255 area 0

Callouts: Advertise Proxy IP Subnet (OSPF network statement); PBR (ip policy route-map PBR1 on Vlan200).

Page 11: L3 Hijacking / L3 VRF Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254); MSFC routed (L3) port 64.0.0.0/24 (Gi1/2, .254; next hop .1)]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
ip vrf GUARD-VRF
 rd 100:1
!
interface GigabitEthernet1/1
 ip address 192.168.128.254 255.255.255.0
!
interface GigabitEthernet1/2
 ip address 64.0.0.254 255.255.255.0
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 ip vrf forwarding GUARD-VRF
 ip address 192.168.200.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
router ospf 1
 network 192.168.200.0 0.0.0.255 area 0
!
ip route vrf GUARD-VRF 192.168.1.0 255.255.255.0 64.0.0.1 global

Callouts: Advertise Proxy IP Subnet (OSPF network statement); VRF (Vlan200 placed in GUARD-VRF, with the zone route pointing at the global next hop 64.0.0.1).

Page 12: L2 Hijacking / L3 Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC ports Gi1/1, Gi1/2]

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Page 13: L2 Hijacking / L3 Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC VLAN interfaces .254; injection next hop .253 on VLAN200); MSFC ports Gi1/1, Gi1/2]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

Callout: PBR or a VRF can be configured to avoid a routing loop.
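The routing-loop remark is easier to see in a model. The following is an added example, not code from the slides or from Cisco: a small Python simulation of longest-prefix forwarding with a per-interface PBR policy and a per-interface VRF binding, using the slides' address plan (zone 192.168.1.0/24 hijacked by the Guard as two /25 more-specifics, cleaned traffic injected back to the MSFC Vlan200 SVI). The node names (msfc, guard, upstream, zone), the interface names, and the "upstream" node that delivers to the zone are assumptions of the model, not anything the slides state.

```python
"""Constructed model of L3 injection back into the MSFC: without PBR or a VRF the
MSFC's longest-prefix match sends cleaned traffic back to the Guard (loop)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # next node along the path (model abstraction, not a real IP)
    ingress: str  # interface name the next node receives on (assumed names)


class Table:
    """A routing table with longest-prefix-match lookup."""
    def __init__(self, *routes):
        self.routes = list(routes)

    def lookup(self, dst):
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


def net(s):
    return ipaddress.ip_network(s)


ZONE = net("192.168.1.0/24")
# The Guard hijacks the zone with two more-specifics, as on the BGP slides.
HIJACK = [net("192.168.1.0/25"), net("192.168.1.128/25")]


def build_msfc(mode):
    """mode: 'plain' (no fix), 'pbr' (policy on Vlan200) or 'vrf' (Vlan200 in GUARD-VRF)."""
    global_tbl = Table(
        Route(ZONE, "upstream", "Gi0/0"),                   # normal path to the zone
        *[Route(p, "guard", "giga2.100") for p in HIJACK],  # diversion in effect
    )
    node = {"tables": {"global": global_tbl}, "vrf_of": {}, "pbr": {}}
    if mode == "pbr":
        # ip policy route-map PBR1 on Vlan200: match zone -> set ip next-hop (upstream)
        node["pbr"]["Vlan200"] = (ZONE, Route(ZONE, "upstream", "Gi0/0"))
    elif mode == "vrf":
        # ip route vrf GUARD-VRF 192.168.1.0/24 <upstream> global, Vlan200 in the VRF
        node["tables"]["GUARD-VRF"] = Table(Route(ZONE, "upstream", "Gi0/0"))
        node["vrf_of"]["Vlan200"] = "GUARD-VRF"
    return node


def build_topology(mode):
    plain = {"vrf_of": {}, "pbr": {}}
    return {
        "msfc": build_msfc(mode),
        # Guard: cleaned traffic is injected to the MSFC Vlan200 SVI (nexthop 192.168.200.254)
        "guard": {"tables": {"global": Table(Route(ZONE, "msfc", "Vlan200"))}, **plain},
        # Assumed upstream router that reaches the zone directly
        "upstream": {"tables": {"global": Table(Route(ZONE, "zone", "eth0"))}, **plain},
        "zone": None,  # final destination, no forwarding
    }


def lookup(node, ingress, dst):
    """PBR on the ingress interface wins; otherwise the table bound to that interface."""
    pbr = node["pbr"].get(ingress)
    if pbr and dst in pbr[0]:
        return pbr[1]
    table = node["tables"][node["vrf_of"].get(ingress, "global")]
    return table.lookup(dst)


def trace(topology, start, ingress, dst, max_hops=8):
    """Return (path, outcome); outcome is 'delivered', 'loop' or 'no-route'."""
    dst = ipaddress.ip_address(dst)
    path, cur, iface = [start], start, ingress
    seen = {(cur, iface)}
    while topology[cur] is not None:
        r = lookup(topology[cur], iface, dst)
        if r is None:
            return path, "no-route"
        cur, iface = r.via, r.ingress
        path.append(cur)
        if (cur, iface) in seen or len(path) > max_hops:
            return path, "loop"
        seen.add((cur, iface))
    return path, "delivered"


def injection_outcome(mode, dst="192.168.1.10"):
    """Trace a cleaned packet leaving the Guard's injection sub-interface."""
    return trace(build_topology(mode), "guard", "giga2.200", dst)


if __name__ == "__main__":
    for mode in ("plain", "pbr", "vrf"):
        print(mode, injection_outcome(mode))
```

In "plain" mode the MSFC matches the /25 hijack routes and hands the packet straight back to the Guard; the PBR and VRF variants both force the Vlan200 ingress onto the upstream path, which is exactly what the PBR1 route-map and the GUARD-VRF static route do on the earlier slides.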

Page 14: Divert Tech Overview: Methods for an External Configuration

Page 15: Hijacking / Injection

- L3 iBGP Hijacking / L2 External Injection
- L3 iBGP Hijacking / L3 PBR External Injection
- L3 eBGP Hijacking / L3 VRF over GRE Internal Injection
- Specific BGP Instance for the VRF

Page 16: L3 iBGP Hijacking / L2 External Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254 / .253); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1, Gi1/2; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

Page 17: L3 iBGP Hijacking / L2 External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254 / .253); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253)]

Ex: Other Physical Connection (Dedicated Injection Link)

Page 18: L3 iBGP Hijacking / L2 External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254 / .253); routed (L3) port 192.168.128.0/24; VLAN100; 192.168.127.0/24 (.253 / .253); Gi1/2]

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.1.0 255.255.255.0 nexthop 192.168.200.253

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Callout: Vlan200.

Page 19: L3 iBGP Hijacking / L2 External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254 / .253); routed (L3) port 192.168.128.0/24; VLAN100; 192.168.127.0/24 (.253 / .253); Gi1/2]

MSFC Interface Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 no ip address
 switchport
 switchport access vlan 200
 switchport mode access
!
interface Vlan100
 ip address 192.168.100.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan127
 ip address 192.168.127.253 255.255.255.0

Page 20: L3 iBGP Hijacking / L2 External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254 / .253); routed (L3) port 192.168.128.0/24; VLAN100; 192.168.127.0/24 (.253 / .253); Gi1/2]

MSFC Routing Configuration

router ospf 1                                          *1
 network 192.168.100.0 0.0.0.255 area 0                *1
 network 192.168.127.0 0.0.0.255 area 0                *1
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 192.168.127.254 remote-as 100
 !
 address-family ipv4
  redistribute static route-map GUARD
  neighbor 192.168.127.254 activate
  neighbor 192.168.127.254 next-hop-self               *2
  neighbor 192.168.127.254 send-community
  neighbor 192.168.127.254 advertisement-interval 0
  neighbor 192.168.127.254 soft-reconfiguration inbound
  no auto-summary
  no synchronization
 exit-address-family
!
access-list 1 permit 192.168.100.1
!
route-map GUARD permit 10
 match ip next-hop 1
 set community no-export
!
route-map GUARD permit 20
!
ip route 0.0.0.0 0.0.0.0 192.168.127.254              *3

*1 If the Guard's hijacking subnet is advertised by the IGP, the routes diverted from the router show the Guard IP address as the BGP next hop.
*2 The next hop can also be overwritten by using "next-hop-self".
*3 Static-route injection using redistribution.

Callout: configuration to prevent the route from being advertised to other BGP peers.

Page 21: L3 iBGP Hijacking / L2 External Injection

No Protection

Diversion-From-Router:

router#sh ip ro
O    192.168.111.0/24 [110/2] via 192.168.200.253, 00:06:22, Vlan200
     69.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59

6K + Guard Module:

Cat#sh ip ro
     72.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59
S*   0.0.0.0/0 [1/0] via 192.168.127.254

Any other EBGP Router:

ebgp-router#sh ip ro
     72.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59

Page 22: L3 iBGP Hijacking / L2 External Injection (cont)

Protection

Diversion-From-Router:

router#sh ip ro
O    192.168.111.0/24 [110/2] via 192.168.200.253, 00:06:22, Vlan200
B    192.168.111.0/25 [200/0] via 192.168.127.253, 00:02:20
B    192.168.111.128/25 [200/0] via 192.168.127.253, 00:02:20
     69.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59

6K + Guard Module:

Cat#sh ip ro
     72.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59
S       192.168.111.0 [25/0] via 192.168.127.200, Vlan100
S       192.168.111.128 [25/0] via 192.168.127.200, Vlan100
S*   0.0.0.0/0 [1/0] via 192.168.127.254

Any other EBGP Router:

ebgp-router#sh ip ro
     72.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59
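The difference between the "No Protection" and "Protection" tables is the pair of iBGP /25 more-specifics pointing at the Guard side. As an added example that is not part of the slides, the Python below parses "show ip route" lines and reports the zone as protected only when BGP more-specifics of the zone, all via the Guard-side next hop, together cover the whole zone, so a partial or stale advertisement is not mistaken for full diversion. The sample output is constructed after the Diversion-From-Router outputs on these slides; the zone 192.168.111.0/24 and the next hop 192.168.127.253 are taken from them, and the parser only handles the route-line shapes shown here.

```python
"""Parse IOS 'show ip route' lines and check whether a zone is fully diverted."""
import ipaddress
import re

# One route line: code, prefix (with or without /len), [AD/metric], via next-hop.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]{1,2}\*?)\s+(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)"
    r"\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d{1,3}(?:\.\d{1,3}){3})"
)
# 'x.x.x.x/len is subnetted' headers give the mask for the lines that follow.
SUBNETTED_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})/(\d+) is subnetted")


def parse_routes(text, default_prefixlen=24):
    """Return a list of (code, network, ad, metric, next_hop) tuples."""
    routes, plen = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SUBNETTED_RE.match(line)
        if m:
            plen = int(m.group(2))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue  # prompts, legends, blank lines
        prefix = m.group("prefix")
        if "/" not in prefix:
            prefix = f"{prefix}/{plen if plen is not None else default_prefixlen}"
        routes.append((m.group("code"),
                       ipaddress.ip_network(prefix, strict=False),
                       int(m.group("ad")), int(m.group("metric")), m.group("nh")))
    return routes


def diversion_status(text, zone, guard_next_hop):
    """Return (protected, more_specifics).

    protected is True only when BGP more-specifics of `zone` that point at
    `guard_next_hop` collapse exactly to the zone, i.e. cover all of it."""
    zone = ipaddress.ip_network(zone)
    specifics = sorted(
        (r[1] for r in parse_routes(text)
         if r[0].startswith("B") and r[4] == guard_next_hop
         and r[1].subnet_of(zone) and r[1].prefixlen > zone.prefixlen),
        key=lambda n: (int(n.network_address), n.prefixlen))
    collapsed = list(ipaddress.collapse_addresses(specifics))
    return collapsed == [zone], specifics


# Constructed sample modelled on the Diversion-From-Router outputs above.
NO_PROTECTION = """\
router#sh ip ro
O    192.168.111.0/24 [110/2] via 192.168.200.253, 00:06:22, Vlan200
     69.0.0.0/32 is subnetted, 1 subnets
B       69.69.69.69 [200/0] via 99.99.99.253, 06:04:40
     72.0.0.0/32 is subnetted, 1 subnets
B       72.72.72.2 [20/0] via 66.66.66.100, 06:36:59
"""
PROTECTION = NO_PROTECTION.replace(
    "Vlan200\n",
    "Vlan200\n"
    "B    192.168.111.0/25 [200/0] via 192.168.127.253, 00:02:20\n"
    "B    192.168.111.128/25 [200/0] via 192.168.127.253, 00:02:20\n", 1)

if __name__ == "__main__":
    for label, table in (("no protection", NO_PROTECTION), ("protection", PROTECTION)):
        ok, specs = diversion_status(table, "192.168.111.0/24", "192.168.127.253")
        print(f"{label}: protected={ok} more-specifics={[str(s) for s in specs]}")
```

Run against a live "show ip route" capture, the same function distinguishes a zone that is really diverted from one where only half of it is, which is the check worth running before declaring an attack mitigated.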

Page 23: L3 iBGP Hijacking / L2 External Injection (cont)

[Diagram: NOC; Internet; Zone; Port1 (Management Port) eth1; VLAN10 10.1.1.0/24]

Ex: Other Physical Connection (Dedicated Injection Link)

Page 24: Hijacking / Injection (agenda repeated; see Page 15)

Page 25: L3 iBGP Hijacking / L3 PBR External Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; Gi1/0 192.168.129.254; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

Page 26: L3 iBGP Hijacking / L3 PBR External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

Guard Module Configuration

diversion injection 0.0.0.0 0.0.0.0 nexthop 192.168.200.254

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Callout: Vlan200.

Page 27: L3 iBGP Hijacking / L3 PBR External Injection (cont)

[Diagram: Zone 192.168.1.0/24; Internet; VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

MSFC Interface Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/2
 no ip address
 shutdown
!
interface Vlan100
 ip address 192.168.100.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan127
 ip address 192.168.127.253 255.255.255.0

Page 28: L3 iBGP Hijacking / L3 PBR External Injection (cont)

[Diagram: Zone 192.168.1.0/24; Internet; VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

MSFC Routing Configuration

router bgp 100
 bgp log-neighbor-changes
 neighbor 192.168.127.254 remote-as 100
 !
 address-family ipv4
  redistribute static route-map GUARD
  neighbor 192.168.127.254 activate
  neighbor 192.168.127.254 next-hop-self
  neighbor 192.168.127.254 send-community
  neighbor 192.168.127.254 advertisement-interval 0
  neighbor 192.168.127.254 soft-reconfiguration inbound
  no auto-summary
  no synchronization
 exit-address-family
!
access-list 1 permit 192.168.100.1
!
route-map GUARD permit 10
 match ip next-hop 1
 set community no-export
!
route-map GUARD permit 20
!
ip route 0.0.0.0 0.0.0.0 192.168.127.254

Page 29: L3 iBGP Hijacking / L3 PBR External Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; Gi1/0 192.168.129.254; iBGP and eBGP sessions; OSPF Area0; AS100, AS200]

Diversion-From-Router Configuration

interface GigabitEthernet1/0.127
 encapsulation dot1Q 127
 ip address 192.168.127.254 255.255.255.0
!
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 ip address 192.168.200.254 255.255.255.0
 ip policy route-map PBR
!
router ospf 1
 log-adjacency-changes
 network 192.168.128.0 0.0.0.255 area 0
 network 192.168.129.0 0.0.0.255 area 0
 network 192.168.200.0 0.0.0.255 area 0
!
router bgp 100
 bgp log-neighbor-changes
 neighbor 192.168.127.253 remote-as 100
 neighbor 192.168.127.253 soft-reconfiguration inbound
 no auto-summary
 no synchronization
!
access-list 100 permit ip any 192.168.1.0 0.0.0.255
route-map PBR permit 10
 match ip address 100
 set ip next-hop 192.168.129.254

Callouts: Advertise Proxy IP Subnet to the Zone (OSPF network statements); PBR (set ip next-hop 192.168.129.254).

Page 30: Hijacking / Injection (agenda repeated; see Page 15)

Page 31: L3 eBGP Hijacking / L3 VRF over GRE Internal Injection

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; Gi1/0 192.168.129.254; eBGP sessions; OSPF Area0; AS65501, AS100, AS200; Tunnel0 192.168.130.1 and Tunnel0 192.168.130.254]

Page 32: L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

[Diagram: NOC; Internet; Zone 192.168.1.0/24; Cat6K + Guard Module; Diversion-From-Router; Injection-To-Router]

Page 33: L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

[Diagram: Zone 192.168.1.0/24; NOC; Internet; VLAN10 10.1.1.0/24 (Guard Port1, Management Port, eth1 .1); VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; Gi1/0 192.168.129.254; eBGP sessions; OSPF Area0; AS65501, AS100, AS200; Tunnel0 192.168.130.1 and Tunnel0 192.168.130.254]

Guard Module Configuration

diversion injection 0.0.0.0 0.0.0.0 nexthop 192.168.200.254

interface eth1
 ip address 10.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2
 mtu 1500
 no shutdown
exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
exit

proxy 192.168.200.100

Callout: proxy on Vlan200.

If the configuration has no "diversion hijacking receive-via-ip" or "diversion hijacking receive-via-vlan" statement, the Guard automatically uses the smallest VLAN number for hijacking.

Page 34: L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

[Diagram: Zone 192.168.1.0/24; Internet; VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Guard Port2, Data Port, giga2 .1; MSFC .254); 192.168.128.0/24; VLAN127 192.168.127.0/24 (.253 / .253); Gi1/1; Gi1/0 192.168.129.254; eBGP sessions; OSPF Area0; AS65501, AS100, AS200; Tunnel0 192.168.130.1 and Tunnel0 192.168.130.254]

MSFC Interface Configuration

anomaly-guard module 2 port 1 allowed-vlan 10
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 10
!
interface Tunnel0
 ip address 192.168.130.254 255.255.255.0
 tunnel source 192.168.127.253
 tunnel destination 192.168.129.254
!
interface GigabitEthernet1/1
 no ip address
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan100
 ip address 192.168.100.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan127
 ip address 192.168.127.253 255.255.255.0
!
interface Vlan200
 ip vrf forwarding GUARD-VRF
 ip address 192.168.200.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp

Callouts: VRF (Vlan200 in GUARD-VRF); GRE Tunnel Interface (Tunnel0).

L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 192.168.127.0/24 between AS65501 and AS100/AS200, Tunnel0 192.168.130.254 to 192.168.130.1 on the Inject-To-Router at 192.168.129.254, Zone 192.168.1.0/24)]

MSFC Routing Configuration

! VRF
ip vrf GUARD-VRF
 rd 100:1
!
router bgp 65501
 bgp log-neighbor-changes
 neighbor 192.168.127.254 remote-as 100
 !
 address-family ipv4
  ! Static route redistribution (the Guard's diversion routes)
  redistribute static route-map GUARD-ROUTE
  neighbor 192.168.127.254 activate
  neighbor 192.168.127.254 send-community
  neighbor 192.168.127.254 advertisement-interval 0
  neighbor 192.168.127.254 soft-reconfiguration inbound
  ! Adds a community attribute to what is advertised to the peer
  neighbor 192.168.127.254 route-map GUARD-COMM out
  no auto-summary
  no synchronization
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 192.168.127.254
! The next hop of the static route in the VRF (GUARD-VRF) is the GRE peer's tunnel interface
ip route vrf GUARD-VRF 192.168.1.0 255.255.255.0 192.168.130.1 global
!
access-list 1 permit 192.168.100.1
!
route-map GUARD-ROUTE permit 10
 match ip next-hop 1
!
route-map GUARD-COMM permit 10
 match ip next-hop 1
 set community no-advertise
!
route-map GUARD-COMM permit 20

L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200 with management port eth1 on VLAN10 10.1.1.0/24, NOC, eBGP on VLAN127 192.168.127.0/24, Tunnel0 192.168.130.254 to 192.168.130.1 on the Inject-To-Router at 192.168.129.254, Zone 192.168.1.0/24)]

Inject-To-Router Configuration

! GRE tunnel interface
interface Tunnel0
 ip address 192.168.130.1 255.255.255.0
 tunnel source 192.168.129.254
 tunnel destination 192.168.127.253
!
interface GigabitEthernet1/0
 ip address 192.168.129.254 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.168.129.0 0.0.0.255 area 0
 network 192.168.111.0 0.0.0.255 area 0
!
! Next hop for the GUARD-VRF zone
ip route 192.168.200.0 255.255.255.0 192.168.130.254

L3 eBGP Hijacking / L3 VRF over GRE Internal Injection (cont)

Ex: Other Routing Topology

[Topology diagram: Guard Module (Port2 data port giga2, Port1 management port eth1), NOC, Internet, Zone 192.168.1.0/24; eBGP between AS65501 and AS200/AS100, with iBGP inside AS100]

Hijacking / Injection

L3 iBGP Hijacking / L2 External Injection
L3 iBGP Hijacking / L3 PBR External Injection
L3 eBGP Hijacking / L3 VRF over GRE Internal Injection
Specific BGP Instance for Injection VRF

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: Guard Module on VLAN100 192.168.100.0/24 and VLAN200 192.168.200.0/24 (Port2 data port giga2, Guard .1, MSFC .253/.254); eBGP on VLAN127 192.168.127.0/24 between AS65501 and AS100; GUARD-VRF on the MSFC; Tunnel0 192.168.130.254 to Tunnel0 192.168.130.1 on the Inject-To-Router (Gi1/0 192.168.129.254, 192.168.128.0/24) carrying iBGP within AS65501; Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router; Zone 192.168.1.0/24]

Specific BGP Instance for Injection VRF (cont)

[Role diagram: Zone 192.168.1.0/24; Cat6K + Guard Module acting as Diversion-From-Router; Injection-To-Router; Zone-Local-Router]

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

MSFC Interface Configuration

! GRE tunnel interface
interface Tunnel0
 ip address 192.168.130.254 255.255.255.0
 tag-switching ip
 tunnel source 192.168.127.253
 tunnel destination 192.168.129.254
!
! VRF
interface Vlan200
 ip vrf forwarding GUARD-VRF
 ip address 192.168.200.253 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

MSFC Routing Configuration

ip vrf GUARD-VRF
 rd 100:1
 route-target export 100:1
 route-target import 100:1
!
router bgp 65501
 bgp log-neighbor-changes
 neighbor 192.168.127.254 remote-as 100
 ! iBGP peer: the Inject-To-Router's Tunnel0 address (192.168.130.1), which the vpnv4
 ! activate below and the Inject-To-Router's own "neighbor 192.168.130.254" refer to
 neighbor 192.168.130.1 remote-as 65501
 !
 address-family ipv4
  redistribute static route-map GUARD-ROUTE
  neighbor 192.168.127.254 activate
  neighbor 192.168.127.254 send-community
  neighbor 192.168.127.254 advertisement-interval 0
  neighbor 192.168.127.254 soft-reconfiguration inbound
  neighbor 192.168.127.254 route-map GUARD-COMM out
  neighbor 192.168.130.1 activate
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.130.1 activate
  neighbor 192.168.130.1 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf GUARD-VRF
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
!

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

Inject-To-Router Interface Configuration

!
interface Tunnel0
 ip address 192.168.130.1 255.255.255.0
 tag-switching ip
 tunnel source 192.168.129.254
 tunnel destination 192.168.127.253
!
interface Tunnel1
 ip vrf forwarding GUARD-VRF
 ip address 192.168.131.1 255.255.255.0
 tunnel source 192.168.132.1
 tunnel destination 192.168.132.2
!
interface GigabitEthernet1/0
 ip address 192.168.129.254 255.255.255.0
!
interface GigabitEthernet1/1
 ip address 192.168.132.1 255.255.255.0
!
:

Diversion-From-Router Configuration

Same configuration as before.

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

Inject-To-Router Routing Configuration

!
router ospf 1
 log-adjacency-changes
 network 192.168.129.0 0.0.0.255 area 0
 network 192.168.132.0 0.0.0.255 area 0
!
router bgp 65501
 no synchronization
 bgp log-neighbor-changes
 neighbor 192.168.130.254 remote-as 65501
 neighbor 192.168.130.254 send-community extended
 no auto-summary
 !
 address-family ipv4 vrf GUARD-VRF
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family vpnv4
  neighbor 192.168.130.254 activate
  neighbor 192.168.130.254 send-community extended
  no auto-summary
 exit-address-family
!
ip route vrf GUARD-VRF 192.168.1.0 255.255.255.0 192.168.131.2 global

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

Zone-Local-Router Configuration

!
interface Tunnel1
 ip address 192.168.131.2 255.255.255.0
 tunnel source 192.168.132.2
 tunnel destination 192.168.132.1
!
interface GigabitEthernet1/0
 ip address 192.168.132.2 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 192.168.1.0 0.0.0.255 area 0
 network 192.168.132.0 0.0.0.255 area 0
!
ip route 192.168.200.0 255.255.255.0 192.168.131.1
ip route 0.0.0.0 0.0.0.0 192.168.132.1
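As an added check, not part of the original slides, the following Python parses the Tunnel interface blocks of the MSFC, Inject-To-Router and Zone-Local-Router configurations above and verifies that every GRE tunnel has a peer whose source and destination mirror its own and that both ends share a subnet. The router labels are chosen here, and the mismatched-destination case in the test is constructed.

```python
"""Added check: verify GRE tunnel endpoint symmetry across the VRF-over-GRE design.

Parses the 'interface TunnelN' blocks of each router's configuration and confirms
that every tunnel has a peer whose source/destination mirror its own and that both
ends sit in the same tunnel subnet.  Router names are labels chosen for this example.
"""
import ipaddress
import re

# Tunnel-related interface blocks as shown on the slides, one string per router.
CONFIGS = {
    "MSFC": """
interface Tunnel0
 ip address 192.168.130.254 255.255.255.0
 tag-switching ip
 tunnel source 192.168.127.253
 tunnel destination 192.168.129.254
!
interface Vlan200
 ip vrf forwarding GUARD-VRF
 ip address 192.168.200.253 255.255.255.0
""",
    "Inject-To-Router": """
interface Tunnel0
 ip address 192.168.130.1 255.255.255.0
 tag-switching ip
 tunnel source 192.168.129.254
 tunnel destination 192.168.127.253
!
interface Tunnel1
 ip vrf forwarding GUARD-VRF
 ip address 192.168.131.1 255.255.255.0
 tunnel source 192.168.132.1
 tunnel destination 192.168.132.2
""",
    "Zone-Local-Router": """
interface Tunnel1
 ip address 192.168.131.2 255.255.255.0
 tunnel source 192.168.132.2
 tunnel destination 192.168.132.1
""",
}


def parse_tunnels(router, config):
    """Return one dict per 'interface TunnelN' block found in config."""
    tunnels, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Tunnel\d+)$", line)
        if m:
            current = {"router": router, "name": m.group(1), "vrf": None,
                       "addr": None, "src": None, "dst": None}
            tunnels.append(current)
            continue
        if line.startswith("interface ") or line == "!":
            current = None          # left the tunnel block
            continue
        if current is None:
            continue
        if line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            current["addr"] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("ip vrf forwarding "):
            current["vrf"] = line.split()[3]
        elif line.startswith("tunnel source "):
            current["src"] = ipaddress.ip_address(line.split()[2])
        elif line.startswith("tunnel destination "):
            current["dst"] = ipaddress.ip_address(line.split()[2])
    return tunnels


def check_tunnels(configs):
    """Return (pairs, problems): pairs holds ((router, tunnel), (peer router, peer
    tunnel)) for every tunnel that found its mirror image (so each link appears
    once per direction); problems holds human-readable findings."""
    tunnels = [t for r, c in configs.items() for t in parse_tunnels(r, c)]
    pairs, problems = [], []
    for t in tunnels:
        label = f"{t['router']} {t['name']}"
        if None in (t["addr"], t["src"], t["dst"]):
            problems.append(f"{label}: incomplete tunnel definition")
            continue
        peers = [p for p in tunnels
                 if p is not t and p["src"] == t["dst"] and p["dst"] == t["src"]]
        if not peers:
            problems.append(f"{label}: no peer with tunnel source {t['dst']} "
                            f"and destination {t['src']}")
            continue
        p = peers[0]
        if p["addr"].network != t["addr"].network:
            problems.append(f"{label}: tunnel address {t['addr']} not in the same "
                            f"subnet as peer {p['router']} {p['name']} ({p['addr']})")
            continue
        pairs.append(((t["router"], t["name"]), (p["router"], p["name"])))
    return pairs, problems


if __name__ == "__main__":
    found, issues = check_tunnels(CONFIGS)
    for a, b in found:
        print(f"OK   {a[0]} {a[1]} <-> {b[0]} {b[1]}")
    for issue in issues:
        print(f"FAIL {issue}")
```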

Specific BGP Instance for Injection VRF (cont)

[Topology diagram: same design as the previous slides (Guard Module on VLAN100/VLAN200, eBGP on VLAN127 to AS100, GUARD-VRF, Tunnel0 192.168.130.254 / 192.168.130.1 with iBGP in AS65501, Tunnel1 192.168.131.1 / 192.168.131.2 over 192.168.132.1 / 192.168.132.2 to the Zone-Local-Router, Zone 192.168.1.0/24)]

Cat#sh ip ro
C    192.168.127.0/24 is directly connected, Vlan127
     192.168.1.0/25 is subnetted, 2 subnets
S       192.168.1.0 [25/0] via 192.168.100.1, Vlan100
S       192.168.1.128 [25/0] via 192.168.100.1, Vlan100
C    192.168.130.0/24 is directly connected, Tunnel0
C    192.168.200.0/24 is directly connected, Vlan200
C    192.168.100.0/24 is directly connected, Vlan100
S*   0.0.0.0/0 [1/0] via 192.168.127.254

JaffaCat#sh ip ro v GUARD-VRF
Routing Table: GUARD-VRF
C    192.168.200.0/24 is directly connected, Vlan200
B    192.168.1.0/24 [200/0] via 192.168.130.1, 03:42:51
B    192.168.131.0/24 [200/0] via 192.168.130.1, 03:42:51

Inject#sh ip ro
O    192.168.1.0/24 [110/2] via 192.168.132.2, 17:21:30, GigabitEthernet1/1
O    192.168.127.0/24 [110/2] via 192.168.129.1, 17:21:30, GigabitEthernet1/0
C    192.168.129.0/24 is directly connected, GigabitEthernet1/0
C    192.168.132.0/24 is directly connected, GigabitEthernet1/1

Inject#sh ip ro v GUARD-VRF
Routing Table: GUARD-VRF
B    192.168.200.0/24 [200/0] via 192.168.130.254, 04:32:42
C    192.168.131.0/24 is directly connected, Tunnel1
S    192.168.1.0/24 [1/0] via 192.168.131.2

Loadsharing & HA Configuration

Multiple Guard Module for Loadshare/HA

[Topology diagram: Cat6K + multiple Guard modules; Guard modules .1 and .2 on VLAN100 192.168.100.0/24 (hijacking) and VLAN200 192.168.200.0/24 (injection), MSFC .254, proxies 192.168.200.101 and 192.168.200.102; Port2 data port giga2, Port1 management port eth1; VLAN127 192.168.127.0/24 (.253) toward the Diversion-From-Router and Injection-To-Router, BGP AS65501; Zone 192.168.1.0/24; Internet]

Multiple Guard Module for Loadshare/HA

[Topology diagram: same design as the previous slide (Cat6K + multiple Guard modules .1 and .2 on VLAN100/VLAN200 with proxies 192.168.200.101 and 192.168.200.102, VLAN127 192.168.127.0/24 toward the Diversion-From-Router and Injection-To-Router, BGP AS65501, Zone 192.168.1.0/24)]

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 11
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 3 port 1 allowed-vlan 11
anomaly-guard module 3 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 11
anomaly-guard module 3 port 1 native-vlan 11

First Guard module:

interface eth1
 ip address 11.1.1.1 255.255.255.0
 mtu 1500
 no shutdown
 exit
interface giga2
 mtu 1500
 no shutdown
 exit
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
 exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
 exit

Second Guard module:

interface eth1
 ip address 11.1.1.2 255.255.255.0
 mtu 1500
 no shutdown
 exit
interface giga2
 mtu 1500
 no shutdown
 exit
interface giga2.100
 ip address 192.168.100.2 255.255.255.0
 mtu 1500
 no shutdown
 exit
interface giga2.200
 ip address 192.168.200.2 255.255.255.0
 mtu 1500
 no shutdown
 exit

Configuration Procedure

Loadsharing
1. Set the modules being grouped to the same weight value
2. Configure the same Zone on both modules
3. Let both modules learn the traffic at the same time
4. Activate

Redundant
1. Set a low weight value on the primary module and a high weight value on the secondary module
2. Learn the traffic on the primary module
3. Activate

Multiple Guard Module for Loadshare/HA

[Topology diagram: same design as the previous slides (Cat6K + multiple Guard modules .1 and .2 on VLAN100/VLAN200 with proxies 192.168.200.101 and 192.168.200.102, VLAN127 192.168.127.0/24 toward the Diversion-From-Router and Injection-To-Router, Zone 192.168.1.0/24)]

Cat#sh ip ro | i 192.168.1
     192.168.1.0/24 is variably subnetted, 3 subnets, 2 masks
B       192.168.1.0/25 [20/0] via 192.168.127.253, 04:23:11
O       192.168.1.0/24 [110/2] via 192.168.129.254, 1d02h, Vlan63
B       192.168.1.128/25 [20/0] via 192.168.127.253, 04:23:11

Loadsharing

Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [1/0] via 192.168.100.1, Vlan100
                      [1/0] via 192.168.100.2, Vlan100
S       192.168.111.128 [1/0] via 192.168.100.1, Vlan100
                        [1/0] via 192.168.100.2, Vlan100

Redundant (Primary Fail)

Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [2/0] via 192.168.100.2, Vlan100
S       192.168.111.128 [2/0] via 192.168.100.2, Vlan100

Redundant (Primary Active)

Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [1/0] via 192.168.100.1, Vlan100
S       192.168.111.128 [1/0] via 192.168.100.1, Vlan100
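The following Python, added here and not from the slides, parses "show ip route static" captures like the three above and reports which Guard module is injecting each zone prefix, so the primary-fail case from the configuration procedure can be detected from the MSFC routing table rather than noticed by hand. It assumes 192.168.100.1 is the primary module and 192.168.100.2 the secondary, as the Redundant captures suggest; the sample outputs are re-typed from the slide.

```python
"""Added example: read 'show ip route static' from the MSFC and report which
Guard module is currently injecting each zone prefix.

Assumption (labelled): 192.168.100.1 is the primary module and 192.168.100.2 the
secondary, as the Redundant captures on this slide suggest.  Sample outputs are
re-typed from the slide.
"""
import re

GUARD_HOPS = {"192.168.100.1": "primary", "192.168.100.2": "secondary"}

# Matches "S  192.168.111.0 [1/0] via 192.168.100.1, Vlan100" and the indented
# continuation line "[1/0] via 192.168.100.2, Vlan100" of a multipath entry.
LINE_RE = re.compile(
    r"^\s*(?:S\*?\s+(?P<prefix>\d+\.\d+\.\d+\.\d+(?:/\d+)?)\s+)?"
    r"\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+)")

LOADSHARE = """\
Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [1/0] via 192.168.100.1, Vlan100
                      [1/0] via 192.168.100.2, Vlan100
S       192.168.111.128 [1/0] via 192.168.100.1, Vlan100
                        [1/0] via 192.168.100.2, Vlan100
"""

PRIMARY_FAIL = """\
Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [2/0] via 192.168.100.2, Vlan100
S       192.168.111.128 [2/0] via 192.168.100.2, Vlan100
"""

PRIMARY_ACTIVE = """\
Cat#sh ip ro static
     192.168.111.0/25 is subnetted, 2 subnets
S       192.168.111.0 [1/0] via 192.168.100.1, Vlan100
S       192.168.111.128 [1/0] via 192.168.100.1, Vlan100
"""


def parse_static_routes(output):
    """Return {prefix: [(admin_distance, next_hop), ...]} in display order."""
    routes, last_prefix = {}, None
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # prompt, "is subnetted" header, etc.
        prefix = m.group("prefix") or last_prefix
        if prefix is None:
            continue                      # continuation line with no parent entry
        last_prefix = prefix
        routes.setdefault(prefix, []).append((int(m.group("ad")), m.group("nh")))
    return routes


def classify(routes):
    """Map each prefix to the injection state implied by its installed next hops."""
    states = {}
    for prefix, entries in routes.items():
        best = min(ad for ad, _ in entries)
        active = {nh for ad, nh in entries if ad == best}
        roles = {GUARD_HOPS.get(nh, "unknown") for nh in active}
        if "unknown" in roles:
            states[prefix] = "unexpected-next-hop"
        elif len(active) >= 2:
            states[prefix] = "loadsharing"
        elif roles == {"primary"}:
            states[prefix] = "redundant-primary-active"
        else:
            states[prefix] = "redundant-primary-failed"
    return states


def zone_state(output):
    """Collapse per-prefix states into one verdict for the zone, or 'inconsistent'."""
    states = set(classify(parse_static_routes(output)).values())
    if not states:
        return "no-injection-routes"
    return states.pop() if len(states) == 1 else "inconsistent"


if __name__ == "__main__":
    for name, capture in [("loadshare", LOADSHARE), ("primary fail", PRIMARY_FAIL),
                          ("primary active", PRIMARY_ACTIVE)]:
        print(f"{name:15s} -> {zone_state(capture)}")
```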

Config Sample (Confidential): an actual deployment case.

ADM/AGM Design & Configuration

[Design diagram: Guard module with hijacking VLAN 100 192.168.100.1/24, injection VLAN 200 192.168.200.1/24 and management VLAN 1 192.168.63.14/30 (switch side 192.168.63.13/30); Cat6K Vlan 100 192.168.100.254 and Vlan 200 192.168.200.254; Giga 3/2 Vlan 3 192.168.63.5/30; Giga 6/1 Vlan 1 192.168.37.1/24; protected networks 192.168.32.0 ~ 192.168.62.0/224]

ADM/AGM Design & Configuration

Guard Module Configuration

diversion hijacking receive-via-ip 192.168.100.1
diversion hijacking receive-via-vlan 100
diversion injection 192.168.0.0 255.255.0.0 nexthop 192.168.200.254

interface eth1
 ip address 192.168.63.14 255.255.255.0
 mtu 1500
 no shutdown
interface giga2
 mtu 1500
 no shutdown
interface giga2.100
 ip address 192.168.100.1 255.255.255.0
 mtu 1500
 no shutdown
 exit
interface giga2.200
 ip address 192.168.200.1 255.255.255.0
 mtu 1500
 no shutdown
 exit

proxy 192.168.200.100

MSFC Configuration

anomaly-guard module 2 port 1 allowed-vlan 1
anomaly-guard module 2 port 2 allowed-vlan 100,200
anomaly-guard module 2 port 1 native-vlan 1

interface GigabitEthernet3/2
 switchport access vlan 3
interface GigabitEthernet6/1
 switchport access vlan 1
interface Vlan1
 ip address 192.168.37.4 255.255.255.0
interface Vlan3
 ip address 192.168.63.
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 ip policy route-map AGM

route-map AGM permit 10
 match ip address 199
 set ip next-hop 192.168.37.1

router ospf 1
 network 192.168.200.0 0.0.0.255 area 0

ADM/AGM Design & Configuration

access-list 199 remark AGM-ACL
access-list 199 permit ip any 192.168.32.0 0.0.0.255
access-list 199 permit ip any 192.168.33.0 0.0.0.255
access-list 199 permit ip any 192.168.34.0 0.0.0.255
access-list 199 permit ip any 192.168.35.0 0.0.0.255
access-list 199 permit ip any 192.168.36.0 0.0.0.255
access-list 199 permit ip any 192.168.37.0 0.0.0.255
access-list 199 permit ip any 192.168.38.0 0.0.0.255
access-list 199 permit ip any 192.168.39.0 0.0.0.255
access-list 199 permit ip any 192.168.40.0 0.0.0.255
access-list 199 permit ip any 192.168.41.0 0.0.0.255
access-list 199 permit ip any 192.168.42.0 0.0.0.255
access-list 199 permit ip any 192.168.43.0 0.0.0.255
access-list 199 permit ip any 192.168.44.0 0.0.0.255
access-list 199 permit ip any 192.168.45.0 0.0.0.255
access-list 199 permit ip any 192.168.46.0 0.0.0.255
access-list 199 permit ip any 192.168.47.0 0.0.0.255
access-list 199 permit ip any 192.168.48.0 0.0.0.255
access-list 199 permit ip any 192.168.49.0 0.0.0.255
access-list 199 permit ip any 192.168.50.0 0.0.0.255
access-list 199 permit ip any 192.168.51.0 0.0.0.255
access-list 199 permit ip any 192.168.52.0 0.0.0.255
access-list 199 permit ip any 192.168.53.0 0.0.0.255
access-list 199 permit ip any 192.168.54.0 0.0.0.255
access-list 199 permit ip any 192.168.55.0 0.0.0.255
access-list 199 permit ip any 192.168.56.0 0.0.0.255
access-list 199 permit ip any 192.168.57.0 0.0.0.255
access-list 199 permit ip any 192.168.58.0 0.0.0.255
access-list 199 permit ip any 192.168.59.0 0.0.0.255
access-list 199 permit ip any 192.168.60.0 0.0.0.255
access-list 199 permit ip any 192.168.61.0 0.0.0.255
access-list 199 permit ip any 192.168.62.0 0.0.0.255
access-list 199 permit ip any 192.168.63.0 0.0.0.255

AGXT & ADXT LAB Topology

[Lab topology diagram: Attacker 11.11 on the Attack Net (11.254 / V13, G3/0/8~11); Internet 12.254 (G3/0/12~15); GW-Router G3/0/1 10.254 to the Cat6500 F3/48 10.1; two Guards on G5/1 and G4/1 (V200, G0 200.1 and G0 200.2), with Lo0 4.4.4.4 (proxy 4.10~15) and Lo0 5.5.5.5 (proxy 5.10~15); Victim Net 13.13, 13.14, 13.15 behind F3/13 on V13, the injection net / PBR next-hop point; Detector monitor Rx on F3/1, F3/2, F3/3; Mgmt Net 1.10, 1.11, 1.12; Divert Net; BGP AS 10 and BGP AS 100]

Detector Pre-config

! Management interface
interface eth0
 ip address 192.168.1.10 255.255.255.0
!
! Monitor (detection) interface
interface giga0
 no shutdown
!
! Enable the SSL (WBM) and SSH services
service wbm
service internode-comm
!
! SSL and SSH access permissions
permit wbm *
permit ssh *
permit internode-comm 192.168.1.12
permit internode-comm 192.168.1.11
!
! Management interface gateway
default-gateway 192.168.1.1
!
logging host 192.168.1.159
logging host 192.168.1.150
logging trap debugging
logging facility local0
!
! Guard config sync
remote-guard ssl 192.168.1.12
remote-guard ssl 192.168.1.11

Guard#1 Pre-Config

! Management interface
interface eth0
 ip address 192.168.1.11 255.255.255.0
!
! Divert interface
interface giga0
 ip address 192.168.200.1 255.255.255.0
!
! Loopback interface for the proxy addresses
interface lo:0
 ip address 4.4.4.4 255.255.255.0
!
! Management interface gateway
default-gateway 192.168.1.1
!
! Proxy IP addresses
proxy 4.4.4.10
proxy 4.4.4.11
proxy 4.4.4.12
proxy 4.4.4.13
!
! Enable the SSL (WBM) and SSH services
service wbm
service internode-comm
!
! SSL and SSH access permissions
permit wbm *
permit ssh *
permit internode-comm 192.168.1.10
!
logging host 192.168.1.159
logging host 192.168.1.150
logging trap debugging
logging facility local7

Guard#1 Pre-Config

! BGP configuration for hijacking routing
router bgp 100
 bgp router-id 192.168.200.1
 bgp bestpath compare-routerid
 redistribute guard
 neighbor 192.168.200.254 remote-as 10
 neighbor 192.168.200.254 description GW-Router
 neighbor 192.168.200.254 soft-reconfiguration inbound
 neighbor 192.168.200.254 distribute-list nothing-in in
 neighbor 192.168.200.254 route-map filt-out out
!
! Routing configuration for injection
ip route 0.0.0.0/0 192.168.200.254
ip route 192.168.13.0/24 192.168.200.254
ip route 192.168.14.0/24 192.168.200.254
!
! BGP filters for hijacking routing
access-list nothing-in deny any
!
route-map filt-out permit 10
 set community 10:100 no-export no-advertise

Guard#2 Pre-Config

! Management interface
interface eth0
 ip address 192.168.1.12 255.255.255.0
!
! Divert interface
interface giga0
 ip address 192.168.200.2 255.255.255.0
!
! Loopback interface for the proxy addresses
interface lo:0
 ip address 5.5.5.5 255.255.255.0
!
! Management interface gateway
default-gateway 192.168.1.1
!
! Proxy IP addresses
proxy 5.5.5.10
proxy 5.5.5.11
proxy 5.5.5.12
proxy 5.5.5.13
!
! Enable the SSL (WBM) and SSH services
service wbm
service internode-comm
!
! SSL and SSH access permissions
permit wbm *
permit ssh *
permit internode-comm 192.168.1.10
!
logging host 192.168.1.159
logging host 192.168.1.150
logging trap debugging
logging facility local7

Guard#2 Pre-Config

! BGP configuration for hijacking routing
router bgp 100
 bgp router-id 192.168.200.2
 bgp bestpath compare-routerid
 redistribute guard
 neighbor 192.168.200.254 remote-as 10
 neighbor 192.168.200.254 description GW-Router
 neighbor 192.168.200.254 soft-reconfiguration inbound
 neighbor 192.168.200.254 distribute-list nothing-in in
 neighbor 192.168.200.254 route-map filt-out out
!
! Routing configuration for injection
ip route 0.0.0.0/0 192.168.200.254
ip route 192.168.13.0/24 192.168.200.254
ip route 192.168.14.0/24 192.168.200.254
!
! BGP filters for hijacking routing
access-list nothing-in deny any
!
route-map filt-out permit 10
 set community 10:100 no-export no-advertise

GW-Router Config

interface GigabitEthernet3/0/1
 description "Server-Farm-Switch-Connected"
 switchport access vlan 10
!
interface GigabitEthernet3/0/11
 description "Attacker-Network"
 switchport access vlan 11
!
interface GigabitEthernet3/0/12
 description "Normal-Internet-Network-12"
 switchport mode access
!
interface Vlan10
 description "Server-Farm-Switch-Connected"
 ip address 192.168.10.254 255.255.255.0
!
interface Vlan11
 description "Attacker-network"
 ip address 192.168.11.254 255.255.255.0
!
interface Vlan12
 description "Normal-Internet-Network-12"
 ip address 192.168.12.254 255.255.255.0
!
interface Loopback0
 description "Normal-Internet-Network"
 ip address 2.2.2.2 255.255.255.0
!
ip route 192.168.1.0 255.255.255.0 192.168.10.1
ip route 192.168.13.0 255.255.255.0 192.168.10.1
ip route 192.168.200.0 255.255.255.0 192.168.10.1

Cat6500 Config

interface GigabitEthernet3/13
 switchport access vlan 13
!
interface GigabitEthernet3/48
 switchport access vlan 10
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan13
 ip address 192.168.13.254 255.255.255.0
!
! PBR for L2 forwarding of injected traffic
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
 ip policy route-map PBR
!
ip access-list extended Victim
 permit ip any 192.168.13.0 0.0.0.255
!
route-map PBR permit 10
 match ip address Victim
 set interface Vlan13

Cat6500 Config

! BGP configuration for the Guards and hijacking
router bgp 10
 no synchronization
 bgp router-id 192.168.200.254
 bgp cluster-id 16843009
 bgp log-neighbor-changes
 neighbor 192.168.200.1 remote-as 100
 neighbor 192.168.200.1 description GuardXT
 neighbor 192.168.200.1 timers 2 6
 neighbor 192.168.200.1 soft-reconfiguration inbound
 neighbor 192.168.200.1 distribute-list RoutesToGuard out
 neighbor 192.168.200.1 route-map Guard-In in
 neighbor 192.168.200.2 remote-as 100
 neighbor 192.168.200.2 description GuardXT
 neighbor 192.168.200.2 timers 2 6
 neighbor 192.168.200.2 soft-reconfiguration inbound
 neighbor 192.168.200.2 distribute-list RoutesToGuard out
 neighbor 192.168.200.2 route-map Guard-In in
 maximum-paths 2
 no auto-summary
!
ip route 2.2.2.0 255.255.255.0 192.168.10.254
ip route 4.4.4.0 255.255.255.0 192.168.200.1
ip route 5.5.5.0 255.255.255.0 192.168.200.2
ip route 192.168.11.0 255.255.255.0 192.168.10.254
ip route 192.168.12.0 255.255.255.0 192.168.10.254
!
ip access-list standard RoutesToGuard
 deny any
!
route-map Guard-In permit 10
 match community 99 exact-match
!
ip bgp-community new-format
ip community-list 99 permit 10:100 no-export no-advertise
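To make the community handling on the Guard (route-map filt-out on the Guard#1/Guard#2 slides) and on the Cat6500 (route-map Guard-In with community-list 99 exact-match, distribute-list RoutesToGuard, maximum-paths 2) concrete, here is an added Python model, not Cisco code, of both policies plus a leak check a diversion-router operator would run on an accepted hijack route. The addresses, communities and the zone 192.168.13.0/24 are taken from the lab slides; the function names are chosen here.

```python
"""Added model of the BGP policy between the Guards (AS 100) and the Cat6500 (AS 10).

Guard side (route-map filt-out): every redistributed guard route leaves with
community 10:100 no-export no-advertise.  Cat6500 side (route-map Guard-In with
ip community-list 99 ... exact-match): accept only routes carrying exactly that
community set; distribute-list RoutesToGuard sends nothing back; maximum-paths 2
installs both Guards as next hops.  Values are from the lab slides; function
names are chosen for this example.
"""
import ipaddress

COMMUNITY_LIST_99 = frozenset({"10:100", "no-export", "no-advertise"})
GUARD_NEIGHBORS = {"192.168.200.1", "192.168.200.2"}   # Guard divert interfaces (giga0)
MAXIMUM_PATHS = 2
ZONE = ipaddress.ip_network("192.168.13.0/24")          # victim net in the lab


def guard_filt_out(prefix, next_hop):
    """Build the UPDATE a Guard sends after 'route-map filt-out permit 10'
    ('set community ...' replaces whatever the route carried before)."""
    return {"prefix": prefix, "next_hop": next_hop,
            "communities": COMMUNITY_LIST_99}


def guard_in_permits(update):
    """'match community 99 exact-match': the community set must equal list 99."""
    return update["communities"] == COMMUNITY_LIST_99


def leak_risks(update):
    """Findings a diversion-router operator wants on a route learned from a Guard.

    An empty list means the route is a well-formed hijack: it stays on this router,
    it is more specific than the zone, and it points at a Guard.
    """
    risks = []
    if "no-advertise" not in update["communities"]:
        risks.append("missing no-advertise: hijack route could be sent to BGP peers")
    if "no-export" not in update["communities"]:
        risks.append("missing no-export: hijack route could leave the AS")
    net = ipaddress.ip_network(update["prefix"])
    if not (net.subnet_of(ZONE) and net.prefixlen > ZONE.prefixlen):
        risks.append("prefix is not more specific than the zone: "
                     "it would not win longest match")
    if update["next_hop"] not in GUARD_NEIGHBORS:
        risks.append("next hop is not a Guard divert interface")
    return risks


def select_paths(updates):
    """Apply Guard-In, then install up to MAXIMUM_PATHS distinct next hops per
    prefix (both Guards are in AS 100, so their paths tie and are load-shared)."""
    rib = {}
    for u in updates:
        if not guard_in_permits(u):
            continue
        hops = rib.setdefault(u["prefix"], [])
        if u["next_hop"] not in hops and len(hops) < MAXIMUM_PATHS:
            hops.append(u["next_hop"])
    return rib


if __name__ == "__main__":
    hijack = [guard_filt_out("192.168.13.13/32", "192.168.200.1"),
              guard_filt_out("192.168.13.13/32", "192.168.200.2")]
    print(select_paths(hijack))      # both Guards installed, as in the capture that follows
    stripped = dict(hijack[0], communities=frozenset({"10:100"}))
    print(guard_in_permits(stripped), leak_risks(stripped))
```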

Hijacking via BGP routing when an attack occurs

Cat6509#sh ip route
S    192.168.12.0/24 [1/0] via 192.168.10.254
     192.168.13.0/24 is variably subnetted, 2 subnets, 2 masks
C       192.168.13.0/24 is directly connected, Vlan13
B       192.168.13.13/32 [20/0] via 192.168.200.2, 01:04:58
                         [20/0] via 192.168.200.1, 01:04:50

BGP hijacking routing during an attack

Injection change on the Guard when an attack occurs

router# sh ip route
S>* 0.0.0.0/0 [1/0] via 192.168.200.254, giga0
C>* 5.5.5.0/24 is directly connected, lo
C>* 5.5.5.10/32 is directly connected, lo
C>* 5.5.5.11/32 is directly connected, lo
C>* 5.5.5.12/32 is directly connected, lo
C>* 5.5.5.13/32 is directly connected, lo
C>* 5.5.5.14/32 is directly connected, lo
C>* 5.5.5.15/32 is directly connected, lo
C>* 127.0.0.0/8 is directly connected, lo
C>* 192.168.1.0/24 is directly connected, eth0
S>* 192.168.13.0/24 [1/0] via 192.168.200.254, giga0
G>* 192.168.13.13/32 is directly connected, lo
S>* 192.168.14.0/24 [1/0] via 192.168.200.254, giga0
C>* 192.168.200.0/24 is directly connected, giga0
C>* 192.168.200.100/32 is directly connected, lo

Injection route during an attack

Traffic throughput when passing through the Guard