Cisco Anomaly Guard Module Configuration Guide (Software Version 5.0) - Configuring Traffic Diversion [Cisco Services Modules]

Table Of Contents

Configuring Traffic Diversion

Understanding Traffic Diversion

Network Configurations

Understanding the Diversion Mechanism

Configuring Hijacking Parameters

Configuring Injection Parameters

Associating Hijacking Parameters with an Injection Route

Displaying the Diversion Routes

Configuring the Guard Module in an Inline Network Configuration

Configuring Hijacking

Configuring Injection

Inline Network Configuration Example

Configuring the Guard Module in an Out of Path Network Configuration

Configuring Hijacking

Configuring Injection

Out of Path Network Configuration Example

Understanding Traffic Injection Methods

Layer 2 Topology

Layer 3 Topology

Configuring VRF

Configuring Traffic Diversion

This chapter describes how to configure traffic diversion with the Cisco Anomaly Guard Module (Guard module). This chapter contains of the following sections:

•Understanding Traffic Diversion

•Configuring the Guard Module in an Inline Network Configuration

•Configuring the Guard Module in an Out of Path Network Configuration

•Understanding Traffic Injection Methods

You can install the Cisco Anomaly Guard Module (Guard module) in a Catalyst 6500 series switch or a 7600 series router. See the "Understanding the Cisco Anomaly Guard Module" section for more information.

When the Guard module detects an attack, the Guard module diverts the zone traffic to itself. The Guard module then analyzes the data flow, blocks all DDoS elements, removes the malicious packets from the diverted stream, forwards the legitimate traffic packets to their original destination allowing the traffic to continue flowing to the intended zone.

When you activate the learning process, the Guard module diverts the zone traffic to itself. The Guard module then analyzes the traffic to create protection policies and returns the traffic, without modifying it, to the zone main traffic path.

The entire cycle of diverting the zone traffic to the Guard module and returning it to the main data path is called the diversion process. When there are no suspected attacks, you do not need to activate the diversion process, and the Guard module does not see the zone traffic.

Understanding Traffic Diversion

IP traffic diversion involves two tasks:

•Hijacking—When the Guard module is protecting a zone, the Guard module diverts the routing of the zone traffic so that it flows to the Guard module, bypassing the normal supervisor engine onboard routing table.

•Injecting—The Guard module returns the legitimate traffic to the original data path.

This section contains the following topics:

•Network Configurations

•Understanding the Diversion Mechanism

Network Configurations

You can install the Guard module in one of the following network configurations:

•Configuring the Guard Module in an Inline Network Configuration—Install the Guard module in a switch or router that is in the main path (the zone traffic already flows through that switch or router). In this configuration, the Guard module diverts the zone traffic by adding a static route to the supervisor engine onboard routing table and injects the legitimate traffic back to its original destination. Figure 5-1 provides an example of an inline network configuration.

Figure 5-1 Inline Network Configuration

•Configuring the Guard Module in an Out of Path Network Configuration—Install the Guard module in a switch or router that does not stand in the regular line of zone traffic, but outside the regular line of zone traffic. In this configuration, the zone traffic is diverted from the regular line of zone traffic to the switch or router. To configure hijacking the Guard module adds static routes to the supervisor engine onboard routing table. You must set up in advance the routing tables redistribution on the switch or router so that these static routes are advertised by the relevant routing protocols, such as Border Gateway Protocol (BGP). Figure 5-2 provides an example of an out of path network configuration.

Figure 5-2 Out of Path Network Configuration

Understanding the Diversion Mechanism

The Guard module diversion configuration is global and applies to all the zones. The diversion configuration defines how packets are routed to each subnet and defines the routes needed for both hijacking and injection. When the Guard module is protecting a zone or when you activate the learning process, the Guard module consults the diversion configuration and the zone definition and determines how to divert traffic intended for that zone and how to inject traffic back to the zone main traffic path.

The Guard module uses an internal protocol, route health injection (RHI), with the supervisor engine to add routes to the supervisor engine onboard routing table. The Guard module adds routes when the Guard module is protecting a zone, or when you activate the learning process for a zone and removed the routes when zone protection and the learning process end.

Figure 5-3 shows how packets are routed between the supervisor engine onboard routing engine and the Guard module.

Figure 5-3 Diversion Mechanism

Note You can configure the same VLAN ID number for the Receive-via-vlan and the Send-via-vlan.

This section contains the following topics:

•Configuring Hijacking Parameters

•Configuring Injection Parameters

•Associating Hijacking Parameters with an Injection Route

•Displaying the Diversion Routes

Configuring Hijacking Parameters

Once protection for a zone is activated, the supervisor engine onboard routing engine diverts the zone traffic to the Guard module. The traffic from the supervisor engine to the Guard module is diverted on the receive-via-vlan VLAN. The Guard module uses the receive-via-ip IP address to receive the zone traffic on this VLAN. You can configure the same VLAN for hijacking and injecting traffic.

The Guard module installs a static route in the supervisor engine onboard routing table, that points to the Guard module as the nexthop to the zone to ensure that the zone traffic is diverted to it. The Guard module exploits the longest-prefix match algorithm; it divides each route into two routes with a longer prefix and advertises these routes to the supervisor engine onboard routing table. For example, the route for a 24-bit length zone subnet (class C) is published as two routes of 25-bit length zone subnets.

You can configure multiple hijacking routes. Each hijacking route has a weight that defines the route preference. The supervisor engine onboard routing engine prefers the path with the highest weight. By default, all hijacking routes are added with a weight of 1. You can change the default weight to define preference among multiple hijacking routes.

You can associate specific hijacking parameters with an injection route. Alternatively, you can configure global hijacking parameters that apply to all injection routes.

Note If you do not enter hijacking parameters, the Guard module configures them dynamically. The VLAN ID value is set dynamically to the VLAN ID defined on the Guard module interface giga2 and the receive-via-ip is set to the IP address of that VLAN. If no VLAN is defined, the VLAN ID is set to 1 and the receive-via-ip is set to the IP address of the interface giga2.

See the following section, "Configuring Injection Parameters", for information on how to associate hijacking parameters with an injection route.

To configure the global hijacking parameters, enter the following command:

diversion hijacking {receive-via-ip receive-via-ip | receive-via-vlan receive-via-vlan | weight weight}
Table 5-1 provides the arguments for the diversion hijacking command.

Table 5-1 Arguments for the diversion hijacking Command

Parameter

Description

receive-via-ip receive-via-ip

The IP address on the Guard module to which the supervisor engine forwards zone traffic.

receive-via-vlan receive-via-vlan

The VLAN on which the supervisor engine forwards zone traffic to the Guard module.

weight weight

The weight of the diversion hijacking route. The default value is 1.

Enter the no diversion hijacking command to restore the default values.

Configuring Injection Parameters

The Guard module removes malicious packets from the diverted stream and returns the legitimate traffic either to the supervisor engine onboard routing engine (Layer 3) or directly to the zone main traffic path (Layer 2). The Guard module sends the legitimate traffic on send-via-vlan VLAN. The next-hop router and the Guard module must be on the same VLAN for Layer 2 injection. To inject traffic to the zone main traffic path in Layer 2, configure the next hop to the zone as the next-hop router IP address.

Caution When configuring Layer 2 injection, do not enter the supervisor engine IP address as the next-hop router because routing loops could occur.

To configure the injection parameters, enter the following command:

diversion injection ip-address ip-mask nexthop next-hop
Table 5-2 provides the arguments for the diversion injection command.

Table 5-2 Arguments for the diversion injection Command

Parameter

Description

ip-address

The zone IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

ip-mask

The zone IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0). The default subnet mask is 255.255.255.255.

nexthop next-hop

The next-hop router IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

The IP address and subnet mask do not have to match the IP address and subnet mask of a specific zone. They can be a subset of the zone definition or they can consist of subnets that include several zones. For example, you can use one or two commands to configure diversion for a network that has hundreds of potential zones.

Associating Hijacking Parameters with an Injection Route

You can associate specific hijacking parameters with an injection route. Alternatively, you can configure global hijacking parameters that apply to all injection routes.

To associate hijacking parameters with an injection route, enter the following command:

diversion injection ip-address ip-mask nexthop next-hop [hijacking [receive-via-ip receive-via-ip] [receive-via-vlan receive-via-vlan] [weight weight] ]
Table 5-3 provides the arguments for the diversion injection hijacking command.

Table 5-3 Arguments for the diversion injection hijacking Command

Parameter

Description

ip-address

The zone IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

ip-mask

The zone IP subnet mask. Enter the subnet mask in dotted-decimal notation (for example, 255.255.255.0). The default subnet mask is 255.255.255.255.

nexthop next-hop

The next-hop router IP address. Enter the IP address in dotted-decimal notation (for example, 192.168.100.1).

hijacking

Associates the hijacking parameters with the injection route.

receive-via-ip receive-via-ip

The IP address on the Guard module to which the supervisor engine forwards zone traffic.

receive-via-vlan receive-via-vlan

The VLAN on which the supervisor engine forwards zone traffic to the Guard module.

weight weight

The weight of the diversion hijacking route. The default value is 1.

Displaying the Diversion Routes

The Guard module modifies the supervisor engine onboard routing table using RHI messages. The Guard module adds routes when you enable zone protection or when you activate the learning process for a zone and removes the routes when zone protection and the learning process end.

To display the diversion settings on the Guard module, enter the show diversion command.

You can display the RHI messages that the Guard module advertised on the supervisor engine when the Guard module is protecting a zone or learning the zone traffic characteristics only.

To display the routes that the Guard module advertised, enter the following command on the supervisor engine:

show anomaly-guard module module_number advertised-route
The module_number argument specifies the number of the slot that the module is installed in.

The following example shows how to display on the supervisor engine the routes that the Guard module advertised and displays an example route:
Sup# show anomaly-guard module 9 advertised-route 
RHI routes added by slot 9
	ip	mask	nexthop	vlan	weight
	--------------	--------------	---------------	------	------
A	192.168.252.8	255.255.255.0	192.168.8.10	8	1
To verify that the Guard module added the static routes, display the supervisor engine onboard routing table by entering the following command on the supervisor engine:

show ip route
The following example shows how to display the static routes that the Guard module added to the supervisor engine onboard routing table. The static routes are marked with an "S".
Sup# show ip route 
C    192.168.8.0/24 is directly connected, Vlan8
S 	 192.168.252.8/32 [1/0] via 192.168.8.10, Vlan8
Configuring the Guard Module in an Inline Network Configuration

In inline network configuration, the Guard module is installed in a switch or router which resides on the zone critical path (zone traffic flows through the switch or router whether the zone is protected by the Guard module or not).

This section contains the following topics:

•Configuring Hijacking

•Configuring Injection

•Inline Network Configuration Example

Configuring Hijacking

To configure diversion, the Guard module adds routes to the supervisor engine onboard routing table using RHI messages using the longest-prefix match. See the "Configuring Hijacking Parameters" section for more information.

Configuring Injection

To return the legitimate traffic to its original data path, configure Layer 2 or Layer 3 traffic injection. See the "Understanding Traffic Injection Methods" section for further details.

Inline Network Configuration Example

Figure 5-4 displays an example of traffic diversion in an inline network configuration. In this example, hijacking is performed in Layer 3 and injection is performed in Layer2.

Note You must configure networking before you can configure diversion. See "Configuring the Guard Module on the Supervisor Engine" and "Initializing the Guard Module" for more information.

Figure 5-4 Sample Inline Network Configuration, L3 Topology

•The Guard module is installed in slot number 9 in the switch

•Port GigabitEthernet2/2 on the switch is connected to the next-hop router on VLAN 9

To configure the supervisor engine and the Guard module as shown in the sample configuration, perform the following steps:

Step 1 Configure the switch or router interfaces on the supervisor engine by entering the following commands:
Sup# conf term
Sup(config)# vlan 8,9
Sup(config)# anomaly-guard module 9 port 2 allowed-vlan 8,9
Sup(config)# interface vlan 8
Sup(config-if)# ip address 192.168.8.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# interface vlan 9
Sup(config-if)# ip address 192.168.9.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# interface GigabitEthernet2/2
Sup(config-if)# switchport
Sup(config-if)# switchport mode access
Sup(config-if)# switchport access vlan 9
Step 2 Configure the Guard module interfaces on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# interface giga 2
user@GUARD-conf-if-giga2# no shutdown
user@GUARD-conf-if-giga2# exit
user@GUARD-conf# interface giga 2.8
user@GUARD-conf-if-giga2.8# ip address 192.168.8.10 255.255.255.0
user@GUARD-conf-if-giga2.8# no shutdown
user@GUARD-conf-if-giga2.89# exit
user@GUARD-conf#interface giga 2.9
user@GUARD-conf-if-giga2.9# ip address 192.168.9.10 255.255.255.0
user@GUARD-conf-if-giga2.9# no shutdown
user@GUARD-conf-if-giga2.9# exit
Step 3 Configure Diversion on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# diversion hijacking receive-via-ip 192.168.8.10
user@GUARD-conf# diversion hijacking receive-via-vlan 8
user@GUARD-conf# diversion injection 192.168.252.0 255.255.255.0 
nexthop 192.168.9.2
Step 4 Activate a zone by entering the protect or the learning commands.

See the "Learning the Zone Traffic Characteristics" section and the "Protecting the Zone" section for more information.

Step 5 Display the routes that the Guard module advertised by entering the show anomaly-guard module advertised-route command on the supervisor engine.

The following example shows how to display the routes that the Guard module advertised to the supervisor engine:
Sup# show anomaly-guard module 9 advertised-route 
RHI routes added by slot 9
	ip	mask	nexthop	vlan	weight
	--------------	--------------	---------------	------	------
A	192.168.252.0	255.255.255.128	192.168.8.10	8	1
A	192.168.252.128	255.255.255.128	192.168.8.10	8	1
Note The Guard module advertises these routes when the Guard module is protecting a zone or when you activate the learning process only.

Step 6 Display the static routes that were added to the supervisor engine onboard routing table by entering the show ip route command.

The following example shows how to display the static routes that were added to the supervisor engine onboard routing table:
Sup# show ip route
...
192.168.252.0/24 is variably subnetted, 3 subnets, 2 masks
S       192.168.252.0/25 [1/0] via 192.168.8.10, Vlan8
S       192.168.252.128/25 [1/0] via 192.168.8.10, Vlan8
Configuring the Guard Module in an Out of Path Network Configuration

In out of path network configuration, the Guard module is installed in a switch or router that does not stand in the regular line of zone traffic, but outside it. and the zone traffic is diverted from the regular line of zone traffic to the switch or router.

Configuring Hijacking

To configure diversion, the Guard module adds static routes to the supervisor engine onboard routing table using RHI messages using the longest-prefix match to ensure that the zone traffic is forwarded directly to the Guard module. See the "Configuring Hijacking Parameters" section for more information.

When the Guard module is protecting a zone or when you activate the learning process, the Guard modifies the supervisor engine onboard routing table. You must configure the supervisor engine or the MSFC to issue a BGP (EBGP or IBGP) announcement to the router from which the zone traffic is diverted (divert-from-router). The divert-from-router modifies its routing table based on the BGP announcement the supervisor engine advertises. The announcement lists the Guard as the best next hop to the specific zone. To ensure that the router that forwards the traffic from the Guard module on to the zone does not forward the BGP announcement, set the no-advertise and no-export BGP community strings. This ensures that when packets destined to the zone reach the next-hop router, the router forwards that packet to the zone, and not back to the Guard module.

Configuring Injection

To return the legitimate traffic to its original data path, configure Layer 2 or Layer 3 traffic injection. See the "Understanding Traffic Injection Methods" section for further details.

Out of Path Network Configuration Example

Figure 5-4 displays an example of traffic diversion in an out-of-path network configuration. In this example, hijacking is performed in Layer 3 and injection is performed in Layer 2.

Note You must configure networking before you can configure diversion. See "Configuring the Guard Module on the Supervisor Engine" and "Initializing the Guard Module" for further details.

Figure 5-5 Sample Out of Path Network Configuration, L3 Topology

•The Guard module is installed in slot number 9 in the switch or router

•Port Gigabit Ethernet 2/2 on the switch or router is connected to the next-hop router on VLAN 9

•R0 and R2 are in autonomous system (AS) 100. The Guard module is in AS 55.

Note When the Guard module is not protecting the zone, the traffic flows directly from R0 to R2. The route for the zone traffic must have either a high weight (higher than 1) or a less specific route than the route of the Guard module.

To configure the supervisor engine and the Guard module as shown in the sample configuration, perform these steps:

Step 1 Configure the switch or router interfaces on the supervisor engine by entering the following commands:
sup# conf term
Sup(config)# vlan 8,9
Sup(config)# anomaly-guard module 9 port 2 allowed-vlan 8,9
Sup(config)# interface vlan 8
Sup(config-if)# ip address 192.168.8.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# interface vlan 9
Sup(config-if)# ip address 192.168.9.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# interface GigabitEthernet2/2
Sup(config-if)# switchport mode trunk 
Sup(config-if)# switchport trunk encapsulation dot1q 
Sup(config-if)# switchport
Sup(config-if)# switchport access vlan 9
Sup(config-if)# switchport mode access
Step 2 Configure a route map on the supervisor engine so that only the static routes that the Guard module adds to the supervisor engine onboard routing table are published to the neighbors. Set the no-advertise and no-export BGP community strings by entering the following commands:
sup# conf term
Sup(config)# access-list 61 permit 192.168.8.10
Sup(config)# route-map PERMIT_GUARD_ONLY permit 10
Sup(config-route-map)# match ip next-hop 61
Sup(config-route-map)# set community no-export no-advertise 
Sup(config-route-map)# exit
Sup(config)# route-map PERMIT_GUARD_ONLY deny 20
Step 3 Configure the BGP redistribution routes on the supervisor engine. Define a neighbor for AS 100. Configure the supervisor engine to publish a BGP announcement each time that it adds a static route to its onboard routing table with a destination IP address that equals the Guard module receive-via-ip address by entering the following commands:
sup# conf term
Sup(config)# router bgp 55
Sup(config-router)# bgp log-neighbor-changes
Sup(config-router)# neighbor 192.168.8.29 remote-as 100
Sup(config-router)# address-family ipv4
Sup(config-router-af)# redistribute static route-map PERMIT_GUARD_ONLY
Sup(config-router-af)# neighbor 192.168.8.29 activate
Sup(config-router-af)# no auto-summary
Sup(config-router-af)# no synchronization
Sup(config-router-af)# exit-address-family
Step 4 Configure the Guard module interfaces on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# interface giga 2.8
user@GUARD-conf-if-giga2.8# ip address 192.168.8.10 255.255.255.0
user@GUARD-conf-if-giga2.8# no shutdown
user@GUARD-conf-if-giga2.8# exit
user@GUARD-conf# interface giga 2.9
user@GUARD-conf-if-giga2.9# ip address 192.168.9.10 255.255.255.0
user@GUARD-conf-if-giga2.9# no shutdown
user@GUARD-conf-if-giga2.9# exit
Step 5 Configure Diversion on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# diversion hijacking receive-via-ip 192.168.8.10
user@GUARD-conf# diversion hijacking receive-via-vlan 8
user@GUARD-conf# diversion injection 192.168.252.0 255.255.255.0 
nexthop 192.168.9.2
Step 6 Configure the BGP settings on router R0 by entering the following commands:
RouterR0# conf term
RouterR0(config)# router bgp 100
RouterR0(config-router)# neighbor 192.168.8.3 remote-as 55
Step 7 Activate a zone by entering the protect or the learning commands.

See the "Learning the Zone Traffic Characteristics" section and the "Protecting the Zone" section for more information.

Step 8 Display the routes that the Guard module advertised by entering the show anomaly-guard module advertised-route command on the supervisor engine.

The following example shows how to display the routes that the Guard module advertised to the supervisor engine:
Sup# show anomaly-guard module 9 advertised-route 
RHI routes added by slot 9
	ip	mask	nexthop	vlan	weight
	--------------	--------------	---------------	------	------ 
A	192.168.252.8	255.255.255.0	192.168.8.10	8	1
Note The Guard module advertises these routes when it is protecting a zone or when you activate the learning process only.

Step 9 Display the static routes that were added to the supervisor engine onboard routing table by entering the show ip route command.

The following example shows how to display the static routes that were added to the supervisor engine onboard routing table:
Sup# show ip route
...
192.168.252.0/24 is variably subnetted, 3 subnets, 2 masks
S       192.168.252.0/25 [1/0] via 192.168.8.10, Vlan8
S       192.168.252.128/25 [1/0] via 192.168.8.10, Vlan8
Step 10 Verify that the router R0 has added the new routes to the zone, which were advertised by the Guard module, to its routing table. Display the BGP routing table on router R0.

The following example shows the BGP routing table before the Guard module advertised the new routes to the zone:
RouterR0# show ip bgp         
.
.
.
	Network	Next Hop	Metric LocPrf	Weight	Path
*> 	192.168.252.0/24	192.168.9.2	0	0	100 ?
The following example shows the BGP routing table after the Guard module advertised the new routes to the zone:
RouterR0# show ip bgp         
.
.
.
	Network	Next Hop	Metric LocPrf	Weight	Path
*>	192.168.252.0/25	192.168.8.3	0	0	55 ?
*>	192.168.252.128/25	192.168.8.3	0	0	55 ?
RouterR0# 
Understanding Traffic Injection Methods

This section describes different methods used for injecting the legitimate traffic from the Guard module to the next-hop router. The methods vary according to two main network topologies:

•Layer 2 Topology

•Layer 3 Topology

Layer 2 Topology

In this topology, to return the legitimate traffic to its original destination, the Guard module forwards the legitimate traffic directly to the next-hop router. It does not require the supervisor engine to make a routing decision.

The Guard module locates the next-hop router MAC address by sending an ARP query to its IP address (see the "Configuring Injection Parameters" section for more information). It forwards the legitimate traffic to the switch or router interface that is connected to the relevant next-hop router. The supervisor engine and the next-hop router to the zone must be located on the same VLAN, and the Guard module must have an IP address on that VLAN.

See the "Inline Network Configuration Example" section and the "Out of Path Network Configuration Example" section for a configuration example.

Layer 3 Topology

In this topology, to inject the legitimate traffic back to its original destination, the supervisor engine must make a routing decision. The Guard module can inject the legitimate traffic to one of the following destinations:

•To a different router or VLAN—See the "Figure 5-4 displays an example of traffic diversion in an inline network configuration. In this example, hijacking is performed in Layer 3 and injection is performed in Layer2." section for a configuration example

•Back to where it diverted the traffic from

When activating a zone by entering the protect or the learning commands, the Guard module modifies the routing table (the supervisor engine onboard routing table or the routing table of the adjacent router, depending on the network topology) to be listed as the best path to the zone. If the Guard module returns the legitimate traffic to where it diverted the traffic from, the result could be a routing loop. To prevent a routing loop, you can associate routing rules with the legitimate traffic that the Guard module forwards to the zone and configure these routing rules to override the global routing table.

You can use a Virtual Private Network (VPN) Routing and Forwarding (VRF) instance to create an additional forwarding table in the supervisor engine onboard routing engine to forward traffic without using the supervisor engine onboard routing table and avoid routing loops. Use this forwarding table to define an alternative injection path to route packets that are sent from the Guard module to the zone. Include only information on how to forward traffic to the next-hop router to the zone.

You can forward the zone traffic directly to the next-hop router or inject it into a GRE or IPIP tunnel.

Figure 5-6 displays an example of Layer 3 injection configuration.

Figure 5-6 Sample of Layer 3 Injection Configuration

Configuring VRF

VRF is an injection method that is deployed in Layer 3 network topologies where the Guard module injects the legitimate traffic back to the same router from which the traffic was hijacked. VRF can be applied in both an inline network configuration and in an out-of-path network configuration.

VRF enables you to create a routing and forwarding table (called the VRF table) in addition to the global routing and forwarding tables. Configure this table to route traffic that is received on the interface with the Guard module.

Note The configuration in Figure 5-6 applies for both an inline network configuration and an out-of-path network configuration.

•Hijacking interface—Use this interface to divert traffic to the Guard module. Traffic on this VLAN is forwarded according to the global routing table. This example uses VLAN 8 for hijacking.

•Injection interface—Use this interface to inject the returned traffic from the Guard module to the zone main data path. Configure the VRF table on this interface. Configure a static route in the VRF table to forward all the traffic sent from the Guard module to the zone, to the next-hop router. This example uses VLAN 9 for injection.

Note You can configure multiple next-hop routers.

To configure the supervisor engine and the Guard module as shown in the sample configuration, perform the following steps:

Step 1 Create a VRF table on the supervisor engine by entering the following commands:
Sup# conf term
Sup(config)# ip vrf Guard-vrf      
Sup(config-vrf)# rd 100:1
Step 2 Configure the VRF table on the supervisor engine by either:

•Inject the traffic directly on to the next-hop router

•Inject the traffic over a tunnel

See the "Injecting Directly" section and the "Injecting Over a Tunnel" section for more information.

Step 3 Configure the VLAN interfaces on the supervisor engine and associate these interfaces with the Guard module by entering the following commands:
Sup# conf term
Sup(config)# interface vlan 8
Sup(config-if)# ip address 192.168.8.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no ip directed-broadcast
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# interface vlan 9
Sup(config-if)# ip vrf forwarding Guard-vrf     
Sup(config-if)# ip address 192.168.9.3 255.255.255.0
Sup(config-if)# no ip proxy-arp
Sup(config-if)# no shutdown
Sup(config-if)# exit
Sup(config)# anomaly-guard module 9 port 2 allowed-vlan 8,9
Step 4 Configure the Guard module interfaces on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# interface giga 2.8
user@GUARD-conf-if-giga2.8# ip address 192.168.8.10 255.255.255.0
user@GUARD-conf-if-giga2.8# no shutdown
user@GUARD-conf-if-giga2.8# exit
user@GUARD-conf# interface giga 2.9
user@GUARD-conf-if-giga2.9# ip address 192.168.9.10 255.255.255.0
user@GUARD-conf-if-giga2.9# no shutdown
user@GUARD-conf-if-giga2.9# exit
Step 5 Configure Diversion on the Guard module by entering the following commands:
user@GUARD# conf term
user@GUARD-conf# diversion hijacking receive-via-ip 192.168.8.10
user@GUARD-conf# diversion hijacking receive-via-vlan 8
user@GUARD-conf# diversion injection 192.168.252.0 255.255.255.0 
nexthop 192.168.9.3
Step 6 Configure injection using one of the following methods:

•Inject traffic directly to the zone

•Inject traffic to the zone over a GRE or IPIP tunnel

See the "Injecting Directly" section and the "Injecting Over a Tunnel" section for more information.

Injecting Directly

Add a static route to the VRF table to specify the route to the zone by entering the following command on the supervisor engine:
Sup(config)# ip route vrf Guard-vrf 192.168.252.0 255.255.255.0 
192.168.250.2 global
The global keyword indicates that the route to the next-hop router is learned from the global routing table.

Alternatively, you can define a specific routing protocol instance for each VRF. For example, you can use the address-family ipv4 vrf command to create a specific BGP instance for the VRF.

Injecting Over a Tunnel

To configure injection over a tunnel, perform the following steps:

Step 1 Configure a tunnel on the supervisor engine by entering the following commands:

Note This example uses a GRE tunnel.
Sup# conf term
Sup(config)# interface tunnel5
Sup(config-if)# ip address 192.168.145.2 255.255.255.252 
Sup(config-if)# tunnel source 192.168.8.3 
Sup(config-if)# tunnel destination 192.168.7.1
Step 2 Configure the tunnel end on the next-hop router by entering the following commands:
router# conf term
router(config)# interface tunnel5
router(config-if)# ip address 192.168.145.1 255.255.255.252
router(config-if)# tunnel source 192.168.7.1 
router(config-if)# tunnel destination 192.168.8.3
Step 3 Add a static route on the supervisor engine to the VRF table that specifies the route to the zone by entering the following commands:
Sup(config)# ip route vrf Guard-vrf 192.168.252.0 255.255.255.0 
192.168.145.1 global
The global keyword indicates that the route to the next-hop router is learned from the global routing table.