Cisco DDoS Guard Configuration Examples (Cisco_DDos_Guard_配置实例.doc)

7.2 Traffic Diversion/Injection Configuration Examples

IP L2 Diversion / L2 Injection Configuration Example

Figure 7-1 shows an L2 diversion / L2 injection configuration example.

Figure 7-1 L2 diversion/injection configuration example

Guard module configuration

On the Guard module, the next hop for the zone ( /24) is set to (R1) 53, which is on the same VLAN 200 as the AGM module's injection interface. The injected traffic is then Layer 2 switched on the Sup 720 directly to the router. In this type of configuration you must ensure that only the "diverting" routers and the 7609 that hosts the Guard service module receive the routing update used to divert traffic. If R1 also received the update, it would send the traffic for the zone back to the Guard module and create a routing loop.

Note: The relevant commands are highlighted in blue.

AGM:

    diversion hijacking receive-via-ip
    diversion hijacking receive-via-vlan 100
    diversion injection nexthop 53
    interface eth1
     ip address
     mtu 1500
     no shutdown
    exit
    interface giga2
     mtu 1500
     no shutdown
    exit
    interface giga2.100
     ip address
     mtu 1500
     no shutdown
    exit
    interface giga2.200
     ip address
     mtu 1500
     no shutdown
    exit

7609:

The 7609 needs no special configuration because the injected packets are Layer 2 switched. As described later in this document, when the zone is in protect mode the diversion can be triggered by the AGM module or externally by a NOC device.

Note: The relevant commands are highlighted in blue.

    anomaly-guard module 2 port 1 allowed-vlan 10
    anomaly-guard module 2 port 2 allowed-vlan 100,200
    anomaly-guard module 2 port 1 native-vlan 10
    interface gigabitethernet1/1
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    !
    interface gigabitethernet1/2
     no ip address
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface vlan100
     ip address 54
     no ip redirects
     no ip unreachables
     no ip proxy-arp
    interface vlan200
     ip address 54
     no ip redirects
     no ip unreachables
     no ip proxy-arp

IP Diversion and Injection on the Same Router Configuration Example

In the lab setup shown in Figure 7-2, R1 is the attack ingress.

Figure 7-2 Lab setup

Traffic from R1 is diverted to a cleaning center with a Cisco 7609 that carries one AGM module and cleans the traffic to two zones ( and ). Both zones are in protect mode, which installs two static routes on the Sup720, so all traffic is redirected to the AGM module. Traffic is diverted into the AGM through interface VLAN73 and injected back into the network through interface VLAN74, where a PBR policy bypasses the normal routing table and sends all traffic for zone over Tunnel1 and all traffic for zone over Tunnel2. Tunnel1 and Tunnel2 are preconfigured GRE tunnels that originate on the Sup720 and terminate on the corresponding egress CPE.

AGM-7600 configuration

Note: The relevant commands are highlighted in blue.

    agm-7600-1#sh run
    building configuration.
    hostname agm-7600-1
    anomaly-guard module 3 port 1 allowed-vlan 1
    anomaly-guard module 3 port 2 allowed-vlan 73,74
    interface tunnel1
     description tunnel to p6
     ip address 52
     load-interval 30
     keepalive 10 3
     tunnel source loopback0
     tunnel destination
    !
    interface tunnel2
     description tunnel to ce-7600
     ip address 52
     load-interval 30
     keepalive 10 3
     tunnel source
     tunnel destination
    !
    interface ge-wan1/4
     description ge link to p-7600-1 g2/3
     ip address
     negotiation auto
     no mls qos trust
    !
    interface vlan1
     ip address 2
    !
    interface vlan73
     ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     load-interval 30
    !
    interface vlan74
     ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip policy route-map zones
     load-interval 30
    !
    access-list 1 permit
    access-list 1 permit
    access-list 2 permit 54
    access-list 101 permit ip any 55
    access-list 102 permit ip any 55
    !
    route-map guard-rhi-map permit 10
     match ip next-hop 1
     set ip next-hop 12
    !
    route-map zones permit 10
     match ip address 101
     set interface tunnel1
    !
    route-map zones permit 20
     match ip address 102
     set interface tunnel2
    !
    end

Because a static route is installed when a zone is in protect mode, the attack traffic for both zones is diverted to the Guard.

    agm-7600-1#sh ip route
    routing entry for /25
     known via static, distance 1, metric 0
     routing descriptor blocks:
     * , via vlan73
     route metric is 0, traffic share count is 1
    agm-7600-1#sh ip route
    routing entry for /25
     known via static, distance 1, metric 0
     routing descriptor blocks:
     * , via vlan73
     route metric is 0, traffic share count is 1

Check that the traffic is diverted to the AGM module:

    agm-7600-1#sh int vlan73
    vlan73 is up, line protocol is up
     30 second input rate 0 bits/sec, 0 packets/sec
     30 second output rate 576000 bits/sec, 1064 packets/sec
     23019185 packets output, 1159423315 bytes, 0 underruns

Verify that the cleaned traffic is injected back through interface VLAN74:

    agm-7600-1#sh int vlan74
    vlan74 is up, line protocol is up
     30 second input rate 614000 bits/sec, 1197 packets/sec
     30 second output rate 0 bits/sec, 0 packets/sec
     23033317 packets input, 1419672776 bytes, 0 no buffer

Make sure the injected traffic follows the PBR policy and is mapped to the corresponding preconfigured GRE tunnel:

    agm-7600-1#sh int tunnel1
    tunnel1 is up, line protocol is up
     30 second input rate 0 bits/sec, 0 packets/sec
     30 second output rate 427000 bits/sec, 615 packets/sec
    agm-7600-1#sh int tunnel2
    tunnel2 is up, line protocol is up
     30 second input rate 0 bits/sec, 0 packets/sec
     30 second output rate 398000 bits/sec, 585 packets/sec

AGM Configuration Example Using VRF-Lite to Carry Injected Traffic over GRE Tunnels

The lab topology and the related configuration are shown in Figure 7-3.

Figure 7-3 Using VRF-Lite to carry injected traffic over GRE tunnels

The AGM module uses two VLANs, VLAN 12 and VLAN 14, to connect internally to the Sup-720. VLAN 12 receives the diverted traffic and VLAN 14 injects the cleaned traffic back into the network.
When a zone is placed in protect mode on the AGM module, the module installs a static route for that zone in the global routing table with its own IP address as the next hop. In the lab setup the diversion is performed by redistributing that static route into the IGP, here IS-IS, so every router updates its next hop for the zone to the AGM module. The cleaned traffic is then injected back on VLAN 14. A new VRF named "internet" is created on the router; the VLAN14 interface and the GRE tunnel interface both belong to this VRF. A static route added to VRF "internet" sends all traffic destined for the protected zone into the GRE tunnel.

It is extremely important that, for the injected traffic to be hardware switched, you prevent packets from crossing the fabric and force them over the bus. Command: fabric switching-mode force busmode. For details see the Field Notice at the following URL: /en/us/products/hw/modules/ps2706/products_field_notice09186a00804093ee.shtml

When the zone is in protect mode, a static route is installed in the global routing table of the 7600 router and then redistributed into IS-IS, so traffic to that zone is diverted to the AGM module. The route change can be verified on the attack ingress router (gsr-clean-p2).

    gsr-p-clean2#show ip route 00
    routing entry for 00/32
     known via isis, distance 115, metric 20, type level-2
     redistributing via isis
     last update from 6 on pos1/0, 04:37:56 ago
     routing descriptor blocks:
     route metric is 20, traffic share count is 1
     * 6, from 4, via pos1/0

Now look at the configuration of cc-7600-1, the router that carries the AGM module. A VRF named "internet" is created, and the two logical interfaces, VLAN14 and the tunnel interface, are made part of it. In addition, a static route is added to this VRF that points the next hop for the protected zone to the far end of the tunnel interface.

    cc-7600-1#show run
    building configuration.
    hostname cc-7600-1
    !
    anomaly-guard module 3 port 1 allowed-vlan 1
    anomaly-guard module 3 port 2 allowed-vlan 12-14
    !
    !
    ip vrf internet
     rd 1000:1
     route-target export 1000:1
     route-target import 1000:1
    !
    mls mpls tunnel-recir
    !
    interface tunnel2
     ip vrf forwarding internet
     ip address
     tunnel source 4
     tunnel destination 19
    !
    interface loopback0
     ip address 4 55
    !
    interface pos5/1
     description connection to p rid4
     ip address 4 52
     ip pim sparse-dense-mode
     ip router isis clean
     no mls qos trust
     crc 32
     clock source internal
     isis three-way-handshake ietf
    !
    interface gigabitethernet6/1
     ip address
     speed nonegotiate
    !
    interface vlan12
     ip address
    !
    interface vlan13
     ip vrf forwarding internet
     ip address
    !
    interface vlan14
     ip vrf forwarding internet
     ip address
    router isis clean
    !
    ip route vrf internet 55
    ip route vrf internet 00 55

Verify that the static route was installed on the 7600 when the zone was placed in protect mode.

    cc-7600-1#show ip route static
     /8 is variably subnetted, 64 subnets, 3 masks
    s 00/32 1/0 via , vlan12
    s /32 1/0 via
    # the static route for 00 is dynamically injected when the zone goes into analysis or protect mode

After cleaning, the traffic is injected into interface VLAN14. Because VLAN14 is part of VRF "internet", an ordinary FIB lookup for the destination network is performed in that VRF and the traffic is routed through the GRE tunnel. The related show commands follow:

    cc-7600-1#show ip route vrf internet
     /8 is variably subnetted, 5 subnets, 2 masks
    s 00/32 1/0 via , tunnel2
    c /24 is directly connected, vlan10
    c /24 is directly connected, vlan14
     /24 is subnetted, 1 subnets
    c is directly connected, tunnel2
    c /24 is directly connected, vlan13
    c /24 is directly connected, vlan11
    clean-1-7600#show ip cef vrf internet 00
    00/32, version 14, epoch 0, cached adjacency to tunnel2
    0 packets, 0 bytes
     flow: as 0, mask 32
     tag information set, all rewrites owned
     local tag: vpn-route-head
     via , 0 dependencies, recursive
     next hop , tunnel2 via /24 (internet)
     valid cached adjacency
     tag rewrite with tu2, point2point, tags imposed:

Verify that the packets are switched out of the GRE tunnel interface:

    clean-1-7600#show int tu2
    tunnel2 is up, line protocol is up
     30 second output rate 25768000 bits/sec, 47368 packets/sec

As shown above, the packets are destined to 19, the loopback address of vxr-cpe-custb9. The counters show that the packets are being switched out of the GRE tunnel. The relevant configuration of the egress CPE at the far end of the tunnel, which directly connects to the protected zone, follows:

    vxr-ce-custb9#show run
    building configuration.
    !
    interface tunnel1
     ip address
     tunnel source 19
     tunnel destination 4
    !
    interface loopback0
     description rid:119
     ip address 19
     55
    !

When a Guard appliance is used, the GRE tunnel originates on the Guard appliance and terminates on the egress CPE. Routes to a particular zone are mapped to the corresponding tunnel by static routes on the appliance. As described above, the diversion process is the same as diverting traffic to the Guard module.

MPLS Diversion / VRF Injection Configuration Example

The lab setup for VRF injection with a Guard appliance is shown in Figure 7-4. The attack target is 00 and the attack enters from the peer router clean-p2. The attack traffic is diverted to the Guard appliance and then injected back into VRF "internet", which was created to carry the injected traffic.

Figure 7-4 Lab setup for VRF injection

cc-7600-1 and the Guard appliance are connected through two interfaces, one for diversion and the other for injection. When the zone vrf is in analysis/basic mode, the Guard automatically injects the protected subnet via BGP into the MSFC/Sup720 global table on cc-7600-1 with itself as the next hop, and this route is redistributed into IS-IS for all peer routers. When a peer router receives the update for 02, it sends the affected traffic over an LSP that terminates on cc-7600-1. After the traffic is cleaned, it is injected back to cc-7600 through the Gig 2 interface. VLAN 13 on the Sup720 is configured in VRF "internet". cc-7600-1 and vxr-pe-clean6 run MP-BGP, and the route to the attacked 02 is advertised by vxr-pe-clean6 to cc-7600-1. When the injected traffic enters VRF "internet" on 7600-cc-1, the BGP route to 02 points to next hop 6, the loopback address of vxr-pe-clean6, and the packets are label switched (VPN+ labels) to vxr-pe-clean6. When a packet arrives at vxe-pe-8, the RIB/FIB/LFIB lookup shows that, because the next-hop address of cpe-8 is looped into the global table, the packet must be sent out of the interface. The packet reaches its destination.

gsr-clean-p2

    gsr-p-clean2#
    !
    router bgp 76
     no synchronization
     bgp router-id
     no bgp fast-external-fallover
     bgp log-neighbor-changes
     bgp dampening route-map graded-flap-dampening
     neighbor remote-as 76
     neighbor update-source loopback0
     no auto-summary

The show commands follow:

    gsr-p-clean2#show ip route 02
    routing entry for 02/32
     known via isis, distance 115, metric 20, type level-2
     redistributing via isis
     last update from 6 on pos1/0, 2d04h ago
     routing descriptor blocks:
     * 6, from 4, via pos1/0
     route metric is 20, traffic share count is 1
    gsr-p-clean2#show mpls forwarding-table 02
    local  outgoing  prefix   bytes tag  outgoing   next hop
    tag    tag or vc or tunnel id  switched   interface
    48     25        02/32    0          po1/0      point2point

The route to the target zone is learned via IS-IS because, when the zone is in protect mode, the route is redistributed by the cleanc-guard1 router. The local tag is 48 and the outgoing tag is 25. The configuration of gsr-p-clean4 follows.

gsr-p-clean4 (configuration omitted)

    gsr-p-clean4#show mpls forwarding-table 02
    local  outgoing  prefix   bytes tag   outgoing   next hop
    tag    tag or vc or tunnel id  switched    interface
    25     75        02/32    2820036560  po1/2      point2point
    gsr-clean4#show ip route 02
    routing entry for 02/32
     known via isis, distance 115, metric 10, type level-2
     redistributing via isis clean
     last update from 4 on pos1/2, 2d04h ago
     routing descriptor blocks:
     * 4, from 4, via pos1/2
     route metric is 10, traffic share count is
    1
    gsr-p-clean4#show ip cef 02
    02/32, version 583, epoch 0, cached adjacency to pos1/2
    0 packets, 0 bytes
     tag information set, all rewrites owned
     local tag: 25
     fast tag rewrite with po1/2, point2point, tags imposed 75
     flow: as 0, mask 32
     via 4, pos1/2, 0 dependencies
     next hop 4, pos1/2
     valid cached adjacency
     tag rewrite with po1/2, point2point, tags imposed 75

gsr-p-clean4 also receives the route update in IS-IS; it shows that the next hop of the route is 4 on interface po1/2, the interface that connects it to the cleanc-guard1 router. The 7600 configuration follows.

7600 configuration

    cc-7600-1#show run
    building configuration.
    hostname cc-7600-1
    !
    ip subnet-zero
    !
    !
    ip vrf internet
     rd 1000:1
     route-target export 1000:1
     route-target import 1000:1
    !
    interface loopback0
     ip address 4 55
    !
    interface pos5/1
     description connection to p rid4
     ip address 4 52
     ip pim sparse-dense-mode
     ip router isis clean
     mpls label protocol ldp
     tag-switching ip
     no mls qos trust
     crc 32
     clock source internal
     isis three-way-handshake ietf
    !
    interface gigabitethernet6/1
     ip address
     speed nonegotiate
    !
    interface gigabitethernet6/2
     ip vrf forwarding internet
     ip address
     speed nonegotiate
    !
    router isis clean
     net 49.0001.0760.0100.1054.00
     metric-style wide
     max-lsp-lifetime 65535
     lsp-refresh-interval 65500
     spf-interval 1 1 50
     prc-interval 1 1 50
     lsp-gen-interval 5 1 50
     log-adjacency-changes all
     display-route-detail
     passive-interface fastethernet1/47
     redistribute static
     passive-interface gigabitethernet6/1
     passive-interface loopback0
    !
    router bgp 76
     bgp router-id 4
     bgp router-id allow-equal
     bgp log-neighbor-changes
     neighbor remote-as 76
     neighbor shutdown
     neighbor update-source loopback0
     neighbor remote-as 76
     neighbor update-source loopback0
     neighbor 6 remote-as 76
     neighbor 6 shutdown
     neighbor 6 update-source loopback0
     neighbor remote-as 76
     neighbor update-source loopback0
     !
     address-family ipv4
     redistribute static metric 10
     neighbor activate
     neighbor activate
     neighbor 6 activate
     no auto-summary
     no synchronization
     exit-address-family
     !
     address-family vpnv4
     neighbor activate
     neighbor send-community both
     neighbor 6 activate
     neighbor 6 send-community extended
     exit-address-family
     !
     address-family ipv4 vrf internet
     no auto-summary
     no synchronization
     exit-address-family
    !

A new VRF "internet" is created on the 7600, a BGP relationship is established with the appliance, and BGP is redistributed into IS-IS. When the target zone is in protect mode, the appliance sends a BGP update with itself as the next hop, which is then redistributed into IS-IS.

Guard

    nsite-guard2 admin
    nsiteguard2#show run
    hostname nsiteguard2
    timezone america/new_york
    interface eth0
     ip address 7
     mtu 1500
     no shutdown
    exit
    interface giga0
     ip address
     mtu 1500
     no shutdown
    exit
    interface giga1
     ip address
     mtu 1500
     no shutdown
    exit
    interface eth1
     ip address 4
     mtu 1500
     no shutdown
    exit
    interface lo:0
     ip address 55
     no shutdown
    exit
    ip route giga1
    default-gateway
    proxy
    proxy
    proxy
    proxy
    !
    router bgp 76
     bgp router-id
     redistribute guard
     neighbor remote-as 76
     neighbor route-map guard-out out
    !
    ip route 00/32 (for injection )
    !
    access-list nothing-in deny any
    !
    route-map guard-out permit 10
     set ip next-hop
    !
    write memory
    end
    exit

The Guard configuration includes establishing a BGP peering with the 7600. Every BGP update sent by the Guard sets the next hop to the Guard's own loopback address, and the traffic is injected back out of the giga1 interface by a default route or a specific route. The configuration of the egress PE follows.

vxr-pe-clean6

    !
    ip vrf internet
     rd 1000:1
     route-target export 1000:1
     route-target import 1000:1
    !
    ipv6 flow-cache mpls label-positions 1 2
    clns routing
    mpls label protocol ldp
    no tag-switching advertise-tags
    tag-switching advertise-tags for clean_loopbacks
    tag-switching tdp router-id loopback0
    !
    interface loopback0
     description rid 106
     ip address 6 55
    !
    interface gigabitethernet0/0
     description clean-cat6k-1 gig2/12 netflow
     ip address 6
     duplex full
     speed 1000
     media-type gbic
     no negotiation auto
     no clns route-cache
    !
    interface atm1/0
     description vxr-ce-custb9:atm1/0
     ip address 52
     ip flow ingress
     map-group atm-in
     atm clock internal
     atm pvc 1 1 5 aal5snap
     atm ilmi-keepalive
    !
    interface pos2/0
     description connection to p rid 6
     ip address 2 52
     ip verify unicast source reachable-via rx
     ip router isis clean
     ip flow ingress
     ip pim sparse-dense-mode
     tag-switching ip
     crc 32
     clock source internal
     no clns route-cache
     isis three-way-handshake ietf
     no isis hello padding always
    !
    interface serial3/0
     description ft-vict2
     ip address 52
     ip flow ingress
     load-interval 30
     dsu bandwidth 44210
     framing c-bit
     cablelength 10
     serial restart-delay 0
    !
    router isis clean
     net 49.0001.0760.0100.1056.00
     metric-style wide
     max-lsp-lifetime 65535
     lsp-refresh-interval 65500
     spf-interval 1 1 50
     prc-interval 1 1 50
     lsp-gen-interval 5 1 50
     log-adjacency-changes all
     display-route-detail
     redistribute connected
     passive-interface loopback0
    !
    router bgp 76
     no synchronization
     bgp router-id 6
     bgp log-neighbor-changes
     redistribute static
     neighbor remote-as 76
     no auto-summary
     !
     address-family vpnv4
     neighbor activate
     neighbor send-community extended
     neighbor 4 activate
     neighbor 4 send-community extended
     exit-address-family
     !
     address-family ipv4 vrf internet
     redistribute connected
     redistribute static
     no auto-summary
     no synchronization
     exit-address-family
    !
    ip classless
    ip route 18 55
    ip route vrf internet 00 55 02 global
    ip route vrf internet
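The routing-loop caveat in the L2 diversion / L2 injection example above (only the diverting routers and the 7609 that hosts the Guard module may receive the diversion route; if R1 also learned it, traffic for the zone would circle between R1 and the Guard) can be checked before a route update is widened to more routers. The following Python script is an added example, not part of the original document or of Cisco's Guard software. The node names ingress, 7609, guard and r1, their adjacency, and the next-hop tables are assumptions modelled on Figure 7-1. It follows the zone prefix hop by hop through a constructed forwarding table and reports whether the diverted traffic reaches the Guard, bypasses it, or loops.

```python
"""Trace the zone prefix through a Guard diversion design and spot loops.

Added example (not from the original document or Cisco).  The topology is
a constructed simplification of Figure 7-1: an ingress router peers with
the 7609 that carries the Guard module, and the 7609 trunks VLAN 200 to
both the Guard's injection interface and R1, the zone's gateway.  Node
names are assumptions.
"""
from typing import Dict, List, Set, Tuple

ZONE, GUARD, HOST, INJECT_ROUTER = "zone", "guard", "7609", "r1"

# Directly attached neighbours (Layer 2 or Layer 3) of each node.
ADJACENT: Dict[str, Set[str]] = {
    "ingress": {HOST},
    HOST: {"ingress", GUARD, INJECT_ROUTER},
    GUARD: {HOST, INJECT_ROUTER},
    INJECT_ROUTER: {HOST, GUARD, ZONE},
}
# Where a node hands packets whose next hop is not directly attached.
UPSTREAM: Dict[str, str] = {"ingress": HOST}
# Next hop for the zone prefix before any diversion route is installed.
NORMAL_ROUTE: Dict[str, str] = {
    "ingress": HOST,
    HOST: INJECT_ROUTER,
    INJECT_ROUTER: ZONE,
}


def forwarding_table(receivers: Set[str]) -> Dict[str, str]:
    """Routers that accepted the diversion update point at the Guard; the
    Guard always forwards to its configured injection next hop."""
    table = dict(NORMAL_ROUTE)
    for router in receivers:
        table[router] = GUARD
    table[GUARD] = INJECT_ROUTER  # "diversion injection nexthop" on the AGM
    return table


def resolve(node: str, next_hop: str) -> str:
    """Return the neighbour that actually receives the packet."""
    if next_hop in ADJACENT[node]:
        return next_hop
    if node in UPSTREAM:
        return UPSTREAM[node]
    raise ValueError(f"{node} cannot reach {next_hop}")


def trace(ingress: str, receivers: Set[str]) -> Tuple[List[str], str]:
    """Follow the zone prefix from ingress; status is ok, loop or bypassed."""
    table = forwarding_table(receivers)
    path, node = [ingress], ingress
    while node != ZONE:
        node = resolve(node, table[node])
        if node in path:          # revisiting a node means a forwarding loop
            path.append(node)
            return path, "loop"
        path.append(node)
    return path, "ok" if GUARD in path else "bypassed"


if __name__ == "__main__":
    # Only the diverting router and the 7609 learned the route: clean path.
    print(trace("ingress", {"ingress", HOST}))
    # R1 learned it too: R1 hands the traffic straight back to the Guard.
    print(trace("ingress", {"ingress", HOST, INJECT_ROUTER}))
    # The 7609 missed the update: traffic never reaches the Guard.
    print(trace("ingress", {"ingress"}))
```

The third case is the quieter failure: the prefix is "diverted" on the ingress router, yet the 7609 still forwards it straight to R1, so the Guard never sees the attack and no loop alerts anyone.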
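The verification steps in the same-router diversion/injection example above (the zone route must be a static route via VLAN73, VLAN73 must show output toward the AGM, VLAN74 must show the cleaned traffic arriving, and the PBR-selected GRE tunnels must carry it) lend themselves to an automated check on captured "show" output. The following Python script is an added example, not part of the original document or of any Cisco tool. The sample captures are constructed: the addresses are placeholders and the counters are modelled on the output in the text; the interface names and the 10% tolerance are assumptions.

```python
"""Check a Guard diversion/injection path from captured IOS "show" output.

Added example (not from the original document or Cisco).  The captures
below are constructed, with placeholder addresses and counters modelled
on the "show" output in the text.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed "show ip route <zone>" capture: a static route via the
# diversion VLAN, which is what protect mode is expected to install.
SHOW_IP_ROUTE_OK = """\
Routing entry for 198.51.100.0/25
  Known via "static", distance 1, metric 0
  Routing Descriptor Blocks:
  * 192.0.2.10, via Vlan73
      Route metric is 0, traffic share count is 1
"""


def interface_capture(name: str, in_pps: int, out_pps: int) -> str:
    """Build a constructed 'show interfaces' capture for one interface."""
    return (
        f"{name} is up, line protocol is up\n"
        f"  30 second input rate {in_pps * 500} bits/sec, {in_pps} packets/sec\n"
        f"  30 second output rate {out_pps * 500} bits/sec, {out_pps} packets/sec\n"
    )


def parse_route(text: str) -> Dict[str, Optional[str]]:
    """Extract prefix, source protocol, next hop and egress interface."""
    prefix = re.search(r"routing entry for (\S+)", text, re.I)
    proto = re.search(r'known via "?([\w-]+)"?', text, re.I)
    hop = re.search(r"\*\s*([\d.]*),?\s*via\s+(\S+)", text, re.I)
    return {
        "prefix": prefix.group(1) if prefix else None,
        "protocol": proto.group(1).lower() if proto else None,
        "next_hop": hop.group(1) if hop else None,
        "interface": hop.group(2).lower() if hop else None,
    }


def parse_interface(text: str) -> Dict[str, object]:
    """Return the interface name, up/up state and 30-second packet rates."""
    head = re.search(r"^(\S+) is (administratively down|up|down), "
                     r"line protocol is (up|down)", text, re.I | re.M)
    in_pps = re.search(r"input rate \d+ bits/sec, (\d+) packets/sec", text, re.I)
    out_pps = re.search(r"output rate \d+ bits/sec, (\d+) packets/sec", text, re.I)
    return {
        "name": head.group(1) if head else "?",
        "up": bool(head) and head.group(2).lower() == "up"
              and head.group(3).lower() == "up",
        "input_pps": int(in_pps.group(1)) if in_pps else 0,
        "output_pps": int(out_pps.group(1)) if out_pps else 0,
    }


def verify_diversion(route_text: str, divert_text: str, inject_text: str,
                     tunnel_texts: List[str], divert_if: str = "Vlan73",
                     inject_if: str = "Vlan74", tolerance: float = 0.1) -> List[str]:
    """Return a list of findings; an empty list means the path looks healthy."""
    findings: List[str] = []
    route = parse_route(route_text)
    if route["protocol"] != "static":
        findings.append(f"zone route learned via {route['protocol']}, expected static")
    if route["interface"] != divert_if.lower():
        findings.append(f"zone route exits via {route['interface']}, expected {divert_if}")
    divert, inject = parse_interface(divert_text), parse_interface(inject_text)
    for iface in (divert, inject):
        if not iface["up"]:
            findings.append(f"{iface['name']} is not up/up")
    if divert["output_pps"] == 0:
        findings.append(f"no traffic leaving {divert_if} toward the Guard")
    if inject["input_pps"] == 0:
        findings.append(f"no cleaned traffic arriving on {inject_if}")
    tunnel_total = 0
    for text in tunnel_texts:
        tunnel = parse_interface(text)
        if not tunnel["up"]:
            findings.append(f"{tunnel['name']} is not up/up")
        if tunnel["output_pps"] == 0:
            findings.append(f"no injected traffic leaving {tunnel['name']}")
        tunnel_total += tunnel["output_pps"]
    # The PBR route-map should steer all cleaned traffic into the tunnels,
    # so their combined output rate should track the injected input rate.
    injected = inject["input_pps"]
    if injected and abs(tunnel_total - injected) > tolerance * injected:
        findings.append(f"tunnels carry {tunnel_total} pps but {injected} pps "
                        f"were injected; check the PBR route-map")
    return findings


def run_example() -> Tuple[List[str], List[str]]:
    """Healthy path (rates as in the text) versus Tunnel2 carrying nothing."""
    vlan73 = interface_capture("Vlan73", 0, 1064)
    vlan74 = interface_capture("Vlan74", 1197, 0)
    healthy = verify_diversion(SHOW_IP_ROUTE_OK, vlan73, vlan74,
                               [interface_capture("Tunnel1", 0, 615),
                                interface_capture("Tunnel2", 0, 585)])
    degraded = verify_diversion(SHOW_IP_ROUTE_OK, vlan73, vlan74,
                                [interface_capture("Tunnel1", 0, 615),
                                 interface_capture("Tunnel2", 0, 0)])
    return healthy, degraded


if __name__ == "__main__":
    for label, findings in zip(("healthy", "degraded"), run_example()):
        print(label, findings or "OK")
```

In the degraded run Tunnel2 shows no output, and the tunnel total (615 pps) no longer matches the injected rate (1197 pps), which is the symptom of a PBR entry that stopped matching; the route and VLAN checks still pass, so the two findings point straight at the route-map rather than at the diversion.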
