Cisco Catalyst 6500 and Cisco 7600 Router Anomaly Guard Module Design Guide
© 2005 Cisco Systems, Inc. All rights reserved.
Important notices, privacy statements, and trademarks of Cisco Systems, Inc. can be found on cisco.com.
Page 6 of 12
VRF traffic injection allows you to configure separate routing and forwarding tables (separate from the global routing and forwarding table) for forwarding injected traffic sent from the Anomaly Guard Module. Without a separate routing table, the injected traffic (clean traffic from the Anomaly Guard) would be sent back to the Anomaly Guard, because the global routing table still holds the routing entry that is being used for traffic hijacking.
The VRF traffic injection configuration resides on the upstream/downstream router, from which hijacked traffic is sent to the Anomaly Guard and
to which injected traffic is sent. The only configuration on the Anomaly Guard would be a static route pointing to a next hop for the clean traffic
destined to the zone.
Whether using the integrated or dedicated configuration, you would configure one tunnel endpoint on the supervisor engine (or routing entity) and
the other endpoint at the router adjacent to the zone. A common VLAN would be configured on the Anomaly Guard to carry injected traffic to the
supervisor engine for mapping onto the appropriate tunnel.
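To make the forwarding loop concrete, here is an added model (not Cisco code or configuration) of the two tables the text describes: the global table, which holds the hijack route, and an injection VRF that does not. It performs a longest-prefix match on constructed addresses; the next-hop names, the hijack /32 and the "Tunnel0" label are assumptions made for the example.

```python
"""Why injected (clean) traffic needs its own VRF: a forwarding-table model.

Added illustration, not Cisco code. It models the two routing tables on the
upstream router described above: the global table, which carries the
RHI-injected route used to hijack zone traffic towards the Anomaly Guard, and
a separate VRF that holds only the route for injected (clean) traffic to the
zone's next hop. All addresses, next-hop names and helper functions are
constructed for the example (the zone uses the 192.0.2.0/24 documentation
range).
"""
import ipaddress
from typing import Dict, Optional

# A table maps a prefix (as a string) to a next hop. Constructed model.
RoutingTable = Dict[str, str]

GUARD = "anomaly-guard"          # hijacked traffic is diverted here
ZONE_ROUTER = "zone-router"      # router adjacent to the protected zone
ZONE_PREFIX = "192.0.2.0/24"     # constructed zone address range

# Global table: the zone's normal route plus a more specific hijack route
# installed (via RHI) for a host that is currently being protected.
GLOBAL_TABLE: RoutingTable = {
    "0.0.0.0/0": "upstream",
    ZONE_PREFIX: ZONE_ROUTER,
    "192.0.2.10/32": GUARD,      # hijack route for a host under attack
}

# VRF used only for injected traffic: it carries the route to the zone
# (through the tunnel to the zone-adjacent router) and no hijack route.
INJECTION_VRF: RoutingTable = {
    ZONE_PREFIX: "Tunnel0->" + ZONE_ROUTER,
}


def lookup(table: RoutingTable, dst: str) -> Optional[str]:
    """Longest-prefix match, the way a FIB chooses a route."""
    addr = ipaddress.ip_address(dst)
    best_hop, best_len = None, -1
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_hop, best_len = next_hop, net.prefixlen
    return best_hop


def forward_clean_traffic(dst: str, use_vrf: bool) -> str:
    """Next hop for clean traffic leaving the Anomaly Guard.

    use_vrf=False: the injected packet is looked up in the global table.
    use_vrf=True:  the packet arrives on the injection VRF and is looked up
                   there instead.
    """
    table = INJECTION_VRF if use_vrf else GLOBAL_TABLE
    next_hop = lookup(table, dst)
    return next_hop if next_hop is not None else "drop"


def loops_back_to_guard(dst: str, use_vrf: bool) -> bool:
    """True when the clean packet would be hijacked a second time."""
    return forward_clean_traffic(dst, use_vrf) == GUARD


if __name__ == "__main__":
    for use_vrf in (False, True):
        print(f"use_vrf={use_vrf}: 192.0.2.10 -> "
              f"{forward_clean_traffic('192.0.2.10', use_vrf)}")
```

Looking up the protected host in the global table returns the Guard itself (the hijack /32 wins the longest-prefix match), which is the loop the text warns about; the same lookup in the injection VRF returns the tunnel towards the zone router, because the VRF never learns the hijack route.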
Performance and Capacity Limits
Bandwidth/Throughput
Each Anomaly Guard Module is capable of receiving up to 1 Gbps of Ethernet traffic. In a practical deployment where there is a mix of attack and legitimate traffic, the Anomaly Guard Module can process up to 1 Mpps of combined attack and legitimate traffic. This maximum of 1 Mpps can be reduced by the following factors:
• Use of the Strong Anti-Spoofing countermeasure (TCP Proxy).
• The number of active dynamic filters in operation. The maximum number of active dynamic filters available per Anomaly Guard Module is 150,000. A 20-percent performance drop (from 1 Mpps to 800 Kpps) is possible when the active number of dynamic filters exceeds 100,000.
Active Zone Capacity
Each Anomaly Guard Module is capable of cleaning traffic for up to 30 active zones. A total of 500 zones can be configured, but only 30 can be
concurrently active. Each zone can contain a minimum of a single host or subnet destination address, and up to a maximum of 100 host or subnet
destination addresses.
Clustering Multiple Anomaly Guards for Higher Bandwidth/Throughput
For greater attack mitigation capacity, multiple Anomaly Guard modules can be clustered to operate as one virtual Anomaly Guard providing
multigigabit bandwidth/throughput. By using Cisco Express Forwarding load sharing, you can hijack traffic for individual zones to a maximum
of eight Anomaly Guard modules for cleaning (Cisco Express Forwarding load sharing allows for a fairly equal distribution of traffic among the
multiple Anomaly Guard modules, while maintaining connection persistence through each individual module). This provides a maximum theoretical
capacity of 8 Gbps, or a practical capacity of 8 Mpps for cleaning zone traffic.
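As an added illustration (not Cisco code and not the real CEF hashing algorithm), the following models the per-flow distribution that clustering relies on, and folds in the per-module limits from the Performance and Capacity Limits section above to size a cluster. The flow tuples, the SHA-256-based hash and all helper names are constructed for the example; the numeric limits are the ones stated in this guide.

```python
"""Per-flow load sharing across a cluster of Anomaly Guard modules.

Added illustration, not Cisco code and not the actual CEF hashing algorithm.
It shows the two properties the text relies on: flows are spread fairly
evenly over the modules, and every packet of a given flow lands on the same
module (connection persistence), because the choice is a deterministic hash
of the flow's 5-tuple. The sample flows are constructed with a seeded
generator; the capacity figures (1 Mpps per module, 800 Kpps once more than
100,000 dynamic filters are active, at most eight modules) are the ones
stated in this guide.
"""
import hashlib
import math
import random
from collections import Counter
from typing import Iterable, List, Tuple

Flow = Tuple[str, str, int, int, int]   # src, dst, sport, dport, proto

MAX_MODULES = 8                 # per the guide: up to eight modules per zone
PPS_PER_MODULE = 1_000_000      # practical limit per module
PPS_PER_MODULE_MANY_FILTERS = 800_000
FILTER_PENALTY_THRESHOLD = 100_000


def pick_module(flow: Flow, n_modules: int) -> int:
    """Return the module index (0..n_modules-1) that handles this flow.

    Constructed stand-in for a per-flow hash: deterministic, so all packets
    of one connection go to the same module.
    """
    if not 1 <= n_modules <= MAX_MODULES:
        raise ValueError(f"cluster size must be 1..{MAX_MODULES}")
    key = "|".join(str(f) for f in flow).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % n_modules


def make_flows(count: int, seed: int = 1) -> List[Flow]:
    """Constructed sample flows towards one zone host (documentation ranges)."""
    rng = random.Random(seed)
    flows = []
    for _ in range(count):
        src = f"203.0.113.{rng.randint(1, 254)}"
        flows.append((src, "192.0.2.10", rng.randint(1024, 65535), 80, 6))
    return flows


def distribute(flows: Iterable[Flow], n_modules: int) -> Counter:
    """How many flows each module receives."""
    return Counter(pick_module(f, n_modules) for f in flows)


def max_imbalance(counts: Counter, n_modules: int) -> float:
    """Busiest module's load relative to a perfectly even split (1.0)."""
    ideal = sum(counts.values()) / n_modules
    return max(counts.values()) / ideal


def is_persistent(flow: Flow, n_modules: int, packets: int = 5) -> bool:
    """Every packet of the flow must be hashed to the same module."""
    first = pick_module(flow, n_modules)
    return all(pick_module(flow, n_modules) == first for _ in range(packets))


def modules_needed(expected_pps: int, active_filters: int) -> int:
    """Smallest cluster that can clean expected_pps; raises if > 8 modules."""
    per_module = (PPS_PER_MODULE_MANY_FILTERS
                  if active_filters > FILTER_PENALTY_THRESHOLD
                  else PPS_PER_MODULE)
    needed = max(1, math.ceil(expected_pps / per_module))
    if needed > MAX_MODULES:
        raise ValueError(f"{expected_pps} pps exceeds {MAX_MODULES} modules")
    return needed


if __name__ == "__main__":
    counts = distribute(make_flows(10_000), 8)
    print(sorted(counts.items()), f"imbalance={max_imbalance(counts, 8):.2f}")
    print("modules for 3.5 Mpps:", modules_needed(3_500_000, 50_000))
```

Persistence follows directly from the hash being a pure function of the 5-tuple: nothing per packet enters the decision, so a module sees every packet of the connections it is tracking. A per-packet round-robin would spread load just as evenly but would split a single connection across modules, which is why the text stresses persistence alongside even distribution. The sizing helper shows the effect of the dynamic-filter penalty: the same packet rate needs one more module once the cluster is running with more than 100,000 active filters.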
Redundancy Options
There are two redundancy options for the Anomaly Guard Module:
• Active-Active cluster
• Active-Standby cluster
The Active-Active cluster is operationally identical to a cluster configuration that is deployed to provide multigigabit capacity. All zone traffic that
is diverted to the Anomaly Guard module cluster will be load-shared among all available Anomaly Guard modules.
The Active-Standby cluster is created by configuring different relative RHI weights for each Anomaly Guard Module in a cluster. In a simple
Active-Standby cluster with two Anomaly Guard modules, one module will insert a static route (via RHI) into the supervisor engine routing table