a***n (posts: 262) | 1 Hi All,
We are trying to deploy a 10G IPS at our campus. Attached please find a
simplified version of our network topology. All devices are standalone
Catalyst 6500s, and we currently have an iBGP full mesh between core and
distribution. Campus and resnet have different routing/security policies.
My question is where the good place to put the IPS is:
1) Put them directly inline with our connection to our service provider. The IPS
admins are not so confident about this, even though they have purchased the
fail-open hardware kit.
2) Do some tricks on the core/border boxes, so that VRFs campuswan/resnetwan peer with
the service provider. "Loopback" cables between vrf campuswan<->global/default
and vrf resnetwan<->resnet, so the IPS could be stuck in between the loopback
cables. There will be an eBGP session between the two ends of each "loopback" cable,
so as to inject a default from campuswan into global/default, or from resnetwan into resnet.
This could be done; I am just not sure whether this is common practice.
Thanks for any input. |
z**r (posts: 17771) | 2 You connect to the SP directly from the core router? That seems a bit odd, but that is just a matter of naming; what matters is the actual
network topology.
I think the IPS is usually better placed at the distribution layer.
|
a***n (posts: 262) | 3 Well, we use traditional border routers to connect to the ISP. At the same time,
all of our distribution switches are dual-connected to these border routers.
That's why I call them border/core. The dilemma in our case is that there
is not enough physical separation of functionality, so we are thinking of
virtual separation of functionality facilitated by L3VPN.
|
c*****i (posts: 631) | 4 Your core/border router has two VRFs, campuswan and resnet, and the uplink to the ISP has
subinterfaces corresponding to these two VRFs, right?
Your option 2 should be to create two VRFs, resnetwan and resnet, on the router, connect the two
VRFs with the IPS, and then use static routes to force traffic through the IPS. I have seen this used
before on a university campus network, but I'm not sure whether it is a common implementation. |
c*****i (posts: 631) | 5 Your core/border router has two VRFs, campuswan and resnet, and the uplink to the ISP has
subinterfaces corresponding to these two VRFs, right?
Your option 2 should be to create two VRFs, resnetwan and resnet, on the router, connect the two
VRFs with the IPS, and then use static routes to force traffic through the IPS. I have seen this used
before on a university campus network, but I'm not sure whether it is common practice. |
z**r (posts: 17771) | 6 Separating the functionalities in L3VPN is a good idea.
|
a***n (posts: 262) | 7 Yes, we have two VRFs in the ISP.
For option 2, static routes could be used, but eBGP on the same box might be a better
fit for failover and redundancy. So basically, we will have another layer
of ISP WAN vs. campus LAN.
http://www.cisco.com/en/US/docs/ios/iproute_bgp/configuration/g
|
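The VRF-plus-"loopback cable" design from the first post, and the eBGP-versus-static-route choice discussed just above, as an added IOS configuration sketch. This is not configuration from the thread or from any of the posters; it shows one Catalyst 6500 with VRF campuswan facing the ISP and the global table facing campus, joined by a cable that passes through an inline IPS, with an eBGP session between the two ends so that the default route is withdrawn if the IPS path goes down. All names, AS numbers, interfaces and addresses are hypothetical, and it assumes the IOS release supports a per-VRF `bgp router-id` and `local-as` under the VRF address family (check your release before relying on it).

```cisco
! Added illustration, not from the thread. Hypothetical values throughout:
! AS 65000 = campus/global, AS 65001 = campuswan VRF, AS 64500 = ISP,
! 10.255.0.0/30 = the "loopback" cable, 198.51.100.0/24 = a campus prefix.
ip vrf campuswan
 rd 65001:1
!
! WAN/VRF end of the loopback cable; the cable runs into the IPS
interface TenGigabitEthernet1/1
 description campuswan VRF side -> IPS
 ip vrf forwarding campuswan
 ip address 10.255.0.1 255.255.255.252
!
! Campus/global end of the loopback cable; the cable comes back from the IPS
interface TenGigabitEthernet1/2
 description IPS -> global/campus side
 ip address 10.255.0.2 255.255.255.252
!
router bgp 65000
 bgp router-id 192.0.2.1
 ! Global side of the session: the peer is the VRF end of the same cable.
 ! Because the VRF side presents local-as 65001, this is eBGP even though
 ! both ends are on the same chassis.
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.1 description campuswan VRF via inline IPS
 !
 address-family ipv4
  neighbor 10.255.0.1 activate
  ! Advertise the campus prefix toward the WAN VRF (must exist in the global RIB)
  network 198.51.100.0 mask 255.255.255.0
 exit-address-family
 !
 address-family ipv4 vrf campuswan
  ! A distinct router-id is needed so the box does not refuse to peer with itself
  bgp router-id 10.255.0.1
  neighbor 10.255.0.2 remote-as 65000
  neighbor 10.255.0.2 local-as 65001 no-prepend replace-as
  neighbor 10.255.0.2 activate
  ! Inject the default into global/default across the IPS. Unconditional here;
  ! add "default-originate route-map ..." to tie it to the ISP default being present.
  neighbor 10.255.0.2 default-originate
  ! ISP peering lives in the VRF, not in the global table
  neighbor 203.0.113.1 remote-as 64500
  neighbor 203.0.113.1 activate
 exit-address-family
!
! Static-route variant, as described in post 4, for comparison:
!   ip route 0.0.0.0 0.0.0.0 10.255.0.1
!   ip route vrf campuswan 198.51.100.0 255.255.255.0 10.255.0.2
! These stay in the RIB while the interface is up, so a failed IPS that keeps
! link up is not detected unless the routes are tracked (e.g. with IP SLA).
```

The operational difference this shows is the failure mode the poster alludes to: with eBGP across the cable, the hold timer expires when the IPS stops forwarding and the injected default is withdrawn from the global table, so the other border box in the full mesh takes over; with plain static routes the default stays installed as long as the interface is up, which is why the static variant needs tracking to give the same failover behaviour. The resnetwan<->resnet pair is configured the same way with its own cable, addresses and VRF.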
c*****i (posts: 631) | 8 It's more or less like that. What we did back then was to use VRFs on the Cat6k to separate the LAN and WAN, with a
firewall in between and the IPS in transparent mode in front of the firewall. But that was something we built several years ago.
|
a***n (posts: 262) | 9 You are apparently way ahead of me :-).
I just did something very similar to what you described several
weeks ago on Cat6500. I did stateless firewall failover with
symmetric routing w/ eBGP. The firewalls are stateless because we do not want
to have layer 2 adjacency for the two firewalls in two geographically
separated locations.
|