North American Network Operators Group


Sinkhole Architecture

  • From: Howard C. Berkowitz
  • Date: Fri Apr 29 08:03:55 2005


I've seen some Cisco security presentations that include sinkholes composed of an ingress and egress router, interconnected with a switch. The switch provides access for tools such as packet analyzers, IDS, routing analyzers, etc. The multiple routers also provide more horsepower for inspection, filtering, and overhead-imposing measurements such as NetFlow.

I am unclear about the BGP relationship between the two routers, which are meant to be treated as one subsystem. The ingress router (with respect to the outside) clearly has to have its BGP isolated from the rest of the AS, so it can't be part of the iBGP mesh.

My assumption is that the ingress router has to be either a confederation AS, or route reflector client, talking to the egress router. The latter is part of the main iBGP mesh, although it could be a client in a next hierarchical reflection cluster. Do any of these iBGP arrangements impact having the sinkhole ingress with an anycast address?

Is this a correct architectural assumption? Can anyone point me to, or provide a representative configuration?

I also wanted to confirm the failure modes under which static ARP between the routers is desirable.

Howard
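A representative configuration of the arrangement the post describes (ingress router as a route-reflector client of the egress router, which is the only one of the two in the main iBGP mesh), added here as an illustration: it is not from the original thread nor from any Cisco sinkhole document. The hostnames, AS 64496, the RFC 5737 addresses, the MAC addresses, the interface and loopback numbering, and the prefix-list, ACL and route-map names are all assumed placeholders, and so is the choice to drop what the egress router receives from the switch with policy routing.

```cisco
! ===== Sinkhole ingress router: RR client, kept out of the iBGP mesh =====
! AS 64496, RFC 5737 prefixes and the MAC addresses are assumed placeholders.
hostname SINK-INGRESS
!
! Anycast sinkhole next-hop; every sinkhole ingress in the AS carries this same /32.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Unique per-router address: the BGP session and BGP next-hop use this, not the anycast one.
interface Loopback1
 ip address 198.51.100.253 255.255.255.255
!
! Toward the core: attracted traffic arrives here; NetFlow accounting on entry.
interface GigabitEthernet0/1
 description to core
 ip address 203.0.113.1 255.255.255.252
 ip route-cache flow
!
interface GigabitEthernet0/0
 description to inspection switch
 ip address 198.51.100.1 255.255.255.252
 no ip redirects
!
! Static ARP for the egress router on the shared segment (placeholder MAC).
arp 198.51.100.2 0000.5e00.5302 ARPA
!
! Everything received is pushed across the switch; no other route exists here.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
!
! The IGP only announces Loopback1 and the core link; nothing learned is
! installed, so the ingress cannot route sinkholed traffic back toward the core.
router ospf 1
 passive-interface Loopback1
 network 203.0.113.0 0.0.0.3 area 0
 network 198.51.100.253 0.0.0.0 area 0
 distribute-list prefix NONE in
!
router bgp 64496
 no synchronization
 network 192.0.2.1 mask 255.255.255.255
 ! Sole iBGP peer: the egress router, which reflects the anycast /32 into the mesh.
 neighbor 198.51.100.2 remote-as 64496
 neighbor 198.51.100.2 update-source Loopback1
 neighbor 198.51.100.2 prefix-list SINK-ANYCAST out
!
ip prefix-list SINK-ANYCAST seq 5 permit 192.0.2.1/32
ip prefix-list NONE seq 5 deny 0.0.0.0/0 le 32
!
! ===== Sinkhole egress router: full iBGP mesh member and route reflector =====
hostname SINK-EGRESS
!
interface Loopback0
 ip address 198.51.100.254 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 203.0.113.5 255.255.255.252
!
! Transit traffic arriving from the switch is dropped by policy routing, so a
! victim /32 learned from the mesh (next-hop 192.0.2.1, which resolves back to
! the ingress) can never loop between the two routers.
interface GigabitEthernet0/0
 description to inspection switch
 ip address 198.51.100.2 255.255.255.252
 no ip redirects
 ip policy route-map SINK-DROP
!
! Packets for this router itself (the iBGP session) fall through to normal routing.
ip access-list extended SINKED
 deny   ip any host 198.51.100.2
 permit ip any any
!
route-map SINK-DROP permit 10
 match ip address SINKED
 set interface Null0
!
arp 198.51.100.1 0000.5e00.5301 ARPA
!
! Reach the ingress router's session address across the switch.
ip route 198.51.100.253 255.255.255.255 198.51.100.1
!
router ospf 1
 passive-interface Loopback0
 network 203.0.113.4 0.0.0.3 area 0
 network 198.51.100.254 0.0.0.0 area 0
!
router bgp 64496
 no synchronization
 bgp cluster-id 10
 ! The ingress is a reflector client: it is sent nothing, only its anycast /32
 ! is accepted, and the reflector leaves the next-hop (198.51.100.253) untouched.
 neighbor 198.51.100.253 remote-as 64496
 neighbor 198.51.100.253 route-reflector-client
 neighbor 198.51.100.253 prefix-list SINK-ANYCAST in
 neighbor 198.51.100.253 prefix-list DENY-ALL out
 ! Main iBGP mesh (one peer shown, assumed address).
 neighbor 203.0.113.10 remote-as 64496
 neighbor 203.0.113.10 update-source Loopback0
!
ip prefix-list SINK-ANYCAST seq 5 permit 192.0.2.1/32
ip prefix-list DENY-ALL seq 5 deny 0.0.0.0/0 le 32
```

Two design choices in this sketch bear on the anycast question: the iBGP session and the BGP next-hop of the anycast /32 are taken from a unique per-router loopback (Loopback1), while the anycast address is only the prefix being reflected, so several sinkholes can use the identical anycast /32 with the identical reflector arrangement; and because the egress router sits in the full mesh and would otherwise resolve a black-holed victim /32 back toward the ingress, it must discard what it receives from the switch rather than route it. The static ARP entries are shown as the post describes them without any claim about which failure modes they address.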