The Loopback Interface

Similar documents
The Loopback Interface

Symbols I N D E X. (vertical bar), string searches, 19 20

ISP and IXP Design. Point of Presence Topologies. ISP Network Design. PoP Topologies. Modular PoP Design. PoP Design INET 2000 NTW

Migrating from OSPF to IS-IS

Introduction to BGP ISP/IXP Workshops

Border Gateway Protocol - BGP

Module 11 Advanced Router Configuration

Introduction to BGP. ISP/IXP Workshops

BGP Scaling (RR & Peer Group)

COM-208: Computer Networks - Homework 6

Cisco CISCO Configuring BGP on Cisco Routers Exam. Practice Test. Version

Ravi Chandra cisco Systems Cisco Systems Confidential

Using the Management Ethernet Interface

IPv6 Module 11 Advanced Router Configuration

Module 4 BGP-LS Configuration Lab

Module 7 BGP Route Reflector Lab

Using the Management Ethernet Interface

PREREQUISITES TARGET AUDIENCE. Length Days: 5

Remote Access MPLS-VPNs

BGP Commands. Network Protocols Command Reference, Part 1 P1R-355

Configuring VRF-lite CHAPTER

Lab 2 BGP route filtering and advanced features

Module 6 More ibgp, and Basic ebgp Configuration

MPLS VPN Multipath Support for Inter-AS VPNs

InterAS Option B. Information About InterAS. InterAS and ASBR

IPv6 Module 6x ibgp and Basic ebgp

Module 19 Internet Exchange Points

Module 10 An IPv6 Internet Exchange Point

Module 6 ibgp and Basic ebgp

Cisco Cookbook. Kevin Dooley and IanJ. Brown. O'REILLY 4 Beijing Cambridge Farnham Koln Paris Sebastopol Taipei Tokyo

CS 43: Computer Networks. 24: Internet Routing November 19, 2018

Using the Management Interfaces

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 16, 2017

Cisco CCNP ROUTE: Implementing Cisco IP Routing (ROUTE) 2.0. Upcoming Dates. Course Description. Course Outline

Introduction to BGP. ISP Workshops. Last updated 30 October 2013

IPv6 Module 6 ibgp and Basic ebgp

Introduction to IS-IS

BGP Scaling Techniques

2016/09/07 08:37 1/5 Internal BGP Lab. Set up Internal BGP (ibgp) within the each Group autonomous system to carry routing information within the AS.

IPv6 Module 1c ibgp. Prerequisites: IPv6 Module 1a (OSPF) or IPv6 Module 1b (ISIS).

Network security session 9-2 Router Security. Network II

2015/07/23 23:31 1/7 ibgp

BGP Scaling Techniques

Cisco Implementing Cisco IP Routing v2.0 (ROUTE)

About Chassis Manager

Migrating from OSPF to IS-IS

Module 1 Device and Infrastructure Security Lab

CCNP (Routing & Switching and T.SHOOT)

IPv6 Address Planning

Advanced Multihoming. BGP Traffic Engineering

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Introduction. Keith Barker, CCIE #6783. YouTube - Keith6783.

Introduction to OSPF

Module 6 ibgp and Basic ebgp

CCNA Routing & Switching

BGP in the Internet Best Current Practices

Implementing Cisco IP Routing

Border Gateway Protocol

Module 18 Transit. Objective: To investigate methods for providing transit services. Prerequisites: Modules 12 and 13, and the Transit Presentation

Routers / external connectivity (HSRP) Web farm, mail servers

BGP and the Internet

CCIE Routing & Switching

The Contemporary Internet p. 3 Evolution of the Internet p. 5 Origins and Recent History of the Internet p. 5 From ARPANET to NSFNET p.

Back to basics J. Addressing is the key! Application (HTTP, DNS, FTP) Application (HTTP, DNS, FTP) Transport. Transport (TCP/UDP) Internet (IPv4/IPv6)

Service Provider Multihoming

Implementing Cisco IP Routing (ROUTE)

Lecture 4: Intradomain Routing. CS 598: Advanced Internetworking Matthew Caesar February 1, 2011

Configuring BGP community 43 Configuring a BGP route reflector 44 Configuring a BGP confederation 44 Configuring BGP GR 45 Enabling Guard route

BGP101. Howard C. Berkowitz. (703)

Internet Routing Basics

IETF RFCs Supported by Cisco NX-OS Unicast Features Release 6.x

DE-CIX Academy: BGP Introduction. Notice of Liability. BGP Configuration Examples. Network Diagram for all examples. Links and Examples

BGP Attributes and Policy Control

Obtain the hostname or IP address of Cisco UCS Central. Obtain the shared secret that was configured when Cisco UCS Central was deployed.

Module 2 More ibgp, and Basic ebgp Configuration

OER uses the following default value if this command is not configured or if the no form of this command is entered: timer: 300

Configuring BGP. Cisco s BGP Implementation

BGP Attributes and Policy Control

CS 43: Computer Networks Internet Routing. Kevin Webb Swarthmore College November 14, 2013

DE-CIX Academy: BGP - Multihoming

Applied Networks & Security

Routing Protocols. Technology Description BGP CHAPTER

Cisco Router Security: Principles and Practise. The foundation of network security is router security.

Routing Overview for Firepower Threat Defense

CSc 450/550 Computer Networks Internet Routing

Advanced Computer Networks

Sink Holes, Dark IP, and HoneyNets

TSHOOT v2.0 Troubleshooting and Maintaining Cisco IP Networks 5 days, Instructor-led

Internet Routing Architectures, Second Edition

Registering Cisco UCS Domains with Cisco UCS Central

Computer Networking Introduction

Module 1 Basic Topology, OSPF and ibgp

Configuring BGP on Cisco Routers Volume 1

Multihoming Case Study

Chapter 4: Network Layer

Module 6 IPv6 ibgp and Basic ebgp

BGP Attributes and Path Selection

Module 16 An Internet Exchange Point

This appendix contains supplementary Border Gateway Protocol (BGP) information and covers the following topics:

ROUTE Curriculum Labs powered by

Transcription:

1 Overview The Loopback Interface ISP/IXP Workshops Requires IOS 11.1CC or 12.0 trains ISP software trains Covers router access, security, information gathering, configuration and scalability. 2 Motivation Motivation Most ISPs make use of the router loopback interface. IP address configured is a host address interface loopback 0 description Loopback Interface of CORE-GW3 ip address 215.18.3.34 255.255.255.255 Loopback interfaces on ISP backbone usually numbered: out of one contiguous block, or using a geographical scheme, or using a per PoP scheme Aim is to aid recognition and improve security 3 4 Loopback Interface Motivation Router w/loopback Exporting Information Backbone Topology changes do not effect the source IP address of the packets coming from the Router. ACLs TFTP NOC Services SNMP TCP Wrapper SYSLOG TACACS+ TCP Wrapper 5 With routers using a loopback address as the source for all IP packets originating from the router, it becomes very easy to construct appropriate filters to protect management systems in the ISP s network operation centres 6

7 Accessing the Router Router Access Put mapping of the router loopback address to router name into forward and reverse DNS. Telnet to router using loopback address, not interface address. ISP routers usually have multiple external paths and many interfaces. DNS Configuration example: core-gw3 A 215.17.1.8 ; Loopback of router gw3 8 Remote access using Telnet Remote access using RCMD Remote access from the router using familiar telnet Configure telnet so that the loopback address is used in packets originating from the router Remote access from router using Unix style rcmd Configure RCMD so that the loopback address is used in packets originating from the router ip telnet source-interface Loopback0 ip rcmd source-interface Loopback0 9 10 Management User Authentication Security TACACS+ distributed authentication system for management access to routers Configure TACACS+ so that the loopback address is used in packets originating from the router ip tacacs source-interface Loopback0 tacacs-server host 215.17.1.1 11 12

13 Management User Authentication RADIUS User Authentication TACACS+ servers can be protected by filters which only allow TACACS+ port to be accessed from loopback address block Motivation Easy to read/process logs: TACACS+ log records have the loopback RADIUS distributed authentication system for dial user access to routers Configure RADIUS so that the loopback address is used in packets originating from the router ip radius source-interface Loopback0 radius-server host 215.17.1.1 auth-port 1645 acct-port 1646 14 RADIUS User Authentication RADIUS servers and proxies can be protected by filters which only allow RADIUS ports to be accessed from loopback address block Motivation Easy to read/process logs: RADIUS log records have the loopback Recording Information 15 16 Exporting NetFlow records Exporting NetFlow records Exporting Cisco NetFlow statistics to a NetFlow Collector system Configure NetFlow export so that the loopback address is used in packets originating from the router NetFlow collector can be protected by filters which only allow the specified flow port to be accessed from loopback address block ip flow-export source Loopback0 17 18

19 Logging Information Logging Information Send logging information to a Unix or Windows SYSLOG server. Log packets leave router with loopback interface address as source logging source-interface loopback0 SYSLOG servers and proxies can be protected by filters which only allow the syslog port to be accessed from the loopback address block Motivation Easy to read/process logs: SYSLOG records have the loopback 20 Network Time Protocol Network Time Protocol Network Time Protocol (NTP) used to synchronize the time on all the devices. NTP packets leave router with loopback address as source ntp source loopback0 ntp server 169.223.1.1 source loopback 1 Motivation NTP Security: NTP systems can be protected by filters which only allow the NTP port to be accessed from the loopback address block Motivation Easy to understand NTP peerings: NTP associations have the loopback 21 22 SNMP SNMP If SNMP is used, send traps from router using loopback address as source. snmp-server trap-source Loopback0 snmp-server host 169.223.1.1 community Motivation Aid SNMP Server Security: SNMP management systems can be protected by filters which only allow the SNMP port to be accessed from the loopback address block Motivation Easy to read/process trap information: SNMP traps have the loopback address recorded as source address, not the egress interface. 23 24

25 Core Dumps Core Dumps Core dump feature allows routers to transfer an image of memory to a specified FTP server in case of a crash. Configure core dumps to use the loopback interface address as source. ip ftp source-interface loopback 0 exception protocol ftp exception dump 169.223.32.1 Motivation Core Dump FTP Server Security: FTP server used for core dumps can be protected by filters which only allow the FTP port to be accessed from the loopback address block This FTP server should NOT be visible to the public 26 Configuration using TFTP Configuration and Scalability Configuring the router using TFTP from tftp server Saving router configuration to a tftp server Configure TFTP so that the loopback address is used in packets originating from the router ip tftp source-interface Loopback0 27 28 Configuration using TFTP Interface Configuration Motivation Aid TFTP Server Security: TFTP server used to store configurations and IOS images can be protected by filters which only allow the TFTP port to be accessed from the loopback address block This TFTP server should NOT be visible to the public ip unnumbered no need for an IP address on point-to-point links keeps IGP small interface loopback 0 ip address 215.17.3.1 255.255.255.255! interface Serial 5/0 ip unnumbered loopback 0! ip route 215.34.10.0 255.255.252.0 Serial 5/0 29 30

31 Router ID Stable ibgp configuration If the loopback interface exists and has an IP address, that is used as the router ID in routing protocols stability! If the loopback interface does not exist, or has no IP address, the router ID is the highest IP address configured danger! If multiple loopback interfaces exist, and have IP addresses configured, then the highest IP address is chosen as the router ID Use loopback interface it never goes away ISP routers usually have multiple external paths interface loopback 0 ip address 215.17.1.34 255.255.255.255 router bgp 200 neighbor 215.17.1.35 remote-as 200 neighbor 215.17.1.35 update-source loopback 0 32 Multiple parallel ebgp Sessions Summary ebgp to loopback addresses ebgp prefixes learned with loopback address as next hop parallel paths to loopback address allows load-sharing AS200 AS 201 Loopback interface is not redundant or superfluous Multitude of uses to ease security, access, management, information and scalability of router and network Protects the ISP s Management Systems Use the loopback! 33 34 The Loopback Interface ISP/IXP Workshops 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback