Cisco ISP Software and Router Management
The importance of the loopback interface should never be overlooked, especially for general operations and management of the router. Indeed, it is surprising how few ISPs make use of this time-saving resource. The chapter continues with a discussion on how to configure router interfaces and check their status.
Following the discussion of basic management configuration is an introduction to the CEF and NetFlow capabilities that ISPs should be using on their routers. The chapter finishes with a brief look at Nagle before discussing the importance of the DNS in an ISP's operation.
Many of the features discussed here are described in the context of the ISP software covered in Chapter 1, "Software and Router Management."
IOS Software and Loopback Interfaces
The use of the loopback interface is mentioned in many instances throughout this book. Although this is not a feature unique to IOS Software, there are many and considerable advantages in making full use of the capability that the loopback interface allows. This section brings together all the occasions where the loopback interface is mentioned throughout the book and describes how they can be useful to the ISP network engineer.
Motivation for Using the Loopback Interface
ISPs endeavor to minimize the unnecessary overhead present in their networks. This unnecessary overhead can be the number of networks carried in the IGP, the number of skilled engineering staff to operate the network, or even network security. The utilization of one feature, the loopback interface on the router, goes a long way to help with each of the three scenarios mentioned here.
Control of the size of the IGP is attended to by summarization of point-to-point addresses at PoP or regional boundaries, the use of IP unnumbered on static WAN interfaces, and a carefully designed network addressing plan. ISP network security is of paramount importance, and any techniques that make the management simpler are usually welcomed. For example, when routers access core servers, ISPs apply filters or access lists to these servers so that the risk of compromise from the outside is reduced. The loopback interface is helpful here as well.
It is very common to assign all the IP addresses used for loopback interfaces from one address block. For example, an ISP with around 200 routers in a network might assign a /24 network (253 usable addresses) for addressing the loopback interface on each router. If this is done, all dependent systems can be configured to permit this address range to access the particular function concerned, whether it is security, unnumbered WAN links, or the iBGP mesh. Some examples of the use of the loopback interface in the ISP environment follow in the rest of this section.
BGP Update Source
In the following example, the iBGP mesh is built using the loopback interface on each router. The loopback doesn't ever disappear, which results in a more stable iBGP, even if the underlying physical connectivity is less than reliable.
hostname gateway1 ! interface loopback 0 ip address 22.214.171.124 255.255.255.255 ! router bgp 200 neighbor 126.96.36.199 remote-as 200 neighbor 188.8.131.52 update-source loopback 0 neighbor 184.108.40.206 remote-as 200 neighbor 220.127.116.11 update-source loopback 0 !
If a loopback interface is configured on the router, its IP address is used as the router ID. This is important for ensuring stability and predictability in the operation of the ISP's network.
OSPF chooses the designated router (DR) on a LAN as the device that has the highest IP address. If routers are added or removed from the LAN, or if a router gains an interface with a higher address than that of the existing DR, the DR likely will change if the DR or backup designated router (BDR) fails. This generally is undesirable in an ISP network because ISPs prefer to have the DR and BDR routers established deterministically. This change in DR and BDR can be avoided by ensuring that the loopback interface is configured and in use on all routers on the LAN.
The loopback interface is used for the BGP router ID. If the loopback isn't configured, BGP uses the highest IP address on the router. Again, because of the ever-changing nature of an ISP network, this value can change, possibly resulting in operational confusion. Configuring and using a loopback interface ensures stability.
If the router has two or more loopback interfaces configured, the router ID is the highest IP address of the configured loopback interfaces at the time of booting the router.
Exception Dumps by FTP
Cisco routers can be configured to dump core memory to an FTP server as part of the diagnostic and debugging process. However, this core dump should be to a system not running a public FTP server, but one heavily protected by filters (TCP Wrapper even) that allow only the routers access. If the loopback interface address is used as source address from the router and is part of one address block, the filter is very easy to configure. A 200-router network with 200 disparate IP addresses makes for a very large filter list on the FTP server. Examine the following example IOS Software configuration:
ip ftp source-interface Loopback0 ip ftp username cisco ip ftp password 7 045802150C2E exception protocol ftp exception dump 18.104.22.168
TFTP Server Access
TFTP is the most common tool for uploading and downloading configurations. The TFTP server's security is critical, which means that you should always use security tools with IP source addresses. IOS Software allows TFTP to be configured to use specific IP interfaces address. This allows a fixed ACL on the TFTP server based on a fixed address on the router (for example, the loopback interface).
ip tftp source-interface Loopback0
SNMP Server Access
If SNMP is used in the network, the loopback interface again can be brought into use for security access issues. If SNMP traffic from the router is sourced from its loopback interface, it is easy to protect the SNMP management station in the NOC. A sample IOS Software configuration follows:
access-list 98 permit 22.214.171.124 access-list 98 permit 126.96.36.199 access-list 98 deny any ! snmp-server community 5nmc02m RO 98 snmp-server trap-source Loopback0 snmp-server trap-authentication snmp-server host 188.8.131.52 5nmc02m snmp-server host 184.108.40.206 5nmc02m
TACACS/RADIUS Server Source Interface
Most ISPs use TACACS+ or RADIUS for user authentication. Very few define accounts on the router itself because this offers more opportunity for the system to be compromised. A well-protected TACACS+ server accessed only from the router's loopback interface address block offers more security of user and enable accounts. A sample configuration for standard and enable passwords follows:
aaa new-model aaa authentication login default tacacs+ enable aaa authentication enable default tacacs+ enable aaa accounting exec start-stop tacacs+ ! ip tacacs source-interface Loopback0 tacacs-server host 220.127.116.11 tacacs-server host 18.104.22.168 tacacs-server key CKr3t# !
When using RADIUS, either for user administrative access to the router or for dial user authentication and accounting, the router configuration to support loopback interfaces as the source address for RADIUS packets originating from the router looks like this:
radius-server host 22.214.171.124 auth-port 1645 acct-port 1646 radius-server host 126.96.36.199 auth-port 1645 acct-port 1646 ip radius source-interface Loopback0 !
NetFlow Flow Export
Exporting traffic that flows from the router to a NetFlow Collector for traffic analysis or billing purposes is quite common. Using the loopback interface as the source address for all exported traffic flows from the router allows for more precise and less costly filtering at or near the server. A configuration example follows:
ip flow-export destination 188.8.131.52 9996 ip flow-export source Loopback0 ip flow-export version 5 origin-as ! interface Fddi0/0/0 description FDDI link to IXP ip address 184.108.40.206 255.255.255.0 ip route-cache flow ip route-cache distributed no keepalive !
Interface FDDI0/0/0 has been configured to capture flow records. The router has been configured to export Version 5style flow records to the host at IP address 220.127.116.11 on UDP port 9996, with the source address being the router's loopback interface.
NTP Source Interface
NTP is the means of keeping the clocks on all the routers on the network synchronized to within a few milliseconds. If the loopback interface is used as the source interface between NTP speakers, it makes filtering and authentication somewhat easier to maintain. Most ISPs want to permit their customers to synchronize only with their time servers, not everyone else in the world. Look at the following configuration example:
clock timezone SST 8 ! access-list 5 permit 18.104.22.168 access-list 5 permit 22.214.171.124 ! ntp authentication-key 1234 md5 104D000A0618 7 ntp authenticate ntp trusted-key 1234 ntp source Loopback0 ntp access-group peer 5 ntp update-calendar ntp peer 126.96.36.199 ntp peer 188.8.131.52 !
Syslog Source Interface
Syslog servers also require careful protection on ISP backbones. Most ISPs prefer to see only their own systems' syslog messages, not anything from the outside world. Denial-of-service attacks on syslog devices are not unknown, either. Protecting the syslog server is again made easier if the known source of syslog messages comes from a well-defined set of address spacefor example, that used by the loopback interfaces on the routers. See the following configuration example:
logging buffered 16384 logging trap debugging logging source-interface Loopback0 logging facility local7 logging 184.108.40.206 !
Telnet to the Router
This might seem to be an odd example in a document dedicated to IOS Software essentials. However, remember that a loopback interface on a router never changes its state and rarely has any need to change its IP address. Physical interfaces can be physically swapped out or renumbered, and address ranges can change, but the loopback interface will always be there. So, if the DNS is set up so that the router name maps to the loopback interface address, there is one less change to worry about during operational and configuration changes elsewhere in the ISP backbone. ISP backbones are continuously developing entities. Here's an example from the DNS forward and reverse zone files:
; net.galaxy zone file net.galaxy. IN SOA ns.net.galaxy. hostmaster.net.galaxy. ( 1998072901 ; version == date(YYYYMMDD)+serial 10800 ; Refresh (3 hours) 900 ; Retry (15 minutes) 172800 ; Expire (48 hours) 43200 ) ; Minimum (12 hours) IN NS ns0.net.galaxy. IN NS ns1.net.galaxy. IN MX 10 mail0.net.galaxy. IN MX 20 mail1.net.galaxy. ; localhost IN A 127.0.0.1 gateway1 IN A 220.127.116.11 gateway2 IN A 18.104.22.168 gateway3 IN A 22.214.171.124 ; ;etc etc ; 1.17.215.in-addr.arpa zone file ; 1.17.215.in-addr.arpa. IN SOA ns.net.galaxy. hostmaster.net.galaxy. ( 1998072901 ; version == date(YYYYMMDD)+serial 10800 ; Refresh (3 hours) 900 ; Retry (15 minutes) 172800 ; Expire (48 hours) 43200 ) ; Minimum (12 hours) IN NS ns0.net.galaxy. IN NS ns1.net.galaxy. 1 IN PTR gateway1.net.galaxy. 2 IN PTR gateway2.net.galaxy. 3 IN PTR gateway3.net.galaxy. ; ;etc etc
On the router, set the Telnet source to the loopback interface:
ip telnet source-interface Loopback0
RCMD to the Router
RCMD requires the operator to have the UNIX rlogin/rsh clients to enable access to the router. Some ISPs use RCMD for grabbing interface statistics, uploading or downloading router configurations, or taking a snapshot of the routing table. The router can be configured so that RCMD connections use the loopback interface as the source address of all packets leaving the router:
ip rcmd source-interface Loopback0