The Loopback Interface - Network Startup Resource Center · Cisco ISP Workshops © 2003, Cisco...

Date post: 04-Jun-2020
  • Slide 1 (© 2003, Cisco Systems, Inc. All rights reserved. Cisco ISP Workshops)

    The Loopback Interface
    ISP/IXP Workshops

  • Slide 2

    Overview

    • Requires IOS 11.1CC or 12.0 trains

      ISP software trains

    • Covers router access, security, information gathering, configuration and scalability.

  • Slide 3

    Motivation

    • Most ISPs make use of the router loopback interface.

    • IP address configured is a host address

    • Configuration example:

      interface loopback 0
       description Loopback Interface of CORE-GW3
       ip address 215.18.3.34 255.255.255.255

  • Slide 4

    Motivation

    • Loopback interfaces on ISP backbone usually numbered:

      out of one contiguous block, or

      using a geographical scheme, or

      using a per PoP scheme

    • Aim is to aid recognition and improve security

  • Slide 5

    [Diagram: a router with a loopback interface exporting information across the backbone to the NOC services (TFTP, SYSLOG, TACACS+, SNMP); the NOC servers are protected by TCP Wrapper and ACLs.]

    Topology changes do not affect the source IP address of the packets coming from the Router.

  • Slide 6

    Motivation

    With routers using a loopback address as the source for all IP packets originating from the router, it becomes very easy to construct appropriate filters to protect management systems in the ISP’s network operation centres.

  • Slide 7

    Router Access

  • Slide 8

    Accessing the Router

    • Put mapping of the router loopback address to router name into forward and reverse DNS.

    • Telnet to router using loopback address, not interface address. ISP routers usually have multiple external paths and many interfaces.

    • DNS Configuration example:

      core-gw3 A 215.17.1.8 ; Loopback of router gw3

  • Slide 9

    Remote access using Telnet

    • Remote access from the router using familiar telnet

    • Configure telnet so that the loopback address is used in packets originating from the router

    • Configuration example:

    ip telnet source-interface Loopback0

  • Slide 10

    Remote access using RCMD

    • Remote access from router using Unix style “rcmd”

    • Configure RCMD so that the loopback address is used in packets originating from the router

    • Configuration example:

    ip rcmd source-interface Loopback0

  • Slide 11

    Security

  • Slide 12

    Management User Authentication

    • TACACS+ distributed authentication system for management access to routers

    • Configure TACACS+ so that the loopback address is used in packets originating from the router

    • Configuration example:

    ip tacacs source-interface Loopback0

    tacacs-server host 215.17.1.1

  • Slide 13

    Management User Authentication

    • Motivation – Aid Server Security:

      TACACS+ servers can be protected by filters which only allow TACACS+ port to be accessed from loopback address block

    • Motivation – Easy to read/process logs:

      TACACS+ log records have the loopback address recorded as source address, not the egress interface.

  • Slide 14

    RADIUS User Authentication

    • RADIUS distributed authentication system for dial user access to routers

    • Configure RADIUS so that the loopback address is used in packets originating from the router

    • Configuration example:

      ip radius source-interface Loopback0
      radius-server host 215.17.1.1 auth-port 1645 acct-port 1646

  • Slide 15

    RADIUS User Authentication

    • Motivation – Aid Server Security:

      RADIUS servers and proxies can be protected by filters which only allow RADIUS ports to be accessed from loopback address block

    • Motivation – Easy to read/process logs:

      RADIUS log records have the loopback address recorded as source address, not the egress interface.

  • Slide 16

    Recording Information

  • Slide 17

    Exporting NetFlow records

    • Exporting Cisco NetFlow statistics to a NetFlow Collector system

    • Configure NetFlow export so that the loopback address is used in packets originating from the router

    • Configuration example:

    ip flow-export source Loopback0

  • Slide 18

    Exporting NetFlow records

    • Motivation – Aid Server Security:

      NetFlow collector can be protected by filters which only allow the specified flow port to be accessed from loopback address block

  • Slide 19

    Logging Information

    • Send logging information to a Unix or Windows SYSLOG server.

    • Log packets leave router with loopback interface address as source

    • Configuration example:

      logging source-interface loopback0

  • Slide 20

    Logging Information

    • Motivation – Aid Server Security:

      SYSLOG servers and proxies can be protected by filters which only allow the syslog port to be accessed from the loopback address block

    • Motivation – Easy to read/process logs:

      SYSLOG records have the loopback address recorded as source address, not the egress interface.

  • Slide 21

    Network Time Protocol

    • Network Time Protocol (NTP) used to synchronize the time on all the devices.

    • NTP packets leave router with loopback address as source

    • Configuration example:

    ntp source loopback0

    ntp server 169.223.1.1 source loopback 1

  • Slide 22

    Network Time Protocol

    • Motivation – NTP Security:

      NTP systems can be protected by filters which only allow the NTP port to be accessed from the loopback address block

    • Motivation – Easy to understand NTP peerings:

      NTP associations have the loopback address recorded as source address, not the egress interface.

  • Slide 23

    SNMP

    • If SNMP is used, send traps from router using loopback address as source.

    • Configuration example:

    snmp-server trap-source Loopback0

    snmp-server host 169.223.1.1 community

  • Slide 24

    SNMP

    • Motivation – Aid SNMP Server Security:

      SNMP management systems can be protected by filters which only allow the SNMP port to be accessed from the loopback address block

    • Motivation – Easy to read/process trap information:

      SNMP traps have the loopback address recorded as source address, not the egress interface.

  • Slide 25

    Core Dumps

    • Core dump feature allows routers to transfer an image of memory to a specified FTP server in case of a crash.

    • Configure core dumps to use the loopback interface address as source.

    • Configuration example:

      ip ftp source-interface loopback 0
      exception protocol ftp
      exception dump 169.223.32.1

  • Slide 26

    Core Dumps

    • Motivation – Core Dump FTP Server Security:

      FTP server used for core dumps can be protected by filters which only allow the FTP port to be accessed from the loopback address block

      This FTP server should NOT be visible to the public

  • Slide 27

    Configuration and Scalability

  • Slide 28

    Configuration using TFTP

    • Configuring the router using TFTP from tftp server

    • Saving router configuration to a tftp server

    • Configure TFTP so that the loopback address is used in packets originating from the router

    • Configuration example:

    ip tftp source-interface Loopback0
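The `source-interface` commands on slides 9 through 28 all enforce the same policy: every management protocol the router originates must carry the loopback address. The audit below is an added example (not Cisco's code and not part of the workshop material) that parses an IOS configuration and reports any service that is configured but still sourced from an egress interface. The sample configuration is constructed from addresses that appear on the slides, and `EXAMPLE-COMMUNITY` is a placeholder, not a real community string.

```python
"""Audit an IOS configuration for management traffic not sourced from a loopback.
Added example (not Cisco's code); the regexes cover the commands shown on the slides."""
import re

# Global commands that pin the source address of router-originated traffic.
# Each regex captures the configured interface, with or without a space before
# the unit number ("Loopback0" and "loopback 0" are both accepted by IOS).
SOURCE_COMMANDS = {
    "telnet":  re.compile(r"^ip telnet source-interface (.+)$", re.I),
    "rcmd":    re.compile(r"^ip rcmd source-interface (.+)$", re.I),
    "tacacs":  re.compile(r"^ip tacacs source-interface (.+)$", re.I),
    "radius":  re.compile(r"^ip radius source-interface (.+)$", re.I),
    "netflow": re.compile(r"^ip flow-export source (.+)$", re.I),
    "syslog":  re.compile(r"^logging source-interface (.+)$", re.I),
    "ntp":     re.compile(r"^ntp source (.+)$", re.I),
    "snmp":    re.compile(r"^snmp-server trap-source (.+)$", re.I),
    "ftp":     re.compile(r"^ip ftp source-interface (.+)$", re.I),
    "tftp":    re.compile(r"^ip tftp source-interface (.+)$", re.I),
}

# Commands showing a service is actually configured; only those services are
# reported when they lack a loopback source, so unused services stay quiet.
SERVICE_IN_USE = {
    "tacacs":  re.compile(r"^tacacs-server host ", re.I),
    "radius":  re.compile(r"^radius-server host ", re.I),
    "netflow": re.compile(r"^ip flow-export destination ", re.I),
    "syslog":  re.compile(r"^logging (?:host )?\d+\.", re.I),
    "ntp":     re.compile(r"^ntp (?:server|peer) ", re.I),
    "snmp":    re.compile(r"^snmp-server host ", re.I),
    "ftp":     re.compile(r"^exception dump ", re.I),
}


def normalize_interface(name):
    """'loopback 0', 'Loopback0' and 'Lo0' all name the same interface."""
    name = name.strip().lower().replace(" ", "")
    return re.sub(r"^lo(?=\d)", "loopback", name)


def parse_sources(config):
    """Map each service to its configured (normalized) source interface."""
    sources = {}
    for line in config.splitlines():
        line = line.strip()
        for service, pattern in SOURCE_COMMANDS.items():
            m = pattern.match(line)
            if m:
                sources[service] = normalize_interface(m.group(1))
    return sources


def services_in_use(config):
    """Services that have a server or destination configured on this router."""
    used = set()
    for line in config.splitlines():
        for service, pattern in SERVICE_IN_USE.items():
            if pattern.match(line.strip()):
                used.add(service)
    return used


def audit(config):
    """Return [(service, problem)] for every configured service whose packets
    would carry an egress-interface address instead of the loopback address."""
    sources = parse_sources(config)
    findings = []
    for service in sorted(services_in_use(config) | set(sources)):
        src = sources.get(service)
        if src is None:
            findings.append((service, "no source-interface; egress address will be used"))
        elif not src.startswith("loopback"):
            findings.append((service, f"source is {src}, not a loopback"))
    return findings


# Constructed sample: addresses taken from the slides, deliberately leaving
# RADIUS sourced from a serial interface and syslog without any source-interface.
SAMPLE_CONFIG = """\
interface loopback 0
 description Loopback Interface of CORE-GW3
 ip address 215.18.3.34 255.255.255.255
!
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.1
!
ip radius source-interface Serial0/0
radius-server host 215.17.1.1 auth-port 1645 acct-port 1646
!
logging 215.17.1.2
!
ntp source loopback 0
ntp server 169.223.1.1
!
snmp-server trap-source Loopback0
snmp-server host 169.223.1.1 EXAMPLE-COMMUNITY
"""

if __name__ == "__main__":
    for service, problem in audit(SAMPLE_CONFIG):
        print(f"{service}: {problem}")
```

Run against the sample, the audit flags RADIUS (sourced from `Serial0/0`) and syslog (no `logging source-interface` at all); TACACS+, NTP and SNMP pass. Appending the two missing commands to the configuration empties the findings list, which is the check to run before relying on the server-side filters from the following slides.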

  • Slide 29

    Configuration using TFTP

    • Motivation – Aid TFTP Server Security:

      TFTP server used to store configurations and IOS images can be protected by filters which only allow the TFTP port to be accessed from the loopback address block

      This TFTP server should NOT be visible to the public
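Slides 6, 13, 15, 18, 20, 22, 24, 26 and 29 each make the same server-side claim: because every router sources management traffic from its loopback, the NOC servers can be filtered to accept each management port only from the loopback block. The policy below is an added example (not from the workshop and not Cisco's code) expressed as a small packet filter with the default-deny behaviour those slides call for. The loopback block, the router-name table and most port numbers are assumptions; only the RADIUS ports 1645/1646 come from the slides, and 2055 stands in for the "specified flow port".

```python
"""Server-side policy: management ports reachable only from the loopback block.
Added example, not from the workshop; the block, router names and ports are
assumptions except RADIUS 1645/1646, which appear on the slides."""
from ipaddress import ip_address, ip_network

# Constructed: the backbone numbers all loopbacks out of one contiguous block.
LOOPBACK_BLOCK = ip_network("215.17.1.0/24")

# Management services keyed by (protocol, server port).  1645/1646 come from the
# slides' RADIUS example; the rest are the registered ports for each protocol,
# and 2055 is an assumed NetFlow collector port.
MANAGEMENT_PORTS = {
    ("tcp", 49):   "tacacs+",
    ("udp", 1645): "radius-auth",
    ("udp", 1646): "radius-acct",
    ("udp", 2055): "netflow",
    ("udp", 514):  "syslog",
    ("udp", 123):  "ntp",
    ("udp", 162):  "snmp-trap",
    ("tcp", 21):   "ftp-core-dump",
    ("udp", 69):   "tftp",
}

# Constructed reverse-DNS style table (slide 8): loopback address -> router name.
ROUTER_NAMES = {
    "215.17.1.8":  "core-gw3",
    "215.17.1.34": "core-gw1",
    "215.17.1.35": "core-gw2",
}


def filter_packet(src_ip, proto, dst_port):
    """Return (allowed, reason) for one inbound packet.  Default deny: an
    unknown port or a source outside the loopback block is dropped, so the
    core-dump FTP and TFTP servers are never reachable from the public Internet."""
    service = MANAGEMENT_PORTS.get((proto, dst_port))
    if service is None:
        return False, f"{proto}/{dst_port} is not a management service"
    if ip_address(src_ip) not in LOOPBACK_BLOCK:
        return False, f"{service} from {src_ip}, outside loopback block {LOOPBACK_BLOCK}"
    name = ROUTER_NAMES.get(src_ip, "unknown-router")
    return True, f"{service} from {name} ({src_ip})"


def apply_filter(packets):
    """Run every (src_ip, proto, dst_port) tuple through the policy."""
    return [filter_packet(*pkt) for pkt in packets]


# Constructed packets as the NOC server's host firewall would see them.
SAMPLE_PACKETS = [
    ("215.17.1.8",   "tcp", 49),   # TACACS+ from core-gw3's loopback: allow
    ("215.17.1.34",  "udp", 514),  # syslog from core-gw1's loopback: allow
    ("215.34.10.1",  "udp", 514),  # syslog sourced from a customer-facing egress address: deny
    ("198.51.100.7", "udp", 69),   # TFTP from the public Internet: deny
    ("215.17.1.8",   "tcp", 22),   # a loopback, but a port this server does not offer: deny
]

if __name__ == "__main__":
    for (src, proto, port), (allowed, reason) in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_PACKETS)):
        print("ALLOW" if allowed else "DROP ", src, proto, port, "-", reason)
```

The third sample packet is the case the slides warn about: a router that lost its `source-interface` setting sends syslog from an egress address, and the filter drops it, which is a useful signal in its own right. The reason strings double as log lines, and the router-name lookup is the "easy to read/process logs" benefit from slide 8 applied on the server side.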

  • Slide 30

    Interface Configuration

    • “ip unnumbered”

      no need for an IP address on point-to-point links

      keeps IGP small

    • Configuration example:

      interface loopback 0
       ip address 215.17.3.1 255.255.255.255
      !
      interface Serial 5/0
       ip unnumbered loopback 0
      !
      ip route 215.34.10.0 255.255.252.0 Serial 5/0

  • Slide 31

    Router ID

    • If the loopback interface exists and has an IP address, that is used as the router ID in routing protocols – stability!

    • If the loopback interface does not exist, or has no IP address, the router ID is the highest IP address configured – danger!

    • If multiple loopback interfaces exist, and have IP addresses configured, then the highest IP address is chosen as the router ID
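The three rules on this slide can be checked mechanically. The script below is an added example (not Cisco's code) that reads interface addresses out of a configuration, applies the rules, and recomputes the router ID with one interface removed to show why a physical-interface ID is the "danger" case. Both sample configurations are constructed, reusing addresses from the slides.

```python
"""Router ID selection following the three rules on the slide.
Added example (not Cisco's code); the sample configurations are constructed."""
import re
from ipaddress import ip_address

INTERFACE_RE = re.compile(r"^interface\s+(.+)$", re.I)
ADDRESS_RE = re.compile(r"^ip address\s+(\d+\.\d+\.\d+\.\d+)\s+\d+\.\d+\.\d+\.\d+", re.I)


def interface_addresses(config):
    """Return [(normalized interface name, IPv4Address)] for each 'ip address' line."""
    result, current = [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1).lower().replace(" ", "")
            continue
        m = ADDRESS_RE.match(line)
        if m and current is not None:
            result.append((current, ip_address(m.group(1))))
    return result


def choose_router_id(addrs):
    """Rules from the slide: the highest loopback address wins (rules 1 and 3);
    with no addressed loopback, the highest address on any interface (rule 2)."""
    loopbacks = [a for name, a in addrs if name.startswith("loopback")]
    if loopbacks:
        return str(max(loopbacks)), "loopback"
    if addrs:
        return str(max(a for _, a in addrs)), "physical-interface (unstable)"
    return None, "no-address"


def select_router_id(config):
    return choose_router_id(interface_addresses(config))


def router_id_without(config, interface):
    """Router ID the process would pick if `interface` had no address (for
    instance after the link was removed and the routing process restarted).
    A physical-interface ID moves; a loopback ID stays put."""
    gone = interface.lower().replace(" ", "")
    return choose_router_id([(n, a) for n, a in interface_addresses(config) if n != gone])


# Constructed: two loopbacks plus a serial link whose address is numerically higher.
WITH_LOOPBACKS = """\
interface loopback 0
 ip address 215.17.3.1 255.255.255.255
interface loopback 1
 ip address 215.17.3.200 255.255.255.255
interface Serial 5/0
 ip address 215.34.10.1 255.255.255.252
"""

# Constructed: no loopback at all, so the ID follows the highest physical address.
NO_LOOPBACK = """\
interface Serial 5/0
 ip address 215.34.10.1 255.255.255.252
interface Ethernet0
 ip address 215.17.3.9 255.255.255.0
"""

if __name__ == "__main__":
    print("with loopbacks:      ", select_router_id(WITH_LOOPBACKS))
    print("  minus Serial 5/0:  ", router_id_without(WITH_LOOPBACKS, "Serial 5/0"))
    print("without loopbacks:   ", select_router_id(NO_LOOPBACK))
    print("  minus Serial 5/0:  ", router_id_without(NO_LOOPBACK, "Serial 5/0"))
```

In the first configuration the serial address is the highest on the box, yet the router ID is the higher of the two loopbacks and does not change when the serial link goes; in the second the ID sits on `Serial 5/0` and jumps to the Ethernet address when that link is lost, exactly the instability the slide flags.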

  • Slide 32

    Stable iBGP configuration

    • Use loopback interface

      it never goes away

      ISP routers usually have multiple external paths

    • Configuration example:

      interface loopback 0
       ip address 215.17.1.34 255.255.255.255
      !
      router bgp 200
       neighbor 215.17.1.35 remote-as 200
       neighbor 215.17.1.35 update-source loopback 0

  • Slide 33

    Multiple parallel eBGP Sessions

    • eBGP to loopback addresses

    • eBGP prefixes learned with loopback address as next hop

    • parallel paths to loopback address allow load-sharing

    [Diagram: parallel eBGP links between AS200 and AS 201]

  • Slide 34

    Summary

    • Loopback interface is not “redundant” or “superfluous”

    • Multitude of uses to ease security, access, management, information and scalability of router and network

    • Protects the ISP’s Management Systems

    • Use the loopback!

  • Slide 35

    The Loopback Interface
    ISP/IXP Workshops