Figure 3-2. BGP Route-Reflector Cluster

However, most ISPs choose to implement clusters with two route reflectors, as in Figure 3-3. This gives them redundancy in the cluster if one route reflector fails.

Figure 3-3. BGP Route-Reflector Cluster with Two Route Reflectors

Network designers should be aware of some caveats when configuring route reflectors. As soon as a router is configured as a route reflector, it is assigned a cluster identifier automatically by the BGP...

ISP Community Usage

RFC 1998 was written several years ago, and since then, ISPs have refined and enhanced what they use communities for. Many examples exist on the Internet, and a few of them that were publicly visible at the time of this writing are documented here. The first example is from AS 2764, an Australian-based ISP. The community policies are documented in the AS object stored in the Internet Routing Registry:

Announce to non customers with no-export
changed: mrp@connect.com.au 19990506

The remarks...

RTRMon: A Tool for Router Monitoring and Manipulation

The RTR system currently comes with three programs, rtrmon, rtrpass, and rtrlogin. rtrmon (for router monitor) is the core of the system. It uses predefined actions to log into routers, issue commands, process the output, archive the results, and possibly mail reports. It is designed to provide the framework for a variety of potential monitoring tasks and to be readily extensible with new reporting code if the built-in methods are insufficient for complex analysis. rtrmon can even update router...

VTY Access and SSH

Before IOS Software Releases 12.0S and 12.1T, the only method really used to access the VTY ports was Telnet. rlogin has been used by some ISPs, especially for executing one-off commands, but the protocol is insecure and can't be recommended for any public network. SSH version 1 support now has been added, giving ISPs greater flexibility and some security when accessing their equipment across the Internet. SSH will form an encrypted tunnel between the client and the IOS Software SSH server....

ISP Border Packet Filters

The decision of whether to install packet filters on the network border usually depends on the size of the ISP operation and whether the design and operations team feels that such filters can serve any useful purpose to protect the backbone. There is no hard-and-fast rule, but we have found that smaller ISPs tend to implement quite severe filters on their network edges, while the largest ISPs probably implement only one or two key filters to prevent DOS attacks on their networks. Much of any...

Further NTP References

Table 1-5 shows some URLs with further pointers to NTP information, software, and hardware.

- Network Time Protocol (NTP) Master Clock for the U.S.
- The Time Web Server (Time Sync), by Dave Mills
- Coetanian Systems Time Synchronization Server 100

Keeping data on the health of an ISP's network is critical to its survival as a business. For example, an ISP must know the load on its backbone circuits and the...

Networks That Should Not Be Advertised on the Internet

As mentioned earlier, some networks are reserved for special functions on the Internet. These networks should not appear in the Internet Route Table; examples are:

- 0.0.0.0/0 and 0.0.0.0/8: Default and network 0 (unique and now historical properties)
- 127.0.0.0/8: Host loopback
- 192.0.2.0/24: TEST-NET, generally used for examples in vendor documentation
- 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16: RFC 1918 private addresses
- 169.254.0.0/16: End-node autoconfiguration network in the absence of DHCP
- Any...

Example C-6 Access Server Configuration Example

version 12.0
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
logging buffered 16384 debugging
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login radius-login group radius
aaa authentication enable default group tacacs+ enable
aaa authentication ppp default none
aaa authentication ppp...

What OTP Systems Are Supported

Several third-party OTP systems are supported by Cisco's commercial TACACS+ server (CiscoSecure ACS) at the time of this writing. CiscoSecure ACS v2.3 for Windows NT supports token card servers from vendors including Safeword (Secure Computing). CiscoSecure ACS v2.2 for UNIX supports a further set of token card servers. Due diligence is recommended; hence, check the latest documentation on www.cisco.com for the most current list of supported OTP systems.

Unneeded or Risky Global Services

Many of the built-in services in IOS Software are not needed in an ISP backbone environment. These features should be turned off in your default configuration. Turn them on only if there are explicit requirements.

no ip finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no ip bootp server

Some of these services will be preconfigured in IOS Software (depending on the release) and may already be turned off by default, but ISPs should ensure that they are explicitly turned off...

Turbo ACL Configuration Details and References

To activate Turbo ACLs in a Cisco router, a single global command is used; it applies Turbo ACLs to all ACLs on the router, no matter what their size is. Turbo ACLs were introduced in IOS Software Release 12.0(6)S. Keyword searches on Cisco.com or "t 120s 120s6 turboacl.ht" will provide configuration information on Turbo ACLs. Full details of how Turbo ACLs work were given by author Andrew McRae (amcrae@cisco.com) in the paper High-Speed Packet Classification, presented at the Australian...

Route Refresh

A new feature available from IOS Software Release 12.0(5)S is route refresh (documented in RFC 2918). The concept is similar to soft reconfiguration, but this is a capability shared between two BGP speakers (as opposed to soft reconfiguration, which is configured on the local router only), and it is negotiated automatically at the time the BGP session is brought up. To find out whether route refresh is supported, check the BGP neighbor using the following command:

alpha> sh ip bgp neighbors...

Software and Router Management

This chapter covers many of the basic questions that ISPs ask when they are first faced with setting up routers for their Internet business. Although documentation shipped with any item of equipment provides a very comprehensive description of setup processes, more experienced ISPs usually have developed a methodology for how new hardware is deployed on a living backbone. Often the vendor's well-intentioned startup process for new users becomes more of a hindrance or inconvenience in these...

What Other ISPs Are Doing

Here are just a few examples of what ISPs from all over the Internet are using to manage their network. Randy Bush (randy@psg.com) asked major ISPs in the United States on the NANOG mailing list what they used for traffic analysis. His summary follows. Notice especially the number of UNIX script-based tools. Readers can find more information by looking at the NANOG mailing list archives at www.nanog.org.

We do SNMP polling every 15 minutes at SESQUINET on every line over which we have...

Example C-1 Border Router Configuration Example

version 12.0
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
boot system flash c7200-k4p-mz.120-10.S2
logging buffered 16384 debugging
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default start-stop tacacs+
clock timezone GMT 0...

Copying New Images to Flash Memory

Copying a new image into Flash memory in itself isn't a complicated process, but there are a few good practice points to be aware of. The most important point is to re-emphasize that leaving a backout image somewhere on the router is good practice and plain common sense. So many network outages have been prolonged because a new router image failed and the ISP didn't leave a backout image on the device. New images should be loaded into Flash during maintenance periods, not when the router is...

Out-of-Band Console Server

This is the typical configuration of an access server that has been configured as an out-of-band management device (refer to Example C-7). The router in this case is a 2611 router with 32 asynchronous ports that have been wired to the consoles of the equipment used in Figure C-1 and described in the preceding configurations.

Example C-7 Out-of-Band Console Server Configuration Example

version 12.1
service nagle
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec...

Network Plan Starting

Network Plan for ISP

The first stage involves looking at the network design at the start of the ISP's operation. Figure 5-12 gives an example network: it has four routers, three switches with some hosts connected to them, and some customer leased-line connections. There is also a dialup router. Finally, the network has a link to an upstream ISP. This is a simple network with four small PoPs at initial rollout.

Figure 5-12. Network Plan at Deployment

Also on the figure are the...

Analyzing Syslog Data

Configuring the routers to export syslog data is one step. The next step is to store the data, analyze it, and use it in day-to-day operations. Interface status, security alerts, and debugging problems are some of the most common events that ISPs monitor from the collected syslog data (an example of the output from the collected syslog data is in Figure 1-3). Some use custom-written Perl scripts to create simple reports. Others use more sophisticated software to analyze the syslog data and...

SNMP and Commercial Network Management Software

One thing to be aware of is that some commercial network management software likes to take over the network by doing autodiscovery of devices on the backbone. Many ISP engineers don't approve of this style of network management and tend to build their own tools that are suitable for monitoring the backbone. For those ISPs that rely on commercial packages, such as HP OpenView, it is worth remembering and understanding the impact that the autodiscovery function has. Autodiscovery fits very nicely...

The BGP Best Path Algorithm for IOS Software

Assign the first valid path as the current best path. Now compare the best path with the next path in the list, until the end of the list of valid paths is reached.

1. Prefer the path with the largest weight. Note that weight is a Cisco-specific parameter, local to the router on which it is configured.
2. Prefer the path with the largest LOCAL_PREF.
3. Prefer the path that was locally originated through a network or aggregate BGP subcommand or through redistribution from an IGP.
4. Prefer locally...