About the Authors

Barry Raveendran Greene is a Senior Consultant in the Internet Architectures Group of Consulting Engineering, Office of the CTO, Cisco Systems. Cisco's CTO Consulting group assists ISPs throughout the world to scale, grow, and expand their networks. The assistance is delivered through consulting, developing new features, working on new standards (IETF and other groups), and pushing forward Best Common Practices (BCPs) to the Internet community. Barry's current topics of interest are ISP Operations...

Access

This is the edge of the ISP network facing the customer. The access layer can be made up of all kinds of devices, from a simple router supporting PSTN modem banks to cable-aggregation devices supporting broadband customers. For this reason, ISPs tend to subdivide their access layers into more manageable units. Larger businesses often have different business units running different access services, and it is useful to give these different units management access to the devices they are...

Access Control Lists Turbo ACLs

Turbo ACLs use a technique that takes a standard or extended ACL, creates a set of data tables, and compiles them for runtime processing. For this reason, Turbo ACLs also are referred to as compiled ACLs. Turbo ACLs do not change the first-match-wins characteristic of all ACLs. Instead, they reduce the number of CPU operations needed to find a match, allowing larger ACLs to be used without an increase in packet latency. This provides ISPs with a tool to allow large ACLs without a significant...

Access List Types

Extended 48-bit MAC address access list IP standard access list (expanded range) IP extended access list (expanded range) Enables IP access-list compilation (new from 12.0(6)S) Simple rate limit-specific access list Specifies a dynamic list of permits or denies KA9Q NOS-compatible IP over IP tunneling A single source host (equivalent to a.b.c.d 255.255.255.255) Log matches against this entry, including input interface Matches packets with given precedence value Matches packets with given TOS...

Access Lists on the VTY Ports

It is important to secure the VTY ports used for Telnet access with a standard ACL. By default, there are no access controls on any of the VTY ports. If this is left this way and a password is applied to the VTY port, the router will be wide open to anyone who attempts a brute-force crack against the password. The following configuration with access-list 3 is typical of a better approach: aaa authentication login Cisco-Lab local username Ciscol password 7 11041811051B13 access-list 3 permit...

Access Network Prefixes

Access network prefixes commonly are used in nonpermanent access networks. So customers connecting using cable, ADSL, PSTN, or ISDN dialup tend to be assigned address space on a dynamic basis. When they connect, PPP or DHCP is used to assign them an address for the duration of their session. When they terminate the connection, the address goes back into the pool. Access network prefixes are not carried in the IGP. If they were carried in the IGP, then every time a customer connects to the...

Acknowledgments

This book started life as a small whitepaper called IOS Essentials, an attempt to document the various configuration and operational best practices which ISPs were using on their Cisco networking equipment. This whitepaper has, over the last few years, grown through several versions into this book, Cisco ISP Essentials. We would like to thank the numerous friends and colleagues in the industry who have contributed to both the whitepaper and this book. Many have contributed their own text, made...

ACL Option Added in IOS Software Release 12.0(10)S1

The optional ACL parameter to the command can be used to control the exact behavior when the received frame fails the source IP address check. The ACL can be either a standard or an extended IP access list: <1-99> IP standard access list; <100-199> IP extended access list; <1300-1999> IP standard access list (expanded range); <2000-2699> IP extended access list (expanded range). If an ACL is specified, when (and only when) a packet fails a uRPF check the ACL is checked to...

Activate

Old style: This command was not present in IOS Software Release 12.0S. The neighbor was activated for IPv4 BGP automatically. However, if multiprotocol BGP were to be enabled, the nlri keyword in the neighbor command was used: Router(config-router) neighbor 1.2.3.4 remote-as 10 nlri unicast multicast. If the nlri keyword was not specified, the router exchanged IPv4 prefixes only. However, if the nlri keyword was specified with the multicast option only, only the IPv4 multicast session was...

Address Plan

It is a constant surprise to many seasoned campaigners how little attention industry newcomers pay to developing a sensible and coherent addressing plan for the backbone. ISPs often spend months of detailed design for their backbone, completely forgetting to put a plan together. A week or few before they go live, they realize that address space is required, and the ensuing panic with applications to the registries results in an inevitable slowing of the deployment plans. Designing a network and...

Address Space for Customers

Customers are assigned address space by the ISP according to the policies set out by the RIR of which the ISP is a member. As an approximate guide, ISPs are expected to follow the same procedures with their customers as they have followed with the RIR in obtaining address space. So, when the ISP makes first technical contact with the customer, an assessment of address space requirements is made according to need. Need should not be confused with want. Staff members from many organizations who...

Aggregate

set and match nlri in route maps The only caveat is that the old style commands can be used as long as no new features need to be activated. In that event, the old style BGP commands need to be translated to the new style (discussed momentarily). When in the new mode, the old commands no longer will be accepted. In other words, the old (NLRI style) and the new (address family style) commands cannot be mixed in the same configuration. As the router parses the commands, it locks into a mode...

Aggregation Router Filters

The minimum inbound filter that any ISP should be applying to the customer-facing interfaces on its aggregation routers is the unicast RPF check. This ensures that all packets coming from the customer are checked to make sure that their origin address comes out of the address block assigned to the customer. This check is much more efficient than applying any inbound filters on the aggregation router, and it is a recommended best practice throughout this book. If the customer has address space...

Aggregation Routers

If a prefix is injected into the iBGP at a gateway router (the standard way of injecting a customer prefix into the iBGP), the next-hop address is the IP address of the point-to-point link between the gateway aggregation router and the customer. This means that the iBGP has a large number of next-hop addresses to resolve from the IGP (not bad in itself) and that the IGP will be larger, resulting in slower convergence and greater potential instability in case of instability or failures in the...

And Impacts on uRPF Deployment

Figure 4-24. Typical Asymmetrical Routing Example. Every router on the Internet makes this best-path decision. Because these decisions are done from the point of view of the router's position in the Internet, the resulting best path might not match what the best path is on other routers. Routing protocols are created with the means to ensure that these independent best-path decisions do not cause routing loops. Although routing loops are not a...

Appendix B Cut-and-Paste Templates

The following are some cut-and-paste templates that you can modify to configure your routers. Make sure that you change any sample IP addresses or AS numbers used in the templates to match your own addressing. Do not use the addresses in the examples because they are invalid. As described in the main text, it is considered good practice to set up a configuration template for each class of router running in the network. Use these templates, taken from running configurations in ISP backbones...

Appendix C Example Configurations

This appendix aims to give ISPs learning about the art of constructing an ISP caliber backbone a little guidance on some of the configuration steps and design hints that have been covered throughout the IOS Essentials whitepaper and this book. The common elements of an ISP's network have all been included, including border, aggregation, and dial access routers. Clearly it is almost impossible to give sample configurations suitable for all ISPs. The following aims to give guidance to small or...

Appendix E Traffic Engineering Tools

As a follow-up on how to track where your customers are going on the Internet, this appendix provides a list of publicly available tools that can be used to pull in statistics from your network. Most ISPs do not use things like HP OpenView, Sun NetManager, CiscoWorks, or Spectrum to manage their networks. These network management packages are great for enterprise LANs, but they do not have the simple, scalable tools needed for ISP networks. Instead, ISPs pull together different, mostly...

Appendix F Example ISP Access Security Migration Plan

This appendix gives one example of how an ISP could migrate its network equipment (routers, switches, and NAS) from a state in which Telnet access is open to the outside world to the point at which only specific authorized workstations are allowed access to the Telnet prompt. Unfortunately, at the time this text was written, most ISPs were not taking these simple precautions to help secure their networks. This section is designed to help those ISPs put in the minimum necessary precautions. This...

Applying to the RIRs or Upstream ISP for Addresses

The documentation and application process for obtaining address space is different for each of the three RIRs, so it is not covered in this text. However, the actual process should be relatively straightforward. The first step in making any application for address space is to approach the upstream ISP. Many are members of one of the three RIRs and so can act on behalf of the RIR to assign address space. Some might charge a small fee for the service. When the upstream ISP cannot offer this...

AS Number

Multihoming itself is covered in the next section; a huge number of options are available, and that section covers some of the configuration concepts in more detail. Using BGP to multihome requires the ISP to acquire an AS number (ASN). This can be obtained in the same way in which IPv4 address space can be obtained. The three regional registries provide ASNs to their membership upon application. The basic requirements are that the organization or ISP have at least two separate connections to...

Background

uRPF is a CEF feature that uses the information in the FIB to automatically perform the BCP 38 checks. The original strict mode uRPF was designed for the customer-ISP edge of the network (see Figure 4-20). The objective was to design a feature that can easily be automated in the customer provisioning system, scale as new address blocks are allocated to the customer, and work with the MTRIE-based CEF switching. uRPF meets these objectives, even when the customers are multihomed to one or more...

Bandwidth

Don't forget the bandwidth interface command. It is used by interior routing protocols to decide optimum routing, and it is especially important to set this command properly in the case of backbone links using only a portion of the available bandwidth supported by the interface. For example, a serial interface (Serial0/0) on a router supports speeds up to 4 Mbps but has a default bandwidth setting of 1.5 Mbps. If the backbone has different size links from 64 Kbps to 4 Mbps and the bandwidth...

Basics

Before pushing ahead and installing a new circuit, some of the basics of multihoming must be understood and remembered: The new circuit should go to a different PoP of the upstream ISP. If it goes to the same upstream PoP, site redundancy of the upstream is lost. Complete PoP outages can occur because of electrical, operational, or environmental problems. If the upstream ISP has only one PoP, request or insist that the new connection be terminated in a different router, one with a different...

BCP 38 Implementation with uRPF Strict Mode

uRPF's key BCP 38 implementation principles follow: A route must exist in the FIB matching the prefix to the interface. This can be done through a connected interface, a static route, a network statement (BGP, OSPF, RIPv2, and so on), or dynamic routing updates. Traffic from the interface must match the prefixes for the interface. If there are multiple entries for the prefix in the route tables, the prefix local to the router implementing uRPF must be preferred (using BGP weight with multihomed...

Benefits of Neighbor Authentication

When configured, neighbor authentication occurs whenever routing updates are exchanged between neighbor routers. This authentication ensures that a router receives reliable routing information from a trusted source. Without neighbor authentication, unauthorized or deliberately malicious routing updates could compromise the security of your network traffic. A security compromise could occur if an unfriendly party diverts or analyzes your network traffic. For example, an unauthorized router could...

BGP Autosummary

In IOS Software, autosummarization is turned on by default for all prefixes that are redistributed into BGP from other routing protocols. This feature automatically summarizes subprefixes to the classful network boundaries when crossing classful network boundaries. The Internet registries now are allocating from the former Class A space; an ISP today is more likely to be allocated a /18 IPv4 address block from what used to be the Class A space. BGP's default behavior is to take that /18 and advertise a...

BGP Community Format

Many ISPs make extensive use of BGP communities for routing policy decision making. A BGP community tutorial is beyond the scope of this book, but ISP engineers should be aware of the two formats supported in IOS Software. The original format for a community number took the form of a 32-bit integer. More recently, the representation of a community was redefined in the Internet space as being two 16-bit integers separated by a colon, per the BGP standard. The first 16-bit number is accepted as...

BGP Conditional Advertisement

Conditional advertisement of prefixes has been introduced into IOS Software Releases 11.1CC, 11.2, 12.0 and more recent versions, in an effort to contribute to the stability of large BGP-based networks (specifically, the Internet). Conditional advertisement usually is configured when an AS has at least two connections to another AS. The inter-AS peering routers watch the links between the autonomous systems. If one link fails, prefixes are advertised out of the other link. This allows ISPs to...

BGP Deterministic MED

If bgp deterministic-med is not enabled, the order in which routes are received could impact MED-based best-path decisions. This can occur when the same route is received from multiple autonomous systems or confederation sub-autonomous systems, with exactly the same path length and different MEDs. For example, consider the following routes, received in the order shown: A - ASPATH 1, MED 100, internal, IGP metric to NEXT_HOP 10; B - ASPATH 2, MED 150, internal, IGP metric to NEXT_HOP 5; C - ASPATH 1,...

BGP Dynamic Reconfiguration

Two methods are available now to dynamically reset a BGP peering session without tearing down the entire peering. Normally, when an ISP requires changing the policy in a BGP peering, the peering itself has to be torn down so that the new policy can be implemented. For peerings exchanging a large number of routes in the Internet, this can be extremely disruptive, putting load on the CPU of both routers involved and resulting in a routing flap through the backbone as the ISP's network...

BGP fast-external-fallover

By default, if the physical connection to the eBGP neighbor goes down, the peering relationship is reset immediately. By adding the no bgp fast-external-fallover configuration, the peering is held open for the duration of the BGP keepalive timer. This configuration is desirable, if not essential, in the case of long-distance peering links or unreliable or long-latency connections to other autonomous systems, and when ISPs prefer stability over convergence speed in large networks. router bgp 109...

BGP Filter Processing Order

When constructing BGP filters, most ISPs use prefix lists or distribute lists, AS path filters, and route maps to implement their filtering policies. It is important to realize that these lists are processed in a particular order; newer engineers sometimes are unaware of the standard IOS Software sequence. In the following example, the IOS Software configuration generator (NVGEN) has printed the configuration in the previous order: 0.1 prefix-list rfc1918-out out. Implementation order is...

BGP Flap Damping

A consequence of the churning in the Internet caused by indiscriminate clearing of BGP sessions, by unstable infrastructure, and by antisocial configuration practices is the request for BGP flap damping to be available in IOS Software. Prefixes that appear and disappear from the Internet Route Table cause a CPU hit on the router. Withdrawing a prefix means that it has to be withdrawn from the BGP and forwarding tables; the prefix also has to be withdrawn from neighbors, and so on throughout all...

BGP Flap Damping Configuration

Recommended route flap-damping parameters for use by ISPs were composed into a document by the RIPE Routing Working Group and are available at www.ripe.net/docs/ripe-229.html. These values are used by many European and U.S. ISPs, and they are based on the operational experience gained in the industry. The configuration examples are reproduced here for convenience; the values have been updated to include recent changes in the locations of the root nameservers. The current address list is...

BGP Flap Statistics

It is possible to monitor the flaps of all the paths that are flapping. The statistics are lost when the route is not suppressed and has been stable for at least one half-life time. The display looks like the following: cerdiwen sh ip bgp neighbors 171.69.232.56 flap-statistics BGP table version is 18, local router ID is 172.19.82.53 Status codes s suppressed, d damped, h history, * valid, > best, i - Origin codes i - IGP, e - EGP, - incomplete Network From Flaps Duration Sup-time Path *> 5.0.0.0...

BGP MED Not Set

When a MED is not set on a route, Cisco IOS Software has always assumed that the MED is 0. Some other vendors have assumed that the MED is 4,294,967,295 (2^32 - 1). This divergence can result in eBGP routing loops between Cisco routers and other vendors' routers. This confusion was the result of a lack of any definition in the BGP standard on what to do if a MED was not set. The most recent IETF decision regarding BGP MED assigns a value of infinity to the missing MED, making the route lacking...

BGP Multipath

The BGP implementation in IOS Software supports three ways of load sharing over parallel circuits. Two of them are applicable to eBGP. eBGP multihop has been used in IOS Software for several years and is the common way of setting up an eBGP peering without using the directly connected peer addresses; the common use of this is for load sharing over parallel peering circuits. More recently, eBGP multipath was added to give an alternative mechanism for load sharing without some of the side effects...

BGP Neighbor Authentication

You can invoke MD5 authentication between two BGP peers. This feature must be configured with the same password on both BGP peers; otherwise, the connection between them will not be made. Invoking authentication causes the Cisco IOS Software to generate and check the MD5 digest of every segment sent on the TCP connection. If authentication is invoked and a segment fails authentication, a message appears on the console. Configuring a password for a neighbor causes an existing session to be torn...

BGP Neighbor Changes

It is possible to log neighbor state changes to a UNIX syslog server. This is extremely useful for most syslog-based monitoring systems because it gives early warning of problems with iBGP peers, and more especially external BGP neighbors. The logging is enabled by the following commands: router bgp 109; bgp log-neighbor-changes. Note that, as of IOS Software Releases 12.1(4) and 12.0(12)ST, the default action is to log all BGP neighbor changes (see DDTS CSCdm59903). At the time of writing, the...

BGP Neighbor Shutdown

A new feature introduced into 11.1CC and 12.0 software is the capability to shut down a BGP peering without actually removing the configuration. Previously, the only way to disable a BGP peering was to delete the configuration from the router. This was very disruptive to the router's functioning, and it significantly increased the likelihood of making mistakes when reinstating the configuration at a later stage. A neighbor peering is shut down with this command example: router bgp 200...

BGP network Statement

A historical limitation was placed on the number of network statements that could be applied to the BGP configuration. In the early days of IOS Software, in which the average router had at most 30 interfaces, the limit of 200 network statements seemed a large number compared with the number of networks that such a router could originate. However, in the last five years or so, routers have grown through having hundreds of interfaces to the thousands of interfaces that we see on some of the...

BGP Outbound Route Filter Capability

This new feature, supported from IOS Software Release 12.0(5)S onward, allows one BGP speaker to install its inbound locally configured prefix-list filter on the remote BGP speaking router. This is used especially to reduce the number of unwanted routing updates from the remote peer. The remote BGP speaker applies the received prefix-list filter in addition to its locally configured outbound filters (if any), to constrain or filter its outbound routing updates to the neighbor. This mechanism...

BGP Peer Group Examples

This example shows an iBGP peer group for a router inside an ISP's backbone: neighbor internal remote-as 109; neighbor internal update-source loopback 0; neighbor internal send-community; neighbor internal route-map send-domestic out; neighbor internal filter-list 1 out; neighbor 131.108.10.1 peer-group internal; neighbor 131.108.20.1 peer-group internal; neighbor 131.108.30.1 peer-group internal; neighbor 131.108.30.1 filter-list 3 in. This example shows an eBGP peer group for a router peering with...

BGP Peer Group

The major benefit of BGP peer groups is a reduction of resources (CPU load and memory) required in update generation. Peer groups also simplify BGP configuration. With BGP peer groups, the routing table is walked only once per peer group, and updates are replicated to all other peer-group members that are in sync. Depending on the number of members, the number of prefixes in the table, and the number of prefixes advertised, this could significantly reduce the load. Thus, it is highly...

BGP Peer Groups

The second essential feature is the BGP peer group. This groups the BGP peers with the same outbound policy into one group. The normal situation without using peer groups is for the router to calculate the update to be sent to each neighbor individually. For a low number of peers, there is probably not much impact on the router CPU, but as the number of neighbors increases, so does the burden on the CPU; for example, 50 neighbors means that 50 updates have to be computed and sent individually....

BGP Route Flap Damping

Route flap damping (introduced in Cisco IOS Software at Release 11.0) is a mechanism for minimizing the instability caused by route flapping. A route flap occurs when a BGP network prefix is withdrawn and reannounced; specifically, this happens when a BGP speaker hears a WITHDRAW followed by an UPDATE for a prefix. (A peering with an eBGP neighbor being reset does not count as a flap.) Whenever a network goes down, the rest of the Internet is told about it. Hence, BGP propagates this state...

BGP Synchronization

The (historical) default in IOS Software is for BGP not to advertise a route until all routers within the AS have learned about the route through an IGP. In today's Internet, and certainly since the mid-1990s, ISPs have designed their networks so that the iBGP carries customer and Internet prefixes and the IGP carries the infrastructure addresses. It is very uncommon for a prefix to appear both because of an IGP and because of iBGP. So synchronization must be turned off for all ISP...

BGP Update Source

In the following example, the iBGP mesh is built using the loopback interface on each router. The loopback doesn't ever disappear, which results in a more stable iBGP, even if the underlying physical connectivity is less than reliable. ip address 215.17.1.34 255.255.255.255

Black Hole Routing as a Packet Filter Forwarding to Null0

Another way of implementing destination-based packet filtering on a router is to create a specific list of static host routes and point them to the pseudo-interface Null0. This technique commonly is referred to as black-hole routing. Null0 is a pseudo-interface, which functions similarly to the null devices available on most operating systems. This interface is always up and can never forward or receive traffic. Although Null0 is a pseudo-interface, within CEF it is not a valid interface....

Border Router

The border router is perhaps the most important router in an ISP's backbone network operation. It provides connectivity to the rest of the Internet for the ISP and also protects the ISP's network and customers from the ravages of the Internet. In ISP workshop presentations, we use the analogy of the front door of your house or the garden gate protecting you from the world out there. The configuration of the border router is critical to the correct and reliable operation of the rest of the ISP's...

Caching DNS

The third type of DNS service is generally a mystery to many of the smaller ISPs because it is hardly discussed outside DNS operator circles and outside larger ISPs. The caching DNS is a system that maintains a cache of DNS information; it doesn't provide a secondary function for any zone files, but it knows where to go to retrieve the information. Caching nameservers typically are used by the ISP to answer day-to-day DNS queries. End hosts usually ask for a DNS resolver when they are being...

CAIDA

The Cooperative Association for Internet Data Analysis (CAIDA) has a very comprehensive web site listing a lot of tools and pointers. This CAIDA effort is supported through sponsorship provided by the United States National Science Foundation (NSF), Cisco Systems, and other organizations. CAIDA Internet Tools Taxonomy

CAR

Active defenses are tools, techniques, or procedures executed during attacks. They are used to limit or block the attack in progress. In many instances, these tools will have an effect on other Internet applications and services, yet the trade-off is between no Internet services and limited disruption. It is highly recommended that the ISP document and train staff on the use of these tools. That way, the ISP's NOC can quickly respond to an attack in progress. Cisco IOS Software has security...

Case Study

The following case study implements the techniques described previously for an ISP that recently needed to multihome to the Internet. The scenario is quite simple, but it covers a situation that causes many newcomers to BGP and the Internet quite a lot of trouble. Figure 5-31 shows the network layout. AS 5400 is based in Europe, and AS 2516 is based in Japan; this in itself poses a challenge because the multihoming is between entities that are quite literally on opposite sides of...

Caution

Do not remove the enable password as in the previous example if the boot ROMs or boot image of the router does not support the enable secret configuration. The use of enable secret is supported in IOS Software Release 11.0 and later. With an older boot ROM and no enable password, it is possible to gain access to the router without supplying any password if the router ends up running the boot image because of some network problem or malfunction. A network's first line of defense is the routers...

General Features

This chapter covers general features that ISPs should consider for their routers and network implementations. Most are good design practices and don't leverage particular unique Cisco IOS Software features, but each demonstrates how IOS Software can aid the smooth operation of an ISP's business. Many of the features discussed here are described in the context of the ISP software covered in Chapter 1, Software and Router Management. The importance of the loopback interface should never be...

Routing Protocols

The book so far has concentrated on getting the core equipment in the ISP backbone up to a state in which it can be introduced safely into the larger network and the Internet. This chapter introduces the major routing protocols and some of the most useful features in those routing protocols that are available for ISPs. Most of this chapter's content covers BGP, the Border Gateway Protocol used by ISP networks to pass routing information between each other. In fact, BGP has grown to be more than...

Security

This chapter on Cisco IOS Software security features assumes that the ISP engineer has a working grasp of the fundamentals of system security. If not, the materials listed in the reference section should be reviewed first to help gain an understanding of some of the fundamentals. It is also important to note that the following sections are intended to supplement, not replace, Cisco documentation. It is assumed that the ISP engineer will read such documentation in parallel with this chapter....

Operational Practices

So far this book has given specific and detailed advice about router-configuration best practices for ISP backbones. It is important to see these suggestions in the bigger picture of an actual ISP business. This chapter covers some of the operational issues regarding the establishment of an ISP backbone, the choices made, the positioning of hardware, the configuration of software, and the establishment of external relationships. Aspects of ISP business operations have been covered in other...

Choosing an IGP

A general discussion on the appropriate technical choice of IGPs for an ISP backbone is currently beyond the scope of this book. Many good comparisons have been done describing the pros and cons of the different IGPs. A commonly quoted example is the presentation by Dave Katz at the June 2000 NANOG comparing IS-IS and OSPF. The choice of IGP generally seems to be made on the basis of experience because technically there is little way to choose among the three for most practical purposes. Those...

Cisco IOS Software Release Designations Defined / Software Lifecycle Definitions

Software naming conventions for Cisco IOS. Cisco IOS reference guide. Cisco IOS roadmap. Cisco Resource Manager. Private I: http://www.opensystems.com/index.asp. Crystal Reports. Netforensics: http://www.netforensics.com. NTP RFCs: RFC 1128, RFC 1129, RFC 1165, and RFC 1305, all available at http://www.ietf.org/rfc.

CLI String Search

After a considerable number of requests from ISPs, a UNIX grep-like function (pattern search) has been introduced as a new feature in IOS Software from releases 11.1CC and 12.0. It allows operators to search for common expressions in configuration and other terminal output. Again, only salient points are covered here because the IOS Software documentation now gives more detailed information at 20t1 cliparse.ht . The function is invoked by using a vertical bar (|), like the UNIX pipe command: begin...

Client/Server Models and Association Modes

NTP servers can associate with each other in a number of modes. The mode of each server in the pair indicates the behavior that the other server can expect from it. An association is formed when two peers exchange messages and one or both of them create and maintain an instantiation of the protocol machine. The association can operate in one of several modes: server, client, peer, and broadcast/multicast. The modes further are classified as active and passive. In active modes, the host continues...

Command Group Organization

The commands listed in the first preceding group have no ambiguity, so they all can appear under the router bgp <as> definition. The commands listed in the second group have no ambiguity either, so they can follow the first group of commands under the main BGP definition (with the exception of VPNs). The commands listed in the third group can have potential ambiguity and thus are listed under a new address family submode. A neighbor can have different route map or prefix list statements,...

Command Syntax

The following are the commands used to control route damping:

bgp dampening route-map map-name half-life-time reuse-value suppress-value maximum-suppress-time

half-life-time: Has a range of 1 to 45 minutes; the current default is 15 minutes.
reuse-value: Has a range of 1 to 20,000; the default is 750.
suppress-value: Has a range of 1 to 20,000; the default is 2000.
max-suppress-time: Gives the maximum duration that a route can be suppressed. Its range is 1 to 255; the default is four times the half-life time (60...

Commentary

Figure 5-6 typifies the PoP design that ISPs generally use in their PoPs. The smaller ISPs obviously won't have as much sophistication and segregation of equipment, and the larger ISPs will have a significantly larger layout. Many types of access layers are possible; two have been shown by way of example, although other access layers are very similar in implementation. Having established the principle of subdividing the PoP into units depending on function and management, the next important...

Committed Access Rate (CAR)

Configuring Committed Access Rate: c f qcprt1 qcfcar.ht
RFC 1812. Requirements for IP Version 4 Routers. F. Baker (ed). June 1995. (Status: Proposed Standard.) Also see the update, RFC 2644.
RFC 2196/FYI 8. Site Security Handbook. B. Fraser. September 1997. (Obsoletes RFC 1244.) (Status: Informational.) One of the most useful starting places for Internet security.
RFC 2827/BCP 38. Network Ingress Filtering: Defeating Denial-of-Service Attacks Which Employ IP Source Address Spoofing. P. Ferguson and...

Communities Conclusion

These examples hopefully have shown some of the benefits of using communities in ISP networks. A large number of options are possible, not just for multihoming, as has been covered here. Communities have been used to color different prefixes for announcement within an ISP's own backbone, to replace complex external filters on border routers, and to remove the generation of filters from the border routers to the aggregation routers where the customers first connect to the backbone. All these...

Comparing Router IDs

As part of the standard path-selection process in IOS Software, the router does not switch between two eBGP paths based solely upon the router ID. Consider a situation in which a router hears two announcements of a particular prefix from two different neighbors. If the path-selection process determines that all attributes are identical apart from the router ID, it currently takes the path with the oldest entry in the routing table, not the entry with the lowest router ID. This choice was made...

Conclusion

This section gave an example of how to work out an addressing scheme for a developing ISP network. This is intended to help the growing ISP business work out how to apply addressing to its network and how to allocate assigned address space to its infrastructure. Indeed, following these processes should aid in the application process for address space from the RIRs. One of the hardest questions that a vendor is posed at the time of an RFP is which IGP the new ISP network should choose. As...

Conditional Advertisement Example

Consider the example depicted in Figure 3-8. This shows a dual-homed enterprise network (AS 300) that has received address space from its two upstream ISPs. It announces the 215.10.0.0/22 prefix to ISP 1 (AS 100) and the 202.9.64/23 prefix to ISP 2 (AS 200). These networks are part of the respective upstream ISPs' address blocks, so all that the Internet sees are the two aggregates as originated by ISP 1 and ISP 2. This is the steady state situation.

Figure 3-8. BGP Conditional Advertisement...

Configuration

Router A is in AS 109, and Router B is in AS 159. However, when A peers with B, it uses AS 210 as its AS number. As far as B is concerned, it is peering with a router in AS 210. Operationally, this is equivalent to Router B peering with a router in AS 210, and that router peering with Router A in AS 109. The AS path for all prefixes learned from Router B as seen on Router A would be 210_159. AS 210 is inserted into the AS path sequence. The AS path for all prefixes learned from Router A by...

Configuration Commands

Three configuration commands are related to the prefix list. The following command can be used to delete a prefix list:

no ip prefix-list list-name

Here, list-name is the string identifier of a prefix list. This next command can be used to add or delete a text description for a prefix list:

[no] ip prefix-list list-name description text

The following command can be used to configure or delete an entry of a prefix list:

[no] ip prefix-list list-name seq seq-value deny | permit network/len ge ge-value le le-value

Several command...

Configurations

The following Cisco IOS Software configurations work and have been tested in a lab environment. They are based heavily on known current configurations used in the field today, with additions/modifications to include as many recommendations from the main text of this book as is feasible. The configurations have been annotated using IOS Software comments (with !) where more explanation is required. This should make it easier to cut and paste configurations into your own test environment. But...

Configuring EIGRP

EIGRP also is used quite extensively in ISP backbones, finding favor with ISPs that have been required to support multiple protocols in the past. It's also accepted that EIGRP is probably the easiest routing protocol to get started with. It found favor (in the form of IGRP) with ISPs that didn't want to use IS-IS in the earlier days of the Internet when implementations of OSPF were still not mature enough for their needs. EIGRP has no area concept; the network runs as one large IGP. EIGRP does...

Configuring IS-IS

IS-IS is quite similar to OSPF in many ways, and both use the same Dijkstra SPF algorithm for path calculation. Implementation is slightly different, though, and IS-IS support in IOS Software has benefited from many years of experience in the major ISP backbones in the United States. IS-IS does not have an area concept like OSPF. Instead, it has two levels: Level 1 (areas) and Level 2 (the backbone). The IS-IS backbone is simply a contiguous collection of Level 2-capable routers linking Level 1...

Configuring OSPF

OSPF enforces a fairly rigid design for an ISP backbone. Area 0 is the backbone area and must exist if there are to be more than two OSPF areas in a network. Area 0 provides transit between the other areas, and every other area must be connected to it. OSPF offers a multitude of area types, including backbone, regular, stub, totally stubby, and not so stubby areas. Most ISPs tend to use only backbone and regular areas; very few make use of OSPF inter-area summarization capabilities. The reason...

Console Server

The next logical step from using one modem or multiple modems is to install a console server. This is a device to which all the equipment consoles are connected. The most popular console server in recent years has been the Cisco 2511 router; it has 1 Ethernet, 2 WANs, and 16 asynchronous serial ports. Originally intended as a dialup router, it has long since been retired from that function in most ISPs and now is used as a console server throughout many ISP backbones. The configuration is...

Core

The PoP core has devices called core routers. These support high-bandwidth links only, interconnections between similar core devices, connections to other units within the PoP, and connections to other PoPs. It is very common for ISPs to install two core routers; one device implies a single point of failure, something that high-quality and high-availability networks won't tolerate. The definition of high bandwidth depends on the region of the world. In some countries, intracore connections often...

Core Router

Two core routers were given in the example in Figure C-1. However, only one configuration is given here; the configuration for Core-router2 is almost identical. Notice that the core router has a simpler configuration than the routers at the edge of the ISP's network. Core routers tend not to do packet filtering or routing policy; the design goal is more reliability and a configuration that requires no change in the short to medium terms. Example C-2 assumes that the core router is a Cisco 7206.

Creating Your Own Net Police Filter

ISPs that want to create their own net police filters are strongly encouraged to do the following:

Consider the impact. Shutting the door doesn't make the storm go away; it shuts out everything, good and bad.

Maintain an accurate list. Consult each of the RIRs' published CIDR blocks for the default allocations. Ensure that you have an up-to-date list, and create a process for validating your filter with future updates of the RIRs' lists.

Consult with colleagues. Consult with your peers about the...

Customer Networks

Customer network assignments have not been covered here because this section concentrates only on infrastructure. However, when an ISP is running BGP within its network, there is no benefit to be had by either aggregating or assigning networks on a regional basis. Customers move and want their connections to move to different parts of the country, so there is little purpose in trying to allocate address space to them regionally. Besides, BGP easily can handle huge numbers of customer-assigned...

Loopback Interfaces

The loopback interface on the router is always the first consideration on an ISP network. It is a helpful general-purpose feature used for many things, including iBGP peering and source address for packets originating from the router (useful for authentication or filtering). The early chapters of this book made many references to the loopback interface, and a whole section was devoted to the benefits of using its address as the source of all IP packets originating from the router. By the end of...

Customer Router Filters

As a service to their customers, all ISPs should be supplying sample filters for routers that are used to connect permanently connected networks to the Internet. If the customers are using routers that are incapable of filtering, to quote an ISP overheard recently, "that device should be replaced with a real router." It is an unfortunate fact today that too many people equate security with firewalls and completely fail to remember that a router is a very sophisticated first-line security device...

Designing a Test

From the description of the previous test scenario, it should be quite clear what components make up an ISP's test lab. Some ISPs build a replica of one of their PoPs; others simply have a few of the major devices used on their backbone connected in a simple network. Preference usually is given to the PoP replica design because it becomes very simple to replicate problems that occur on the live network. Several ISPs even have this test lab as part of their backbones; the lab won't take an active...

Designing Flap Damping Parameters

It is important to note that prefixes are suppressed only when they are heard from a neighbor and have a flap history and a penalty value that will cause them to be suppressed. A prefix attracts a penalty of 1000 when the WITHDRAW is heard from the neighboring eBGP peer. However, because the prefix has been withdrawn, it is not present in the BGP table apart from having a history entry, so it will not be damped. The penalty will decay, however. When the prefix is reannounced by the neighbor, if...

Details Behind uRPF: Multihomed Customers and Asymmetrical Routing

Understanding what is happening with routing on the Internet is essential to the configuration of uRPF strict mode on multihomed leased-line customers. For starters, realize that asymmetrical routing is very common for a multihomed leased-line customer (see Figure 4-24). When traffic travels over the Internet asymmetrically, it usually means that packets will take one path to get to the destination and another path to return to the source from the destination. TCP/IP, of course, works perfectly...

Displaying BGP Policy Accounting Statistics

The statistics are stored in a table of packet/byte counters per input software interface (with the assumption that each customer is connected to an input software interface). You can display them with show cef interface interface policy-statistics. SNMP support will be added sometime in the near future. The statistics actually are displayed per configured table map match category. Using a route map, you can match against configured community lists, AS paths, and so on, and you can set this to...

Displaying BGP Policy Accounting Status

To inspect which prefix is assigned which bucket and which communities, do the following:

196.240.5.0/24, version 21, cached adjacency to POS7/2
2 packets, 0 bytes, traffic_index 4   (Look Here)
  via 14.1.1.1, 0 dependencies, recursive
    next hop 14.1.1.1, POS7/2 via 14.1.1.0/30
    valid cached adjacency

BGP routing table entry for 196.240.5.0/24, version 2
Paths: (1 available, best #1)
  Not advertised to any peer
  100
    14.1.1.1 from 14.1.1.1 (32.32.32.32)
      Origin IGP, metric 0, localpref 100, valid, external,...

Displaying Prefix List ORF

The command to display the prefix-list ORF received from a neighbor is shown here:

show ip bgp neighbor x.x.x.x received prefix-filter

This displays the received prefix list. Changes to the output of show ip bgp neighbor x.x.x.x now include information about whether ORF is supported or available, as can be seen in the following snippet:

Capability advertised received
Filter sent received (25 entries)

BGP policy accounting allows you to account for IP traffic differentially by assigning counters...

Distribution

The distribution layer is one step removed from the core and gets its name from its function of acting as a distribution layer between the core routers and the access part of the network. Indeed, many small- to medium-size ISPs don't have any distribution layer; they simply connect the access part of the network to the core. It all depends on the size of the PoP. The distribution layer can be made up of two or more routers; quite often there could be considerably more. ISPs conscious of providing...

DNS Resolver in IOS Software

You can specify a default domain name that the Cisco IOS Software will use to complete domain name requests for functions such as Telnet, TFTP, and other instances of name completion (for example, ip ospf domain-lookup). You can specify either a single domain name or a list of domain names. Any IP host name that does not contain a domain name will have the domain name that you specify appended to it before being added to the host table.

ip domain-name name
ip domain-list name

It is also...

EBGP Multihop

AS 100 connects to AS 200 using three parallel circuits between their two border routers. An eBGP multipath IOS Software configuration example is given here that will let the border router in AS 100 load-share outbound traffic on the three circuits:

interface serial 1/0
 ip address 1.1.1.2 255.255.255.252
interface serial 1/1
 ip address 1.1.1.6 255.255.255.252
router bgp 100
 neighbor 1.1.1.1 remote-as 200
 neighbor 1.1.1.1 prefix-list AS200peer in
 neighbor 1.1.1.5...

EBGP Multipath

With IOS Software Release 11.1CC came a new BGP feature that allows more than one path to the same destination to be installed in the forwarding table. This feature, called eBGP multipath, is designed to allow ISPs to load-share over external circuits to eBGP neighbors. When the border router has more than one path to the same external network, the BGP path-selection process makes a decision at Step 11, installing the oldest received path into the RIB. So only one of the external paths is used....

Editing Keys

Several keys are very useful as shortcuts for editing the IOS Software configuration. Although these are covered in detail in the IOS Software release 12.0 documentation set, it is useful to point out those used most commonly, shown in Table 1-2.

Completes the command being typed in. This saves typing effort and is especially useful when the operator is still learning the IOS Software command set.
Lists the available commands starting with the characters entered so far.
Allows the operator to...

Effects of CIDRization

One of the most critical issues that could threaten the stability of the Internet is the size of the global Internet Route Table. The table's growth influences scalability, increases operational capital cost, and has posed a security risk to the Internet. For a variety of reasons, ISPs throughout the world have injected all sorts of networks into the Internet, ranging from /8s (old Class As) to /32s (host routes). The result is rapid growth of the Internet Route Table. Classless interdomain...

End Sites

Two types of end sites exist as far as traffic flows are concerned. The first is the ISP that is connecting customers to the Internet. The traffic flow in this case is mostly inbound; a typical volume ratio might be 70 percent inbound and 30 percent outbound. The second is the content provider, and traffic flow levels typically are reversed. This section considers only the first scenario; the later section on Outbound Traffic Loadsharing considers the case for the content provider.

Example

An ISP has filtered its IRC server from receiving ICMP echo-reply packets to protect it. Now many attackers are going after the customer's devices to fill some network segments. The ISP chose to use CAR to limit all ICMP echo and echo-reply traffic received at the borders to 256 Kbps. An example follows:

! traffic we want to limit
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
! interface configurations for borders
interface Serial3/0/0
 rate-limit input...

Example 21: Sample Output from Displaying Flow Information on a NetFlow-Enabled Router

IP packet size distribution (410772243 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .168 .384 .102 .160 .107 .019 .005 .003 .001 .001 .000 .000 .000 .003

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .001 .000 .035 .000 .003 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  15074 active, 50462 inactive, 125120769 added
  369493980 ager polls, 0 flow alloc failures
  last clearing of statistics 4d05h
Total Flows 605 3494 4104 845158 87119 59...