Cisco® ISP Essentials

Book Description

A comprehensive guide to the best common practices for Internet service providers

  • Learn the best common practices for configuring routers on the Internet from experts who helped build the Internet

  • Gain specific advice through comprehensive coverage of all Cisco routers and current versions of Cisco IOS Software

  • Understand the Cisco IOS tools essential to building and maintaining reliable networks

  • Increase your knowledge of network security

  • Learn how to prevent problems and improve performance through detailed configuration examples and diagrams

Cisco IOS Software documentation is extensive and detailed and is often too hard for many Internet service providers (ISPs) who simply want to switch on and get going. Cisco ISP Essentials highlights many of the key Cisco IOS features in everyday use in the major ISP backbones of the world to help new network engineers gain an understanding of the power of Cisco IOS Software and the richness of features available specifically for them. Cisco ISP Essentials also provides a detailed technical reference for the expert ISP engineer, with descriptions of the various knobs and special features that have been specifically designed for ISPs. The configuration examples and diagrams describe many scenarios, ranging from good operational practices to network security. Finally, a whole appendix is dedicated to using the best principles to cover the configuration detail of each router in a small ISP Point of Presence.

    Table of Contents

    1. Copyright
    2. About the Authors
      1. About the Technical Reviewers
    3. Acknowledgments
    4. Introduction
      1. Motivation
      2. Intended Audience
      3. Organization
      4. Further Information
    5. Technical References and Recommended Reading
      1. Software and Router Management
      2. General Features
      3. Security
      4. Routing
      5. Other References and Recommended Reading
    6. 1. Software and Router Management
      1. Which Cisco IOS Software Version Should I Be Using?
        1. Where to Get Information on Release 12.0S
        2. Further Reference on IOS Software Releases
      2. IOS Software Management
        1. Flash Memory
        2. System Memory
        3. When and How to Upgrade
        4. Copying New Images to Flash Memory
          1. Copying Using TFTP
          2. Copying Using FTP
          3. Reloading the Routers
      3. Configuration Management
        1. NVRAM, TFTPserver, and FTPserver
        2. Large Configurations
      4. Command-Line Interface
        1. Editing Keys
        2. CLI String Search
      5. Detailed Logging
        1. Syslog Topologies
        2. Analyzing Syslog Data
      6. Network Time Protocol
        1. NTP Architecture [2]
        2. Client/Server Models and Association Modes
        3. Implementing NTP on an ISP’s Routers
        4. NTP Deployment Examples
        5. NTP in a PoP (Example)
        6. Further NTP References
      7. Simple Network Management Protocol
        1. SNMP in Read-Only Mode
        2. SNMP in Read-Write Mode
        3. SNMP and Commercial Network Management Software
      8. HTTP Server
      9. Core Dumps
      10. Conclusion
      11. Endnotes
    7. 2. General Features
      1. IOS Software and Loopback Interfaces
        1. Motivation for Using the Loopback Interface
        2. BGP Update Source
        3. Router ID
        4. Exception Dumps by FTP
        5. TFTP Server Access
        6. SNMP Server Access
        7. TACACS/RADIUS Server Source Interface
        8. NetFlow Flow Export
        9. NTP Source Interface
        10. Syslog Source Interface
        11. Telnet to the Router
        12. RCMD to the Router
      2. Interface Configuration
        1. description
        2. bandwidth
        3. ip unnumbered
          1. Caveats
          2. ip unnumbered Configuration Example
      3. Interface Status Checking
        1. show interface switching
        2. show interface stats
        3. show IDB
      4. Cisco Express Forwarding
      5. NetFlow
        1. NetFlow Feature Acceleration
        2. NetFlow Statistics—Basics
        3. NetFlow Data Export
      6. Turn On Nagle
      7. DNS and Routers
        1. Mapping IP Addresses to Names
        2. DNS Resolver in IOS Software
      8. Conclusion
      9. Endnotes
    8. 3. Routing Protocols
      1. CIDR Features
        1. IP Classless
          1. The Old Classful Route Lookup Rules
          2. The Classful Route Lookup Rules
        2. The Zero IP Subnet
      2. Selective Packet Discard
      3. Hot Standby Routing Protocol
      4. IP Source Routing
      5. Configuring Routing Protocols
        1. Router ID
        2. Choosing an IGP
        3. Putting Prefixes into the IGP
          1. The network Statement
          2. redistribute connected into an IGP
          3. redistribute static into an IGP
        4. IGP Summarization
        5. IGP Adjacency Change Logging
        6. Putting Prefixes into BGP
          1. The network Statement
          2. redistribute connected into BGP
          3. redistribute static into BGP
      6. IGP Configuration Hints
        1. Network Design
        2. Prefix Types
          1. Access Network Prefixes
          2. Infrastructure Prefixes
          3. External Prefixes
        3. Configuring OSPF
        4. Configuring IS-IS
        5. Configuring EIGRP
        6. Design Summary
      7. The BGP Path-Selection Process [1]
        1. The BGP Best-Path Algorithm for IOS Software
      8. BGP Features and Commands
        1. Stable iBGP Configuration
        2. BGP Autosummary
        3. BGP Synchronization
        4. BGP Community Format
        5. BGP Neighbor Shutdown
        6. BGP Dynamic Reconfiguration
          1. Soft Reconfiguration
          2. Route Refresh
        7. BGP Route Reflectors and the BGP Cluster ID
        8. next-hop-self
          1. External Connections
          2. Aggregation Routers
        9. BGP Route Flap Damping
          1. Command Syntax
          2. Implementation
          3. Designing Flap Damping Parameters
          4. BGP Flap Statistics
        10. BGP Neighbor Authentication
        11. BGP MED Not Set
        12. BGP Deterministic MED
        13. Comparing Router IDs
        14. BGP network Statement
        15. Removing Private Autonomous Systems
        16. BGP local-as
          1. Configuration
          2. Motivation
        17. BGP Neighbor Changes
        18. Limiting the Number of Prefixes from a Neighbor
        19. Limiting the AS Path Length from a Neighbor
        20. BGP fast-external-fallover
        21. BGP Peer Group [3]
          1. Requirements
          2. Historical Limitations
          3. Typical Peer Group Usage
          4. BGP Peer Group Examples
        22. BGP Multipath
          1. eBGP Multipath
          2. eBGP Multihop
          3. iBGP Multipath
      9. Applying Policy with BGP
        1. Using Prefix Lists in BGP Route Filtering [4]
          1. Configuration Commands
          2. Incremental Configuration
          3. How a Prefix List Match Works
          4. show and clear Commands
          5. Using Prefix Lists with BGP
          6. Using Prefix Lists in a Route Map
          7. Using Prefix Lists in Other Routing Protocols
        2. BGP Filter Processing Order
        3. BGP Conditional Advertisement
          1. Conditional Advertisement Example
        4. BGP Outbound Route Filter Capability
          1. Configuration
          2. Pushing Out a Prefix-List ORF
          3. Displaying Prefix-List ORF
      10. BGP Policy Accounting
        1. Configuration
        2. Displaying BGP Policy Accounting Status
        3. Displaying BGP Policy Accounting Statistics
      11. Multiprotocol BGP [5]
        1. Motivation for a New CLI
        2. Command Group Organization
        3. Comparison Between Old and New Styles
          1. activate
          2. network
          3. Peer Groups
          4. Route Maps
          5. Redistribution
          6. Route Reflector
          7. Aggregation
        4. Upgrading to the New CLI
        5. Examples of the New CLI in Use
      12. Summary
      13. Endnotes
    9. 4. Security
      1. Securing the Router
        1. Unneeded or Risky Global Services
      2. Unneeded or Risky Interface Services
      3. Cisco Discovery Protocol
      4. Login Banners
      5. Use enable secret
      6. The ident Feature
      7. SNMP Security
        1. Using the trap-source loopback 0
      8. Router Access: Controlling Who Can Get into the Router
        1. Principles
        2. VTY and Console Port Timeouts
        3. Access Lists on the VTY Ports
        4. VTY Access and SSH[2]
        5. User Authentication
        6. Using AAA to Secure the Router
        7. Router Command Auditing
        8. One-Time Password
          1. What OTP Systems Are Supported?
          2. OTP Configuration Hints
        9. Managing ICMP Unreachables from the Router
          1. ICMP Unreachable Rate Limiting
          2. No IP Unreachables
        10. Building a New Router or Switch
          1. The Process
          2. Full Example
      9. Securing the Routing Protocol
        1. Authenticating Routing Protocol Updates
          1. Benefits of Neighbor Authentication
          2. Protocols That Use Neighbor Authentication
          3. When to Configure Neighbor Authentication
          4. How Neighbor Authentication Works
          5. Plain-Text Authentication
          6. MD5 Authentication
          7. Routing Protocol Authentication Summary
      10. Securing the Network
        1. Egress and Ingress Filtering
        2. Route Filtering
          1. Networks That Should Not Be Advertised on the Internet
          2. Effects of CIDR-ization
          3. Do Net Police Filters Help Secure a Network?
          4. Negative Impact of Net Police Filters
          5. Creating Your Own Net Police Filter
        3. Packet Filtering
      11. Access Control Lists: General Sequential-Based ACLs
        1. Access Control Lists: Turbo ACLs
          1. Turbo ACL Configuration Details and References
        2. ASIC-Based ACLs
          1. Salsa ACLs in the Cisco 12000 Engine 1 Line Card [9]
          2. PSA ACLs in the Cisco 12000 Engine 2 Line Card
        3. Using ACLs for Egress Packet Filtering: Preventing Transmission of Invalid IP Addresses
        4. Using ACLs for Ingress Packet Filtering: Preventing Reception of Invalid IP Addresses
        5. Black-Hole Routing as a Packet Filter (Forwarding to Null0)
      12. BCP 38 Using Unicast RPF [10]
        1. Background
          1. How uRPF Works: Strict Mode uRPF
          2. RPF Configuration Details (as of IOS Software Version 12.0(10)S1)
          3. ACL Option (added in IOS Software Release 12.0(10)S1) [12]
          4. uRPF’s Debug Options
        2. Routing Tables Requirements
          1. uRPF Exceptions
        3. BCP 38 Implementation with uRPF Strict Mode
          1. uRPF Strict Mode with Single-Homed Leased-Line Customers
          2. uRPF Strict Mode with Multihomed Leased-Line Customers (One ISP)
          3. Details Behind uRPF, Multihomed Customers, and Asymmetrical Routing
          4. Working Example of uRPF, Multihomed Customers, and Asymmetrical Routing
          5. Multihomed Leased-Line Customers (Two ISPs)
      13. Committed Access Rate to Rate-Limit or Drop Packets [21]
        1. The Smurf Attack
        2. Rate-Limiting with CAR
          1. Example 1
          2. Example 2
          3. ISP CAR Configuration Template
        3. Smurf Defense Summary
      14. Reacting to Security Incidents
        1. Approaches
        2. Some Examples
      15. Summary
      16. Endnotes
    10. 5. Operational Practices
      1. Point-of-Presence Topologies
        1. Core
        2. Distribution
        3. Access
        4. Hosting
        5. Commentary
      2. Point-of-Presence Design
      3. Backbone Network Design
      4. ISP Services
        1. DNS
          1. Primary DNS
          2. Secondary DNS
          3. Caching DNS
        2. Mail
        3. News
          1. Network Design
          2. Commentary
        4. Keeping Software Up-to-Date
      5. IPv4 Addressing in an ISP Backbone
        1. Business Model and IP Address Space
        2. Address Plan
          1. Network Plan: Starting Off
          2. Network Plan: After Six Months
          3. Network Plan: End of First Year
        3. Putting Together an Address-Deployment Plan
          1. Loopback Interfaces
          2. WAN Links
          3. LANs
          4. Customer Networks
          5. Plan Summary
          6. Planning for Future Growth
        4. Address Space for Customers
        5. Applying to the RIRs or Upstream ISP for Addresses
        6. Conclusion
      6. Interior Routing
        1. The ISP IGP Versus BGP Model
        2. Scaling Interior Routing Protocols
          1. Route Reflectors
          2. BGP Peer Groups
      7. Exterior Routing
        1. AS Number
        2. Scalable External Peering
          1. Route Refresh Capability
          2. BGP Flap Damping
      8. Multihoming
        1. Basics
        2. Multihoming Options
          1. Stub Network
          2. Multihomed Stub Network
          3. eBGP Multihop
          4. BGP Multipath
          5. General Multihoming
        3. Multihoming to the Same ISP
          1. End Sites
          2. Primary and Backup Paths
          3. Load Sharing
          4. Multiple Dual-Homed Customers (RFC 2270)
        4. Multihoming to Different ISPs
          1. Primary and Backup Paths
          2. Load Sharing
        5. Outbound Traffic Load Sharing
          1. One Upstream ISP and One Local Peer
          2. Two Upstream ISPs and One Local Peer
          3. Multiple Upstream ISPs and IXP
          4. Case Study
        6. Using Communities
          1. RFC 1998
          2. ISP Community Usage
          3. Communities Conclusion
      9. Security
        1. ISP Border Packet Filters
        2. Aggregation Router Filters
        3. Customer Router Filters
        4. ISP Server Considerations
        5. Firewalls
        6. Remote Access
      10. Out-of-Band Management
        1. Modem
        2. Console Server
        3. Out-of-Band ISDN
        4. Out-of-Band Circuits
        5. Testing Out of Band
        6. Commentary
      11. Test Laboratory
        1. Testing New Hardware and Software
        2. Designing a Test Lab
        3. Commentary
      12. Operational Considerations
        1. Maintenance
        2. Network Operations Versus Customer Support
        3. Engineering
        4. Change Management
          1. Background
          2. ISP Practices
      13. Summary
      14. Endnotes
    11. A. Access Lists and Regular Expressions
      1. Access List Types
      2. IOS Software Regular Expressions
      3. Endnotes
    12. B. Cut-and-Paste Templates
      1. General System Template
      2. General Interface Template
      3. General Security Template
      4. General iBGP Template
      5. General eBGP Template
      6. Martian and RFC 1918 Networks Template
        1. IP Access List Example
        2. IP Prefix List Example
    13. C. Example Configurations
      1. Simple Network Plan
      2. Configurations
        1. ISP Addressing Plan
          1. NOC Hosts
          2. ISP Services LAN
        2. Border Router
        3. Core Router
        4. Aggregation Router
        5. Service Router
        6. NOC Router
        7. Access Server
        8. Out-of-Band Console Server
      3. Summary
    14. D. Route Flap Damping
      1. BGP Flap Damping Configuration
        1. IP Access List Example
        2. IP Prefix List Example
    15. E. Traffic Engineering Tools
      1. Internet Traffic and Network Engineering Tools
        1. CAIDA
        2. Scion/NetScarf
        3. NeTraMet/NetFlowMet
        4. cflowd
        5. MRTG
        6. RRDTool
        7. Linux Network Management Tools
        8. Vulture
        9. Net SNMP
        10. SysMon
        11. Treno
        12. Scotty—Tcl Extensions for Network Management Applications
        13. NetSaint
        14. Big Brother
      2. Other Useful Tools to Manage Your Network
        1. traceroute
        2. Looking Glasses
        3. whois
        4. Gnuplot
        5. RTRMon—A Tool for Router Monitoring and Manipulation
        6. RAToolSet/IRRToolSet
        7. Cisco’s MIBs
        8. Replacement Syslog Daemons
          1. syslog-ng
          2. Modular Syslog (msyslog)
      3. Overall Internet Status and Performance Tools
        1. NetStat
      4. What Other ISPs Are Doing
      5. Summary
    16. F. Example ISP Access Security Migration Plan
      1. Phase 1—Close Off Access to Everyone Outside the CIDR Block
      2. Phase 2—Add Antispoofing Filters to Your Peers
        1. Where to Place the Antispoofing Packet Filters
      3. Phase Three—Close Off Network Equipment to Unauthorized Access
      4. Summary
      5. Endnotes
    17. Glossary