A comprehensive guide to the best common practices for Internet service providers

• Learn the best common practices for configuring routers on the Internet from experts who helped build the Internet
• Gain specific advice through comprehensive coverage of all Cisco routers and current versions of Cisco IOS Software
• Understand the Cisco IOS tools essential to building and maintaining reliable networks
• Increase your knowledge of network security
• Learn how to prevent problems and improve performance through detailed configuration examples and diagrams

Cisco IOS Software documentation is extensive and detailed and is often too hard for many Internet service providers (ISPs) who simply want to switch on and get going. Cisco ISP Essentials highlights many of the key Cisco IOS features in everyday use in the major ISP backbones of the world to help new network engineers gain understanding of the power of Cisco IOS Software and the richness of features available specifically for them. Cisco ISP Essentials also provides a detailed technical reference for the expert ISP engineer, with descriptions of the various knobs and special features that have been specifically designed for ISPs. The configuration examples and diagrams describe many scenarios, ranging from good operational practices to network security. Finally, a whole appendix is dedicated to using the best principles to cover the configuration detail of each router in a small ISP Point of Presence.
Front Matter

Cisco® ISP Essentials
Barry Raveendran Greene
Philip Smith
Publisher: Cisco Press
First Edition April 19, 2002
ISBN: 1-58705-041-2, 448 pages

This book is part of the Cisco Press Networking Technologies Series, which offers networking professionals valuable information for constructing efficient networks, understanding new technologies, and building successful careers.

Cisco® ISP Essentials
Published by: Cisco Press
201 West 103rd Street
Indianapolis, IN 46290 USA

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without written permission from the publisher, except for the inclusion of brief quotations in a review.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
First Printing April 2002
Library of Congress Cataloging-in-Publication Number: 2001090435

Warning and Disclaimer
This book is designed to provide information about best common practices for Internet service providers (ISPs). Every effort has been made to make this book as complete and as accurate as possible, but no warranty or fitness is implied. The information is provided on an “as is” basis. The authors, Cisco Press, and Cisco Systems, Inc., shall have neither liability nor responsibility to any person or entity with respect to any loss or damages arising from the information contained in this book or from the use of the discs or programs that may accompany it. The opinions expressed in this book belong to the author and are not necessarily those of Cisco Systems, Inc.

Feedback Information
At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers’ feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book, or otherwise alter it to better suit your needs, you can contact us through e-mail at feedback@ciscopress.com. Please make sure to include the book title and ISBN in your message. We greatly appreciate your assistance.

Trademark Acknowledgments
All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Cisco Press or Cisco Systems, Inc., cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.
Publisher: John Wait
Editor-In-Chief: John Kane
Cisco Systems Program Management: Michael Hakkert, Tom Geitner, William Warren
Acquisitions Editor: Amy Lewis
Production Manager: Patrick Kanouse
Development Manager: Howard Jones
Project Editor: San Dee Phillips
Copy Editor: Krista Hansing
Technical Editors: Brian Morgan and Bill Wagner
Team Coordinator: Tammi Ross
Book Designer: Gina Rexrode
Cover Designer: Louisa Klucznik
Production Team: Octal Publishing, Inc.
Indexer: Tim Wright

Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100

European Headquarters
Cisco Systems Europe
11 Rue Camille Desmoulins
92782 Issy-les-Moulineaux Cedex 9 France
http://www-europe.cisco.com
Tel: 33 1 58 04 60 00
Fax: 33 1 58 04 61 00

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706 USA
http://www.cisco.com
Tel: 408 526-7660
Fax: 408 527-0883

Asia Pacific Headquarters
Cisco Systems Australia, Pty., Ltd
Level 17, 99 Walker Street
North Sydney NSW 2059 Australia
http://www.cisco.com
Tel: +61 2 8448 7100
Fax: +61 2 9957 4350

Cisco Systems has more than 200 offices in the following countries.
Addresses, phone numbers, and fax numbers are listed on the Cisco Web site at www.cisco.com/go/offices

Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China • Colombia • Costa Rica • Croatia • Czech Republic • Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong • Hungary • India • Indonesia • Ireland • Israel • Italy • Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal • Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden • Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe

Copyright © 2000, Cisco Systems, Inc. All rights reserved. Access Registrar, AccessPath, Are You Ready, ATM Director, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, CiscoLink, the Cisco NetWorks logo, the Cisco Powered Network logo, Cisco Systems Networking Academy, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet Quotient, IP/VC, iQ Breakthrough, iQ Expertise, iQ FastTrack, iQuick Study, iQ Readiness Scorecard, The iQ Logo, Kernel Proxy, MGX, Natural Network Viewer, Network Registrar, the Networkers logo, Packet, PIX, Point and Click Internetworking, Policy Builder, RateMUX, ReyMaster, ReyView, ScriptShare, Secure Script, Shop with Me, SlideCast, SMARTnet, SVX, TrafficDirector, TransPath, VlanDirector, Voice LAN, Wavelength Router, Workgroup Director, and Workgroup Stack are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, Cisco, the Cisco Certified Internetwork Expert Logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Collision Free, Enterprise/Solver,
EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, SwitchProbe, TeleRouter, are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other brands, names, or trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0010R)

Cisco® ISP Essentials

About the Authors
About the Technical Reviewers
Acknowledgments
Introduction
  Motivation
  Intended Audience
  Organization
  Further Information
1. Software and Router Management
  Which Cisco IOS Software Version Should I Be Using?
  IOS Software Management
  Configuration Management
  Command-Line Interface
  Detailed Logging
  Network Time Protocol
  Simple Network Management Protocol
  HTTP Server
  Core Dumps
  Conclusion
  Endnotes
2. General Features
  IOS Software and Loopback Interfaces
  Interface Configuration
  Interface Status Checking
  Cisco Express Forwarding
  NetFlow
  Turn On Nagle
  DNS and Routers
  Conclusion
  Endnotes
3. Routing Protocols
  CIDR Features
  Selective Packet Discard
  Hot Standby Routing Protocol
  IP Source Routing
  Configuring Routing Protocols
  IGP Configuration Hints
  The BGP Path-Selection Process [1]
  BGP Features and Commands
  Applying Policy with BGP
  BGP Policy Accounting
  Multiprotocol BGP [5]
  Summary
  Endnotes
4. Security
  Securing the Router
  Unneeded or Risky Interface Services
  Cisco Discovery Protocol
  Login Banners
  Use enable secret
  The ident Feature
  SNMP Security
  Router Access: Controlling Who Can Get into the Router
  Securing the Routing Protocol
  Securing the Network
  Access Control Lists: General Sequential-Based ACLs
  BCP 38 Using Unicast RPF [10]
  Committed Access Rate to Rate-Limit or Drop Packets [21]
  Reacting to Security Incidents
  Summary
  Endnotes
5. Operational Practices
  Point-of-Presence Topologies
  Point-of-Presence Design
  Backbone Network Design
  ISP Services
  IPv4 Addressing in an ISP Backbone
  Interior Routing
  Exterior Routing
  Multihoming
  Security
  Out-of-Band Management
  Test Laboratory
  Operational Considerations
  Summary
  Endnotes
A. Access Lists and Regular Expressions
  Access List Types
  IOS Software Regular Expressions
  Endnotes
B. Cut-and-Paste Templates
  General System Template
  General Interface Template
  General Security Template
  General iBGP Template
  General eBGP Template
  Martian and RFC 1918 Networks Template
C. Example Configurations
  Simple Network Plan
  Configurations
  Summary
D. Route Flap Damping
  BGP Flap Damping Configuration
E. Traffic Engineering Tools
  Internet Traffic and Network Engineering Tools
  Other Useful Tools to Manage Your Network
  Overall Internet Status and Performance Tools
  What Other ISPs Are Doing
  Summary
F. Example ISP Access Security Migration Plan
  Phase 1—Close Off Access to Everyone Outside the CIDR Block
  Phase 2—Add Antispoofing Filters to Your Peers
  Phase Three—Close Off Network Equipment to Unauthorized Access
  Summary
  Endnotes
Glossary
Technical References and Recommended Reading
  Software and Router Management
  General Features
  Security
  Routing
  Other References and Recommended Reading

About the Authors

Barry Raveendran Greene is a Senior Consultant in the Internet Architectures Group of Consulting Engineering, Office of the CTO, Cisco Systems. Cisco’s CTO Consulting group assists ISPs throughout the world to scale, grow, and expand their networks. The assistance is delivered through consulting, developing new features, working on new standards (IETF and other groups), and pushing forward Best Common Practices (BCPs) to the Internet community. Barry’s current topics of interest are ISP Operations and Security, as well as developing the features, functionality, and techniques to enhance an ISP’s success.
Barry has been with Cisco since 1996, traveling to all parts of the world helping ISPs and telcos build the Internet. He is a former board member for the Asia Pacific Internet Association (APIA), co-creator of the APRICOT Conferences, Program Committee Member for ITU’s Telecom 99, and facilitator for the creation of several Internet eXchange Points (IXPs) in Asia and the Pacific. Barry is the co-coordinator for Cisco’s ISP Workshop Program, which is designed to empower engineering talent in ISPs all over the world. Mr. Greene has over 22 years’ experience in systems integration, security, operations, maintenance, management, and training on a variety of computer, internetworking, and telecommunications technologies. Before Cisco Systems, Barry was Deputy Director Planning and Operations for Singapore Telecom’s SingNet Internet Service and the Singapore Telecom Internet Exchange (STIX); Network Engineer and Systems Integrator at Johns Hopkins University/Applied Physics Lab (JHU/APL); Network Engineer and Systems Integrator at Science Applications International Corporation (SAIC); and a veteran of the United States Air Force.

Philip Smith is a Consulting Engineer in the Internet Architectures Group of Consulting Engineering, Office of the CTO, Cisco Systems. His role includes providing consultation and advice to ISPs primarily in the Asia Pacific region and also with other providers around the world. He concentrates specifically on network strategies, design, technology, and operations, as well as configuration, scaling, and training. He plays or has played a major role in training ISP engineers, co-founding the Cisco ISP/IXP Workshop programme, and providing ISP training and tutorials at many networking events around the world, including NANOG, RIPE, APNIC, ISOC, and APRICOT conferences. His other key interests include IPv6, BGP, IGPs, and network performance and data analysis. Philip has been with Cisco since January 1998.
Since joining, he has been working to promote and develop the Internet in the entire Asia Pacific region and has been actively involved in bringing the Internet to some countries in the region. He is a member of the APRICOT Executive Committee (the region’s annual ISP operational and technology conference) as well as its Programme Committee, co-chair of APOPS (the region’s ISP operational forum), and chair of two of APNIC’s special interest groups (SIG)—the Routing SIG and the Exchange Point SIG. He also has a particular research interest in the growth of the Internet and provides a detailed daily analysis of the routing table as seen in the Asia Pacific to the general operator community worldwide. Prior to joining Cisco, he spent five years at PIPEX (now part of UUNET’s global ISP business), the UK’s first commercial ISP, where he was Head of Network [...]

... files in ascii
  Force display to hex/text format
  Display binary files in ebcdic
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display
  File to display

By using the | after the more command and its option, it is possible to search within the file for the strings of interest in the ...

... http://www.cisco.com/univercd/) or on the CD-ROM that comes with each router
• Cisco.com
• Local Cisco Systems’ support channels
• Public discussion lists

The list that focuses specifically on ISPs that use Cisco Systems equipment is cisco-nsp, hosted by Jared Mauch. cisco-nsp is a mailing list which has been created specifically for ISPs to discuss Cisco Systems products and their use. To subscribe, send an e-mail ...
... technical editor of numerous other Cisco Press titles.

Acknowledgments

This book started life as a small whitepaper called “IOS Essentials,” an attempt to document the various configuration and operational best practices which ISPs were using on their Cisco networking equipment. This whitepaper has, over the last few years, grown through several versions into this book, Cisco ISP Essentials. We would like to ...

... Roadmap from 12.1 Onward

Cisco IOS Software releases: http://www.cisco.com/warp/public/732/Releases/
Types of Cisco IOS Software releases: http://www.cisco.com/warp/customer/cc/pd/iosw/iore/prodlit/537_pp.htm
Release designations defined—software lifecycle definitions: http://www.cisco.com/warp/customer/417/109.html
Software naming conventions for Cisco IOS Software: http://www.cisco.com/warp/customer/432/7.html ...

... Regular expressions (as in the preceding example) can be used with more. The options available with more follow in this example:

beta7200#more ?
  /ascii      Display binary files in ascii
  /binary     Force display to hex/text format
  /ebcdic     Display binary files in ebcdic
  bootflash:  File to display
  disk0:      File to display
  disk1:      File to display
  flash:      File to display
  ftp:        File to display
  null:       File to display
  nvram:      File to display
  rcp:        File to display
  slot0:      File to display
  slot1:      File to display
  system:     File to display
  tftp:       File to display
beta7200#

... book—http://www.ispbook.com

The web site http://www.cisco.com/public/cons/isp also contains other reference materials that may be useful for ISPs. Where topics are not apparently covered in sufficient technical depth, the reader is encouraged to consult the following reference sources:
• Cisco Systems’ Documentation (available to the general public on Cisco’s website at http://www.cisco.com/univercd/) ...

... mentioned here. Consult the Product Bulletin page on Cisco.com for up-to-date information. The online supplements to this book will list the current recommendations for ISPs.

NOTE Cisco Systems’ most up-to-date recommendations on which IOS Software branch an ISP should be using are on the Product Bulletin page, available at Cisco.com, at http://www.cisco.com/warp/public/cc/general/bulletin/index.shtml ...

... 12.0S ordering procedures and platform hardware support: http://www.cisco.com/warp/public/cc/pd/iosw/iore/iomjre12/prodlit/935_pb.htm
Cisco IOS Software release notes for Release 12.0S: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/relnote/7000fam/rn120s.htm
Cisco IOS Software release 12.0S migration guide: http://www.cisco.com/warp/public/cc/pd/iosw/iore/iomjre12/prodlit/940_pb.htm ...

... the ISP arena and other marketplaces in which Cisco is present—these visual roadmaps have been created to show the interrelation of the different IOS Software versions. The current up-to-date roadmap can be seen at http://www.cisco.com/warp/public/620/roadmap.shtml. Consult the following URLs on Cisco.com for more detailed and up-to-date information on IOS Software release structure:

Figure 1-1 Cisco ...

... Software images for ISPs, the Service Provider feature set was added to all Cisco IOS Software releases. This software is based on the IP-only image but with additional features for ISPs. Such software can be recognized by the “-p-” in the image name. This image is usually all that any ISP needs to run. These images cannot be ordered at time of router purchase, but they can be downloaded from Cisco.com before ...