The role of the loopback (local loopback) interface

The local loopback interface (or address) is also known simply as the loopback address.
It is the most widely used kind of virtual interface and exists on almost every router. Its common uses are as follows:
1. As the management address of a router
After the system administrator completes the network planning, a loopback interface is created on each router to ease management, and a dedicated IP address is assigned to that interface as the management address. The administrator uses this address to log in to the router remotely (telnet); in practice the address works much like a device name.
But every router already has many interfaces and addresses, so why not simply pick one of those?
The reason is that telnet runs over TCP, which leads to the following situation: if the physical interface whose address was chosen goes down because of a failure, the TCP session bound to that address is lost even though the router can still be telnetted to through its other interfaces. The address chosen for telnet must therefore be one that never goes down, and a virtual interface meets exactly this requirement. Because this kind of interface does not need to interconnect with a peer, the loopback address is usually assigned a 32-bit mask to save address space.
2. As the router ID of the dynamic routing protocols OSPF and BGP
During operation, OSPF and BGP each need a router ID that serves as the unique identifier of the router, and it must be unique within the whole autonomous system. The router ID is a 32-bit unsigned integer, so it looks very much like an IP address, and since IP addresses do not repeat, the router ID is usually set to the address of one of the device's interfaces. Because the loopback address is commonly treated as the identifier of the router, it has become the natural choice for the router ID.
3. As the source address for the BGP TCP connection
In BGP, the neighbor relationship between two BGP routers is established over a TCP connection.
When configuring neighbors, the loopback interface is usually specified as the source address of that TCP connection (normally only for IBGP; the reason is the same as for the management address above: it makes the TCP connection more robust). The configuration commands are as follows:
router id 61.235.66.1
interface loopback 0
ip address 61.235.66.1 255.255.255.255
router bgp 100
neighbor 61.235.66.7 remote-as 200
neighbor 61.235.66.7 update-source LoopBack0
4. In Windows, 127.0.0.1 is used as the local loopback address.
5. BGP update-source
Because the loopback port stays active for as long as the router itself is alive, the BGP session can be established as long as the BGP peers' loopback ports are reachable from each other. In short, using the loopback port for BGP improves the robustness of the network.
neighbor 215.17.1.35 update-source loopback 0
6. Router ID
The interface address is used as the Router-ID of OSPF and BGP, that is, as the unique identifier of this router, which must be unique within the whole autonomous system. The BGP/OSPF Router-ID in IPv6 is still a 32-bit IP address. In OSPF the router priority is set manually under the interface, and the OSPF Router-ID is compared after it (the election itself is not discussed here). Note: after a router starts the OSPF routing process, it selects the largest IP address among its physical interfaces as its Router-ID, but if a loopback interface is configured, it selects the largest IP address among the loopback interfaces instead. Once the Router-ID has been selected, OSPF does not change it readily, for the sake of stability, unless the address being used as the Router-ID is deleted or OSPF is restarted. The Router-ID of OSPF and BGP can also be set manually in the routing configuration mode.
OSPF: Router-ID…
BGP: BGP Router-ID…
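The selection rules described in item 6 (manual setting wins, otherwise the largest loopback address, otherwise the largest physical-interface address, and the chosen ID is kept until its address is deleted or the process restarts) are easy to get wrong when reasoning about a failover. The function below is an added example, not code from the original post or from any vendor's software; the interface table, interface names and addresses are constructed, and the assumption that only interfaces that are up take part in a fresh election is labelled in the code.

```python
"""OSPF/BGP router-id selection as described above.

Added example, not code from the original post or from any vendor's IOS.
The interface table, names and addresses are constructed for illustration;
only the selection rules follow the text.
"""
import ipaddress
from typing import List, Optional, Tuple

# (interface name, IPv4 address or None, line-protocol up?)
Interface = Tuple[str, Optional[str], bool]


def _is_loopback(name: str) -> bool:
    return name.lower().startswith("loopback")


def select_router_id(interfaces: List[Interface],
                     manual_id: Optional[str] = None,
                     current_id: Optional[str] = None) -> Optional[str]:
    """Return the router-id an OSPF process would settle on.

    manual_id  - value of a `router-id` statement in the process config, if any
    current_id - id already in use by a running process, if any (stability rule)
    """
    # 1. A manually configured router-id overrides everything else.
    if manual_id:
        return manual_id

    # Addresses still present on the box, regardless of interface state.
    configured = [ipaddress.IPv4Address(addr) for _, addr, _ in interfaces if addr]

    # 2. Stability: a running process keeps its id until the address it was
    #    taken from is deleted (or the process is restarted: current_id=None).
    if current_id and ipaddress.IPv4Address(current_id) in configured:
        return current_id

    # Assumption: only addresses on interfaces that are up take part in a
    # fresh election (the "active interface" wording used in vendor docs).
    active = [(name, ipaddress.IPv4Address(addr))
              for name, addr, up in interfaces if addr and up]

    # 3. Loopbacks are preferred: the numerically largest loopback address.
    loopbacks = [a for n, a in active if _is_loopback(n)]
    if loopbacks:
        return str(max(loopbacks))

    # 4. Otherwise the numerically largest address on a physical interface.
    physical = [a for n, a in active if not _is_loopback(n)]
    return str(max(physical)) if physical else None


# Constructed sample: two physical interfaces plus a /32 loopback.
SAMPLE_INTERFACES: List[Interface] = [
    ("GigabitEthernet0/0", "10.0.0.1", True),
    ("GigabitEthernet0/1", "172.16.5.1", True),
    ("Loopback0", "61.235.66.1", True),
]

if __name__ == "__main__":
    print("with loopback:   ", select_router_id(SAMPLE_INTERFACES))
    print("physical only:   ", select_router_id(SAMPLE_INTERFACES[:2]))
    print("manual override: ", select_router_id(SAMPLE_INTERFACES, manual_id="1.1.1.1"))
```

Note that the loopback wins even though 61.235.66.1 is numerically smaller than 172.16.5.1, and that adding a loopback to a router whose process already runs with a physical-interface ID changes nothing until that address is removed or the process is restarted.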
7. IP unnumbered interfaces
An unnumbered interface can borrow the loopback port's address, which saves IP addresses in the network's address allocation.
Example:
interface loopback 0
ip address 215.17.3.1 255.255.255.255
!
interface Serial5/0
bandwidth 128
ip unnumbered loopback 0
8. Exception dumps by FTP
When the router goes down (crashes), the system memory still holds a copy of the software kernel. A Cisco router can be configured to export this kernel to an FTP server as part of the router diagnosis and debugging process. However, the export must not be directed at a system running a public FTP server, but at an FTP server specifically protected by ACL filtering (against TCP address spoofing) so that only the routers can access it. If the loopback address is used as the router's source address and belongs to the corresponding address block, this ACL filtering is easy to configure.

Sample IOS configuration:
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password 7 045802150C2E
exception protocol ftp
exception dump 169.223.32.1
9. TFTP server access
Securing TFTP server access means that the IP source address should be pinned down as well: Cisco IOS software allows TFTP transfers from the router to be configured to use a specific interface address. With the router's IP address fixed, the TFTP server can run with a fixed ACL.
ip tftp source-interface Loopback0
10. SNMP server access
The router's loopback port can likewise be used to control access security. If the SNMP network-management data sent from a router originates from the loopback port, it is easy to protect the SNMP server in the network management center.
Sample IOS configuration:
access-list 98 permit 215.17.34.1
access-list 98 permit 215.17.1.1
access-list 98 deny any
!
snmp-server community 5nmc02m RO 98
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server host 215.17.34.1 5nmc02m
snmp-server host 215.17.1.1 5nmc02m
11. TACACS/RADIUS server source interface
When the TACACS/RADIUS protocol is used, whether for administrator access to the router or for authenticating dial-up users, the router is configured to use the loopback port as the source address of the TACACS/RADIUS packets it sends, which improves security.
TACACS
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.2
tacacs-server host 215.17.34.10
tacacs-server key CKr3t#
!
RADIUS
radius-server host 215.17.1.2 auth-port 1645 acct-port 1646
radius-server host 215.17.34.10 auth-port 1645 acct-port 1646
ip radius source-interface Loopback0
!
12. NetFlow flow export
To transmit traffic data from a router to a NetFlow collector for traffic analysis and billing, the router's loopback address is used as the source address of all exported traffic-statistics packets, which allows more accurate and cheaper filtering on the collector or at its perimeter.
ip flow-export destination 215.17.13.1 9996
ip flow-export source Loopback0
ip flow-export version 5 origin-as
!
interface Fddi0/0/0
description FDDI link to IXP
ip address 215.18.1.10 255.255.255.0
ip route-cache flow
ip route-cache distributed
no keepalive
!
The Fddi0/0/0 interface is configured for flow collection. The router is configured to export version 5 flow records to the host 215.17.13.1 over UDP port 9996, with the router's loopback address as the source address of the statistics packets.
13. NTP source interface
NTP is used to keep the clocks of all routers in a network synchronized to within a few milliseconds. If the loopback address is used as the router's source address between NTP speakers, address filtering and authentication become easier to maintain and implement. Many ISPs expect their customers to synchronize only with the ISP's own time servers and not with time servers elsewhere in the world.
clock timezone SST 8
!
access-list 5 permit 192.36.143.150
access-list 5 permit 169.223.50.14
!
ntp authentication-key 1234 md5 104D000A0618 7
ntp authenticate
ntp trusted-key 1234
ntp source Loopback0
ntp access-group peer 5
ntp update-calendar
ntp peer 192.36.143.150
ntp peer 169.223.50.14
!
14. Syslog source interface
The system log server also needs to be properly protected in the ISP backbone network. Many ISPs want to collect only their own logs and not log messages sent from outside networks; DDoS attacks on syslog servers are not unknown. If the source address of the log packets comes from a well-planned address space, for example the routers' loopback addresses, the security configuration of the syslog server also becomes much easier.
A configuration example:
logging buffered 16384
logging trap debugging
logging source-interface Loopback0
logging facility local7
logging 169.223.32.1
!
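Items 10, 13 and 14 all rest on the same server-side idea: when every router sources its SNMP traps, NTP packets and syslog messages from a loopback address in a known block, the collector can be protected with a short, stable access list. The script below is an added example, not code from the original post or from Cisco: it evaluates IOS-style standard numbered ACLs (`permit`/`deny` with an optional wildcard mask, `host`, `any`, and the implicit deny at the end) against constructed sample datagrams as a collector might see them. ACL 98 is the one from the SNMP section; the datagrams, their source addresses and the `filter_datagrams` helper are invented for illustration.

```python
"""Standard-ACL filtering of management-plane traffic by source address.

Added example, not from the original post. ACL 98 is the SNMP access list
shown above; the sample datagrams and every other address are constructed.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network]  # ("permit" | "deny", network)

ACL_TEXT = """
access-list 98 permit 215.17.34.1
access-list 98 permit 215.17.1.1
access-list 98 deny any
"""


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask: 0 bits must match, 1 bits are don't-care, i.e. the
    bitwise inverse of a subnet mask."""
    inverted = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(inverted))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def parse_standard_acl(text: str, number: str) -> List[Entry]:
    """Collect the entries of one standard numbered ACL, in configured order."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list" or parts[1] != number:
            continue
        action, target = parts[2], parts[3]
        if target == "any":
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif target == "host":
            net = ipaddress.IPv4Network(parts[4] + "/32")
        else:
            # A bare address without a wildcard means "this host" (0.0.0.0 mask).
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            net = wildcard_to_network(target, wildcard)
        entries.append((action, net))
    return entries


def acl_permits(entries: List[Entry], source: str) -> bool:
    """First matching entry decides; every IOS ACL ends with an implicit deny."""
    ip = ipaddress.IPv4Address(source)
    for action, net in entries:
        if ip in net:
            return action == "permit"
    return False


# Constructed datagrams: (source address, UDP port, payload summary).
SAMPLE_DATAGRAMS = [
    ("215.17.34.1", 162, "snmp-trap linkDown GigabitEthernet0/1"),          # loopback-sourced
    ("215.17.1.1", 514, "syslog %SYS-5-CONFIG_I: Configured from console"),  # loopback-sourced
    ("215.18.1.10", 162, "snmp-trap linkDown Fddi0/0/0"),                   # physical-interface source
    ("198.51.100.77", 514, "syslog flood"),                                  # outside address
]


def filter_datagrams(entries: List[Entry], datagrams):
    """Split datagrams into those the collector accepts and those it drops."""
    accepted, dropped = [], []
    for src, port, payload in datagrams:
        (accepted if acl_permits(entries, src) else dropped).append((src, port, payload))
    return accepted, dropped


if __name__ == "__main__":
    acl98 = parse_standard_acl(ACL_TEXT, "98")
    ok, bad = filter_datagrams(acl98, SAMPLE_DATAGRAMS)
    for src, port, payload in ok:
        print(f"ACCEPT {src}:{port} {payload}")
    for src, port, payload in bad:
        print(f"DROP   {src}:{port} {payload}")
```

The third datagram is the case the text warns about: a trap that happens to leave through a physical interface carries that interface's address and is dropped by the collector's ACL, so `trap-source`, `ntp source` and `logging source-interface` are not optional once the server is locked down. When all loopbacks come from one block, a single wildcard line such as `access-list 10 permit 215.17.1.0 0.0.0.255` replaces the per-router entries.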
15. Telnet to the router
Using the loopback port as the target interface for remote access to the router improves the robustness of the network on the one hand; on the other hand, if you add a DNS mapping entry for the router on the DNS server, you can telnet to this router from anywhere routable in the world, and this keeps working as the ISP continues to expand and add new devices.

Examples of DNS forward and reverse zone files:
; net.galaxy zone file
net.galaxy. IN SOA ns.net.galaxy. hostmaster.net.galaxy. (
    1998072901 ; version == date(YYYYMMDD)+serial
    10800 ; Refresh (3 hours)
    900 ; Retry (15 minutes)
    172800 ; Expire (48 hours)
    43200 ) ; Minimum (12 hours)
    IN NS ns0.net.galaxy.
    IN NS ns1.net.galaxy.
    IN MX 10 mail0.net.galaxy.
    IN MX 20 mail1.net.galaxy.
;
localhost IN A 127.0.0.1
gateway1 IN A 215.17.1.1
gateway2 IN A 215.17.1.2
gateway3 IN A 215.17.1.3
;
;etc etc
;
; 1.17.215.in-addr.arpa zone file
;
1.17.215.in-addr.arpa. IN SOA ns.net.galaxy. hostmaster.net.galaxy. (
    1998072901 ; version == date(YYYYMMDD)+serial
    10800 ; Refresh (3 hours)
    900 ; Retry (15 minutes)
    172800 ; Expire (48 hours)
    43200 ) ; Minimum (12 hours)
    IN NS ns0.net.galaxy.
    IN NS ns1.net.galaxy.
1 IN PTR gateway1.net.galaxy.
2 IN PTR gateway2.net.galaxy.
3 IN PTR gateway3.net.galaxy.
;
;etc etc
On the router, set the telnet source to the loopback interface:
ip telnet source-interface Loopback0
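A DNS entry per loopback is only useful for operations and for log correlation if the forward (A) and reverse (PTR) zones agree, and the two files drift apart easily as devices are added. The checker below is an added example, not part of the original post: it extracts the A records of a forward zone and the PTR records of the matching in-addr.arpa zone and reports every address whose two mappings disagree. The zone fragments are constructed after the zone files above; `gateway4`/`gw4` and the PTR for `.5` are deliberate mismatches so that the check has something to find.

```python
"""Forward/reverse DNS zone consistency check.

Added example, not from the original post. The zone fragments are constructed
after the net.galaxy examples; the mismatches in them are intentional.
"""
import re
from typing import Dict, List, Tuple

FORWARD_ORIGIN = "net.galaxy"
REVERSE_ORIGIN = "1.17.215.in-addr.arpa."

FORWARD_ZONE = """\
; net.galaxy zone file (constructed)
net.galaxy.  IN SOA ns.net.galaxy. hostmaster.net.galaxy. (
             1998072901 ; serial
             10800 900 172800 43200 )
             IN NS  ns0.net.galaxy.
             IN MX  10 mail0.net.galaxy.
localhost    IN A   127.0.0.1
gateway1     IN A   215.17.1.1
gateway2     IN A   215.17.1.2
gateway3     IN A   215.17.1.3
gateway4     IN A   215.17.1.4   ; the reverse zone names this host differently
"""

REVERSE_ZONE = """\
; 1.17.215.in-addr.arpa zone file (constructed)
1.17.215.in-addr.arpa. IN SOA ns.net.galaxy. hostmaster.net.galaxy. (
             1998072901 10800 900 172800 43200 )
             IN NS  ns0.net.galaxy.
1            IN PTR gateway1.net.galaxy.
2            IN PTR gateway2.net.galaxy.
3            IN PTR gateway3.net.galaxy.
4            IN PTR gw4.net.galaxy.
5            IN PTR gateway5.net.galaxy.   ; no A record exists for this name
"""

# Only owner names at the start of a line are considered; continuation lines
# of the SOA and the NS/MX records (indented) therefore never match.
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)
PTR_RE = re.compile(r"^(\d+)\s+IN\s+PTR\s+(\S+)\s*$", re.M)

Problem = Tuple[str, str, str]


def _strip_comments(text: str) -> str:
    return re.sub(r";.*", "", text)


def parse_forward(text: str, origin: str) -> Dict[str, str]:
    """Map fully qualified host name (no trailing dot) -> IPv4 address."""
    hosts: Dict[str, str] = {}
    for name, ip in A_RE.findall(_strip_comments(text)):
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"   # relative name: append the zone origin
        hosts[fqdn] = ip
    return hosts


def reverse_prefix(reverse_origin: str) -> str:
    """'1.17.215.in-addr.arpa.' -> '215.17.1' (the /24 the zone covers)."""
    labels = reverse_origin.rstrip(".").split(".")[:-2]   # drop in-addr, arpa
    return ".".join(reversed(labels))


def parse_reverse(text: str, reverse_origin: str) -> Dict[str, str]:
    """Map IPv4 address -> host name (no trailing dot) from a /24 reverse zone."""
    prefix = reverse_prefix(reverse_origin)
    return {f"{prefix}.{last}": target.rstrip(".")
            for last, target in PTR_RE.findall(_strip_comments(text))}


def check_consistency(forward: Dict[str, str], reverse: Dict[str, str],
                      prefix: str) -> List[Problem]:
    """Return (kind, key, value) for every mismatch inside the reverse zone's prefix."""
    problems: List[Problem] = []
    for host, ip in forward.items():
        # Addresses outside the reverse zone (e.g. 127.0.0.1) are not its business.
        if ip.startswith(prefix + ".") and reverse.get(ip) != host:
            problems.append(("A-without-matching-PTR", host, ip))
    for ip, host in reverse.items():
        if forward.get(host) != ip:
            problems.append(("PTR-without-matching-A", ip, host))
    return problems


def run_check() -> List[Problem]:
    forward = parse_forward(FORWARD_ZONE, FORWARD_ORIGIN)
    reverse = parse_reverse(REVERSE_ZONE, REVERSE_ORIGIN)
    return check_consistency(forward, reverse, reverse_prefix(REVERSE_ORIGIN))


if __name__ == "__main__":
    for kind, key, value in run_check():
        print(f"{kind}: {key} -> {value}")
```

To run it against real files, replace the two embedded strings with the contents of the zone files; the parser deliberately handles only the plain `name IN A` / `n IN PTR` layout used in the example zones, not `$ORIGIN`, `$TTL` or multi-octet reverse zones.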
16. RCMD to the router
RCMD requires the network administrator to have a UNIX rlogin/rsh client to access the router. Some ISPs use RCMD to collect interface statistics, upload or download router configuration files, or obtain simple information about the router's routing table. The router can be configured to use the loopback address as the source address, so that all packets it sends to establish the RCMD connection carry the loopback address:
ip rcmd source-interface Loopback0

Origin blog.csdn.net/zhangyuebk/article/details/112301794