<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3>A summary of the uses of the Loopback interface</FONT></P>
<P class=MsoNormal style="MARGIN: 0cm 0cm 0pt"><FONT size=3>Loopback interfaces are very widely used in practice; this article is a comprehensive collection of Loopback interface uses.</FONT></P>
<P><FONT face=宋体 size=3>BGP Update-Source</FONT></P>
<P><FONT face=宋体 size=3><SPAN style="COLOR: red">Because a Loopback interface stays Active as long as the router itself is alive</SPAN>, a BGP session can be established as long as the peers' Loopback interfaces are reachable by routing. In short, using loopback interfaces in BGP improves the robustness of the network.<BR>neighbor 215.17.1.35 update-source loopback 0</FONT></P>
<P><FONT face=宋体 size=3>Router ID</FONT></P>
<P><FONT face=宋体 size=3>The interface address is used as the Router-ID of OSPF and BGP, the unique identifier of this router, which must be unique within the whole autonomous system. In IPv6 the BGP/OSPF Router-ID is still a 32-bit IP address. In OSPF the router priority is set manually under the interface, and only then is the OSPF Router-ID compared (Router-ID election is not discussed in detail here. PS: after a router starts the OSPF routing protocol it picks the highest IP address of its physical interfaces as its Router ID, but if Loopback interfaces are configured, the highest IP address among the Loopback interfaces is chosen. Also, once the Router ID has been chosen, OSPF does not change it lightly, for the sake of stability, unless the IP address serving as Router ID is deleted or OSPF is restarted.) In both OSPF and BGP the Router-ID can be set manually in router configuration mode.<BR>OSPF: router-id *.*.*.*<BR>BGP: bgp router-id *.*.*.*</FONT></P>
<P><FONT face=宋体 size=3>IP Unnumbered Interfaces</FONT></P>
<P><FONT face=宋体 size=3>An unnumbered interface can borrow the robust loopback interface address, which saves IP address allocation in the network.<BR>Example:<BR>interface loopback 0<BR>ip address 215.17.3.1 255.255.255.255<BR>!<BR>interface Serial 5/0<BR>bandwidth 128<BR>ip unnumbered loopback 0</FONT></P>
<P><FONT face=宋体 size=3>Exception Dumps by FTP</FONT></P>
<P><FONT face=宋体 size=3>When a router crashes, a copy of the software core is still held in system memory; a Cisco router can be configured to dump this core to an FTP server as part of the router diagnosis and debugging process. However, this core-dump function must not be directed at a system running public FTP server software; it should go to an FTP server that is specially protected by ACL filtering (TCP address spoofing protection) so that only the routers may access it. If the Loopback interface address is used as the router's source address and belongs to the corresponding address block, the ACL filtering is easy to configure.<BR>Sample IOS configuration:<BR>ip ftp source-interface Loopback0<BR>ip ftp username cisco<BR>ip ftp password 7 045802150C2E<BR>exception protocol ftp<BR>exception dump 169.223.32.1</FONT></P>
<P><FONT face=宋体 size=3>TFTP-SERVER Access</FONT></P>
<P><FONT face=宋体 size=3>Security for TFTP means that the IP source address should always be configured with security in mind. Cisco IOS software allows the TFTP server to be configured to use a specific IP interface address, so that the TFTP server can be protected with fixed ACLs based on the router's fixed IP address.<BR>ip tftp source-interface Loopback0</FONT></P>
<P><FONT face=宋体 size=3>SNMP-SERVER Access</FONT></P>
<P><FONT face=宋体 size=3>A router's Loopback interface can likewise be used to control access security: if the SNMP management data sent by a router originates from the Loopback interface, it is easy to protect the SNMP server at the network management centre.<BR>Sample IOS configuration:<BR>access-list 98 permit 215.17.34.1<BR>access-list 98 permit 215.17.1.1<BR>access-list 98 deny any<BR>!<BR>snmp-server community 5nmc02m RO 98<BR>snmp-server trap-source Loopback0<BR>snmp-server trap-authentication<BR>snmp-server host 215.17.34.1 5nmc02m<BR>snmp-server host 215.17.1.1 5nmc02m</FONT></P>
<P><FONT face=宋体 size=3>TACACS/RADIUS-Server Source Interface</FONT></P>
<P><FONT face=宋体 size=3>When the TACACS/RADIUS protocols are used, whether for administrative user access to the router or for authenticating dial-up users, the router is configured to use the Loopback interface as the source address of the TACACS/RADIUS packets it sends, which improves security.<BR>TACACS<BR>aaa new-model<BR>aaa authentication login default tacacs+ enable<BR>aaa authentication enable default tacacs+ enable<BR>aaa accounting exec start-stop tacacs+<BR>!<BR>ip tacacs source-interface Loopback0<BR>tacacs-server host 215.17.1.2<BR>tacacs-server host 215.17.34.10<BR>tacacs-server key CKr3t#<BR>!<BR>RADIUS<BR>radius-server host 215.17.1.2 auth-port 1645 acct-port 1646<BR>radius-server host 215.17.34.10 auth-port 1645 acct-port 1646<BR>ip radius source-interface Loopback0<BR>!</FONT></P>
<P><FONT face=宋体 size=3>NetFlow Flow-Export</FONT></P>
<P><FONT face=宋体 size=3>Flow data is exported from a router to a NetFlow collector for traffic analysis and billing. Using the router's Loopback address as the source address of all exported flow-statistics packets allows more precise and lower-cost filtering to be configured on the collector or at its perimeter.<BR>ip flow-export destination 215.17.13.1 9996<BR>ip flow-export source Loopback0<BR>ip flow-export version 5 origin-as<BR>!<BR>interface Fddi0/0/0<BR>description FDDI link to IXP<BR>ip address 215.18.1.10 255.255.255.0<BR>ip route-cache flow<BR>ip route-cache distributed<BR>no keepalive<BR>!<BR>Interface FDDI 0/0/0 is configured to collect flow data. The router is configured to export version 5 flow records to the host at IP address 215.17.13.1 over UDP port 9996, using the router's Loopback address as the source address of the statistics packets.</FONT></P>
<P><FONT face=宋体 size=3>NTP Source Interface</FONT></P>
<P><FONT face=宋体 size=3>NTP keeps the clocks of all routers in a network synchronised, ensuring the error stays within a few milliseconds. Using the Loopback address as the router's source address between NTP speakers makes address filtering and authentication somewhat easier to maintain and implement. Many ISPs want their customers to synchronise only with the ISP's own time servers rather than with time servers elsewhere in the world.<BR>clock timezone SST 8<BR>!<BR>access-list 5 permit 192.36.143.150<BR>access-list 5 permit 169.223.50.14<BR>!<BR>ntp authentication-key 1234 md5 104D000A0618 7<BR>ntp authenticate<BR>ntp trusted-key 1234<BR>ntp source Loopback0<BR>ntp access-group peer 5<BR>ntp update-calendar<BR>ntp peer 192.36.143.150<BR>ntp peer 169.223.50.14<BR>!</FONT></P>
<P><FONT face=宋体 size=3>SYSLOG Source Interface</FONT></P>
<P><FONT face=宋体 size=3>The syslog server likewise needs to be properly protected in the ISP backbone. Many ISPs want to collect only their own syslog messages, not ones sent from outside networks. DDoS attacks on syslog servers are not unknown. If the source addresses of syslog packets come from well-planned address space, for example the routers' Loopback interface addresses, securing the syslog server is likewise easier.<BR>A configuration example:<BR>logging buffered 16384<BR>logging trap debugging<BR>logging source-interface Loopback0<BR>logging facility local7<BR>logging 169.223.32.1<BR>!</FONT></P>
<P><FONT face=宋体 size=3>Telnet to the Router</FONT></P>
<P><FONT face=宋体 size=3>Remote routers use the Loopback interface as the target interface for remote access. On one hand this improves the robustness of the network; on the other hand, if a DNS mapping entry for the router is created on the DNS server, the router can be reached by Telnet from anywhere in the world that has routing reachability, and the ISP can keep expanding and adding new devices.<BR><BR>Because the telnet command uses TCP packets, the following situation can arise: one of the router's interfaces goes down because of a fault, but the other interfaces can still be reached by telnet, that is, the TCP connection to this router still exists. So the address chosen for telnet must be one that never goes down, and a virtual interface satisfies exactly this requirement. Since such an interface has no need to interconnect with a peer, the loopback interface address is usually assigned a 32-bit mask in order to save address resources.</FONT></P>
<P><FONT face=宋体 size=3>DNS</FONT><FONT face=宋体 size=3>: an example of forward and reverse zone files:<BR>; net.galaxy zone file<BR>net.galaxy. IN SOA ns.net.galaxy. hostmaster.net.galaxy. (<BR>1998072901 ; version == date(YYYYMMDD)+serial<BR>10800 ; Refresh (3 hours)<BR>900 ; Retry (15 minutes)<BR>172800 ; Expire (48 hours)<BR>43200 ) ; Minimum (12 hours)<BR>IN NS ns0.net.galaxy.<BR>IN NS ns1.net.galaxy.<BR>IN MX 10 mail0.net.galaxy.<BR>IN MX 20 mail1.net.galaxy.<BR>;<BR>localhost IN A 127.0.0.1<BR>gateway1 IN A 215.17.1.1<BR>gateway2 IN A 215.17.1.2<BR>gateway3 IN A 215.17.1.3<BR>;<BR>;etc etc<BR>; 1.17.215.in-addr.arpa zone file<BR>;<BR>1.17.215.in-addr.arpa. IN SOA ns.net.galaxy. hostmaster.net.galaxy. (<BR>1998072901 ; version == date(YYYYMMDD)+serial<BR>10800 ; Refresh (3 hours)<BR>900 ; Retry (15 minutes)<BR>172800 ; Expire (48 hours)<BR>43200 ) ; Minimum (12 hours)<BR>IN NS ns0.net.galaxy.<BR>IN NS ns1.net.galaxy.<BR>1 IN PTR gateway1.net.galaxy.<BR>2 IN PTR gateway2.net.galaxy.<BR>3 IN PTR gateway3.net.galaxy.<BR>;<BR>;etc etc<BR>On the router, set the telnet source to the loopback interface:<BR>ip telnet source-interface Loopback0</FONT></P>
<P><FONT face=宋体 size=3>RCMD to the router</FONT></P>
<P><FONT face=宋体 size=3>RCMD requires the network administrator to have a UNIX rlogin/rsh client to access the router. Some ISPs use RCMD to capture interface statistics, upload or download router configuration files, or obtain a quick view of the router's routing table. The router can be configured to use the Loopback address as the source address, so that every RCMD connection the router initiates carries the Loopback address as its source:<BR>ip rcmd source-interface Loopback0</FONT></P>
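<P><FONT face=宋体 size=3>As an added example (not from the original article or Cisco), a small Python audit script that reads one IOS running-config and reports where the loopback source bindings the sections above describe are missing: each service's source-interface command, each BGP neighbour's update-source, and the 32-bit loopback mask. The command prefixes are the ones the article lists; the function names and the sample config are constructed here.</FONT></P>

```python
import re

# Article's global-config commands that pin a service's source to one interface.
SOURCE_COMMANDS = {
    "ftp": "ip ftp source-interface", "tftp": "ip tftp source-interface",
    "snmp-trap": "snmp-server trap-source", "tacacs": "ip tacacs source-interface",
    "radius": "ip radius source-interface", "netflow": "ip flow-export source",
    "ntp": "ntp source", "syslog": "logging source-interface",
    "telnet": "ip telnet source-interface", "rcmd": "ip rcmd source-interface",
}

def _is_loopback(ifname):  # 'loopback 0', 'Loopback0' and 'lo0' all qualify
    return re.fullmatch(r"lo(opback)?\d+", ifname.strip().lower().replace(" ", "")) is not None

def audit_loopback_sources(config):
    """Return unpinned services, BGP neighbours lacking update-source loopback, non-/32 loopbacks."""
    pinned, neighbours, pinned_nb, bad_lo = set(), set(), set(), []
    current = None  # interface whose indented subcommands we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and current:  # interface subcommand
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m and _is_loopback(current) and m.group(2) != "255.255.255.255":
                bad_lo.append(f"{current} {m.group(1)}/{m.group(2)}")
            continue
        current = line[10:] if line.lower().startswith("interface ") else None
        for service, prefix in SOURCE_COMMANDS.items():
            if line.startswith(prefix + " ") and _is_loopback(line[len(prefix):]):
                pinned.add(service)
        if m := re.match(r"neighbor (\S+) remote-as \d+", line):
            neighbours.add(m.group(1))
        if (m := re.fullmatch(r"neighbor (\S+) update-source (.+)", line)) and _is_loopback(m.group(2)):
            pinned_nb.add(m.group(1))
    return {"unpinned": sorted(set(SOURCE_COMMANDS) - pinned),
            "bgp_no_loopback": sorted(neighbours - pinned_nb),
            "loopback_not_host": bad_lo}

# Constructed sample (not from the article): /24 loopback, one neighbour without update-source, TFTP sourced from a serial.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 215.17.3.5 255.255.255.0
router bgp 65001
 neighbor 215.17.1.35 remote-as 65002
 neighbor 215.17.1.35 update-source loopback 0
 neighbor 215.17.1.40 remote-as 65003
ip ftp source-interface Loopback0
ip tftp source-interface Serial5/0
"""
```

Running audit_loopback_sources(SAMPLE_CONFIG) flags TFTP and every unset service as unpinned, neighbour 215.17.1.40 as lacking a loopback update-source, and Loopback0 for its /24 mask.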