Loopback interfaces are widely used in practice. This article collects the common uses of the loopback interface on Cisco routers. Most of them come down to one security idea: if every router sources its management-plane traffic (BGP, SNMP, AAA, NetFlow, NTP, syslog, telnet, RCMD) from a loopback address drawn from one well-known address block, the servers that receive that traffic can be protected with a short, stable access list instead of one that has to track every physical interface address.
BGP Update-Source
A loopback interface stays up as long as the router itself is up, regardless of the state of any physical link. If a BGP session is sourced from the loopback, the TCP session survives individual link failures as long as the peer's loopback address remains reachable by any path, instead of dropping together with the physical interface whose address it was bound to. In short, sourcing BGP from the loopback improves the robustness of the network. This is the normal practice for iBGP; for an eBGP peer the loopback is not on a directly connected subnet, so the session additionally needs ebgp-multihop configured on both sides.
neighbor 215.17.1.35 update-source loopback 0
Router ID
The loopback address is also used as the Router-ID of OSPF and BGP, the unique identifier of the router, which must be unique within the autonomous system. Even in IPv6, the OSPFv3 and BGP Router-ID is still a 32-bit value written like an IPv4 address, which is another reason to keep an IPv4 loopback on every router. The election rule is as follows: when OSPF starts, a Cisco router picks the highest IP address among its up physical interfaces as the Router-ID, but if any loopback interface is configured, the highest loopback address is preferred instead. Once chosen, the Router-ID is deliberately kept stable and does not follow later address changes; it is only re-elected when the address in use is removed or the OSPF process is restarted. (Do not confuse this with the OSPF interface priority, which is set per interface and only affects DR/BDR election on that segment.) Relying on the election is fragile, because adding a higher loopback on a neighbour can change its identity after the next restart, so set the Router-ID explicitly in routing configuration mode:
router ospf <process-id>
 router-id *.*.*.*
!
router bgp <as-number>
 bgp router-id *.*.*.*
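The election order described above, written out as an added example (not code from the original article): an explicitly configured Router-ID wins, then a previously elected one that is still assigned to an up interface (the stability rule), then the highest loopback, then the highest physical address. The sample router, its interface names and addresses are constructed for the example; one detail worth seeing is that addresses must be compared numerically, since comparing dotted quads as strings silently picks the wrong interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class Interface:
    name: str
    address: Optional[str]   # dotted-quad IPv4 address, None if unnumbered or unassigned
    up: bool = True


def _numeric(addr: str) -> ipaddress.IPv4Address:
    """Parse a dotted quad so that '215.18.1.10' > '9.200.0.1', as the router compares them."""
    return ipaddress.IPv4Address(addr)


def elect_router_id(interfaces: Iterable[Interface],
                    configured: Optional[str] = None,
                    current: Optional[str] = None) -> Optional[str]:
    """Return the 32-bit Router-ID a Cisco router would use, as a dotted quad.

    Precedence, as described in the text:
      1. an explicitly configured router-id;
      2. the Router-ID already in use, kept for stability while its address still
         exists on an up interface;
      3. the numerically highest address on an up loopback interface;
      4. otherwise the numerically highest address on an up physical interface.
    Returns None when no usable address exists (OSPF would refuse to start).
    """
    if configured:
        return str(_numeric(configured))
    live = [i for i in interfaces if i.up and i.address is not None]
    if current and any(_numeric(i.address) == _numeric(current) for i in live):
        return str(_numeric(current))        # stability rule: do not re-elect
    loopbacks = [_numeric(i.address) for i in live if i.name.lower().startswith("loopback")]
    physical = [_numeric(i.address) for i in live if not i.name.lower().startswith("loopback")]
    pool = loopbacks or physical
    return str(max(pool)) if pool else None


def naive_string_election(interfaces: Iterable[Interface]) -> Optional[str]:
    """The classic bug: picking the 'highest' address by string comparison."""
    addrs = [i.address for i in interfaces if i.up and i.address is not None]
    return max(addrs) if addrs else None


# Constructed sample router (addresses are illustrative only).
SAMPLE_ROUTER = [
    Interface("Loopback0", "215.17.1.1"),
    Interface("Loopback1", "10.255.0.1"),
    Interface("Serial5/0", None),             # ip unnumbered, borrows Loopback0
    Interface("Fddi0/0/0", "215.18.1.10"),
    Interface("Ethernet0", "9.200.0.1"),
    Interface("Ethernet1", "220.1.1.1", up=False),  # down: never considered
]

PHYSICAL_ONLY = [i for i in SAMPLE_ROUTER if not i.name.startswith("Loopback")]

if __name__ == "__main__":
    print("with loopbacks:     ", elect_router_id(SAMPLE_ROUTER))
    print("physical only:      ", elect_router_id(PHYSICAL_ONLY))
    print("string comparison:  ", naive_string_election(PHYSICAL_ONLY))
    print("address 1.1.1.1 gone, re-elected:", elect_router_id(SAMPLE_ROUTER, current="1.1.1.1"))
```

Running it shows why the explicit router-id command is preferable: the identity of the router depends on which loopback happens to be highest, and the naive string comparison would even report 9.200.0.1 as the winner among the physical interfaces.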
IP Unnumbered Interfaces
A point-to-point interface can be left unnumbered and borrow the loopback's address instead of consuming a dedicated subnet per link, which saves address space. The loopback is the right interface to borrow from because it never goes down, so the borrowed address (and the prefix the router advertises for it) stays valid whatever happens to individual links. Note that ip unnumbered only works on point-to-point interfaces, not on multi-access media such as Ethernet.
Example:
interface loopback 0
ip address 215.17.3.1 255.255.255.255
!
interface Serial 5/0
bandwidth 128
ip unnumbered loopback 0
Exception Dumps by FTP
When a Cisco router crashes, IOS can write a core dump of its memory to an FTP server as part of diagnosis and debugging. A core dump contains the router's running memory, including its configuration and whatever credentials were in use, so it must be sent to a dedicated, locked-down FTP server rather than to a host running a public FTP service, and that server should be protected by an ACL that only admits the routers' source addresses (source-address filtering is the main protection available here, so the server must not also be exposed where TCP address spoofing is practical). If every router sources FTP from its loopback and all loopbacks come from one address block, the ACL reduces to a single entry for that block. Also note that the FTP password stored below with the type-7 flag is only obfuscated, not encrypted, so the router configuration itself has to be protected as a secret.
Sample IOS configuration:
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password 7 045802150C2E
exception protocol ftp
exception dump 169.223.32.1
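The caveat above about type-7 strings is easy to demonstrate. The following is an added example (not code from the original article) implementing the well-known reversible type-7 scheme: two decimal digits of seed followed by the password bytes XORed with a fixed key string. The two type-7 strings that appear in this article's own sample configurations (the FTP password here and the NTP authentication key further down) are used as input; the scanner function and its constructed config fragment are assumptions for the example.

```python
# Fixed key string used by the Cisco type-7 obfuscation scheme.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def looks_like_type7(token: str) -> bool:
    """Even-length hex string of at least 4 chars whose first two digits are a valid seed."""
    return (len(token) >= 4 and len(token) % 2 == 0
            and all(c in "0123456789abcdefABCDEF" for c in token)
            and token[:2].isdigit() and int(token[:2]) < len(XLAT))


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: seed = first two decimal digits, then hex bytes XOR key."""
    if not looks_like_type7(encoded):
        raise ValueError(f"not a type-7 string: {encoded!r}")
    seed = int(encoded[:2])
    out = []
    for i, pos in enumerate(range(2, len(encoded), 2)):
        byte = int(encoded[pos:pos + 2], 16)
        out.append(chr(byte ^ ord(XLAT[(seed + i) % len(XLAT)])))
    return "".join(out)


def encode_type7(plain: str, seed: int = 0) -> str:
    """Forward direction, used here only to show the scheme is a plain XOR round trip."""
    if not 0 <= seed < len(XLAT):
        raise ValueError("seed out of range")
    body = "".join(f"{ord(c) ^ ord(XLAT[(seed + i) % len(XLAT)]):02X}" for i, c in enumerate(plain))
    return f"{seed:02d}{body}"


def find_type7_secrets(config: str):
    """Scan a config for tokens flagged with encryption type 7 and decode them.

    IOS puts the '7' before the string for most commands (ip ftp password 7 ...)
    but after it for ntp authentication-key, so both neighbours are checked.
    """
    found = []
    for line in config.splitlines():
        toks = line.split()
        for i, tok in enumerate(toks):
            if tok != "7":
                continue
            for j in (i + 1, i - 1):
                if 0 <= j < len(toks) and looks_like_type7(toks[j]):
                    found.append((line.strip(), decode_type7(toks[j])))
                    break
    return found


# Constructed fragment built from this article's own sample lines.
SAMPLE_CONFIG = """
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password 7 045802150C2E
exception protocol ftp
ntp authentication-key 1234 md5 104D000A0618 7
ntp trusted-key 1234
tacacs-server key CKr3t#
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{line:50s} -> {secret!r}")
```

Both strings decode to the same trivial password, which is the practical point: a copy of the configuration (on the TFTP server, in a core dump, in a backup) is as sensitive as the passwords it contains. Where IOS offers a real hash (enable secret, and the username ... secret form) use it; type 7 only protects against someone reading over your shoulder.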
TFTP-SERVER Access
TFTP has no authentication of its own, so the only protection available is filtering by source address on the TFTP server. IOS lets the TFTP client be bound to a fixed interface address; when every router uses its loopback, the TFTP server's ACL becomes a fixed list of loopback addresses (or the loopback block) rather than a list of every physical interface address that might otherwise be chosen as the source.
ip tftp source-interface Loopback0
SNMP-SERVER Access
The loopback can also be used to control access to network management. If the SNMP traps a router sends originate from its loopback, the SNMP manager in the network management centre (and any filter in front of it) can be restricted to the loopback addresses. In the other direction, the access-list attached to the community string limits which management hosts may poll the router at all. Remember that SNMPv1/v2c community strings travel in cleartext, so the ACL and the community string together are the only protection unless SNMPv3 is available.
Sample IOS configuration:
access-list 98 permit 215.17.34.1
access-list 98 permit 215.17.1.1
access-list 98 deny any
!
snmp-server community 5nmc02m RO 98
snmp-server trap-source Loopback0
snmp-server trap-authentication
snmp-server host 215.17.34.1 5nmc02m
snmp-server host 215.17.1.1 5nmc02m
TACACS/RADIUS-Server Source Interface
When TACACS+ or RADIUS is used, whether for administrator logins to the router or for authenticating dial-in users, configure the router to send its TACACS+/RADIUS packets from the loopback. The AAA server then only has to know the loopback addresses as registered clients (the shared key is tied to the client address), and the filters in front of it can be tightened to that address block. The RADIUS examples below use the legacy ports 1645/1646; current servers default to 1812/1813, so the ports must match what the server listens on.
TACACS
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 215.17.1.2
tacacs-server host 215.17.34.10
tacacs-server key CKr3t#
!
RADIUS
radius-server host 215.17.1.2 auth-port 1645 acct-port 1646
radius-server host 215.17.34.10 auth-port 1645 acct-port 1646
ip radius source-interface Loopback0
!
NetFlow Flow-Export
Routers export traffic records to a NetFlow collector for traffic analysis and billing. Using the router's loopback address as the source of all exported flow records allows a more precise and cheaper filter on the collector or at its perimeter, since the collector only has to accept datagrams from the loopback block.
ip flow-export destination 215.17.13.1 9996
ip flow-export source Loopback0
ip flow-export version 5 origin-as
!
interface Fddi0/0/0
description FDDI link to IXP
ip address 215.18.1.10 255.255.255.0
ip route-cache flow
ip route-cache distributed
no keepalive
!
The Fddi0/0/0 interface is configured to collect flow statistics. The router exports NetFlow version 5 records over UDP to the collector at 215.17.13.1, port 9996, and every exported datagram carries the router's loopback address as its source. Because NetFlow is UDP, the collector cannot verify the sender beyond its address; this is one more reason to keep the loopback block well separated and to filter spoofed sources at the network edge.
NTP Source Interface
NTP keeps the clocks of all routers in a network synchronised, typically to within a few milliseconds, which matters for correlating logs across devices. If the loopback address is used as the source address between NTP peers, address filtering and key-based authentication become easy to maintain and enforce. Many ISPs want their customers to synchronise only with the ISP's own time servers and not with time servers elsewhere in the world.
clock timezone SST 8
!
access-list 5 permit 192.36.143.150
access-list 5 permit 169.223.50.14
!
ntp authentication-key 1234 md5 104D000A0618 7
ntp authenticate
ntp trusted-key 1234
ntp source Loopback0
ntp access-group peer 5
ntp update-calendar
ntp peer 192.36.143.150
ntp peer 169.223.50.14
!
SYSLOG Source Interface
The syslog server also needs to be properly protected in the ISP backbone. Many ISPs only want to collect their own routers' log messages and not bogus messages injected from outside the network, and denial-of-service attacks on syslog servers are not unknown. If the log messages come from a well-planned address space, for example the routers' loopback addresses, the syslog server's filters are straightforward to configure. Since syslog runs over UDP, a spoofed message with a loopback source address would still pass such a filter, so the loopback block must also be protected by anti-spoofing filters at the network edge.
A configuration example:
logging buffered 16384
logging trap debugging
logging source-interface Loopback0
logging facility local7
logging 169.223.32.1
!
Telnet to the Router
Use the loopback address as the destination when managing a router remotely. This is more robust: a telnet session to a physical interface address is a TCP connection bound to that address and dies when the interface goes down, while a session to the loopback survives as long as any path to the router exists. Publishing the loopback address in DNS means the router can be reached by name from anywhere it is routable, which becomes important as the ISP keeps growing and adding devices. Because a loopback never needs a peer on a shared subnet, its address is given a 32-bit mask to conserve address space. Telnet itself is cleartext; where the IOS image supports it, use SSH with the same source interface (ip ssh source-interface Loopback0) and restrict the vty lines with an access-class so that only the management hosts can connect.
Examples of DNS forward and reverse zone files (the domain names were lost from this copy; only the record layout remains):
; zone file
. IN SOA . . (
1998072901 ; version == date(YYYYMMDD)+serial
10800 ; Refresh (3 hours)
900 ; Retry (15 minutes)
172800 ; Expire (48 hours)
43200 ) ; Minimum (12 hours)
IN NS .
IN NS .
IN MX 10 .
IN MX 20 .
localhost IN A 127.0.0.1
gateway1 IN A 215.17.1.1
gateway2 IN A 215.17.1.2
gateway3 IN A 215.17.1.3
;etc etc
; 1.17. zone file
1.17.. IN SOA . . (
1998072901 ; version == date(YYYYMMDD)+serial
10800 ; Refresh (3 hours)
900 ; Retry (15 minutes)
172800 ; Expire (48 hours)
43200 ) ; Minimum (12 hours)
IN NS .
IN NS .
1 IN PTR .
2 IN PTR .
3 IN PTR .
;etc etc
On the router, set the telnet source to the loopback interface:
ip telnet source-interface Loopback0
RCMD to the router
RCMD lets administrators with UNIX rlogin/rsh clients run commands on the router. Some ISPs use it to capture interface statistics, copy configuration files to or from the router, or dump the routing table. Because rsh authorisation is based on nothing more than the peer's address and remote username, the router should be configured to source every RCMD connection from its loopback, so that the trust relationship on the UNIX host can be tied to the fixed loopback address:
ip rcmd source-interface Loopback0
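Every section above makes the same recommendation for a different service, which invites a check that none has been forgotten. The following is an added example (not part of the original article): a small audit script that reads an IOS-style configuration and reports each management-plane service that is not pinned to Loopback0, each iBGP neighbour without a matching update-source, and each SNMP community configured without an access-list. The command syntax checked is the one used in this article's own samples; the sample configuration, with its deliberate omissions, is constructed for the example.

```python
import re

LOOPBACK = "Loopback0"

# Management-plane commands from this article whose source should be the loopback.
SOURCE_COMMANDS = [
    ("FTP (core dumps)", r"^ip ftp source-interface (.+)$"),
    ("TFTP",             r"^ip tftp source-interface (.+)$"),
    ("SNMP traps",       r"^snmp-server trap-source (.+)$"),
    ("TACACS+",          r"^ip tacacs source-interface (.+)$"),
    ("RADIUS",           r"^ip radius source-interface (.+)$"),
    ("NetFlow export",   r"^ip flow-export source (.+)$"),
    ("NTP",              r"^ntp source (.+)$"),
    ("Syslog",           r"^logging source-interface (.+)$"),
    ("Telnet client",    r"^ip telnet source-interface (.+)$"),
    ("RCMD",             r"^ip rcmd source-interface (.+)$"),
]


def _lines(config: str):
    """Configuration lines with indentation, blanks and '!' comment lines removed."""
    return [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]


def _same_interface(a: str, b: str) -> bool:
    """IOS accepts both 'loopback 0' and 'Loopback0'; compare ignoring case and spaces."""
    return a.replace(" ", "").lower() == b.replace(" ", "").lower()


def audit_sources(config: str, loopback: str = LOOPBACK):
    findings = []
    lines = _lines(config)
    for desc, pattern in SOURCE_COMMANDS:
        rx = re.compile(pattern, re.IGNORECASE)
        values = [m.group(1).strip() for m in map(rx.match, lines) if m]
        if not values:
            findings.append(f"{desc}: no source interface configured")
            continue
        wrong = [v for v in values if not _same_interface(v, loopback)]
        if wrong:
            findings.append(f"{desc}: sourced from {wrong[0]} instead of {loopback}")
    return findings


def audit_bgp(config: str, loopback: str = LOOPBACK):
    """Only iBGP peers (remote-as equal to the local AS) are expected to use the loopback."""
    local_as, remote_as, update_src = None, {}, {}
    for line in _lines(config):
        if m := re.match(r"^router bgp (\d+)$", line):
            local_as = m.group(1)
        elif m := re.match(r"^neighbor (\S+) remote-as (\d+)$", line):
            remote_as[m.group(1)] = m.group(2)
        elif m := re.match(r"^neighbor (\S+) update-source (.+)$", line):
            update_src[m.group(1)] = m.group(2).strip()
    findings = []
    for peer, asn in remote_as.items():
        if asn != local_as:
            continue  # eBGP: normally sourced from the directly connected interface
        src = update_src.get(peer)
        if src is None:
            findings.append(f"iBGP neighbor {peer}: no update-source")
        elif not _same_interface(src, loopback):
            findings.append(f"iBGP neighbor {peer}: update-source {src} instead of {loopback}")
    return findings


def audit_snmp(config: str):
    """Flag community strings that are not restricted by an access-list."""
    findings = []
    rx = re.compile(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+(RO|RW)(?:\s+(\S+))?$", re.I)
    for line in _lines(config):
        if (m := rx.match(line)) and not m.group(3):
            findings.append(f"SNMP community '{m.group(1)}' ({m.group(2).upper()}): no access-list")
    return findings


def audit(config: str, loopback: str = LOOPBACK):
    return audit_sources(config, loopback) + audit_bgp(config, loopback) + audit_snmp(config)


# Constructed sample: the article's recommendations, with a few deliberately missing.
SAMPLE_CONFIG = """
hostname gw1
!
interface Loopback0
 ip address 215.17.1.1 255.255.255.255
!
router bgp 65500
 neighbor 215.17.1.35 remote-as 65500
 neighbor 215.17.1.35 update-source loopback 0
 neighbor 215.17.1.36 remote-as 65500
 neighbor 215.18.1.20 remote-as 65501
!
ip ftp source-interface Loopback0
ip tftp source-interface Loopback0
snmp-server community 5nmc02m RO 98
snmp-server community public RW
snmp-server trap-source Loopback0
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
ip flow-export source Loopback0
logging source-interface Loopback0
ip telnet source-interface Serial5/0
ip rcmd source-interface Loopback0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["all management traffic is sourced from Loopback0"]:
        print(finding)
```

Run against a real configuration (show running-config saved to a file), an empty result means the server-side ACLs in the sections above can safely be written in terms of the loopback block alone; every finding is a service whose traffic would otherwise arrive from an unexpected physical address and either be dropped by those ACLs or force them to be widened.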