After Configuring the loopback0 interface what command can we do to see the interfaces state

AppleTalk Remote Access [ARA] protocol

NetBIOS Frame Protocol Control protocol

Novell Asynchronous Services Interface [NASI]

X.25 PAD connection

Designing & Planning…

A total of seven interfaces are shown. The last three, ppp0, s10, and faith0 are all shown as down in the admin and oper columns. If your m0n0wall system is running slip or ppp, you may see different results here. Interface number 4 is the standard local loopback interface at 127.0.0.1 and can usually be ignored.

The first three interfaces are the most interesting. The Ethernet interface names are sis0 and sis1. Other systems might report eth0 and eth2. These interfaces correspond to the local and WAN Ethernet ports on the m0n0wall device. A clue for which port is which is provided by the IP address column. This column shows that one interface is 10.0.1.1 and the other interface is 69.17.112.245 [the static IP of the WAN Internet connection]. Therefore, in this example, sis0 is likely the local Ethernet port and sis1 is likely the WAN Ethernet port. The very first interface is wi0. This corresponds to the wireless radio card in the m0n0wall running at IP 10.0.0.1. On Linux-based systems, this would likely appear as wlan0 or ath0.

What have we achieved so far? Quite a lot! We're remotely querying our router, m0n0wall in this case, and seeing all the interfaces available along with some basic data about them. Be sure to use the horizontal scroll bar to see what other information is available. Some devices will report the Medium Access Control [MAC] address [sometimes referred to as the “Hardware” or “Ethernet” address] in the phys column, along with the corresponding hardware vendor.

PE-200 will send a BGP VPNv4 update to ASBR-200 with the NLRI=[X] and BGP next hop=PE-200.

ASBR-200 has an eBGP session with ASBR-300; therefore, it will always rewrite the BGP next hop of any local VPNv4 route it receives to the value of its interface/loopback before passing it to ASBR-300. ABSR-200 sends NLRI=[X] and BGP next hop=ASBR-200.

The behavior of ASBR-300 will depend on whether next-hop-self is set on the peering session to PE-300. If next-hop-self is not set, then the VPNv4 update for [X] will be passed as it was received with a BGP next hop of ASBR-200. In our example, the next-hop-self has been set; therefore, the BGP next hop in the VPNv4 at PE-300 update will be set to ASBR-300.

This process breaks the RPF check for the Source [X] inside the MVPN [and any other source address in that VRF]. For the mVPN RPF check to succeed, the rule is that the next hop of the Source in the VRF routing table must=the PIM adjacency address. In our example, for the RPF check to succeed for X, the BGP next hop must be 166.50.10.3, and the PIM Neighbor must be 166.50.10.3. This is not the case as the PIM Neighbor is 166.50.10.3 [PE-200] but the BGP next hop for X is ASBR-300; therefore, Multicast traffic from Source X to the receiver in AS300 will be dropped.

The BGP connector attribute rectifies this problem by preserving the originating PE router address across the Inter-AS boundary as illustrated in Figure 2.105. The connector attribute is a little similar to the Originator ID attribute used by an RR, which preserves the originator of the route in the local AS; however, the Originator ID is a non-transitive attribute.

Figure 2.105 shows that the VPNv4 updates now include the BGP connector attribute that carries the value PE-200. Because this attribute is transitive, it will be carried across the AS boundary. Therefore, the process is the same as it was in the Figure 2.104 except that the connector preserves the originating PE router across the AS boundary, whereas the BGP next hop changes to the value of the ABSR. Therefore, PE-300 receives two pieces of information relating to the VPNv4 source address; the BGP next hop is its own AS, and the originating PE router address is in the remote AS.

When PE-300 receives the update, it will use the BGP connector value [if present] in the RPF check instead of the BGP next hop. Figure 2.106 details the logic involved.

As it is not possible to know whether a VPNv4 update will go across an AS boundary or not, every VPNv4 update in a Multicast-enabled VRF must carry the BGP connector attribute. Figure 2.107 shows the BGP connector attribute for address 192.168.2.3 [the [X] in our previous diagrams] on a VRF called VPN_RECEIVER. As you can see, the connector has the value 166.50.10.3 [PE-200] while the BGP next hop is 156.50.10.1 [which is ASBR-300]. The RPF check has been modified so that it will give precedence to the BGP Connector if present instead of the BGP next hop.

GRE redirection:

In the GRE redirection scheme, the entire intercepted packet is GRE encapsulated with the GRE header containing the routing information to the selected WAN optimizer. The WAN optimizer then decapsulates the packet for optimization.

When using GRE encapsulation for WCCP redirection, the WCCP router uses the WCCP router ID as its source IP address. The WCCP router ID is the highest loopback address on the WCCP router, or if the loopback interface is not configured, the highest address of the physical interfaces.

Since the WCCP router ID is used as the source address for packets redirected from the router to the WAN optimizer, it is also the corresponding destination address for traffic from the WAN optimizer to the router during GRE return [for more details, see the WCCP Return Schemes section].

The GRE redirection scheme allows the intercepted packets to reach the WAN optimizer even if there are multiple hops in the path between the WCCP router and the WAN optimizer. This allows the flexible placement of the WAN optimizer in cases where only L3 adjacency is provisioned.

In GRE redirection, the packet redirection is handled entirely by the router software. Therefore, the GRE redirection scheme is by default used by software routers [C7200 and Integrated Services Router] and the ASR1K.

Note:

In WCCPv2, the WCCP router ID is selected based on the highest IP address on the router or highest loopback [if configured]. The WCCP process will automatically perform this task and you cannot override it with another user-defined value. Currently, the user-configurable WCCP router ID is only supported on the ASR1K router running IOS-XE Release 3.1S, using the “ip wccp source-interface” global command.

L2 redirection:

In the L2 redirection scheme, the original Ethernet frame header is rewritten with the MAC address of the selected WAN optimizer as the destination MAC. The Ethernet frame containing the intercepted packet is then forwarded to the WAN optimizer.

The L2 redirection scheme requires L2 adjacency. In this case, WCCP router ID configuration of the WAN optimizer must reference the directly connected interface IP address of the WCCP router and not a loopback IP address or any other IP address configured on the WCCP router.

The L2 redirection is performed in hardware and is typically available on L3 switches such as the Cat6K and C7600 platforms as well as the Nexus 7000 switch.

Because L2 redirection is hardware assisted, it incurs a lower CPU utilization on the WCCP router. For this reason, L2 redirection is generally preferred over GRE redirection.

Note:

In L2 redirection, unless multicast IP addresses are used and multicast routing is enabled, the WCCP configuration of the WAN optimizer must reference the directly connected interface IP address of each WCCP router.

Note:

L2 redirection requires ingress redirection.

The simplest way to run an anycast service on the Internet is to buy the infrastructure from someone who has already set it up. Most large hosting providers do not publish price lists publicly, but they will offer the service at negotiated rates. Often times BGP routing tables will only store entries for each /24 netblock, so one would need to control at least a class C of IP address and anycast the entire range. Then routes to those IPs would need to be advertised or otherwise added to BGP tables around the Internet.12 On a private network, one would simply need to configure the routing tables on edge routers to implement the same thing. For example, one could use the same IP for the root DNS server in an enterprise with locations in New York and Berlin, and add a route on the core router in each site to send that IP to a local destination. The usual practice when setting up anycast is to use two interfaces on the server: one for the shared IP address and one specific to that host. That way one can always connect to a specific server to perform maintenance.

Anycast is becoming a popular choice for distributing services, but it has many limitations both in theory and in practice. One is that it does not provide any load-balancing guarantees. From our example, the German server will probably be busier than the American server when it is morning in the United States and the middle of the night in Germany, and anycast makes no attempt to balance those. For a service like the DNS root where both users and infrastructure are widely distributed, this just means that not all nodes will have the same level of usage at the same time.

Anycast can also create routing headaches. For example, on an internal network a host may be equally close to two different anycast nodes. Using a routing algorithm where distance is the primary factor, such as OSPF, the client may constantly flip between destinations. For DNS this usually is not a problem since it primarily uses single UDP packets and is a stateless protocol. The public Internet uses BGP for internetwork routing which tends to choose stable routes. But for a stateful application like a web site, or even for any TCP session that involved multiple packets, there is always a chance that routes will flap mid-session. The closer topologically the instances are, and the longer the sessions run, the more likely these issues are to arise. Also in all cases the routing state needs to be closely coupled with the status of the application. For example, a route should not be advertised before the application is available, and it should be withdrawn whenever the service is off-line.

Another potential problem is the “cascading failures” scenario, where a large volume of traffic going to a single node will overwhelm it, then all that traffic will be routed to the next closest node and repeat the problem. One configuration to help avoid this is to use many local nodes and a few global nodes, which can be thought of as two tiers of service. If a local node fails the clients will be directed to a more powerful global node instead of failing over to another local node. The F root server uses this configuration, with two global nodes in San Francisco and Palo Alto, and more than 30 local nodes around the world. They tend to deploy the local nodes at Internet exchange points and mark the routes as nonexportable in BGP.13

For extremely high availability, a related best practice is to avoid doing software upgrades at the same time across all nodes, and in fact to vary the version and software packages themselves at different points in the network. This is to prevent bugs from taking down the entire system. Sometimes bugs can be extremely subtle and will only manifest based on the large volume of real-world Internet traffic. This practice can be seen at large scale across the DNS root, where different providers run BIND, NSD, and Knot DNS. Of course, running different types and versions of software is much more administratively complex; this can result in human errors that are worse than the cascading software failures. Therefore it should only be attempted on critical infrastructure with a large administrative operation.

One final hurdle an administrator may encounter is that many routers employ reverse path forwarding [RPF] checks to verify that they are not forwarding traffic with a spoofed source IP. They do this by checking if the interface on which they receive a packet matches the current routing table. Specifically, the interface on which a packet is received must match the interface on which it would be sent if going back to that source IP. There are scenarios where anycast will break this assumption, since the network view from the source IP may not be identical to the view from the intermediate router. For administrators facilitating anycast traffic, the topic of RPF within multihomed networks is discussed in RFC 3704. There is not much an end user can do if an upstream router blocks anycast traffic from part of their network, other than trying to negotiate with that provider. This is another argument for leasing infrastructure that has already been set up and tested.

Anycast creates several challenges for security analysis, mostly around detecting route hijacking. For example, without anycast, one may try connecting to a service from different regions to verify they all get routed to the same place. Or, one may try tracerouting from different locations to see if the connection includes unexpected hops. On an anycast network, one would expect to see wildly different routes depending on the origin or even the current state of the network. For example, if a user in Country A connects to an anycast service that has a node in Country A, but is actually routed to an end point in Country B, is that an example of route hijacking or is it simply a time when the network in Country A was experiencing congestion? These analyses can still be accomplished by comparing many different hosts that are topologically close together, but it is more difficult than the pre-anycast scenario. DNS helps with this problem by providing an optional NSID field that can return an id number for each server. Administrators can use this to determine which server they are being routed to. Dig will provide this info with the +nsid option.