Posted by Stealth
on Saturday February 13, 2010 @ 06:27pm
Posted by formatc
on Monday February 15, 2010 @ 07:16am

> Ok.. new topic. Loopback addresses. Seeing that we have a network inspection coming up, there's a number of CAT II and CAT III findings regarding having snmp/syslog/snmp/etc coming from loopback addresses. We aren't using loopbacks now, we do single in/out routes, statically with only one AS at one site and the rest are static routes back to the provider so it's not like source/destination ips change for management. We have lots of extra /24's that I can use to figure out a scheme to address the devices, but I'm more curious as to how the routing should be done. We aren't doing any out-of-band or tunneling the inband over and site-2-site, but that could be set up also.
>
> So.. does anyone use loopbacks for management? Do you use 10.xxx.yyy.zzz addresses with site2site tunnels or routable /32 addresses with lots of static route maps? The system is working now, but as we come up to speed with the new inspection requirements, well, I'm left to make it work. It's not hard, it's just I don't really know what the best practices are and there doesn't seem to be a good source of general "here's the best way to do it" type things, besides Cisco's sucky white papers. A lot of the material seemed to be designed to talk about multi-peered routers or those with direct connections of a sort. Anyways.. any edumication is a good thing.. so thanks in advance!

Man, I have been out of the layer 3 heavy lifting for way too long. Loopback addresses? As in the class A 127.0.0.0/8? My guess is you may be talking about RFC1918 address space. Preserve the routables or do VLSMs and have a flat routing network. More info please. I love this shit.

Considering your gene pool, please wear a condom.
Posted by Stealth
on Saturday February 20, 2010 @ 05:46pm

> Man, I have been out of the layer 3 heavy lifting for way too long. Loopback addresses? As in the class A 127.0.0.0/8? My guess is you may be talking about RFC1918 address space. Preserve the routables or do VLSMs and have a flat routing network. More info please. I love this shit.

That's what I had thought at first.. then I started reading some stuff and that led me to this question. heheh It really helps me to have examples of how people use this stuff to understand how it works.. it's just hard to find live working examples that make sense.

"Access Terminated. End of line" - Master Control Program
Posted by Krux
on Tuesday February 16, 2010 @ 12:55pm

> Ok.. new topic. Loopback addresses. Seeing that we have a network inspection coming up, there's a number of CAT II and CAT III findings regarding having snmp/syslog/snmp/etc coming from loopback addresses. We aren't using loopbacks now, we do single in/out routes, statically with only one AS at one site and the rest are static routes back to the provider so it's not like source/destination ips change for management. We have lots of extra /24's that I can use to figure out a scheme to address the devices, but I'm more curious as to how the routing should be done. We aren't doing any out-of-band or tunneling the inband over and site-2-site, but that could be set up also.
>
> So.. does anyone use loopbacks for management? Do you use 10.xxx.yyy.zzz addresses with site2site tunnels or routable /32 addresses with lots of static route maps? The system is working now, but as we come up to speed with the new inspection requirements, well, I'm left to make it work. It's not hard, it's just I don't really know what the best practices are and there doesn't seem to be a good source of general "here's the best way to do it" type things, besides Cisco's sucky white papers. A lot of the material seemed to be designed to talk about multi-peered routers or those with direct connections of a sort. Anyways.. any edumication is a good thing.. so thanks in advance!

> Man, I have been out of the layer 3 heavy lifting for way too long. Loopback addresses? As in the class A 127.0.0.0/8? My guess is you may be talking about RFC1918 address space. Preserve the routables or do VLSMs and have a flat routing network. More info please. I love this shit.

You use a loopback address, which is a valid IP address on a virtual interface on the router, usually with a /32 netmask, for things like providing a consistent address for network management, snmp, and log messages. Also routing protocols will make use of the loopback address. They are generally a good idea. As for what type of address you give it, well that depends on what fits into your IP addressing scheme. If it's on the public internet, your loopback address is likely to be publicly routable. Internal, well if you're using RFC1918 for things, then one of those. Mainly you want it to fit in with your existing addressing scheme, assuming that you have one.

Speaking of IP addressing, what are people using to manage their address space? I just use an Excel spreadsheet with network name, subnet in CIDR format, and vlan info. Then I wrote a couple macros to sort everything correctly based on the IP address. Macro just does a search and replace on the column to format the IP to a fixed width (010.050.128.000/24), sorts it, then changes it back. I should write macros to split and join subnets since I deal with a lot of VLSM, though at that point I should just write a web app that does what I want and be done with it.

"Apparently NONE of you are up to date on quantum locative theory. Using Schroedinger's Non-Determinancy Equation, it can be said that SOMEONE is either here or there, but it's impossible to tell if someone in PARTICULAR is here or there until we stuff you in a box with a dead cat." -- Dun Malg
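The sort-by-fixed-width trick and the split/join macros Krux describes above, as an added example that is not code from the thread or from anyone in it: the same three operations done with Python's standard `ipaddress` module, plus the validation step a spreadsheet never gives you. The subnet rows, network names and VLAN ids are constructed sample data, not anyone's real address plan.

```python
"""Added example: the IPAM spreadsheet helpers described in the post above,
done with Python's standard ipaddress module. The subnet rows are constructed
sample data, not anyone's real address plan."""
import ipaddress
from typing import List, Tuple

# Constructed sample rows: (network name, subnet in CIDR, VLAN id)
ROWS: List[Tuple[str, str, int]] = [
    ("siteA-users", "10.50.128.0/24", 128),
    ("core-mgmt", "10.5.0.0/16", 5),
    ("siteA-servers", "10.50.0.0/22", 20),
    ("dmz", "192.168.1.0/24", 900),
    ("typo-row", "10.50.128.1/24", 129),   # host bits set: a data-entry error
]


def pad_cidr(cidr: str) -> str:
    """The spreadsheet trick: zero-pad each octet (and the prefix length) so a
    plain text sort orders rows numerically, e.g. 10.50.128.0/24 ->
    010.050.128.000/24. Padding the prefix matters too: without it "/8"
    sorts after "/16" as text."""
    addr, prefix = cidr.split("/")
    octets = ".".join(f"{int(o):03d}" for o in addr.split("."))
    return f"{octets}/{int(prefix):02d}"


def unpad_cidr(padded: str) -> str:
    """Reverse of pad_cidr, i.e. the macro's 'change it back' step."""
    addr, prefix = padded.split("/")
    return ".".join(str(int(o)) for o in addr.split(".")) + f"/{int(prefix)}"


def bad_rows(rows):
    """Rows whose CIDR is not a valid network (host bits set, bad octet).
    strict=True is what catches 10.50.128.1/24."""
    bad = []
    for row in rows:
        try:
            ipaddress.IPv4Network(row[1], strict=True)
        except ValueError:
            bad.append(row)
    return bad


def sort_rows(rows):
    """Numeric sort without the pad/unpad round trip: IPv4Network objects
    compare by network address, then by prefix length. Invalid rows are left
    out here; report them with bad_rows() rather than silently dropping them."""
    bad = set(bad_rows(rows))
    valid = [r for r in rows if r not in bad]
    return sorted(valid, key=lambda r: ipaddress.IPv4Network(r[1], strict=True))


def split_subnet(cidr: str, new_prefix: int) -> List[str]:
    """VLSM split, e.g. a /22 into four /24s."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def join_subnets(cidrs: List[str]) -> List[str]:
    """Join only what is actually aligned: 10.50.0.0/24 + 10.50.1.0/24 become
    10.50.0.0/23, but 10.50.1.0/24 + 10.50.2.0/24 stay as they are."""
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for row in sort_rows(ROWS):
        print(pad_cidr(row[1]), row[0], row[2])
    print("invalid:", bad_rows(ROWS))
    print(split_subnet("10.50.0.0/22", 24))
    print(join_subnets(["10.50.0.0/24", "10.50.1.0/24"]))
```

Sorting the padded strings and sorting the `IPv4Network` objects give the same order, which is why the macro works; the one thing the macro cannot do is flag the typo row, and a /24 written with host bits set is exactly the kind of entry that later turns into a wrong ACL or route.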
Posted by Stealth
on Saturday February 20, 2010 @ 05:45pm

> You use a loopback address, which is a valid IP address on a virtual interface on the router, usually with a /32 netmask, for things like providing a consistent address for network management, snmp, and log messages. Also routing protocols will make use of the loopback address. They are generally a good idea. As for what type of address you give it, well that depends on what fits into your IP addressing scheme. If it's on the public internet, your loopback address is likely to be publicly routable. Internal, well if you're using RFC1918 for things, then one of those. Mainly you want it to fit in with your existing addressing scheme, assuming that you have one.

Right.. so.. how would you handle the routing for those multiple devices at multiple sites? You make static ip route statements? But would you only then route back that traffic to your NOC right? I suppose you can't use that with outside BGP type routing, since it might not be part of the AS you are using.. This is where I start to get a little fuzzy.

Also, do you assign the loopbacks to your switches? I suppose you could do it on a vlan, but then it's a SVI address right? Not a loopback address? The reason I bring it up is some of the new DISA requirements and they don't ever provide examples for this type of stuff.

> Speaking of IP addressing, what are people using to manage their address space? I just use an Excel spreadsheet with network name, subnet in CIDR format, and vlan info. Then I wrote a couple macros to sort everything correctly based on the IP address. Macro just does a search and replace on the column to format the IP to a fixed width (010.050.128.000/24), sorts it, then changes it back. I should write macros to split and join subnets since I deal with a lot of VLSM, though at that point I should just write a web app that does what I want and be done with it.

Excel spreadsheet.. I only have two B class addresses and almost all of it is split into single C's.. it makes it easy.

Third Question - How do most of you guys do your management? In-band with a vlan/different ip subnet? Serial/modem pool thing? If you had money to change how you did it (yeah DoD 'budget') what would you do? What about your mgmt workstations? Dual nics or ssh/rdp to the mgmt hardware and go that way? It's a balance of security vs simplicity, I get that.. but I would think at some point, too much security becomes overkill.

"What has two thumbs and doesn't give a crap?" - Dr Bob Kelso, that's who
Posted by Krux
on Sunday February 21, 2010 @ 07:46pm

> Right.. so.. how would you handle the routing for those multiple devices at multiple sites? You make static ip route statements? But would you only then route back that traffic to your NOC right? I suppose you can't use that with outside BGP type routing, since it might not be part of the AS you are using.. This is where I start to get a little fuzzy.

No, just advertise the loopback addresses in your routing protocol.

> Also, do you assign the loopbacks to your switches? I suppose you could do it on a vlan, but then it's a SVI address right? Not a loopback address? The reason I bring it up is some of the new DISA requirements and they don't ever provide examples for this type of stuff.

I don't run routing on my switches, so I don't bother there, I just give the switch a management VLAN interface that gets trunked back to the routers the switch is attached to. Now there are a couple instances where you actually do have to run routing on the switch, but that's only when you have switch modules that plug into a 3845 router... they are a 3570 on a blade, but you can't run trunk across the router back plane, so you have a routed vlan between the router and the switch. Kind of screwy, but it works. I have seen talks on actually pushing your routing out to the edge, now that you can do sub-millisecond routing topology changes. In which case then, yes your switches would have loopback interfaces. Personally I don't see there as being a real need for routing at the edge on any network I've managed. Not to say there isn't a case where it would make sense to do that, just I haven't seen it.

> Excel spreadsheet.. I only have two B class addresses and almost all of it is split into single C's.. it makes it easy.

Since I manage a thousand or so subnets easily with an Excel spreadsheet, that's probably what I'll continue to do, unless I see a compelling reason to do otherwise. More curious what other people were doing.

> Third Question - How do most of you guys do your management? In-band with a vlan/different ip subnet? Serial/modem pool thing? If you had money to change how you did it (yeah DoD 'budget') what would you do? What about your mgmt workstations? Dual nics or ssh/rdp to the mgmt hardware and go that way? It's a balance of security vs simplicity, I get that.. but I would think at some point, too much security becomes overkill.

Mostly in band. I started putting in an out of band network for management, but everything didn't get moved over, and it only really got used if the inband was not working for some reason.

"In another five minutes when the potatoes turn into weevils, we'll have root access and it'll ALL be ours for the taking!"
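Krux's answer above ("just advertise the loopback addresses in your routing protocol") together with the earlier point about a consistent source address for SNMP and syslog, as an added example that is not from the thread or from any vendor: a script that carves a /32 loopback for every router out of one of the spare /24s Stealth mentioned and renders the matching Cisco IOS stanzas. The inventory, the hostnames and the 10.255.0.0/24 block are constructed; the OSPF process number and area are assumptions.

```python
"""Added example, not from the thread: allocate per-router /32 loopbacks from
one spare /24 and render the IOS configuration that advertises them and
sources management traffic from them. Inventory and block are constructed."""
import ipaddress
from typing import Dict, List

# Constructed inventory: site -> router hostnames (not a real network)
INVENTORY: Dict[str, List[str]] = {
    "siteA": ["rtr-a1", "rtr-a2"],
    "siteB": ["rtr-b1"],
}
MGMT_BLOCK = "10.255.0.0/24"   # assumed: one spare /24 set aside for loopbacks


def allocate_loopbacks(block: str, inventory: Dict[str, List[str]]) -> Dict[str, ipaddress.IPv4Network]:
    """Hand out /32s in inventory order so the plan is reproducible.
    hosts() skips the .0 and .255 addresses; a /32 on either would work, but
    keeping them free avoids arguments with older ACLs and with humans.
    Carving every loopback from one block means the NOC needs one route (or
    one summary) for the block instead of a static route per device."""
    net = ipaddress.IPv4Network(block, strict=True)
    hosts = net.hosts()
    plan: Dict[str, ipaddress.IPv4Network] = {}
    for site, devices in inventory.items():
        for dev in devices:
            try:
                plan[dev] = ipaddress.IPv4Network(f"{next(hosts)}/32")
            except StopIteration:
                raise ValueError(f"{block} exhausted before {site}/{dev}") from None
    return plan


def ospf_wildcard(net: ipaddress.IPv4Network) -> str:
    """IOS 'network' statements take an inverse (wildcard) mask, which is the
    network's host mask: 0.0.0.0 for a /32, 0.0.3.255 for a /22."""
    return str(net.hostmask)


def render_router_config(hostname: str, loop: ipaddress.IPv4Network,
                         ospf_process: int = 1, area: int = 0) -> str:
    """IOS stanzas: the loopback itself, its advertisement in OSPF, and the
    management protocols pinned to it so SNMP/syslog/NTP/AAA always come from
    the same address regardless of which physical link is up."""
    if loop.prefixlen != 32:
        raise ValueError("management loopbacks should be /32")
    ip = loop.network_address
    lines = [
        f"hostname {hostname}",
        "!",
        "interface Loopback0",
        " description management and router-id",
        f" ip address {ip} {loop.netmask}",
        "!",
        f"router ospf {ospf_process}",
        f" router-id {ip}",
        f" network {ip} {ospf_wildcard(loop)} area {area}",
        "!",
        "logging source-interface Loopback0",
        "snmp-server trap-source Loopback0",
        "ntp source Loopback0",
        "ip tacacs source-interface Loopback0",
    ]
    return "\n".join(lines)


def render_all(block: str = MGMT_BLOCK, inventory=INVENTORY) -> Dict[str, str]:
    """One config fragment per device from the allocation plan."""
    return {dev: render_router_config(dev, loop)
            for dev, loop in allocate_loopbacks(block, inventory).items()}


if __name__ == "__main__":
    for dev, cfg in render_all().items():
        print(cfg)
        print()
```

The part worth checking before an inspection is the `source-interface` lines: without them the router sources syslog and SNMP from whichever egress interface the route lookup picks, so the collector sees a different address for the same box depending on which WAN link is up, and the loopback you advertised is never the one in the logs.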
Posted by formatc
on Tuesday February 16, 2010 @ 05:44pm

> You use a loopback address, which is a valid IP address on a virtual interface on the router, usually with a /32 netmask, for things like providing a consistent address for network management, snmp, and log messages. Also routing protocols will make use of the loopback address. They are generally a good idea. As for what type of address you give it, well that depends on what fits into your IP addressing scheme. If it's on the public internet, your loopback address is likely to be publicly routable. Internal, well if you're using RFC1918 for things, then one of those. Mainly you want it to fit in with your existing addressing scheme, assuming that you have one.

Oh yeah; I remember that. I have been living above layer three for too long.

> Speaking of IP addressing, what are people using to manage their address space? I just use an Excel spreadsheet with network name, subnet in CIDR format, and vlan info. Then I wrote a couple macros to sort everything correctly based on the IP address. Macro just does a search and replace on the column to format the IP to a fixed width (010.050.128.000/24), sorts it, then changes it back. I should write macros to split and join subnets since I deal with a lot of VLSM, though at that point I should just write a web app that does what I want and be done with it.

At WM, we had a whole IPAM team that wrote a custom app. There may be some open source tools for IPAM, not sure. I understand Infoblox is supposed to be pretty good in this space. Doesn't Solarwinds have something too?

Considering your gene pool, please wear a condom.