Cisco DistributedDirector 2500 Series Install and Config Guide
Configuring Cisco Routers as DRP Server Agents

This chapter describes how to configure DRP server agents on Cisco routers. For the Director to distribute traffic load efficiently, it needs to query border routers (or peers to border routers) for BGP and IGP metrics. The Director obtains these metrics via the Director Response Protocol (DRP). The chapter contains the following sections:

Choosing the Cisco Routers to Configure

Configuring the DRP Server Agent

Sample Configuration

For more complete information about Director commands, see the chapter "."

Choosing the Cisco Routers to Configure

When you enable DRP on a Cisco router, the router gains the additional functionality of being a DRP server agent. The router that will also be a DRP server agent must meet these requirements:

The DRP server agent should be topologically close to each distributed server it supports.

If the distributed servers assigned to one subdomain or host name are in different autonomous systems, the DRP server agent must have access to full BGP Internet routing tables. For example, the DRP server agent could be a border router or a peer to a border router. The DRP external metric is derived from BGP information. In addition, if you want to use the DRP internal metric, the DRP server agent must have access to full IGP routing tables.

If the distributed servers assigned to one subdomain or host name are in the same autonomous system, the DRP server agent must have access to full IGP routing tables (but BGP information is not needed). The DRP internal metric is derived from IGP information.

When you use the DRP internal metric for distributed servers assigned to one subdomain or host name, all of the associated DRP server agents should use the same type of IGP, such as RIP, RIP2, IGRP, or OSPF.

Remember that a DRP server agent can communicate with multiple Directors and support multiple distributed servers.

Configuring the DRP Server Agent

Perform the following tasks on a Cisco router in global configuration mode to configure the router as a DRP server agent:


Note: The router must support DRP, which is present in Cisco IOS versions 11.2(4)F and later.

Task and command:

Step 1 Turn on the DRP agent.

ip drp server

Step 2 Enable security for DRP by defining a standard access list that permits requests from the Director only.

access-list number permit [Director-IP-address]
access-list number deny any

Step 3 Ensure that the router accepts DRP queries from the IP addresses associated with the standard access list only.

ip drp access-group access-list-number

Set up Message Digest (MD5) authentication with passwords as another security measure.

Step 4 Enable the DRP authentication key chain.

ip drp authentication key-chain name-of-chain

Step 5 Set up a key chain, using the same name used in the prior step.

key chain name-of-chain
key number
key-string text
exit

This sets up an authentication key chain containing one key.

Step 6 Check the configuration with the EXEC command.

show ip drp

The key chain is an encrypted password that helps prevent DRP-based denial-of-service attacks. The key chain, a string of characters without spaces, must match the key chain of the Directors that the agent communicates with. If MD5 authentication is configured on a DRP server agent, the Director must be similarly configured so that it recognizes messages from that agent and from any other DRP server agents configured for MD5 authentication.

Configuring additional DRP server agents for MD5 authentication is optional.

The following show ip drp output example indicates that all 30 requests were successfully looked up and replied to. If any requests had been denied because MD5 authentication failed or because of access lists, then "failures" would report the denied requests.

30 director requests, 30 successful lookups, 0 failures

Sample Configuration

This section shows a sample configuration, using the network arrangement in Figure 5-1.

Figure 5-1 Sample Network Arrangement

For each router shown in Figure 5-1, you would turn on the DRP server agent with the following global configuration command:

ip drp server

To set up security, you might enter the following global configuration commands on each router.

To set up an access list, you would enter these global configuration commands:

access-list 1 permit 10.0.0.1 
access-list 1 deny any

Then enter the following global configuration command to ensure that the router accepts DRP queries from the IP addresses associated with the access list only:

ip drp access-group 1

To set up MD5 authentication with passwords, you must first set up a key chain by entering a sequence of global configuration commands like the following:

key chain violet 
key 5 
key-string carnation 
exit

This sets up an authentication key chain containing one key.

Then make this the DRP authentication key chain with the following global configuration command:

ip drp authentication key-chain violet
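
The following audit script is an added example, not part of the original Cisco guide. It checks a saved router configuration for the access-list and key-chain hardening described in Steps 1 through 5 and in the sample configuration above. The names audit_drp, _arg, _chain_has_key and SAMPLE_CONFIG are hypothetical, and the script assumes one command per line.

```python
import re

# Constructed input: the page's sample commands (access list 1, Director
# 10.0.0.1, key chain "violet") laid out as a saved configuration.
SAMPLE_CONFIG = """\
ip drp server
ip drp access-group 1
ip drp authentication key-chain violet
access-list 1 permit 10.0.0.1
access-list 1 deny any
key chain violet
 key 5
  key-string carnation
"""

def _arg(lines, pattern):
    """First capture group of the first line fully matching pattern, else None."""
    hits = (re.fullmatch(pattern, ln) for ln in lines)
    return next((m.group(1) for m in hits if m), None)

def _chain_has_key(lines, chain):
    """True if 'key chain <chain>' is directly followed by a key with a key-string."""
    pattern = rf"^key chain {re.escape(chain)}\n(?:key \d+\n)+key-string \S"
    return re.search(pattern, "\n".join(lines), re.M) is not None

def audit_drp(config):
    """Return findings for a DRP server agent; an empty list means Steps 1-5 are in place."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "ip drp server" not in lines:
        return []  # DRP agent is off, so there is nothing to restrict
    findings = []
    acl = _arg(lines, r"ip drp access-group (\d+)")
    sources = [ln.split()[3] for ln in lines if ln.startswith(f"access-list {acl} permit ")]
    if acl is None:
        findings.append("no ip drp access-group: queries accepted from any address")
    elif not sources:
        findings.append(f"access-list {acl} has no permit entry for a Director")
    elif "any" in sources:
        findings.append(f"access-list {acl} permits any source")
    chain = _arg(lines, r"ip drp authentication key-chain (\S+)")
    if chain is None:
        findings.append("no ip drp authentication key-chain: DRP is unauthenticated")
    elif not _chain_has_key(lines, chain):
        findings.append(f"key chain {chain} has no key-string configured")
    return findings
```

Run audit_drp over each agent's saved configuration; any returned finding names the step that is missing or too permissive.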