Dragon0x40


Definition of the networking term source

I have heard the term source used a lot in networking. What exactly do people mean when they say things like:
please modify your config so you can source both ssh and tacacs to the loopback interface.
or
ping the device with a source address from network nn.n.n.n

My take is that the loopback interface should be assigned the IP address that will be used to ssh to the device and that the tacacs server should have an entry for the IP address assigned to the loopback interface. If so, wouldn't it have been easier to say please make sure you create a loopback interface and assign it the correct address?

I am not sure how you ping with an IP sourced from a particular network. I have tried on certain devices by just typing ping and then Enter to get options, but I have not seen a source network option.
DonConsolio

Source usually refers to the "sender" of a packet sent over the network.

If you have multiple interfaces on one machine and start a ping you can give the "-I" option to specify the sending interface

e.g. "ping -I nn.n.n.n pinghost"
Dragon0x40

ASKER

thanks DonConsolio,

Is that ping - "eye" I or "ell" l? And is that from a Windows box or a router?

10.0.0.7 is the sending interface and pinghost is the device you want to ping?

On my XP computer, the i option specifies TTL and the L option specifies buffer size.

c:\>ping /?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] target_name

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.
ASKER CERTIFIED SOLUTION
muff
This solution is only available to members.
I just found out that you have to put a "y" in the extended commands prompt and it will ask for the source interface

#ping
Protocol [ip]:
Target IP address: nn.nnn.n.n
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan###
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to nn.nnn.n.n, timeout is 2 seconds:
Packet sent with a source address of nn.nnn.n.n
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
thanks muff,

>>This "please modify your config so you can source both ssh and tacacs to the loopback interface" is looking to set up something more permanent.  With IOS you can define a loopback interface, which is effectively a virtual interface.  You give it an IP address.

>>Then you can use the command:

>> ip ssh source-interface loopback0

>>Which means that any ssh packets will originate with the ip address bound to the loopback0 interface.

Why would this be done? To allow this switch to match an ACL when it is used to form an SSH connection?
I learned something else: By default the closest exit interface is used as the source for the SSH packet.

ip ssh source-interface
To specify the IP address of an interface as the source address for a Secure Shell (SSH) client device, use the ip ssh source-interface command in global configuration mode. To remove the IP address as the source address, use the no form of this command.

ip ssh source-interface interface

no ip ssh source-interface interface

Syntax Description
interface    The interface whose address is used as the source address for the SSH client.

Defaults
The address of the closest interface to the destination is used as the source address (the closest interface is the output interface through which the SSH packet is sent).

Command Modes
Global configuration

Command History
Release      Modification
12.2(8)T     This command was introduced.


Usage Guidelines
By specifying this command, you can force the SSH client to use the IP address of the source interface as the source address.

Examples
In the following example, the IP address assigned to Ethernet interface 0 will be used as the source address for the SSH client:

ip ssh source-interface ethernet0
So if the loopback address is what you identify your routers and switches by, then setting the "ip ssh source-interface" would make it easier for you to allow/deny ssh connections and to track what devices are connecting to other devices?
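
An added example, not part of the original thread or of Cisco's documentation: the same idea at the socket level, showing that a client's source address is chosen by the OS unless it is pinned, and that a source-based allowlist on the far end only matches when it is. It is written in Python rather than IOS so it can be run locally, and it assumes a Linux-style loopback where all of 127.0.0.0/8 is local; the addresses, `PERMITTED_SOURCES`, `serve_once` and `probe` are constructed for illustration.

```python
import socket
import threading

# Constructed stand-ins: 127.0.0.1 plays the exit-interface address the OS picks
# by default; 127.0.0.2 plays the loopback address the peer's ACL expects.
PERMITTED_SOURCES = {"127.0.0.2"}


def serve_once(listener, seen):
    """Accept one connection and judge it by source address, like a VTY ACL."""
    conn, (peer_ip, _port) = listener.accept()
    with conn:
        verdict = "permit" if peer_ip in PERMITTED_SOURCES else "deny"
        seen.append((peer_ip, verdict))
        conn.sendall(verdict.encode())


def probe(source_ip=None):
    """Connect to a local listener and return (source seen by server, verdict).

    With source_ip=None the OS chooses the source address from its routing
    decision; otherwise the client socket is bound to source_ip first.
    """
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.settimeout(5)
        listener.bind(("127.0.0.1", 0))      # port 0: any free port
        listener.listen(1)
        worker = threading.Thread(target=serve_once, args=(listener, seen))
        worker.start()
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as client:
            client.settimeout(5)
            if source_ip is not None:
                client.bind((source_ip, 0))  # pin the source address
            client.connect(listener.getsockname())
            client.recv(16)                  # wait for the server's verdict
        worker.join()
    return seen[0]


if __name__ == "__main__":
    print("default source:", probe())
    print("pinned source: ", probe("127.0.0.2"))
```

The unpinned connection arrives from whatever address the OS selected and is denied; the pinned one arrives from the expected address and is permitted, which is why a stable source address simplifies allowlists and the client entries on an authentication server.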
SOLUTION
This solution is only available to members.