DRP Server Agent

Description

The Director Response Protocol (DRP) is a simple User Datagram Protocol (UDP)-based application developed by Cisco Systems. It enables Cisco's DistributedDirector product to query routers (DRP Server Agents) in the field for Border Gateway Protocol (BGP) and Interior Gateway Protocol (IGP) routing table metrics between distributed servers and clients. DistributedDirector, a separate standalone product, uses DRP to transparently redirect end-user service requests to the topologically closest responsive server. DRP enables DistributedDirector to provide dynamic, scalable, and "network intelligent" Internet traffic load distribution between multiple geographically dispersed servers.

DRP Server Agents are border routers (or peers to border routers) that support the geographically distributed servers for which DistributedDirector service distribution is desired. Note that, because DistributedDirector makes decisions based on BGP and IGP information, all DRP Server Agents must have access to full BGP and IGP routing tables.

Refer to the Cisco DistributedDirector 2501 Installation and Configuration Guide or the Cisco DistributedDirector 4700-M Installation and Configuration Guide for information on how to configure DistributedDirector.

Platforms

This feature is supported on these platforms:

Cisco 2500 series
Cisco 4000-M, Cisco 4500-M, Cisco 4700
Cisco 7000 series
Cisco 7200 series
Cisco 7500 series

Note Cisco IOS Release 11.2(4)F does not support the DRP Server Agent feature on the Cisco 3600 router.

Configuration Tasks

Perform the following tasks to configure and maintain the DRP Server Agent. The first task is required; the remaining tasks are optional.

Enable the DRP Server Agent

The DRP Server Agent is disabled by default. To enable it, perform the following task in global configuration mode:

Task	Command
Enable the DRP Server Agent.	ip drp server

Limit the Source of DRP Queries

As a security measure, you can limit the source of valid DRP queries. If a standard IP access list is applied to the interface, the Server Agent will respond only to DRP queries originating from an IP address in the list. If no access list is configured, the server agent will answer all queries.

If both an access group and a key chain (described in the next section) have been configured, both security mechanisms must allow access before a request is processed.

To limit the source of valid DRP queries, perform the following task in global configuration mode:

Task	Command
Control the sources of valid DRP queries by applying a standard IP access list.	ip drp access-group access-list-number

Configure Authentication of DRP Queries and Responses

Another available security measure is to configure the DRP Server Agent to authenticate DRP queries and responses. You define a key chain, identify the keys that belong to the key chain, and specify how long each key is valid. To do so, perform the following tasks beginning in global configuration mode:

Task	Command
Step 1 Identify which key chain to use to authenticate all DRP requests and responses.	ip drp authentication key-chain name-of-chain
Step 2 Identify a key chain (match the name configured in Step 1).	key chain name-of-chain
Step 3 In key chain configuration mode, identify the key number.	key number
Step 4 In key chain key configuration mode, identify the key string.	key-string text
Step 5 Optionally specify the time period during which the key can be received.	accept-lifetime start-time {infinite \| end-time \| duration seconds}
Step 6 Optionally specify the time period during which the key can be sent.	send-lifetime start-time {infinite \| end-time \| duration seconds}

When configuring your key chains and keys, keep these points in mind:

The key chain configured for the DRP Server Agent in Step 1 must match the key chain in Step 2.
The key configured in the primary agent in the remote router must match the key configured in the DRP Server Agent in order for responses to be processed.
You can configure multiple keys with lifetimes, and the software will rotate through them. Note that the router needs to know the time. Refer to the NTP and calendar commands in the "Managing the System" chapter of the Cisco IOS Release 11.2 Configuration Fundamentals Configuration Guide.
If authentication is enabled and multiple keys on the key chain happen to be active based on the send-lifetime values, the software uses only the first key it encounters for authentication.
Use the show key chain command to display key chain information.

Monitor and Maintain the DRP Server Agent

To monitor and maintain the DRP Server Agent, perform the following tasks in EXEC mode:

Task	Command
Clear statistics being collected on DRP requests and responses.	clear ip drp
Display information about the DRP Server Agent.	show ip drp

Configuration Example

The following example enables the DRP Server Agent. Sources of DRP queries are limited by access list 1, which permits only queries from the host at 33.45.12.4. Authentication is also configured for the DRP queries and responses.

ip drp server
access-list 1 permit 33.45.12.4
ip drp access-group 1
ip drp authentication key-chain mktg
key chain mktg
 key 1
  key-string internal
exit
exit

Command Reference

The commands used in the "Configuration Tasks" section that do not appear in this section were previously documented in the Cisco IOS Release 11.2 Network Protocols Command Reference, Part 1, in the "IP Routing Protocols Commands" chapter.

This section documents the following new commands:

clear ip drp

To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp EXEC command.

clear ip drp

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

Example

The following example clears all DRP statistics:

clear ip drp

Related Commands

ip drp access-group
ip drp authentication key-chain

ip drp access-group

To control the sources of Director Response Protocol (DRP) queries to the DRP Server Agent, use the ip drp access-group global configuration command. To remove the access list, use the no form of this command.

ip drp access-group access-list-number
no ip drp access-group access-list-number

Syntax Description

access-list-number

Number of a standard IP access list in the range 1 to 99.

Default

The DRP Server Agent will answer all queries.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

This command applies an access list to the interface, thereby controlling who can send queries to the DRP Server Agent.

If both an authentication key chain and an access group have been specified, both security measures must permit access before a request is processed.

Example

The following example configures access list 1, which permits only queries from the host at 33.45.12.4:

access-list 1 permit 33.45.12.4
ip drp access-group 1

Related Commands

ip drp authentication key-chain
show ip drp

ip drp authentication key-chain

To configure authentication on the DRP Server Agent for DistributedDirector, use the ip drp authentication key-chain global configuration command. To remove the key chain, use the no form of this command.

ip drp authentication key-chain name-of-chain
no ip drp authentication key-chain name-of-chain

Syntax Description

name-of-chain

Name of the key chain containing one or more authentication keys.

Default

No authentication is configured for the DRP Server Agent.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

When a key chain and key are configured, the key is used to authenticate all Director Response Protocol requests and responses. The active key on the DRP Server Agent must match the active key on the primary agent. Use the key and key-string commands to configure the key.

Example

The following example configures a key chain named ddchain:

ip drp authentication key-chain ddchain

Related Commands

accept-lifetime
ip drp access-group
key
key chain
key-string
send-lifetime
show ip drp
show key chain

ip drp server

To enable the Director Response Protocol (DRP) Server Agent that works with DistributedDirector, use the ip drp server global configuration command. To disable the DRP Server Agent, use the no form of this command.

ip drp server
no ip drp server

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Reelease 11.2 F.

Example

The following example enables the DRP Server Agent:

ip drp server

Related Commands

ip drp access-group
ip drp authentication key-chain
show ip drp

show ip drp

To display information about the DRP Server Agent for DistributedDirector, use the show ip drp EXEC command.

show ip drp

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2 F.

Sample Display

The following is sample output from the show ip drp command:

Router# show ip drp
Director Responder Protocol Agent is enabled
717 director requests, 712 successful lookups, 5 failures, 0 no route
Authentication is enabled, using "test" key-chain

Table 6 describes the significant fields in the display.

Table 6: Show IP DRP Field Descriptions

Field	Description
director requests	Number of DRP requests that have been received (including any using authentication key-chain encryption that failed).
successful lookups	Number of successful DRP lookups that produced responses.
failures	Number of DRP failures (for various reasons including authentication key-chain encryption failures).

Related Commands

ip drp access-group
ip drp authentication key-chain

Debug Command

This section describes the debug command related to the DRP Server Agent.

debug ip drp

To control debugging information related to the Director Response Protocol (DRP), use the debug ip drp EXEC command. To disable debugging output, use the no form of this command.

[no] debug ip drp

Sample Display

Figure 10 shows sample debug ip drp output.

Figure 10: Sample Debug IP DRP Output

Router# debug ip drp
Director Response Protocol debugging is on
Router#
DRP: received v1 packet from 171.69.232.68, via Ethernet0
DRP: RTQUERY for 171.69.113.50 returned internal=0, external=0
DRP: RTQUERY for 171.69.58.119 returned internal=0, external=0

Table 7 describes the significant fields in the sample output.

**Table 7: Debug IP DRP Field Descriptions**
Field	Description
DRP: received v1 packet from 171.69.232.68, via Ethernet0	The router received a version 1 DRP packet from the IP address shown, via the interface shown.
DRP: RTQUERY for 171.69.113.50	The DRP packet contained two Route Query requests. The first request was for the distance to the IP address 171.69.113.50.
returned internal	Returned value for the DRP internal metric.
external	Returned value for the DRP external metric.

Table of Contents

DRP Server Agent

Description

Platforms

Configuration Tasks

Configuration Example

Command Reference

Debug Command

Syntax Description

Command Mode

Usage Guidelines

Example

Related Commands

Syntax Description

Default

Command Mode

Usage Guidelines

Example

Related Commands

Syntax Description

Default

Command Mode

Usage Guidelines

Example

Related Commands

Syntax Description

Default

Command Mode

Usage Guidelines

Example

Related Commands

Syntax Description

Command Mode

Usage Guidelines

Sample Display

Related Commands

Sample Display