====== ASBR03 ======
Main role: BGP router
Physical machine (R210)
Linux asbr03.grifon.fr 6.1.57-gentoo #1 SMP PREEMPT_DYNAMIC Sun Oct 29 12:30:28 CET 2023 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux
Hardware configuration:
* Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
* 16G of RAM
* eno1: Admin
* eno2: NL-IX via Breizh-IX
* enp1s0: L2 to TH2
* enp1s0d1: Link to grifon
asbr03 ~ # ethtool -i eno1
driver: bnx2
version: 6.1.57-gentoo
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version:
bus-info: 0000:02:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
asbr03 ~ # ethtool -i eno2
driver: bnx2
version: 6.1.57-gentoo
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version:
bus-info: 0000:02:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
asbr03 ~ # ethtool -i enp1s0
driver: mlx4_en
version: 4.0-0
firmware-version: 2.9.1200
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
asbr03 ~ # ethtool -i enp1s0d1
driver: mlx4_en
version: 4.0-0
firmware-version: 2.9.1200
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
01:00.0 Ethernet controller: Mellanox Technologies MT26448 [ConnectX EN 10GigE, PCIe 2.0 5GT/s] (rev b0)
Subsystem: Mellanox Technologies Device 0019
Kernel driver in use: mlx4_core
Kernel modules: mlx4_core
02:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
DeviceName: Embedded NIC 1
Subsystem: Dell Device 02a5
Kernel driver in use: bnx2
Kernel modules: bnx2
02:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
DeviceName: Embedded NIC 2
Subsystem: Dell Device 02a5
Kernel driver in use: bnx2
Kernel modules: bnx2
Services:
* ntp
* firewall (towards the admin VLAN)
* snmp (towards the LibreNMS on [[machines:grifon:gurvant]])
* munin-node
* smartctl
* nrpe (monitoring of BGP sessions)
* bird2 ([[reseau:bgp#ipv4|bgp]], [[reseau:ospf:nominoe|ospf]])
Administrators:
* alarig
* gizmo
* dam
===== Network configuration (partially up to date) =====
asbr03 ~ # ip l
1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether bc:30:5b:df:99:56 brd ff:ff:ff:ff:ff:ff
alias Core: admin
altname enp2s0f0
3: eno2: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
alias Core: cogent02
altname enp2s0f1
4: enp1s0: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
alias Core: ASR Hivane
5: enp1s0d1: mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Core: sw02
6: enp1s0.201@enp1s0: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
alias Core: TH2LF Hivane via Ielo
7: enp1s0d1.30@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Core: hosting
8: enp1s0d1.33@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Core: backbone
9: enp1s0d1.58@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Cust: dam64
10: enp1s0d1.100@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Cust: petrus
11: enp1s0d1.102@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Cust: AS112
12: enp1s0d1.106@enp1s0d1: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
alias Cust: Jaguar-OOB
13: gre0@NONE: mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: mtu 1450 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre64@NONE: mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/gre 89.234.186.15 peer 85.14.132.185
alias Cust: stolon
17: vrrp.1@enp1s0d1.30: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:00:5e:00:01:01 brd ff:ff:ff:ff:ff:ff
18: vrrp6.1@enp1s0d1.30: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:00:5e:00:02:01 brd ff:ff:ff:ff:ff:ff
19: vrrp.2@enp1s0d1.30: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:00:5e:00:02:02 brd ff:ff:ff:ff:ff:ff
20: eno2.1848@eno2: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
alias Peering: NL-ix
asbr03 ~ # ip a
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
valid_lft forever preferred_lft forever
inet 89.234.186.226/32 scope global lo
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:1::2/128 scope global
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host proto kernel_lo
valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bc:30:5b:df:99:56 brd ff:ff:ff:ff:ff:ff
altname enp2s0f0
inet 172.17.0.16/24 brd 172.17.0.255 scope global eno1
valid_lft forever preferred_lft forever
inet6 fe80::be30:5bff:fedf:9956/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: eno2: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
altname enp2s0f1
inet6 fe80::be30:5bff:fedf:9957/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
4: enp1s0: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
inet6 fe80::202:c9ff:fe28:92be/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
5: enp1s0d1: mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
6: enp1s0.201@enp1s0: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
inet 89.234.186.144/31 scope global enp1s0.201
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:2::/127 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92be/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
7: enp1s0d1.30@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 89.234.186.15/27 brd 89.234.186.31 scope global enp1s0d1.30
valid_lft forever preferred_lft forever
inet6 2a00:5884::d/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
8: enp1s0d1.33@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 89.234.186.43/27 brd 89.234.186.63 scope global enp1s0d1.33
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:6::b/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
9: enp1s0d1.58@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 45.67.83.236/31 scope global enp1s0d1.58
valid_lft forever preferred_lft forever
inet6 2001:678:984:b00b::236/127 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
10: enp1s0d1.100@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 89.234.186.153/29 brd 89.234.186.159 scope global enp1s0d1.100
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:100::1/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
11: enp1s0d1.102@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 89.234.186.129/29 brd 89.234.186.135 scope global enp1s0d1.102
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:100::1:1/112 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
12: enp1s0d1.106@enp1s0d1: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
inet 89.234.186.146/31 scope global enp1s0d1.106
valid_lft forever preferred_lft forever
inet6 2a00:5884:0:100::4:0/127 scope global
valid_lft forever preferred_lft forever
inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
13: gre0@NONE: mtu 1476 qdisc noop state DOWN group default qlen 1000
link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: mtu 1462 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre64@NONE: mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
link/gre 89.234.186.15 peer 85.14.132.185
inet 89.234.146.52/31 scope global gre64
valid_lft forever preferred_lft forever
inet6 2a00:5880:1400:fe::c/127 scope global
valid_lft forever preferred_lft forever
inet6 fe80::59ea:ba0f/64 scope link
valid_lft forever preferred_lft forever
17: vrrp.1@enp1s0d1.30: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:5e:00:01:01 brd ff:ff:ff:ff:ff:ff
inet 89.234.186.1/32 scope global vrrp.1
valid_lft forever preferred_lft forever
18: vrrp6.1@enp1s0d1.30: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:5e:00:02:01 brd ff:ff:ff:ff:ff:ff
inet6 fe80::204:92:100:1/128 scope link nodad deprecated
valid_lft forever preferred_lft 0sec
19: vrrp.2@enp1s0d1.30: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:00:5e:00:02:02 brd ff:ff:ff:ff:ff:ff
inet6 2a00:5884::1/128 scope global nodad deprecated
valid_lft forever preferred_lft 0sec
20: eno2.1848@eno2: mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
inet 193.239.117.189/22 brd 193.239.119.255 scope global eno2.1848
valid_lft forever preferred_lft forever
inet6 2001:7f8:13::a520:4092:1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::be30:5bff:fedf:9957/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
===== System configuration (partially up to date) =====
config_eno1="172.17.0.16/24"
config_eno2="null"
vlans_eno2="1848"
config_eno2_1848="193.239.117.189/22 2001:7f8:13::a520:4092:1/64"
config_enp1s0d1="null"
vlans_enp1s0d1="30 33 58 100 102 106"
config_enp1s0d1_30="89.234.186.15/27 2a00:5884::d/64"
config_enp1s0d1_33="89.234.186.43/27 2a00:5884:0:6::b/64"
config_enp1s0d1_58="45.67.83.236/31 2001:678:984:b00b::236/127"
config_enp1s0d1_100="89.234.186.153/29 2a00:5884:0:100::1/112"
config_enp1s0d1_102="89.234.186.129/29 2a00:5884:0:100::1:1/112"
config_enp1s0d1_106="89.234.186.146/31 2a00:5884:0:100::4:0/127"
config_enp1s0d1_203="null"
config_enp1s0="null"
vlans_enp1s0="201"
config_enp1s0_201="89.234.186.144/31 2a00:5884:0:2::/127"
iptunnel_gre64="mode gre remote 85.14.132.185 local 89.234.186.15 ttl 225"
config_gre64="89.234.146.52/31 2a00:5880:1400:fe::c/127"
postup() {
ip addr add 89.234.186.226/32 dev lo
ip addr add 2a00:5884:0:1::2/128 dev lo
ip link set eno1 alias "Core: admin"
ip link set eno2 alias "Core: cogent02"
ip link set eno2.1848 alias "Peering: NL-ix"
ip link set enp1s0 alias "Core: ASR Hivane"
ip link set enp1s0.201 alias "Core: TH2LF Hivane via Ielo"
ip link set enp1s0d1 alias "Core: sw02"
ip link set enp1s0d1.30 alias "Core: hosting"
ip link set enp1s0d1.33 alias "Core: backbone"
ip link set enp1s0d1.58 alias "Cust: dam64"
ip link set enp1s0d1.100 alias "Cust: petrus"
ip link set enp1s0d1.102 alias "Cust: AS112"
ip link set enp1s0d1.106 alias "Cust: Jaguar-OOB"
ip link set gre64 alias "Cust: stolon"
}
===== Firewall (iptables) =====
==== IPv4 ====
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [132234153727:93632518659386]
:INPUT ACCEPT [1178873036:128728540617]
:FORWARD ACCEPT [130606185646:93319042146056]
:OUTPUT ACCEPT [1424650747:295422619851]
:POSTROUTING ACCEPT [132030342852:93614371016984]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
==== IPv6 ====
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [1986857:626283728]
:OUTPUT ACCEPT [88819:17155151]
[19412:1526783] -A PREROUTING -d 2a00:5884::/64 -i enp3s0f1.30 -j ACCEPT
[0:0] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [11347829482:6010020980272]
:INPUT ACCEPT [401028762:53267790995]
:FORWARD ACCEPT [10860741310:5947615657952]
:OUTPUT ACCEPT [471704985:150519751283]
:POSTROUTING ACCEPT [11332341239:6098127808893]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [67118:6418660]
:FORWARD ACCEPT [1931788:624945312]
:OUTPUT ACCEPT [89251:17246365]
[785719:56571768] -A INPUT ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[2266:199462] -A FORWARD ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[102859:7405848] -A OUTPUT -s fd00:1e02:40::/64 ! -d fd00:1e02:40::/64 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019