====== ASBR02 ======

Main role: secondary BGP router

Physical machine (APU)

<code>
Linux asbr02.cogent-rns.grifon.fr 4.14.152-gentoo #1 SMP Sat Nov 16 14:37:48 CET 2019 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux
</code>

Hardware configuration:
  * Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
  * 4G of RAM
  * eno0: IPMI
  * eno1: Admin
  * enp3s0f0: WAN
  * enp3s0f1: LAN

<code>
asbr02 ~ # ethtool -i enp3s0f0
driver: igb
version: 5.4.0-k
firmware-version: 1.5.1
expansion-rom-version:
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes

asbr02 ~ # ethtool -i eno1
driver: bnx2
version: 2.2.6
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version:
bus-info: 0000:05:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
</code>

<code>
03:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
	Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
	Kernel driver in use: igb
03:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
	Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
	Kernel driver in use: igb
04:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
	Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
	Kernel driver in use: igb
04:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
	Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
	Kernel driver in use: igb
05:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
	Subsystem: Dell NetXtreme II BCM5716 Gigabit Ethernet
	Kernel driver in use: bnx2
05:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
	Subsystem: Dell NetXtreme II BCM5716 Gigabit Ethernet
	Kernel driver in use: bnx2
</code>

Services:
  * ntpd
  * iptables
  * snmpd (to the LibreNMS on [[machines:grifon:gurvant]])
  * munin-node
  * smartctl
  * nrpe (BGP session monitoring)
  * bird2 ([[reseau:bgp#ipv4|bgp]], [[reseau:ospf:nominoe|ospf]])

Administrators:
  * alarig
  * petrus
  * gizmo
  * dotux
  * nemo

===== Network configuration (partially up to date) =====

  * enp3s0f0, interface without IP
  * enp3s0f0.20, interconnection with Cogent
  * enp3s0f0.22, interconnection with Breizh-IX
  * enp3s0f0.50, interconnection with Quantic
  * enp3s0f1, grifon network interface (no IP)
  * enp3s0f1.30, data VLAN
  * enp3s0f1.31, VPN interconnect
  * enp3s0f1.32, ADSL interconnect
  * enp3s0f1.41, iBGP interconnect
  * enp3s0f1.100, transit delivery for petrus
  * enp3s0f1.101, transit delivery for guizmo34
  * enp3s0f1.102, transit delivery for AS112
  * eno1, IPMI interface
  * eno2, admin LAN interface
  * gre1, backup tunnel for Stolon

<code>
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether bc:30:5b:df:9d:03 brd ff:ff:ff:ff:ff:ff
3: eno2: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:5b:df:9d:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.10/24 brd 172.17.0.255 scope global eno2
       valid_lft forever preferred_lft forever
    inet6 fd00:1e02:40::a/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::be30:5bff:fedf:9d04/64 scope link
       valid_lft forever preferred_lft forever
4: enp3s0f0: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
5: enp3s0f1: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
6: enp4s0f0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:48:68:9c brd ff:ff:ff:ff:ff:ff
7: enp4s0f1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:48:68:9d brd ff:ff:ff:ff:ff:ff
8: enp3s0f0.20@enp3s0f0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 149.6.72.99/29 brd 149.6.72.103 scope global enp3s0f0.20
       valid_lft forever preferred_lft forever
    inet6 2001:978:2:4e::5:3/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
9: enp3s0f0.21@enp3s0f0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 46.18.103.42/30 brd 46.18.103.43 scope global enp3s0f0.21
       valid_lft forever preferred_lft forever
    inet6 2a02:2778:2:102::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
10: enp3s0f0.22@enp3s0f0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 185.1.89.13/24 brd 185.1.89.255 scope global enp3s0f0.22
       valid_lft forever preferred_lft forever
    inet6 2001:7f8:b1::d/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
11: enp3s0f0.50@enp3s0f0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.3/29 brd 169.254.1.7 scope global enp3s0f0.50
       valid_lft forever preferred_lft forever
    inet6 2a06:e040:3501:101:2::3/80 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
12: enp3s0f0.104@enp3s0f0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6898/64 scope link
       valid_lft forever preferred_lft forever
13: enp3s0f1.30@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.6/27 brd 89.234.186.31 scope global enp3s0f1.30
       valid_lft forever preferred_lft forever
    inet 80.67.190.195/27 brd 80.67.190.223 scope global enp3s0f1.30
       valid_lft forever preferred_lft forever
    inet6 2a00:5884::6/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
14: enp3s0f1.33@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.34/27 brd 89.234.186.63 scope global enp3s0f1.33
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:6::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
15: enp3s0f1.100@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 2a00:5884:0:100::2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
16: enp3s0f1.101@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 2a00:5884:0:101::2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
17: enp3s0f1.102@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.130/29 brd 89.234.186.135 scope global enp3s0f1.102
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::1:2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
18: enp3s0f1.105@enp3s0f1: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.202/29 brd 89.234.186.207 scope global enp3s0f1.105
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::3:2/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link
       valid_lft forever preferred_lft forever
19: gre0@NONE: mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
20: gretap0@NONE: mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
21: erspan0@NONE: mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
22: gre1@NONE: mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 149.6.72.99 peer 46.182.210.14
    inet 89.234.146.54 peer 89.234.146.55/32 scope global gre1
       valid_lft forever preferred_lft forever
    inet6 2a00:5880:1400:b00b:b00b:b00b::/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:9506:4863/64 scope link
       valid_lft forever preferred_lft forever
</code>

===== System configuration (partially up to date) =====

<code>
hostname="budic.cogent-rns.grifon.fr"
keymap="fr"
ifconfig_bce1="inet 172.17.0.10/24"
ifconfig_igb0="up"
ifconfig_igb1="up"
defaultrouter="149.6.72.97"
ipv6_defaultrouter="2001:978:2:4e::5:1"
gateway_enable="YES"
ipv6_gateway_enable="YES"
ntpdate_enable="YES"
ntpdate_hosts="89.234.186.7"
syslogd_enable="YES"
syslogd_flags="-ss"
sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# pf
pf_enable="YES"
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup
pflogd_enable="YES"

# SNMP
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_conffile="/usr/local/etc/snmpd.conf"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
bsnmpd_enable="YES"

# munin
munin_node_enable="YES"

# smartctl
smartd_enable="YES"

# NRPE
nrpe3_enable="YES"

# https://grifon.fr/comptes-rendus/2016-06-06_reunion-hackerspace.html#quagga-ou-bird
bird_enable="YES"
bird6_enable="YES"

# IPv6 static routes
config_eno2="172.17.0.10/24 fd00:1e02:40::a/64"
config_enp3s0f0="null"
config_enp3s0f1="null"
vlans_enp3s0f0="20 21 22 50"
config_enp3s0f0_20="149.6.72.99/29 2001:978:2:4e::5:3/112"
config_enp3s0f0_21="46.18.103.42/30 2a02:2778:2:0102::2/64"
config_enp3s0f0_22="185.1.89.13/24 2001:7f8:b1::d/64"
config_enp3s0f0_50="169.254.1.3/29 2a06:e040:3501:0101:0002::3/80"
vlans_enp3s0f1="30 33 100 101 102 105"
config_enp3s0f1_30="89.234.186.6/27 80.67.190.195/27 2a00:5884::6/64"
config_enp3s0f1_33="89.234.186.34/27 2a00:5884:0:6::2/64"
config_enp3s0f1_100="2a00:5884:0:100::2/112"
config_enp3s0f1_101="2a00:5884:0:101::2/112"
config_enp3s0f1_102="89.234.186.130/29 2a00:5884:0:100::1:2/112"
config_enp3s0f1_105="89.234.186.202/29 2a00:5884:0:100::3:2/112"

# Stolon
iptunnel_gre1="mode gre remote 46.182.210.14 local 149.6.72.99 ttl 255"
config_gre1="89.234.146.54 peer 89.234.146.55 2a00:5880:1400:b00b:b00b:b00b::/127"

postup() {
	ip link set eno2 alias "Core: admin"
	ip link set enp3s0f0.20 alias "Transit: cogent"
	ip link set enp3s0f0.21 alias "Transit: netensia"
	ip link set enp3s0f0.22 alias "Peering: breizhix"
	ip link set enp3s0f0.50 alias "Transit: quantic"
	ip link set enp3s0f1.30 alias "Core: hosting"
	ip link set enp3s0f1.33 alias "Core: backbone"
	ip link set enp3s0f1.100 alias "Cust: petrus"
	ip link set enp3s0f1.101 alias "Cust: guizmo34"
	ip link set enp3s0f1.102 alias "Cust: AS112"
	ip link set enp3s0f1.105 alias "Cust: nemo"
	ip link set gre1 alias "Cust: Stolon"

	# Physical machine NUC TTNN
	ip -6 route add 2a00:5884:128::/48 via fe80::96c6:91ff:feaa:d4ee dev enp3s0f1.30
	# Physical machine RPi Meseira
	ip -6 route add 2a00:5884:134::/48 via fe80::ba27:ebff:fee2:fd5f dev enp3s0f1.30
	# Physical machine NAS Nemo
	ip -6 route add 2a00:5884:104::/48 via fe80::471:11ff:fe80:e379 dev enp3s0f1.30
}
</code>

===== Firewall (iptables) =====

==== IPv4 ====

<code>
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [132234153727:93632518659386]
:INPUT ACCEPT [1178873036:128728540617]
:FORWARD ACCEPT [130606185646:93319042146056]
:OUTPUT ACCEPT [1424650747:295422619851]
:POSTROUTING ACCEPT [132030342852:93614371016984]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
</code>

==== IPv6 ====

<code>
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [1986857:626283728]
:OUTPUT ACCEPT [88819:17155151]
[19412:1526783] -A PREROUTING -d 2a00:5884::/64 -i enp3s0f1.30 -j ACCEPT
[0:0] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [11347829482:6010020980272]
:INPUT ACCEPT [401028762:53267790995]
:FORWARD ACCEPT [10860741310:5947615657952]
:OUTPUT ACCEPT [471704985:150519751283]
:POSTROUTING ACCEPT [11332341239:6098127808893]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [67118:6418660]
:FORWARD ACCEPT [1931788:624945312]
:OUTPUT ACCEPT [89251:17246365]
[785719:56571768] -A INPUT ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[2266:199462] -A FORWARD ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[102859:7405848] -A OUTPUT -s fd00:1e02:40::/64 ! -d fd00:1e02:40::/64 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
</code>
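The rulesets above encode two policies: strict reverse-path filtering on the hosting VLAN (raw table) and containment of the admin range so it never mixes with other addresses (filter table). The following evaluator is an added example, not part of this wiki page or of the grifon configuration: it parses the subset of iptables-save syntax used here, decides the reverse-path test against a small constructed FIB built from the addresses listed on this page (the real router carries a full BGP table), and returns the verdict a sample packet would get, so each rule's intent can be checked offline before a change is pushed to the live router.

```python
import ipaddress
# asbr02's IPv4 rules from the iptables-save dump above, counters removed; no chain has
# rules in more than one table here, so the three tables collapse into one list.
RULES_V4 = """
-A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
-A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
-A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
-A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
-A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
""".strip().splitlines()
# Constructed toy FIB (prefix -> egress interface) from addresses on the page; the real
# router holds a full BGP table, this is just enough for the reverse-path test to decide.
FIB = {ipaddress.ip_network("89.234.186.0/27"): "enp3s0f1.30",
       ipaddress.ip_network("172.17.0.0/24"): "eno2",
       ipaddress.ip_network("0.0.0.0/0"): "enp3s0f0.20"}  # default route via Cogent

def egress_for(addr):
    """Longest-prefix match: the FIB lookup that -m rpfilter performs on the source."""
    ip = ipaddress.ip_address(addr)
    return FIB[max((n for n in FIB if ip in n), key=lambda n: n.prefixlen)]

def parse_rule(line):
    """'-A CHAIN ... -j TARGET' -> {chain, target, src/dst/iif: (value, negated), rpf_invert}.
    Only the options used on this page are understood; the target is the last token."""
    toks = line.split()
    rule = {"chain": toks[1], "target": toks[-1], "rpf_invert": "--invert" in toks}
    negate, i = False, 2
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate = True                  # applies to the very next match option
        elif t in ("-s", "-d", "-i"):
            key = {"-s": "src", "-d": "dst", "-i": "iif"}[t]
            val = toks[i + 1] if t == "-i" else ipaddress.ip_network(toks[i + 1])
            rule[key], negate, i = (val, negate), False, i + 1
        i += 1                             # -m, rpfilter, --invert, -j, target: plain tokens
    return rule

def matches(rule, pkt):
    """pkt = {'src','dst','iif'}: every match must agree; --invert needs a FAILED reverse path."""
    for key, (val, neg) in ((k, rule[k]) for k in ("src", "dst", "iif") if k in rule):
        hit = pkt[key] == val if key == "iif" else ipaddress.ip_address(pkt[key]) in val
        if hit == neg:
            return False
    return not (rule["rpf_invert"] and egress_for(pkt["src"]) == pkt.get("iif"))

def verdict(chain, pkt, rules=RULES_V4):
    """First matching rule decides; every chain policy in the dump is ACCEPT."""
    for rule in map(parse_rule, rules):
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return "ACCEPT"
```

The same parser accepts the ip6tables lines above unchanged, since `ipaddress` handles both families; note that the IPv6 INPUT and OUTPUT rules negate the opposite address to their IPv4 counterparts, which this evaluator makes visible when the two dumps are fed sample packets side by side.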