ASBR03

Main role: BGP router

Physical machine (R210)

Linux asbr03.grifon.fr 6.1.57-gentoo #1 SMP PREEMPT_DYNAMIC Sun Oct 29 12:30:28 CET 2023 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux

Hardware configuration:

  • Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
  • 16 GB of RAM
  • eno1: Admin
  • eno2: NL-IX via Breizh-IX
  • enp1s0: L2 to TH2
  • enp1s0d1: Link to grifon

asbr03 ~ # ethtool -i eno1
driver: bnx2
version: 6.1.57-gentoo
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version:
bus-info: 0000:02:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
asbr03 ~ # ethtool -i eno2
driver: bnx2
version: 6.1.57-gentoo
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version:
bus-info: 0000:02:00.1
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no
asbr03 ~ # ethtool -i enp1s0
driver: mlx4_en
version: 4.0-0
firmware-version: 2.9.1200
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
asbr03 ~ # ethtool -i enp1s0d1
driver: mlx4_en
version: 4.0-0
firmware-version: 2.9.1200
expansion-rom-version:
bus-info: 0000:01:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: no
supports-register-dump: no
supports-priv-flags: yes
01:00.0 Ethernet controller: Mellanox Technologies MT26448 [ConnectX EN 10GigE, PCIe 2.0 5GT/s] (rev b0)
	Subsystem: Mellanox Technologies Device 0019
	Kernel driver in use: mlx4_core
	Kernel modules: mlx4_core
02:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
	DeviceName: Embedded NIC 1
	Subsystem: Dell Device 02a5
	Kernel driver in use: bnx2
	Kernel modules: bnx2
02:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
	DeviceName: Embedded NIC 2
	Subsystem: Dell Device 02a5
	Kernel driver in use: bnx2
	Kernel modules: bnx2

Services:

  • ntp
  • firewall (towards the admin VLAN)
  • snmp (to gurvant's LibreNMS)
  • munin-node
  • smartctl
  • nrpe (BGP session monitoring)
  • bird2 (bgp, ospf)

Administrators:

  • alarig
  • gizmo
  • dam

Network configuration (partially up to date)

asbr03 ~ # ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether bc:30:5b:df:99:56 brd ff:ff:ff:ff:ff:ff
    alias Core: admin
    altname enp2s0f0
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
    alias Core: cogent02
    altname enp2s0f1
4: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
    alias Core: ASR Hivane
5: enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Core: sw02
6: enp1s0.201@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
    alias Core: TH2LF Hivane via Ielo
7: enp1s0d1.30@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Core: hosting
8: enp1s0d1.33@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Core: backbone
9: enp1s0d1.58@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Cust: dam64
10: enp1s0d1.100@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Cust: petrus
11: enp1s0d1.102@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Cust: AS112
12: enp1s0d1.106@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    alias Cust: Jaguar-OOB
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre64@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/gre 89.234.186.15 peer 85.14.132.185
    alias Cust: stolon
17: vrrp.1@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:01:01 brd ff:ff:ff:ff:ff:ff
18: vrrp6.1@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:02:01 brd ff:ff:ff:ff:ff:ff
19: vrrp.2@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 00:00:5e:00:02:02 brd ff:ff:ff:ff:ff:ff
20: eno2.1848@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
    alias Peering: NL-ix
asbr03 ~ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet 89.234.186.226/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:1::2/128 scope global
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:5b:df:99:56 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f0
    inet 172.17.0.16/24 brd 172.17.0.255 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::be30:5bff:fedf:9956/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
    altname enp2s0f1
    inet6 fe80::be30:5bff:fedf:9957/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
    inet6 fe80::202:c9ff:fe28:92be/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
5: enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
6: enp1s0.201@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:be brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.144/31 scope global enp1s0.201
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:2::/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92be/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
7: enp1s0d1.30@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.15/27 brd 89.234.186.31 scope global enp1s0d1.30
       valid_lft forever preferred_lft forever
    inet6 2a00:5884::d/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
8: enp1s0d1.33@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.43/27 brd 89.234.186.63 scope global enp1s0d1.33
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:6::b/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
9: enp1s0d1.58@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 45.67.83.236/31 scope global enp1s0d1.58
       valid_lft forever preferred_lft forever
    inet6 2001:678:984:b00b::236/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
10: enp1s0d1.100@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.153/29 brd 89.234.186.159 scope global enp1s0d1.100
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::1/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
11: enp1s0d1.102@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.129/29 brd 89.234.186.135 scope global enp1s0d1.102
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::1:1/112 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
12: enp1s0d1.106@enp1s0d1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:02:c9:28:92:bf brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.146/31 scope global enp1s0d1.106
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::4:0/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::202:c9ff:fe28:92bf/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
13: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
14: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
15: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
16: gre64@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 89.234.186.15 peer 85.14.132.185
    inet 89.234.146.52/31 scope global gre64
       valid_lft forever preferred_lft forever
    inet6 2a00:5880:1400:fe::c/127 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::59ea:ba0f/64 scope link
       valid_lft forever preferred_lft forever
17: vrrp.1@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:01:01 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.1/32 scope global vrrp.1
       valid_lft forever preferred_lft forever
18: vrrp6.1@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:02:01 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::204:92:100:1/128 scope link nodad deprecated
       valid_lft forever preferred_lft 0sec
19: vrrp.2@enp1s0d1.30: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:02:02 brd ff:ff:ff:ff:ff:ff
    inet6 2a00:5884::1/128 scope global nodad deprecated
       valid_lft forever preferred_lft 0sec
20: eno2.1848@eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether bc:30:5b:df:99:57 brd ff:ff:ff:ff:ff:ff
    inet 193.239.117.189/22 brd 193.239.119.255 scope global eno2.1848
       valid_lft forever preferred_lft forever
    inet6 2001:7f8:13::a520:4092:1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::be30:5bff:fedf:9957/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever

System configuration (partially up to date)

/etc/conf.d/net
config_eno1="172.17.0.16/24"

config_eno2="null"
vlans_eno2="1848"

config_eno2_1848="193.239.117.189/22 2001:7f8:13::a520:4092:1/64"

config_enp1s0d1="null"
vlans_enp1s0d1="30 33 58 100 102 106"

config_enp1s0d1_30="89.234.186.15/27 2a00:5884::d/64"
config_enp1s0d1_33="89.234.186.43/27 2a00:5884:0:6::b/64"
config_enp1s0d1_58="45.67.83.236/31 2001:678:984:b00b::236/127"
config_enp1s0d1_100="89.234.186.153/29 2a00:5884:0:100::1/112"
config_enp1s0d1_102="89.234.186.129/29 2a00:5884:0:100::1:1/112"
config_enp1s0d1_106="89.234.186.146/31 2a00:5884:0:100::4:0/127"
config_enp1s0d1_203="null"

config_enp1s0="null"
vlans_enp1s0="201"

config_enp1s0_201="89.234.186.144/31 2a00:5884:0:2::/127"

iptunnel_gre64="mode gre remote 85.14.132.185 local 89.234.186.15 ttl 225"
config_gre64="89.234.146.52/31 2a00:5880:1400:fe::c/127"

postup() {
	ip addr add 89.234.186.226/32 dev lo
	ip addr add 2a00:5884:0:1::2/128 dev lo

	ip link set eno1 alias "Core: admin"

	ip link set eno2 alias "Core: cogent02"
	ip link set eno2.1848 alias "Peering: NL-ix"

	ip link set enp1s0 alias "Core: ASR Hivane"
	ip link set enp1s0.201 alias "Core: TH2LF Hivane via Ielo"

	ip link set enp1s0d1 alias "Core: sw02"
	ip link set enp1s0d1.30 alias "Core: hosting"
	ip link set enp1s0d1.33 alias "Core: backbone"
	ip link set enp1s0d1.58 alias "Cust: dam64"
	ip link set enp1s0d1.100 alias "Cust: petrus"
	ip link set enp1s0d1.102 alias "Cust: AS112"
	ip link set enp1s0d1.106 alias "Cust: Jaguar-OOB"

	ip link set gre64 alias "Cust: stolon"
}

Firewall (iptables)

IPv4

/var/lib/iptables/rules-save
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [132234153727:93632518659386]
:INPUT ACCEPT [1178873036:128728540617]
:FORWARD ACCEPT [130606185646:93319042146056]
:OUTPUT ACCEPT [1424650747:295422619851]
:POSTROUTING ACCEPT [132030342852:93614371016984]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019

IPv6

/var/lib/ip6tables/rules-save
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [1986857:626283728]
:OUTPUT ACCEPT [88819:17155151]
[19412:1526783] -A PREROUTING -d 2a00:5884::/64 -i enp3s0f1.30 -j ACCEPT
[0:0] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [11347829482:6010020980272]
:INPUT ACCEPT [401028762:53267790995]
:FORWARD ACCEPT [10860741310:5947615657952]
:OUTPUT ACCEPT [471704985:150519751283]
:POSTROUTING ACCEPT [11332341239:6098127808893]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [67118:6418660]
:FORWARD ACCEPT [1931788:624945312]
:OUTPUT ACCEPT [89251:17246365]
[785719:56571768] -A INPUT ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[2266:199462] -A FORWARD ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[102859:7405848] -A OUTPUT -s fd00:1e02:40::/64 ! -d fd00:1e02:40::/64 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
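The saved rules above are dated 2019 and bind the anti-spoofing rules in the raw table to `enp3s0f1.30`, while the current `ip l` output lists the hosting VLAN as `enp1s0d1.30`; the "(partially up to date)" note on the network section covers exactly this kind of drift. As an added example (not part of this wiki page or of Grifon's own tooling), the following Python script parses the iptables-save format shown above and reports every rule whose `-i`/`-o` interface is not among the host's links. The dump is the page's IPv4 raw and filter tables embedded as a sample, `HOST_LINKS` is the link set copied from the page's `ip l` output, and the function names are this example's own.

```python
"""Audit an iptables-save dump against the host's current link names.

Added example, not part of the wiki page or of Grifon's tooling. The dump
below is copied from the page's IPv4 rules-save; the link set is taken from
the page's `ip l` output. Function names are this example's own.
"""
import re
import shlex

# Constructed sample: the *raw and *filter tables from the page's IPv4 dump.
SAMPLE_RULES = """\
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
"""

# Link names from the page's `ip l` output (VLAN sub-interfaces included).
HOST_LINKS = frozenset({
    "lo", "eno1", "eno2", "enp1s0", "enp1s0d1", "enp1s0.201",
    "enp1s0d1.30", "enp1s0d1.33", "enp1s0d1.58", "enp1s0d1.100",
    "enp1s0d1.102", "enp1s0d1.106", "gre64", "vrrp.1", "vrrp6.1",
    "vrrp.2", "eno2.1848",
})

# Leading "[packets:bytes] " counter that iptables-save -c prefixes to rules.
COUNTER_RE = re.compile(r"^\[\d+:\d+\]\s+")


def parse_iptables_save(text):
    """Return (table, chain, tokens) for every -A rule in an iptables-save dump."""
    rules = []
    table = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines
        if line.startswith("*"):
            table = line[1:]              # "*raw" -> current table name
            continue
        if line.startswith(":") or line == "COMMIT":
            continue                      # chain policy lines, table terminator
        tokens = shlex.split(COUNTER_RE.sub("", line))
        if len(tokens) >= 2 and tokens[0] == "-A":
            rules.append((table, tokens[1], tokens))
    return rules


def rule_interfaces(tokens):
    """Interface names given to -i / -o in one rule (a preceding '!' is ignored)."""
    return {tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok in ("-i", "-o")}


def interface_present(name, host_links):
    """True if `name` (honouring iptables' trailing '+' wildcard) matches a host link."""
    if name.endswith("+"):
        return any(link.startswith(name[:-1]) for link in host_links)
    return name in host_links


def stale_interface_rules(text, host_links):
    """Rules bound to an interface the host does not currently have."""
    stale = []
    for table, chain, tokens in parse_iptables_save(text):
        missing = sorted(i for i in rule_interfaces(tokens)
                         if not interface_present(i, host_links))
        if missing:
            stale.append((table, chain, missing, " ".join(tokens)))
    return stale


if __name__ == "__main__":
    for table, chain, missing, rule in stale_interface_rules(SAMPLE_RULES, HOST_LINKS):
        print(f"[{table}/{chain}] unknown interface {', '.join(missing)}: {rule}")
```

Run against this page's data it reports both raw-table PREROUTING rules (the hosting-prefix ACCEPT and the rpfilter DROP) as bound to the unknown `enp3s0f1.30`; the three filter rules carry no interface match and pass. On a live host, feed it `iptables-save -c` output and the names from `ip -o link show` instead of the embedded samples.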
machines/grifon/asbr03.txt · Last modified: 2024/10/02 09:23 by alarig