ASBR02

Main role: secondary BGP router

Physical machine (APU)

Linux asbr02.cogent-rns.grifon.fr 4.14.152-gentoo #1 SMP Sat Nov 16 14:37:48 CET 2019 x86_64 Intel(R) Xeon(R) CPU X3450 @ 2.67GHz GenuineIntel GNU/Linux

Hardware configuration:

  • Intel(R) Xeon(R) CPU X3450 @ 2.67GHz
  • 4 GB of RAM
  • eno0: IPMI
  • eno1: Admin
  • enp3s0f0: WAN
  • enp3s0f1: LAN
asbr02 ~ # ethtool -i enp3s0f0
driver: igb
version: 5.4.0-k
firmware-version: 1.5.1
expansion-rom-version: 
bus-info: 0000:03:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: yes
asbr02 ~ # ethtool -i eno1
driver: bnx2
version: 2.2.6
firmware-version: 6.2.12 bc 5.2.3 NCSI 2.0.11
expansion-rom-version: 
bus-info: 0000:05:00.0
supports-statistics: yes
supports-test: yes
supports-eeprom-access: yes
supports-register-dump: yes
supports-priv-flags: no

03:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
        Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
        Kernel driver in use: igb
03:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
        Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
        Kernel driver in use: igb
04:00.0 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
        Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
        Kernel driver in use: igb
04:00.1 Ethernet controller: Intel Corporation 82576 Gigabit Network Connection (rev 01)
        Subsystem: Intel Corporation Gigabit ET Quad Port Server Adapter
        Kernel driver in use: igb
05:00.0 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
        Subsystem: Dell NetXtreme II BCM5716 Gigabit Ethernet
        Kernel driver in use: bnx2
05:00.1 Ethernet controller: Broadcom Inc. and subsidiaries NetXtreme II BCM5716 Gigabit Ethernet (rev 20)
        Subsystem: Dell NetXtreme II BCM5716 Gigabit Ethernet
        Kernel driver in use: bnx2

Services:

  • ntpd
  • iptables
  • snmpd (to gurvant's LibreNMS)
  • munin-node
  • smartctl
  • nrpe (BGP session monitoring)
  • bird2 (bgp, ospf)

Administrators:

  • alarig
  • petrus
  • gizmo
  • dotux
  • nemo

Network configuration (partially up to date)

  • enp3s0f0, interface with no IP
    • enp3s0f0.20, interconnect with Cogent
    • enp3s0f0.22, interconnect with Breizh-IX
    • enp3s0f0.50, interconnect with Quantic
  • enp3s0f1, grifon network interface (no IP)
    • enp3s0f1.30, data VLAN
    • enp3s0f1.31, VPN interconnect
    • enp3s0f1.32, ADSL interconnect
    • enp3s0f1.41, iBGP interconnect
    • enp3s0f1.100, transit delivery for petrus
    • enp3s0f1.101, transit delivery for guizmo34
    • enp3s0f1.102, transit delivery for AS112
  • eno1, IPMI interface
  • eno2, admin LAN interface
  • gre1, backup tunnel for Stolon
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo                                                                                                                               
       valid_lft forever preferred_lft forever        
    inet6 ::1/128 scope host                                                              
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000                                                                                                
    link/ether bc:30:5b:df:9d:03 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether bc:30:5b:df:9d:04 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.10/24 brd 172.17.0.255 scope global eno2                                                                                                                           
       valid_lft forever preferred_lft forever        
    inet6 fd00:1e02:40::a/64 scope global                                                 
       valid_lft forever preferred_lft forever
    inet6 fe80::be30:5bff:fedf:9d04/64 scope link                                                                                                                                    
       valid_lft forever preferred_lft forever        
4: enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6898/64 scope link                                                                                                                                     
       valid_lft forever preferred_lft forever        
5: enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000                                                                                    
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6899/64 scope link                                                                                                                                     
       valid_lft forever preferred_lft forever        
6: enp4s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000                                                                                            
    link/ether 00:1b:21:48:68:9c brd ff:ff:ff:ff:ff:ff
7: enp4s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:1b:21:48:68:9d brd ff:ff:ff:ff:ff:ff
8: enp3s0f0.20@enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 149.6.72.99/29 brd 149.6.72.103 scope global enp3s0f0.20   
       valid_lft forever preferred_lft forever
    inet6 2001:978:2:4e::5:3/112 scope global  
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link 
       valid_lft forever preferred_lft forever
9: enp3s0f0.21@enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 46.18.103.42/30 brd 46.18.103.43 scope global enp3s0f0.21
       valid_lft forever preferred_lft forever
    inet6 2a02:2778:2:102::2/64 scope global  
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link 
       valid_lft forever preferred_lft forever
10: enp3s0f0.22@enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 185.1.89.13/24 brd 185.1.89.255 scope global enp3s0f0.22
       valid_lft forever preferred_lft forever
    inet6 2001:7f8:b1::d/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link 
       valid_lft forever preferred_lft forever
11: enp3s0f0.50@enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet 169.254.1.3/29 brd 169.254.1.7 scope global enp3s0f0.50
       valid_lft forever preferred_lft forever
    inet6 2a06:e040:3501:101:2::3/80 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6898/64 scope link 
       valid_lft forever preferred_lft forever
12: enp3s0f0.104@enp3s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:98 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::21b:21ff:fe48:6898/64 scope link 
       valid_lft forever preferred_lft forever
13: enp3s0f1.30@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.6/27 brd 89.234.186.31 scope global enp3s0f1.30
       valid_lft forever preferred_lft forever
    inet 80.67.190.195/27 brd 80.67.190.223 scope global enp3s0f1.30
       valid_lft forever preferred_lft forever
    inet6 2a00:5884::6/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
14: enp3s0f1.33@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.34/27 brd 89.234.186.63 scope global enp3s0f1.33
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:6::2/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
15: enp3s0f1.100@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 2a00:5884:0:100::2/112 scope global  
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
16: enp3s0f1.101@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet6 2a00:5884:0:101::2/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
17: enp3s0f1.102@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.130/29 brd 89.234.186.135 scope global enp3s0f1.102
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::1:2/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
18: enp3s0f1.105@enp3s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:1b:21:48:68:99 brd ff:ff:ff:ff:ff:ff
    inet 89.234.186.202/29 brd 89.234.186.207 scope global enp3s0f1.105
       valid_lft forever preferred_lft forever
    inet6 2a00:5884:0:100::3:2/112 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::21b:21ff:fe48:6899/64 scope link 
       valid_lft forever preferred_lft forever
19: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
20: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
21: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
22: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 149.6.72.99 peer 46.182.210.14
    inet 89.234.146.54 peer 89.234.146.55/32 scope global gre1
       valid_lft forever preferred_lft forever
    inet6 2a00:5880:1400:b00b:b00b:b00b::/127 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::200:5efe:9506:4863/64 scope link 
       valid_lft forever preferred_lft forever

System configuration (partially up to date)

/etc/rc.conf
hostname="budic.cogent-rns.grifon.fr"
keymap="fr"
ifconfig_bce1="inet 172.17.0.10/24"

ifconfig_igb0="up"
ifconfig_igb1="up"
defaultrouter="149.6.72.97"
ipv6_defaultrouter="2001:978:2:4e::5:1"

gateway_enable="YES"
ipv6_gateway_enable="YES"

ntpdate_enable="YES"
ntpdate_hosts="89.234.186.7"
syslogd_enable="YES"
syslogd_flags="-ss"

sshd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"

# pf
pf_enable="YES"
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup
pflogd_enable="YES"

# SNMP
snmpd_enable="YES"
snmpd_flags="-a"
snmpd_conffile="/usr/local/etc/snmpd.conf"
snmptrapd_enable="YES"
snmptrapd_flags="-a -p /var/run/snmptrapd.pid"
bsnmpd_enable="YES"

# munin
munin_node_enable="YES"

# smartctl
smartd_enable="YES"

# NRPE
nrpe3_enable="YES"

# https://grifon.fr/comptes-rendus/2016-06-06_reunion-hackerspace.html#quagga-ou-bird
bird_enable="YES"
bird6_enable="YES"

# IPv6 static routes
/etc/conf.d/net
config_eno2="172.17.0.10/24 fd00:1e02:40::a/64"

config_enp3s0f0="null"             
config_enp3s0f1="null"

vlans_enp3s0f0="20 21 22 50"

config_enp3s0f0_20="149.6.72.99/29 2001:978:2:4e::5:3/112"
config_enp3s0f0_21="46.18.103.42/30 2a02:2778:2:0102::2/64"
config_enp3s0f0_22="185.1.89.13/24 2001:7f8:b1::d/64"
config_enp3s0f0_50="169.254.1.3/29 2a06:e040:3501:0101:0002::3/80"

vlans_enp3s0f1="30 33 100 101 102 105"

config_enp3s0f1_30="89.234.186.6/27 80.67.190.195/27 2a00:5884::6/64"
config_enp3s0f1_33="89.234.186.34/27 2a00:5884:0:6::2/64"
config_enp3s0f1_100="2a00:5884:0:100::2/112"
config_enp3s0f1_101="2a00:5884:0:101::2/112"
config_enp3s0f1_102="89.234.186.130/29 2a00:5884:0:100::1:2/112"
config_enp3s0f1_105="89.234.186.202/29 2a00:5884:0:100::3:2/112"

# Stolon
iptunnel_gre1="mode gre remote 46.182.210.14 local 149.6.72.99 ttl 255"
config_gre1="89.234.146.54 peer 89.234.146.55
2a00:5880:1400:b00b:b00b:b00b::/127"

postup() {
        ip link set eno2 alias "Core: admin"
        ip link set enp3s0f0.20 alias "Transit: cogent"
        ip link set enp3s0f0.21 alias "Transit: netensia"
        ip link set enp3s0f0.22 alias "Peering: breizhix"
        ip link set enp3s0f0.50 alias "Transit: quantic"
        ip link set enp3s0f1.30 alias "Core: hosting"
        ip link set enp3s0f1.33 alias "Core: backbone"
        ip link set enp3s0f1.100 alias "Cust: petrus"
        ip link set enp3s0f1.101 alias "Cust: guizmo34"
        ip link set enp3s0f1.102 alias "Cust: AS112"
        ip link set enp3s0f1.105 alias "Cust: nemo"
        ip link set gre1 alias "Cust: Stolon"
        # Physical machine NUC TTNN
        ip -6 route add 2a00:5884:128::/48 via fe80::96c6:91ff:feaa:d4ee dev enp3s0f1.30
        # Physical machine RPi Meseira
        ip -6 route add 2a00:5884:134::/48 via fe80::ba27:ebff:fee2:fd5f dev enp3s0f1.30
        # Physical machine NAS Nemo
        ip -6 route add 2a00:5884:104::/48 via fe80::471:11ff:fe80:e379 dev enp3s0f1.30
}

Firewall (iptables)

IPv4

/var/lib/iptables/rules-save
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [132234153727:93632518659386]
:INPUT ACCEPT [1178873036:128728540617]
:FORWARD ACCEPT [130606185646:93319042146056]
:OUTPUT ACCEPT [1424650747:295422619851]
:POSTROUTING ACCEPT [132030342852:93614371016984]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019

IPv6

/var/lib/ip6tables/rules-save
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [1986857:626283728]
:OUTPUT ACCEPT [88819:17155151]
[19412:1526783] -A PREROUTING -d 2a00:5884::/64 -i enp3s0f1.30 -j ACCEPT
[0:0] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*mangle
:PREROUTING ACCEPT [11347829482:6010020980272]
:INPUT ACCEPT [401028762:53267790995]
:FORWARD ACCEPT [10860741310:5947615657952]
:OUTPUT ACCEPT [471704985:150519751283]
:POSTROUTING ACCEPT [11332341239:6098127808893]
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
# Generated by ip6tables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*filter
:INPUT ACCEPT [67118:6418660]
:FORWARD ACCEPT [1931788:624945312]
:OUTPUT ACCEPT [89251:17246365]
[785719:56571768] -A INPUT ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[2266:199462] -A FORWARD ! -s fd00:1e02:40::/64 -d fd00:1e02:40::/64 -j DROP
[102859:7405848] -A OUTPUT -s fd00:1e02:40::/64 ! -d fd00:1e02:40::/64 -j DROP
COMMIT
# Completed on Sat Nov 16 14:47:37 2019
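Added example, not part of this page nor of grifon's own tooling: a small Python audit that parses an iptables-save dump and checks for the two protections the rules above implement, the rpfilter DROP on enp3s0f1.30 in the raw table (anti-spoofing on the hosting VLAN, with the counter of packets it has already dropped) and a DROP rule per filter chain for the private range 172.16.0.0/12, then lists chains whose default policy is ACCEPT. SAMPLE_V4 is a copy of the page's IPv4 rules with the mangle counters zeroed to keep it short; the same parser and checks work on the ip6tables dump with fd00:1e02:40::/64 as the prefix.

```python
"""Audit an iptables-save dump for strict reverse-path filtering on the hosting
VLAN and containment of the private range.  Added example, not part of the wiki
page or of grifon.fr's own tooling.  SAMPLE_V4 copies the page's IPv4 rules
(mangle counters zeroed); the interface and prefix passed to audit() are the
values the page uses."""
import re

SAMPLE_V4 = """\
# Generated by iptables-save v1.6.1 on Sat Nov 16 14:47:37 2019
*raw
:PREROUTING ACCEPT [21304832:11386992336]
:OUTPUT ACCEPT [288699:56274724]
[88918:9728560] -A PREROUTING -d 89.234.186.0/27 -i enp3s0f1.30 -j ACCEPT
[12:480] -A PREROUTING -i enp3s0f1.30 -m rpfilter --invert -j DROP
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [233515:25224294]
:FORWARD ACCEPT [19601882:10307523144]
:OUTPUT ACCEPT [281849:55139719]
[1:40] -A INPUT -s 172.16.0.0/12 ! -d 172.16.0.0/12 -j DROP
[493095:93640260] -A FORWARD ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
[169:12320] -A OUTPUT ! -s 172.16.0.0/12 -d 172.16.0.0/12 -j DROP
COMMIT
"""

# ":CHAIN POLICY [pkts:bytes]"; the policy is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
# optional "[pkts:bytes]" counters (present with iptables-save -c), then "-A CHAIN spec"
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")


def parse_save(text):
    """Parse iptables-save / ip6tables-save output.
    Returns {table: {"policies": {chain: policy}, "rules": [(chain, spec, pkts)]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError(f"line outside a table: {line}")
        elif (m := CHAIN_RE.match(line)):
            tables[table]["policies"][m.group(1)] = m.group(2)
        elif (m := RULE_RE.match(line)):
            tables[table]["rules"].append((m.group(3), m.group(4), int(m.group(1) or 0)))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return tables


def audit(tables, lan_if, private_net):
    """Check the dump against the policy the page's rules implement and report gaps."""
    result = {"missing": [], "accept_policies": [], "rpf_drops": 0}

    # 1. raw/PREROUTING must drop packets arriving on lan_if whose source fails
    #    the reverse-path check ("-m rpfilter --invert" matches the failures).
    rpf = [pkts for chain, spec, pkts in tables.get("raw", {}).get("rules", [])
           if chain == "PREROUTING" and f"-i {lan_if}" in spec
           and "-m rpfilter --invert" in spec and spec.endswith("-j DROP")]
    if rpf:
        result["rpf_drops"] = sum(rpf)  # spoofed packets the rule has already dropped
    else:
        result["missing"].append(f"raw/PREROUTING: no rpfilter DROP for {lan_if}")

    # 2. filter/INPUT, FORWARD and OUTPUT must each carry a DROP rule that keeps
    #    private_net traffic from crossing the public/private boundary.
    filt = tables.get("filter", {"policies": {}, "rules": []})
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if not any(c == chain and private_net in spec and spec.endswith("-j DROP")
                   for c, spec, _ in filt["rules"]):
            result["missing"].append(f"filter/{chain}: no DROP rule for {private_net}")

    # 3. Chains whose default policy is ACCEPT: anything not caught by an explicit
    #    DROP above is let through, worth keeping in view on an Internet-facing router.
    result["accept_policies"] = [c for c, pol in filt["policies"].items() if pol == "ACCEPT"]
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(audit(parse_save(SAMPLE_V4), "enp3s0f1.30", "172.16.0.0/12"), indent=2))
```

On a live box the dump comes from `iptables-save -c` (or `ip6tables-save -c`), which emits the same format with counters; run the audit against that output instead of SAMPLE_V4 to catch a rule that was dropped from /var/lib/iptables/rules-save or never reloaded after a reboot.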
machines/grifon/asbr02.txt · Last modified: 2019/11/16 15:02 by alarig