Intercontext routing for IPv6

Configuration:

context local

interface first-isis-intf intercontext p2p 1
  ipv6 address 10::1/64

interface router-A-id loopback
  ipv6 address 194::100/128

router isis my-backbone
  net 47.0001.1111.2222.3333.00
  is type level-1
  no address-family ipv4 unicast
  address-family ipv6 unicast
   redistribute connected level-1
   redistribute static level-1
 !
  interface router-A-id
   passive-interface
   no address-family ipv4 unicast
   address-family ipv6 unicast
 !
  interface first-isis-intf
   no address-family ipv4 unicast
   address-family ipv6 unicast

context clips

interface eth-10-1 intercontext p2p 1
  ipv6 address 10::2/64

interface router-B-id loopback
  ipv6 address 192::200/128

router isis my-backbone
  net 47.0001.0001.0002.0003.00
  is type level-1
  no address-family ipv4 unicast
  address-family ipv6 unicast
   redistribute connected level-1
   redistribute static level-1
 !
  interface router-B-id
   passive-interface
   no address-family ipv4 unicast
   address-family ipv6 unicast
 !
  interface eth-10-1
   no address-family ipv4 unicast
   address-family ipv6 unicast

Verification

[local]Train-3#ping ipv6 192::200 source 194::100
PING6 192::200 : 8 data bytes
timeout is 1 second, source 194::100
!!!!!

--- 192::200 ping6 statistics ---
5 packets transmitted, 5 packets received, 0.00000% packet loss
round-trip min/avg/max/std-dev = 1.713/1.951/2.111/0.131 ms



[local]Train-3#sh ipv6 rout
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
       O   - OSPF, O3  - OSPFv3, IA - OSPF(v3) inter-area,
       N1  - OSPF(v3) NSSA external type 1, N2  - OSPF(v3) NSSA external type 2
       E1  - OSPF(v3) external type 1, E2  - OSPF(v3) external type 2
       i   - IS-IS, L1 - IS-IS level-1,  L2  - IS-IS level-2, N - NAT
       IPH - IP Host, SUB A - Subscriber address, SUB S - Subscriber static
       SUB P - AAA downloaded aggregate subscriber routes
       SUB N - Subscriber ND, SUB D - Subscriber DHCP-PD
       M F - Mobile Sub Foreign Agent, M H - Mobile Sub Home Agent,
       M G - Mobile Sub GTP
       E P - EPS Aggregate(Prefix), E A - EPS Address, E S - EPS Static
       ICR - Inter-Chassis Resilience
       EPG - Evolved Packet Gateway
       A - Derived Default, MeH - Media Nexthop
       TSC - tunnel shortcut
       >   - Active Route, * - LSP

Type    Network              Next Hop        Dist    Metric    UpTime  Interface
> C     10::/64                                 0         0  00:32:26  first-isis-intf
> i L1  192::200/128                          115        11  00:10:02
> C     194::100/128         194::100           0         0  00:33:05  router-A-id



[clips]Train-3#sh ipv6 interf brief
Fri Apr  8 09:26:40 2016
Name              Address                   MTU   State    Bindings
eth-10-1          10::2/64                  1500  Up       (inter-cxt-p2p)
router-B-id       192::200/128              1500  Up       (Loopback)
[clips]Train-3#sh ipv6 rout
Codes: C - connected, S - static, S dv - dvsr, R - RIP, e B - EBGP, i B - IBGP
       O   - OSPF, O3  - OSPFv3, IA - OSPF(v3) inter-area,
       N1  - OSPF(v3) NSSA external type 1, N2  - OSPF(v3) NSSA external type 2
       E1  - OSPF(v3) external type 1, E2  - OSPF(v3) external type 2
       i   - IS-IS, L1 - IS-IS level-1,  L2  - IS-IS level-2, N - NAT
       IPH - IP Host, SUB A - Subscriber address, SUB S - Subscriber static
       SUB P - AAA downloaded aggregate subscriber routes
       SUB N - Subscriber ND, SUB D - Subscriber DHCP-PD
       M F - Mobile Sub Foreign Agent, M H - Mobile Sub Home Agent,
       M G - Mobile Sub GTP
       E P - EPS Aggregate(Prefix), E A - EPS Address, E S - EPS Static
       ICR - Inter-Chassis Resilience
       EPG - Evolved Packet Gateway
       A - Derived Default, MeH - Media Nexthop
       TSC - tunnel shortcut
       >   - Active Route, * - LSP

Type    Network              Next Hop        Dist    Metric    UpTime  Interface
> C     10::/64                                 0         0  00:53:35  eth-10-1
> C     192::200/128         192::200           0         0  00:50:59  router-B-id
> i L1  194::100/128                          115        11  00:10:50
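
Before trusting the ping, it is worth checking the things a level-1 adjacency actually depends on. The script below is an added example, not part of the original post: it parses a trimmed copy of the two contexts above and verifies that both ends of the intercontext p2p link use the same p2p id and prefix, that both NETs share an area (level-1 neighbours must be in the same area) with distinct system IDs, and that both routers are level-1. It assumes the standard ISO NET layout (area, then a 6-byte system ID written as three groups of four hex digits, then the NSEL 00); the config text and regexes are mine.

```python
"""Added example (not from the original post): consistency checks for an
intercontext IS-IS level-1 pair, run on a trimmed copy of the page's config.

Assumption: NET = area + 6-byte system ID (3 x 4 hex digits) + 1-byte NSEL,
which is the ISO NET format the page's NETs follow."""
import ipaddress
import re

CONFIG = """\
context local
interface first-isis-intf intercontext p2p 1
  ipv6 address 10::1/64
interface router-A-id loopback
  ipv6 address 194::100/128
router isis my-backbone
  net 47.0001.1111.2222.3333.00
  is type level-1
context clips
interface eth-10-1 intercontext p2p 1
  ipv6 address 10::2/64
interface router-B-id loopback
  ipv6 address 192::200/128
router isis my-backbone
  net 47.0001.0001.0002.0003.00
  is type level-1
"""


def parse_net(net):
    """Split a NET into (area, system-id, nsel); raises on a malformed value."""
    groups = net.lower().split(".")
    if len(groups) < 5:
        raise ValueError(f"NET too short: {net}")
    area, sysid, nsel = ".".join(groups[:-4]), ".".join(groups[-4:-1]), groups[-1]
    if not re.fullmatch(r"[0-9a-f]{4}(\.[0-9a-f]{4}){2}", sysid):
        raise ValueError(f"bad system ID in {net}")
    if nsel != "00":
        raise ValueError(f"NSEL must be 00 for a router NET: {net}")
    return area, sysid, nsel


def parse_contexts(text):
    """Collect per context: intercontext p2p id/address, NET parts and IS type."""
    ctxs, cur, in_p2p = {}, None, False
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"context (\S+)$", s):
            cur, in_p2p = ctxs.setdefault(m.group(1), {}), False
        elif cur is None:
            continue
        elif m := re.match(r"interface (\S+) intercontext p2p (\d+)$", s):
            cur["p2p_intf"], cur["p2p_id"], in_p2p = m.group(1), int(m.group(2)), True
        elif s.startswith("interface "):
            in_p2p = False                      # loopbacks etc. are not the p2p link
        elif (m := re.match(r"ipv6 address (\S+)$", s)) and in_p2p:
            cur["p2p_addr"] = ipaddress.IPv6Interface(m.group(1))
        elif m := re.match(r"net (\S+)$", s):
            cur["area"], cur["sysid"], _ = parse_net(m.group(1))
        elif m := re.match(r"is type (\S+)$", s):
            cur["is_type"] = m.group(1)
    return ctxs


def check_pair(ctxs, a, b):
    """Return the list of problems that would stop a level-1 adjacency forming."""
    x, y, problems = ctxs[a], ctxs[b], []
    if x.get("p2p_id") != y.get("p2p_id"):
        problems.append("intercontext p2p ids differ")
    if x["p2p_addr"].network != y["p2p_addr"].network:
        problems.append("p2p addresses are not in the same prefix")
    if x["p2p_addr"].ip == y["p2p_addr"].ip:
        problems.append("both ends use the same p2p address")
    if x["area"] != y["area"]:
        problems.append(f"area mismatch ({x['area']} vs {y['area']}): level-1 needs a common area")
    if x["sysid"] == y["sysid"]:
        problems.append("duplicate system ID")
    if x.get("is_type") != "level-1" or y.get("is_type") != "level-1":
        problems.append("both routers should be is type level-1")
    return problems


if __name__ == "__main__":
    ctxs = parse_contexts(CONFIG)
    print(check_pair(ctxs, "local", "clips") or "config looks consistent")
```

Change one digit of the area in either NET and check_pair reports the mismatch, which is exactly the silent failure mode where both routers come up cleanly but never learn each other's loopback.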


Retention on Cisco Nexus 3000 series and related

monitor session 1 
  description monitorowania-polaczen
  filter access-group retencja
  source interface port-channel1 rx
  destination interface Ethernet1/45
  no shut

ip access-list retencja
  100 permit tcp any any syn 
  101 permit tcp any any fin 

The session mirrors only the ingress (rx) direction of port-channel1 and, because of the filter ACL, only TCP segments with the SYN or FIN flag set (note that syn also matches SYN/ACK). RST is not matched, so a connection torn down with a reset never shows a close.

BASH script as in https://hunta.pl/2019/01/16/retencja-d-link-3120/
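
What a retention process on the capture host has to do with those mirrored packets is turn SYN/FIN pairs into connection records. The script below is an added example, not the bash script linked above: it assumes the capture host runs tcpdump on the destination port and reads tcpdump's text output, and the sample lines are constructed for the example.

```python
"""Added example, not the page's script: build connection records from the
SYN/FIN packets the SPAN session above delivers.

Assumption: input is tcpdump text output ("HH:MM:SS.us IP a.b.c.d.port > ...");
the SAMPLE lines are constructed, not captured."""
import re

# Constructed sample: one full connection (SYN, SYN/ACK, FIN, FIN) and one that
# only opened. With the page's ACL nothing else reaches the capture port.
SAMPLE = """\
09:26:40.100000 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
09:26:40.120000 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
09:26:41.300000 IP 10.0.0.5.51234 > 93.184.216.34.443: Flags [F.], seq 300, ack 900, win 501, length 0
09:26:41.310000 IP 93.184.216.34.443 > 10.0.0.5.51234: Flags [F.], seq 900, ack 301, win 501, length 0
09:26:42.000000 IP 10.0.0.7.40000 > 10.0.0.9.22: Flags [S], seq 5, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def build_records(text):
    """Return one record per TCP connection: who opened it, when, and when it closed."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                    # not a TCP line we understand
        a = (m["src"], int(m["sport"]))
        b = (m["dst"], int(m["dport"]))
        key = tuple(sorted((a, b)))                     # direction-independent key
        rec = conns.setdefault(key, {"client": None, "server": None,
                                     "start": None, "end": None, "fins": 0})
        flags = m["flags"]
        if "S" in flags and "." not in flags:           # pure SYN: the initiator's first packet
            if rec["start"] is None:                    # a retransmitted SYN keeps the first time
                rec["start"], rec["client"], rec["server"] = m["ts"], a, b
        elif "F" in flags:                              # FIN from either side
            rec["fins"] += 1
            rec["end"] = m["ts"]                        # last FIN seen is the close time
        # SYN/ACK ("S.") carries no new information here and is ignored
    out = []
    for key, rec in conns.items():
        client, server = (rec["client"], rec["server"]) if rec["client"] else key
        state = {0: "open", 1: "half-closed"}.get(rec["fins"], "closed")
        out.append({"client": client, "server": server, "start": rec["start"],
                    "end": rec["end"], "state": state})
    out.sort(key=lambda r: (r["start"] is None, r["start"] or ""))
    return out


if __name__ == "__main__":
    for r in build_records(SAMPLE):
        print(f"{r['client'][0]}:{r['client'][1]} -> {r['server'][0]}:{r['server'][1]} "
              f"start={r['start']} end={r['end']} {r['state']}")
```

Because the ACL's syn keyword also matches SYN/ACK, the direction of a connection is taken from the pure SYN only. Connections aborted with RST never get an end time with this ACL; add a permit for rst to the access-list if that matters for the retention records.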

GIT cloning and push

If we do git clone https://github.com/zxc/repo.git and then:

git push origin master
Username for 'https://github.com': zxc
Password for 'https://zxc@github.com':
remote: Invalid username or password.
fatal: Authentication failed for 'https://github.com/zxc/repo.git/'

The solution is to clone over SSH rather than HTTPS (or, staying on HTTPS, to authenticate with a personal access token instead of the account password).

An existing repository can be switched with:

git remote set-url origin git@github.com:username/repo.git

More on the page Switching remote URLs from HTTPS to SSH

PS: Of course, for this to work the public key has to be added to GitHub first.

Protecting SSH access to SmartEdge

ACL attached to interface 2/3

Only SSH traffic from host 192.168.2.2 is allowed in through interface 2/3 (seq 10); SSH from any other source is dropped by seq 20; all remaining IP traffic from any host or network is accepted (seq 30). The ACL is bound to 2/3 only, so SSH arriving on 2/2 is not filtered by it.

!
context test
!
 no ip domain-lookup
!
 interface 2/2
  ip address 192.168.1.2/24
!
 interface 2/3
  ip address 192.168.2.1/24
  ip access-group ACL-1 in
!
 interface llop1 loopback
  ip address 20.20.20.20/32
 no logging console
!
 ip access-list ACL-1 ssh-and-telnet-acl
  seq 10 permit tcp host 192.168.2.2 any eq ssh max-sessions 5 min-sessions 0
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 enable encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 administrator admin encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 ip route 0.0.0.0/0 192.168.1.1
 service ftp client
 service ssh
 service telnet
!
!
!
!
End

Using admin-access-group ACL-2 in

Unlike the example above, ACL-2 is attached to the context rather than to an interface. The test context then accepts connections to its SSH service only from hosts 192.168.2.2 and 192.168.2.3, whichever interface they arrive on.

context test
!
 no ip domain-lookup
!
 interface 2/2
  ip address 192.168.1.2/24
!
 interface 2/3
  ip address 192.168.2.1/24
!
 interface llop1 loopback
  ip address 20.20.20.20/32
 no logging console
!
 ip access-list ACL-1 ssh-and-telnet-acl
  seq 10 permit tcp host 192.168.2.2 any eq ssh max-sessions 5 min-sessions 0
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 ip access-list ACL-2
  seq 10 permit tcp host 192.168.2.2 any eq ssh
  seq 15 permit tcp host 192.168.2.3 any eq ssh
  seq 20 deny tcp any any eq ssh
  seq 30 permit ip any any
!
 enable encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 administrator admin encrypted 1 $1$........$.nNQmFppgs3ECnFPrOgpx/
!
!
 ip route 0.0.0.0/0 192.168.1.1
 service ftp client
 service ssh
 service telnet
!
 admin-access-group ACL-2 in
!
!
!
!
end
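
To make the difference between the two bindings concrete, the script below is an added example (not from the original post): a first-match evaluator for the two ACLs above, with ACL-1 bound to interface 2/3 and ACL-2 applied as admin-access-group. It assumes, as on most platforms, that an ACL ends with an implicit deny, that an interface ACL sees only packets entering that interface, and it models admin-access-group as applying to packets addressed to any of the context's own interface addresses regardless of ingress interface.

```python
"""Added example, not from the original post: first-match ACL evaluation for
ACL-1 (interface 2/3) versus ACL-2 (admin-access-group) in context "test".

Assumptions: implicit deny at the end of an ACL; interface ACLs only see
packets entering that interface; admin-access-group is modelled as
filtering packets addressed to the router's own interface addresses."""
import ipaddress

PORTS = {"ssh": 22, "telnet": 23}

ACL_1 = """
seq 10 permit tcp host 192.168.2.2 any eq ssh
seq 20 deny tcp any any eq ssh
seq 30 permit ip any any
"""
ACL_2 = """
seq 10 permit tcp host 192.168.2.2 any eq ssh
seq 15 permit tcp host 192.168.2.3 any eq ssh
seq 20 deny tcp any any eq ssh
seq 30 permit ip any any
"""
# Context "test" from the page: interface -> its address
ROUTER_ADDRS = {"2/2": "192.168.1.2", "2/3": "192.168.2.1", "llop1": "20.20.20.20"}


def _addr(tok, i):
    """Parse `any`, `host A.B.C.D` or a CIDR prefix starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def parse_acl(text):
    """Parse 'seq N permit|deny PROTO SRC DST [eq PORT]' lines into rule tuples."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "seq":
            continue
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            dport = int(PORTS.get(tok[i + 1], tok[i + 1]))
        rules.append((int(tok[1]), tok[2], tok[3], src, dst, dport))
    return rules


def evaluate(rules, pkt):
    """Return (seq, action) of the first matching rule, or (None, 'deny')."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for seq, action, proto, rsrc, rdst, rport in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if src not in rsrc or dst not in rdst:
            continue
        if rport is not None and rport != pkt.get("dport"):
            continue
        return seq, action
    return None, "deny"          # implicit deny at the end of every ACL


def interface_acl(pkt, ingress, bindings):
    """Interface ACL: only packets entering an interface with a bound ACL are checked."""
    acl = bindings.get(ingress)
    return "permit" if acl is None else evaluate(acl, pkt)[1]


def admin_access(pkt, acl):
    """admin-access-group: checked for traffic addressed to the router itself."""
    if pkt["dst"] not in ROUTER_ADDRS.values():
        return "permit"          # transit traffic is not the admin ACL's business
    return evaluate(acl, pkt)[1]


def compare(pkt, ingress):
    """(decision with ACL-1 on 2/3, decision with ACL-2 as admin-access-group)."""
    return (interface_acl(pkt, ingress, {"2/3": parse_acl(ACL_1)}),
            admin_access(pkt, parse_acl(ACL_2)))


if __name__ == "__main__":
    cases = [
        ("ssh from allowed host on 2/3", dict(proto="tcp", src="192.168.2.2", dst="192.168.2.1", dport=22), "2/3"),
        ("ssh from other host on 2/3", dict(proto="tcp", src="192.168.2.9", dst="192.168.2.1", dport=22), "2/3"),
        ("ssh from 192.168.2.3 on 2/3", dict(proto="tcp", src="192.168.2.3", dst="192.168.2.1", dport=22), "2/3"),
        ("ssh to router via 2/2 (no interface ACL)", dict(proto="tcp", src="192.168.1.50", dst="192.168.1.2", dport=22), "2/2"),
        ("https transit via 2/3", dict(proto="tcp", src="192.168.2.9", dst="10.1.1.1", dport=443), "2/3"),
    ]
    for name, pkt, intf in cases:
        i, a = compare(pkt, intf)
        print(f"{name:44s} interface-ACL={i:6s} admin-access-group={a}")
```

The fourth case is the one that matters: with only the interface ACL on 2/3, SSH arriving on 2/2 reaches the service unfiltered, while the context-level admin-access-group denies it. Conversely the interface ACL is the only one of the two that touches transit traffic, which is why both keep the final permit ip any any.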

SmartEdge: Simple NAPT configuration

Rules: how to apply NAT

  • A NAT policy must be applied to incoming traffic
  • The IP address of the outgoing interface cannot be used in the NAT pool
  • The NAT pool must be on a separate subnet (not part of the interface subnet)
  • With dynamic NAT a route of type NAT is created automatically (no extra route configuration needed)
  • With static NAT an extra route must be added (ip route 6.6.6.0/24 1.1.2.2) pointing at the NAT interface, so that returning packets reach it
  • After "clear ip route *" dynamic NAT stops working and the NAT policy must be re-applied on the interface (SEOS 6.2)
  • On a "multibind" interface, combining static and dynamic NAT does not work (only dynamic is operational); the pool should then be configured as multibind: ip nat pool my-pool napt multibind
  • A NAT policy can also be applied at subscriber level:
subscriber default
     ip address pool
     nat policy my-nat

Dynamic NAT:

A ping from the LAN context with any source address is NAT-ed in the local context on the LAN interface. For example, source address 1.1.2.2 is replaced by an address from POOL-1 (2.2.2.0/24, dynamic mapping) and the packet is routed to the WAN context.

Static NAT:

A ping from the LAN context sourced from 5.5.5.5 is NAT-ed in the local context on the LAN interface: 5.5.5.5 is replaced by 6.6.6.6 (static mapping) and the packet is routed to the WAN context.

Configuration

!
context local
!
 ip nat pool POOL-1 napt
  address 2.2.2.0/24
!
 nat policy POL-NAT
! Default class
  pool POOL-1 local
! Static rules
  ip static in source 5.5.5.5 6.6.6.6
!
 interface LAN
  ip address 1.1.2.1/24
  ip nat POL-NAT acl-counters
!
 interface WAN
  ip address 192.168.1.1/24
!
 ip route 0.0.0.0/0 192.168.1.2
 ip route 5.5.5.0/24 1.1.2.2
 ip route 6.6.6.0/24 1.1.2.2
 ip route 159.107.0.0/16 159.107.90.1
!
context WAN
!
 interface to-local
  ip address 192.168.1.2/24
 no logging console
!
 ip route 1.1.2.0/24 192.168.1.1
 ip route 1.1.3.0/24 192.168.1.1
 ip route 2.2.2.0/24 192.168.1.1
 ip route 6.6.6.0/24 192.168.1.1
!
context LAN
!
 interface Static loopback
  ip address 5.5.5.5/24
!
 interface to-local
  ip address 1.1.2.2/24
 no logging console
!
 ip route 0.0.0.0/0 1.1.2.1
!
! ** End Context **
!
card carrier 2
 mic 1 fe-12-port
!
port ethernet 2/1
 no shutdown
 medium-type copper
 bind interface to-local LAN
!
port ethernet 2/2
 no shutdown
 medium-type copper
 bind interface LAN local
!
port ethernet 2/3
 no shutdown
 bind interface WAN local
!
port ethernet 2/4
 no shutdown
 bind interface to-local WAN
!
end
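
The script below is an added example, not SmartEdge code, that models the POL-NAT policy above: the static source rule 5.5.5.5 -> 6.6.6.6 is checked first, everything else is NAPT-ed to POOL-1, and dynamic bindings expire after the idle timeouts that show nat policy POL-NAT detail reports further down. It assumes the pool's first address is used (the translation output on the page shows 2.2.2.0), that NAT ports are handed out sequentially from 1024, and that packets are (src, sport, dst, dport) tuples of one protocol.

```python
"""Added example, not the page's code: a toy model of the POL-NAT policy
(static rules first, default class NAPT to POOL-1) with idle timeouts.

Assumptions: pool's first address is used, ports allocated from 1024,
packets are (src, sport, dst, dport) tuples, one table per protocol."""
import ipaddress

# Idle timeouts in seconds, as printed for the default class on the page
TIMEOUTS = {"tcp": 86400, "udp": 120, "icmp": 60}


class Napt:
    def __init__(self, pool_net, static_rules, first_port=1024):
        self.pool_ip = str(ipaddress.ip_network(pool_net).network_address)
        self.static = dict(static_rules)                  # inside -> outside, port preserved
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port = first_port
        self.bindings = {}   # (proto, inside_ip, inside_port) -> [nat_port, last_seen]
        self.reverse = {}    # (proto, nat_port) -> (inside_ip, inside_port)

    def _expired(self, key, proto, now):
        return now - self.bindings[key][1] > TIMEOUTS[proto]

    def _drop(self, key, proto):
        nat_port = self.bindings.pop(key)[0]
        self.reverse.pop((proto, nat_port), None)

    def outbound(self, pkt, proto="udp", now=0.0):
        """LAN -> WAN: static rules win; otherwise allocate or refresh a NAPT binding."""
        src, sport, dst, dport = pkt
        if src in self.static:
            return (self.static[src], sport, dst, dport)
        key = (proto, src, sport)
        if key in self.bindings and self._expired(key, proto, now):
            self._drop(key, proto)                        # stale binding: start over
        if key not in self.bindings:
            self.bindings[key] = [self.next_port, now]
            self.reverse[(proto, self.next_port)] = (src, sport)
            self.next_port += 1
        self.bindings[key][1] = now
        return (self.pool_ip, self.bindings[key][0], dst, dport)

    def inbound(self, pkt, proto="udp", now=0.0):
        """WAN -> LAN: undo the mapping; unsolicited traffic to the pool is dropped (None)."""
        src, sport, dst, dport = pkt
        if dst in self.static_rev:
            return (src, sport, self.static_rev[dst], dport)
        if dst != self.pool_ip:
            return pkt                                    # not a NAT address: routed as-is
        inside = self.reverse.get((proto, dport))
        if inside is None:
            return None                                   # no binding -> drop
        key = (proto,) + inside
        if self._expired(key, proto, now):
            self._drop(key, proto)
            return None
        self.bindings[key][1] = now
        return (src, sport, inside[0], inside[1])


if __name__ == "__main__":
    nat = Napt("2.2.2.0/24", {"5.5.5.5": "6.6.6.6"})
    out = nat.outbound(("1.1.2.2", 40000, "192.168.1.2", 7))
    print("dynamic:", out, "->", nat.inbound(("192.168.1.2", 7, out[0], out[1])))
    print("static :", nat.outbound(("5.5.5.5", 40000, "192.168.1.2", 7)))
    print("expired:", nat.inbound(("192.168.1.2", 7, out[0], out[1]), now=200))
```

The static branch is why the page needs ip route 6.6.6.0/24 1.1.2.2 in local and ip route 6.6.6.0/24 192.168.1.1 in WAN: the reply is addressed to 6.6.6.6, and it must be routed towards the NAT interface before the rule can rewrite it back to 5.5.5.5, whereas the dynamic pool gets its route created automatically.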

Checking NAT translation

[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!

[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!

[local]Redback# show nat policy POL-NAT detail

Policy name              :  POL-NAT
Policy grid              :  0x1
Number of rules          :  1
Slot mask                :  0xc
Number of binds          :  1
  Circuit                :  2/2

Reference counters (in circuits * classes):
Slot     2
           1

Static NAT Rules:
In/Out  Protocol  Src-Addr  Port  NAT-Src-Addr  Port  NAT-Ctx-Id
in      ip        5.5.5.5   0     6.6.6.6       0     0x40080001

Class-Name  Action/  Pool-Grid/  Dest-IP-Addr/  Timeout(sec)  Admit-Ctrl
            P2MP     Context-Id  Context-Id

default     na[p]t   0x1                        tcp    86400
            Off      0x40080001                 udp    120
                                                finrst 240
                                                icmp   60
                                                syn    128
                                                basic  3600

Note: this is not an official command and should be used with extra care.

Its syntax may change in a new release:

Checking dynamic translations

[local]Redback# show card 2 nat ?
  circuit        Display circuit nat information
  counters       Display NAT counters (without drop counters)
  drop-counters  Display NAT drop counters
  log            NAT Message Log
  policy         Display policy information
  pool           Display pool information
  translation    Display translation information

[local]Redback# show context
Context Name               Context ID        VPN-RD               Description
------------------------------------------------------------------------------
local                      0x40080001

[local]Redback# show card 2 nat translation context 0x40080001 source any

Slot 2 Ingress:

 Type  IP From          IP To            Ports      Flag   Pointer     Ctx Flag
 Flag: D-Dynamic, R-remote, Z-dmz, A-admission, I-ignore translation,
       d-dest NAT, U - p2mp UDP
 NAPT  1.1.2.2          2.2.2.0          1990/0009  0x0014 0x50024440  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1991/0010  0x0014 0x500244a0  1/1 D
 NAPT  1.1.2.2          2.2.2.0          1989/0008  0x0014 0x500243e0  1/1 D

Checking static translation

[local]Redback# show card 2 nat circuit 2/2:1023:63/1/1/7 detail

 Circuit 2/2:1023:63/1/1/7 ingress
  Feature block pointer: 0x4ea8b4e0
  Policy: grid=1 version=1 pointer=0xf0536ae0
  Number src  rules: 1 ptr 0xf05877c0
  Number dst  rules: 0 ptr 0x0
  Number napt rules: 0 ptr 0x0
  Out nat ptr 0xd053c2c0 napt ptr 0xf053eac0
  class 0 ptr 0x4eaab500
 Rule table:
 Type     IP From          IP To            Ports      Csum    Idx   Ctx   Vrs
 src nat  5.5.5.5          6.6.6.6          0000/0000  0xfdfd  65    1     1

 Circuit 2/2:1023:63/1/1/7 egress
  Feature block pointer: 0x4ae2c520
  Policy: grid=1 version=1 pointer=0xd00eb240
  Number src  rules: 0 ptr 0x0
  Number dst  rules: 1 ptr 0xd09cf0e0
  Number napt rules: 0 ptr 0x0
 Rule table:
 Type     IP From          IP To            Ports      Csum    Idx   Ctx   Vrs
 dst nat  6.6.6.6          5.5.5.5          0000/0000  0x0202  129   1     1

Checking translation using an access-list

!
 ip access-list dyn
  seq 10 permit ip 2.2.2.0 0.0.0.255 any
  seq 15 permit ip host 6.6.6.6 any
  seq 20 permit ip any any
!
!
 interface to-local
  ip address 192.168.1.2/24
  ip access-group dyn in count log
 no logging console
!

[WAN]Redback# clear access-group ip-filter interface to-local in all
[WAN]Redback# show access-group ip-filter interface to-local in counters
Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         0  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         0  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any

[LAN]Redback# ping 192.168.1.2 source 5.5.5.5
PING 192.168.1.2 (192.168.1.2): source 5.5.5.5, 36 data bytes,
timeout is 1 second
!!!!!
[LAN]Redback# ping 192.168.1.2
PING 192.168.1.2 (192.168.1.2): source 1.1.2.2, 36 data bytes,
timeout is 1 second
!!!!!
[WAN]Redback# show access-group ip-filter interface to-local in counters

Circuit 2/4, slot 2, IPv4 access-list dyn, in, 3 rules

Hit Count:         0  No Match (Default)
Hit Count:         5  seq 10 permit ip 2.2.2.0 0.0.0.255 any
Hit Count:         5  seq 15 permit ip host 6.6.6.6 any
Hit Count:         0  seq 20 permit ip any any

Proxmox: problem with Kernel Samepage Merging

Every so often one of the VMs stopped working. The culprit turned out to be KSM, possibly a bug. The fix is trivial: just turn KSM off.

systemctl disable ksmtuned

Note that disable only stops ksmtuned from starting at the next boot; to stop it right away use systemctl disable --now ksmtuned, and echo 2 > /sys/kernel/mm/ksm/run stops ksmd and unmerges the pages it already shared.

Below is an excerpt from the VM's log. The trace is the guest's virtio_balloon driver failing to get a page (balloon_page_alloc called from update_balloon_size_func), i.e. the failure hit while the host was inflating the balloon to take memory back from the VM.

Jan 29 10:21:20 plus kernel: kworker/0:0: page allocation failure: order:0, mode:0x310da
Jan 29 10:21:20 plus kernel: CPU: 0 PID: 25322 Comm: kworker/0:0 Not tainted 3.10.0-957.1.3.el7.x86_64 #1
Jan 29 10:21:20 plus kernel: Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014
Jan 29 10:21:20 plus kernel: Workqueue: events_freezable update_balloon_size_func [virtio_balloon]
Jan 29 10:21:20 plus kernel: Call Trace:
Jan 29 10:21:20 plus kernel: [<ffffffffb8361e41>] dump_stack+0x19/0x1b
Jan 29 10:21:20 plus kernel: [<ffffffffb7dbcaa0>] warn_alloc_failed+0x110/0x180
Jan 29 10:21:20 plus kernel: [<ffffffffb835d44e>] __alloc_pages_slowpath+0x6b6/0x724
Jan 29 10:21:20 plus kernel: [<ffffffffb7dc1105>] __alloc_pages_nodemask+0x405/0x420
Jan 29 10:21:20 plus kernel: [<ffffffffb7e0df68>] alloc_pages_current+0x98/0x110
Jan 29 10:21:20 plus kernel: [<ffffffffb7e3dc55>] balloon_page_alloc+0x15/0x20
Jan 29 10:21:20 plus kernel: [<ffffffffc0475811>] update_balloon_size_func+0xb1/0x290 [virtio_balloon]
Jan 29 10:21:20 plus kernel: [<ffffffffb7cb9d4f>] process_one_work+0x17f/0x440
Jan 29 10:21:20 plus kernel: [<ffffffffb7cbade6>] worker_thread+0x126/0x3c0
Jan 29 10:21:20 plus kernel: [<ffffffffb7cbacc0>] ? manage_workers.isra.25+0x2a0/0x2a0
Jan 29 10:21:20 plus kernel: [<ffffffffb7cc1c31>] kthread+0xd1/0xe0
Jan 29 10:21:20 plus kernel: [<ffffffffb7cc1b60>] ? insert_kthread_work+0x40/0x40
Jan 29 10:21:20 plus kernel: [<ffffffffb8374c37>] ret_from_fork_nospec_begin+0x21/0x21
Jan 29 10:21:20 plus kernel: [<ffffffffb7cc1b60>] ? insert_kthread_work+0x40/0x40

Vaping, an alternative to SmokePing

Vaping is waiting in my queue for testing. It looks decent and is written in Python. A plus is the simple installation, because smokeping can be finicky.

pip install vaping

There is a short presentation on NANOG: Vaping – A healthy alternative to SmokePing! So there will probably be a post after some hands-on testing.