A fault-tolerant IPoE network built from improvised tools

Hello. So, there is a network of about 5k subscribers. Recently an unpleasant moment came up: at the core of the network we have a Brocade RX8, and it started spewing a lot of unknown-unicast traffic. Since the network is split into VLANs this is only partly a problem, BUT there are dedicated VLANs for public ("white") addresses and the like, and those stretch across the whole network. Now imagine a stream arriving for the address of a subscriber the border has not learned: that stream gets flooded toward a radio link into some (or all) villages, the channel chokes, subscribers are angry, sadness...

The goal is to turn the bug into a feature. I was thinking in the direction of Q-in-Q with a full VLAN per subscriber, but all sorts of hardware such as the P3310, once dot1q is enabled, stops passing DHCP; it also cannot do selective QinQ, and there are many inconveniences of that kind. What is ip-unnumbered and how does it work? Very briefly: a gateway address plus a route on the interface. For our task we need to: hang the shaper, hand out addresses to subscribers, and add subscriber routes through particular interfaces. How to do all of that? The shaper is lisg; DHCP is db2dhcp on two independent servers; dhcrelay runs on the access servers; ucarp also runs on the access servers, for redundancy. But how do we add the routes? You could pre-add everything with one big script, but that is not the right way. So we will build a self-written crutch.

After a decent search on the internet I found a nice high-level C++ library that makes sniffing traffic very convenient. The algorithm of the route-adding program is as follows: listen for ARP requests on the interface; if the address being requested is one configured on the server's lo interface, add a route to the requester through that interface and add a static ARP entry for its IP. All in all, some copy-paste, a little filing, and it's done. Note that nothing in the program checks that the sender address in the ARP request really belongs to the host that sent it; the rest of this article relies on DHCP snooping, source guard and ARP inspection on the access switches for that.

The 'router' source

#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/types.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>

#include <tins/tins.h>
#include <map>
#include <iostream>
#include <functional>

using std::cout;
using std::endl;
using std::map;
using std::bind;
using std::string;

using namespace Tins;

// Set by the SIGHUP handler and consumed in the sniffer callback (on the next
// ARP frame, which on a busy access VLAN is immediate): system() and iostreams
// are not async-signal-safe, so the rebuild must not run inside the handler.
static volatile sig_atomic_t reroute_pending = 0;

class arp_monitor {
public:
    void run(Sniffer &sniffer);
    void reroute();
    void makegws();
    string iface;
    map <string, string> gws;        // gateway addresses currently on lo
private:
    bool callback(const PDU &pdu);
    map <string, string> route_map;  // subscriber IP -> gateway IP it asked for
    map <string, string> mac_map;    // subscriber IP -> subscriber MAC
};

// Every address on lo is a gateway this server owns right now:
// ucarp's up.sh adds them there and down.sh removes them.
void arp_monitor::makegws() {
    struct ifaddrs *ifAddrStruct = NULL;
    struct ifaddrs *ifa = NULL;
    void *tmpAddrPtr = NULL;
    gws.clear();
    if (getifaddrs(&ifAddrStruct) != 0) {
        perror("getifaddrs");
        return;
    }
    for (ifa = ifAddrStruct; ifa != NULL; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr) {
            continue;
        }
        string ifName = ifa->ifa_name;
        if (ifName == "lo") {
            char addressBuffer[INET6_ADDRSTRLEN]; // large enough for the IPv6 branch too
            if (ifa->ifa_addr->sa_family == AF_INET) {
                tmpAddrPtr = &((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
                inet_ntop(AF_INET, tmpAddrPtr, addressBuffer, INET_ADDRSTRLEN);
            } else if (ifa->ifa_addr->sa_family == AF_INET6) {
                tmpAddrPtr = &((struct sockaddr_in6 *) ifa->ifa_addr)->sin6_addr;
                inet_ntop(AF_INET6, tmpAddrPtr, addressBuffer, INET6_ADDRSTRLEN);
            } else {
                continue;
            }
            gws[addressBuffer] = addressBuffer;
            cout << "GW " << addressBuffer << " is added" << endl;
        }
    }
    freeifaddrs(ifAddrStruct);
}

void arp_monitor::run(Sniffer &sniffer) {
    cout << "RUNNING" << endl;
    sniffer.sniff_loop(
            bind(
                    &arp_monitor::callback,
                    this,
                    std::placeholders::_1
            )
    );
}

// After a gateway has moved onto this server (HUP from up.sh): re-point
// every learned subscriber route whose gateway we now own, then re-announce
// our gateways with gratuitous ARP so the subscribers' ARP caches follow.
void arp_monitor::reroute() {
    cout << "REROUTING" << endl;
    map<string, string>::iterator it;
    for ( it = route_map.begin(); it != route_map.end(); it++ ) {
        // it->first is the subscriber, it->second the gateway it asked for
        if (this->gws.count(it->second) && !this->gws.count(it->first)) {
            string cmd = "ip route replace ";
            cmd += it->first;
            cmd += " dev " + this->iface;
            cmd += " src " + it->second;
            cmd += " proto static";
            cout << cmd << std::endl;
            cout << "REROUTE " << it->first << " SRC " << it->second << endl;
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += it->first;
            cmd += " ";
            cmd += mac_map[it->first];
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    for ( it = gws.begin(); it != gws.end(); it++ ) {
        string cmd = "arping -U -s ";
        cmd += it->first;
        cmd += " -I ";
        cmd += this->iface;
        cmd += " -b -c 1 ";
        cmd += it->first;
        system(cmd.c_str());
    }
    cout << "REROUTED" << endl;
}

bool arp_monitor::callback(const PDU &pdu) {
    if (reroute_pending) {
        reroute_pending = 0;
        makegws();
        reroute();
    }
    // Retrieve the ARP layer (the BPF filter "arp" guarantees it is there)
    const ARP &arp = pdu.rfind_pdu<ARP>();

    if (arp.opcode() == ARP::REQUEST) {
        string target = arp.target_ip_addr().to_string();
        string sender = arp.sender_ip_addr().to_string();
        if (sender == "0.0.0.0") {
            return true; // ARP probe (RFC 5227): nothing to route yet
        }
        this->route_map[sender] = target;
        this->mac_map[sender] = arp.sender_hw_addr().to_string();
        cout << "save sender " << sender << ":" << this->mac_map[sender] << " wants target " << target << endl;
        // The sender is asking for one of our gateway addresses and is not a
        // gateway itself: route it out of this interface and pin its MAC.
        if (this->gws.count(target) && !this->gws.count(sender)) {
            string cmd = "ip route replace ";
            cmd += sender;
            cmd += " dev " + this->iface;
            cmd += " src " + target;
            cmd += " proto static";
            cout << cmd << endl;
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += sender;
            cmd += " ";
            cmd += this->mac_map[sender];
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    return true;
}

arp_monitor monitor;

// Only flag the request here; the rebuild runs from the sniffer callback.
void on_hup(int signum) {
    (void) signum;
    reroute_pending = 1;
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        cout << "Usage: " << *argv << " <interface>" << endl;
        return 1;
    }
    signal(SIGHUP, on_hup);
    monitor.iface = argv[1];
    // Sniffer configuration: promiscuous mode, ARP frames only
    SnifferConfiguration config;
    config.set_promisc_mode(true);
    config.set_filter("arp");

    monitor.makegws();

    try {
        Sniffer sniffer(argv[1], config);
        monitor.run(sniffer);
    }
    catch (std::exception &ex) {
        std::cerr << "Error: " << ex.what() << std::endl;
        return 1;
    }
    return 0;
}
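The decision that callback() makes, as an added example that is not code from the article: it is factored into a pure function so it can be tested, and it adds the checks a production version of arp-rt would want before building strings for system(), above all that the requester's address is bound to its MAC in the DHCP lease table (the article pushes that spoofing case down to DHCP snooping, source guard and ARP inspection on the switches; this is the same check done on the server). The gateway set, the served prefix 1.2.3.0/24 and the IP-to-MAC binding table are assumptions supplied by the caller; in a real deployment they would come from makegws(), the BGP export policy and db2dhcp's leases plus the static-assignment list. All sample addresses and MACs are constructed.

```cpp
// Added example, not code from the article: arp-rt's route-installation
// decision as a pure function, plus the checks a hardened version would make
// before handing strings to system(). Assumptions: the caller supplies the
// gateway set (what makegws() reads from lo), the served prefix (what the BGP
// export route-map permits) and an IP->MAC binding table built from the DHCP
// leases plus static assignments. All sample values are constructed.
#include <arpa/inet.h>
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <map>
#include <set>
#include <string>

struct Prefix { uint32_t net; int len; };  // network in host byte order

bool parse_ipv4(const std::string &s, uint32_t &out) {
    in_addr a;
    if (inet_pton(AF_INET, s.c_str(), &a) != 1) return false;
    out = ntohl(a.s_addr);
    return true;
}

static uint32_t prefix_mask(int len) {
    return len == 0 ? 0u : (0xFFFFFFFFu << (32 - len));
}

// "A.B.C.D/M" -> Prefix; host bits are cleared.
bool parse_prefix(const std::string &s, Prefix &p) {
    size_t slash = s.find('/');
    if (slash == std::string::npos || slash + 1 >= s.size()) return false;
    uint32_t net;
    if (!parse_ipv4(s.substr(0, slash), net)) return false;
    char *end = nullptr;
    long len = std::strtol(s.c_str() + slash + 1, &end, 10);
    if (*end != '\0' || len < 0 || len > 32) return false;
    p.len = static_cast<int>(len);
    p.net = net & prefix_mask(p.len);
    return true;
}

bool prefix_contains(const Prefix &p, uint32_t addr) {
    return (addr & prefix_mask(p.len)) == p.net;
}

// libtins renders hardware addresses as aa:bb:cc:dd:ee:ff; accept nothing else.
bool valid_mac(const std::string &m) {
    if (m.size() != 17) return false;
    for (size_t i = 0; i < m.size(); ++i) {
        bool sep = (i % 3 == 2);
        if (sep ? m[i] != ':' : !std::isxdigit(static_cast<unsigned char>(m[i]))) return false;
    }
    return true;
}

enum class Verdict {
    Install,         // bound subscriber asking for one of our gateways
    NotForGateway,   // ARP for some other host on the segment
    SenderIsGateway, // a peer access server (or our own arping) announcing a gateway
    OutsidePrefix,   // sender not inside the prefix we serve and export
    Unbound,         // no lease or static assignment for that address
    Mismatch,        // address bound to another MAC: spoof or stale lease
    Malformed        // fields not in the shape we expect
};

struct Decision {
    Verdict verdict;
    std::string route_cmd;  // what arp-rt would pass to system() on Install
    std::string arp_cmd;
};

typedef std::map<std::string, std::string> Bindings;  // IP -> MAC

Decision decide(const std::string &sender_ip, const std::string &sender_mac,
                const std::string &target_ip, const std::string &iface,
                const std::set<std::string> &gateways, const Prefix &served,
                const Bindings &bindings) {
    Decision d{Verdict::Malformed, "", ""};
    uint32_t sender = 0, target = 0;
    // Reject anything that is not a plain IPv4 address, MAC and interface name
    // before it can reach a shell; only the syntax of target matters here.
    if (!parse_ipv4(sender_ip, sender) || !parse_ipv4(target_ip, target) ||
        !valid_mac(sender_mac) || iface.empty() ||
        iface.find_first_of(" \t\n;&|$`'\"\\") != std::string::npos) return d;
    (void)target;
    if (!gateways.count(target_ip)) { d.verdict = Verdict::NotForGateway; return d; }
    if (gateways.count(sender_ip))  { d.verdict = Verdict::SenderIsGateway; return d; }
    if (!prefix_contains(served, sender)) { d.verdict = Verdict::OutsidePrefix; return d; }
    Bindings::const_iterator b = bindings.find(sender_ip);
    if (b == bindings.end())     { d.verdict = Verdict::Unbound; return d; }
    if (b->second != sender_mac) { d.verdict = Verdict::Mismatch; return d; }
    d.verdict = Verdict::Install;
    d.route_cmd = "ip route replace " + sender_ip + " dev " + iface +
                  " src " + target_ip + " proto static";
    d.arp_cmd = "arp -s " + sender_ip + " " + sender_mac;
    return d;
}

static const char *verdict_name(Verdict v) {
    static const char *names[] = {"Install", "NotForGateway", "SenderIsGateway",
                                  "OutsidePrefix", "Unbound", "Mismatch", "Malformed"};
    return names[static_cast<int>(v)];
}

int main() {
    Prefix served;
    parse_prefix("1.2.3.0/24", served);
    std::set<std::string> gws = {"1.2.3.4"};
    Bindings bound = {{"1.2.3.10", "00:11:22:33:44:55"}};  // constructed lease table
    // a legitimate request, then the same address claimed from another MAC
    std::printf("%s\n", verdict_name(decide("1.2.3.10", "00:11:22:33:44:55", "1.2.3.4",
                                            "eth0.800", gws, served, bound).verdict));
    std::printf("%s\n", verdict_name(decide("1.2.3.10", "de:ad:be:ef:00:01", "1.2.3.4",
                                            "eth0.800", gws, served, bound).verdict));
    return 0;  // prints Install, then Mismatch
}
```

On the shared access VLAN any host can send an ARP request with a victim's IP in the sender field; unmodified arp-rt would then point the victim's /32 at the attacker's MAC on this server. With the binding check that request is classified Mismatch and no command is built. The interface-name check only matters because the name ends up on a shell command line; the IP and MAC strings come out of libtins' to_string() already canonical, but validating them costs nothing.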

libtins installation script

#!/bin/bash
# stop at the first failing step instead of installing a half-built library
set -e

git clone https://github.com/mfontanini/libtins.git
cd libtins
mkdir build
cd build
cmake ..
make
make install
ldconfig

Command to build the binary

g++ main.cpp -o arp-rt -O3 -std=c++11 -lpthread -ltins

How to launch it?


start-stop-daemon --start --exec  /opt/ipoe/arp-routes/arp-rt -b -m -p /opt/ipoe/arp-routes/daemons/eth0.800.pid -- eth0.800

Yes, it rebuilds the tables on a HUP signal. Why not netlink? Pure laziness, and Linux is scripts on top of scripts anyway, so everything fits. OK, routes are routes, what next? Next, the routes sitting on this server must be sent to the border; here, because of the same outdated hardware, we took the path of least resistance and handed that job to BGP. The routes arp-rt installs carry proto static, which is exactly what redistribute static in the bgpd configuration below picks up; the export route-map then only lets prefixes inside 1.2.3.0/24 through to the border, so the subscriber /32s must fall inside that network.

bgp configuration

hostname ******
password ******
log file /var/log/bgp.log
!
# AS number, addresses and networks are fictitious
router bgp 12345
 bgp router-id 1.2.3.4
 redistribute connected
 redistribute static
 neighbor 1.2.3.1 remote-as 12345
 neighbor 1.2.3.1 next-hop-self
 neighbor 1.2.3.1 route-map none in
 neighbor 1.2.3.1 route-map export out
!
access-list export permit 1.2.3.0/24
!
route-map export permit 10
 match ip address export
!
route-map export deny 20

Let's continue. For the server to answer the subscribers' ARP requests for the gateway address that lives on lo, proxy ARP must be enabled on the access interface.


echo 1 > /proc/sys/net/ipv4/conf/eth0.800/proxy_arp

Next: ucarp. We write the launch scripts for this miracle ourselves.

Example of launching a single daemon


start-stop-daemon --start --exec  /usr/sbin/ucarp -b -m -p /opt/ipoe/ucarp-gen2/daemons/$iface.$vhid.$virtualaddr.pid -- --interface=eth0.800 --srcip=1.2.3.4 --vhid=1 --pass=carpasword --addr=10.10.10.1 --upscript=/opt/ipoe/ucarp-gen2/up.sh --downscript=/opt/ipoe/ucarp-gen2/down.sh -z -k 10 -P --xparam="10.10.10.0/24"

The -b, -m and -p before the -- belong to start-stop-daemon (background, create and use the pid file); the $iface.$vhid.$virtualaddr variables in the pid path come from our launcher script, one ucarp instance per vhid. On the ucarp side, -P (--preempt) makes the host take over as master as soon as it can, -k 10 is the advertisement skew, -z runs the down script when ucarp exits, and the --xparam value is handed to up.sh/down.sh as their third argument, after the interface and the virtual address.

up.sh


#!/bin/bash
# ucarp runs this as: up.sh <interface> <virtual address> <xparam>,
# with --xparam carrying the subscriber subnet (10.10.10.0/24 above)

iface=$1
addr=$2
net=$3

# take the gateway address: arp-rt's makegws() reads it back from lo
ip addr add "$addr/32" dev lo
# blackhole the whole subscriber subnet; the learned /32 routes are more
# specific and override it, anything else in the subnet is dropped
ip route add blackhole "$net"
echo 1 > /proc/sys/net/ipv4/conf/$iface/proxy_arp

# restart dhcrelay so it picks up the new address
killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

# tell arp-rt to rebuild its gateway list and re-point the subscriber routes
killall -HUP arp-rt

down.sh


#!/bin/bash
# same arguments as up.sh: <interface> <virtual address> <xparam>

iface=$1
addr=$2
net=$3

ip addr del "$addr/32" dev lo
ip route del blackhole "$net"
echo 0 > /proc/sys/net/ipv4/conf/$iface/proxy_arp

# restart dhcrelay so it stops using the address we just dropped
killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

For dhcrelay to work on an interface, the interface needs an address. So on the interfaces we use we add dummy addresses, for example 10.255.255.1/32, 10.255.255.2/32 and so on. I won't describe how to configure the relay; it's all simple. Note that down.sh switches proxy_arp off for the whole interface, so if several ucarp instances share one interface, losing one of them also stops ARP replies for the gateways that are still up on it.

So what do we have? Gateway redundancy, auto-configuration of routes, DHCP. That is the minimum set; lisg also wraps everything around it, and we already had a shaper. Why is it all so long and complicated? Isn't it easier to take accel-pppd and run PPPoE everywhere? No, it is not simpler: people can barely plug a patch cord into a router, never mind PPPoE. accel-ppp is a cool thing, but it did not work for us: there are plenty of bugs in the code, it is confusing, it shapes unevenly, and the saddest part is that when it hangs, everyone has to reconnect, the phones are red hot; it did not work at all. What is the advantage of ucarp over keepalived? In everything: there are 100 gateways; with keepalived, one mistake in the config and nothing works, with ucarp one gateway doesn't work. On security: people say shady subscribers will assign addresses to themselves and use them on the shared segment. To control that we set up DHCP snooping + IP source guard + ARP inspection on all switches/OLTs/base stations. If the subscriber uses a static address instead of DHCP: an access list on the port.

Why was all this done? To kill superfluous traffic. Now each switch has its own VLAN and unknown-unicast is no longer scary, since it only has to reach one port rather than all of them... Side effects are a standard equipment configuration and more efficient use of the address space.

How to configure lisg is a separate topic. Links to the libraries are attached. Perhaps the above will help someone reach their goals. IPv6 has not been deployed on our network yet, but it will be a problem: there are plans to rewrite lisg for v6, and the route-adding program will have to be fixed as well.

Linux ISG
DB2DHCP
Libtins

Sous: www.habr.com
