A fault-tolerant IPoE network with home-grown tools

Hello. So, there is a network with about 5k subscribers. Recently a rather unpleasant thing came up: at the core of the network we have a Brocade RX8, and it started flooding a lot of unknown-unicast packets. Since the network is split into vlans this is only partly a problem, but there are special vlans for public addresses and so on, and those are stretched across every direction of the network. Now imagine the incoming traffic towards one subscriber's address (a subscriber who downloads like a student), and that traffic being flooded out over the radio links of some (or all) of the villages: the channel is saturated, subscribers are angry, sadness...

The goal is to turn the bug into a feature. I was thinking in the direction of q-in-q with a full vlan per subscriber, but all sorts of hardware such as the P3310, once dot1q is unwrapped, stop passing DHCP through, do not know how to select by qinq, and have many other pitfalls of that kind. What is ip unnumbered and how does it work? Briefly: a gateway address plus a route via an interface. For our task we need to: cut the shaper in, hand out addresses to subscribers, and add subscriber routes via particular interfaces. How is all of that done? Shaper: lisg; dhcp: db2dhcp on two independent servers; dhcrelay runs on the access servers; ucarp also runs on the access servers, for redundancy. But how do we add the routes? You could add everything up front with one big script, but that is not the right way. So we will write our own crutch.

After digging deep through the internet I found a wonderful high-level library for C++ that lets you sniff traffic very elegantly. The algorithm of the program that adds routes is as follows: we listen for arp requests on the interface; if the requested address is one we hold on the server's lo interface, we add a route to the requester via this interface and add a static arp entry binding that ip to the requester's mac. In general, a few copy-pastes, a little tuning, and done.

Router sources

#include <stdio.h>
#include <sys/types.h>
#include <ifaddrs.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>
#include <signal.h>   // signal(), SIGHUP
#include <stdlib.h>   // system()

#include <tins/tins.h>
#include <map>
#include <iostream>
#include <functional>
#include <sstream>

using std::cout;
using std::endl;
using std::map;
using std::bind;
using std::string;
using std::stringstream;

using namespace Tins;

class arp_monitor {
public:
    void run(Sniffer &sniffer);
    void reroute();
    void makegws();
    string iface;
    map<string, string> gws;        // gateway addresses held on lo (key == value)
private:
    bool callback(const PDU &pdu);
    map<string, string> route_map;  // subscriber ip -> gateway ip it asked for
    map<string, string> mac_map;    // subscriber ip -> subscriber mac
    map<IPv4Address, HWAddress<6>> addresses;
};

// Collect every address configured on lo: these are the gateway addresses
// (ucarp's up.sh adds them there as /32) that subscribers will ARP for.
void arp_monitor::makegws() {
    struct ifaddrs *ifAddrStruct = NULL;
    struct ifaddrs *ifa = NULL;
    void *tmpAddrPtr = NULL;
    gws.clear();
    getifaddrs(&ifAddrStruct);
    for (ifa = ifAddrStruct; ifa != NULL; ifa = ifa->ifa_next) {
        if (!ifa->ifa_addr) {
            continue;
        }
        string ifName = ifa->ifa_name;
        if (ifName == "lo") {
            // sized for IPv6 so the AF_INET6 branch cannot overflow the buffer
            char addressBuffer[INET6_ADDRSTRLEN];
            if (ifa->ifa_addr->sa_family == AF_INET) { // IPv4 address
                tmpAddrPtr = &((struct sockaddr_in *) ifa->ifa_addr)->sin_addr;
                inet_ntop(AF_INET, tmpAddrPtr, addressBuffer, INET_ADDRSTRLEN);
            } else if (ifa->ifa_addr->sa_family == AF_INET6) { // IPv6 address
                tmpAddrPtr = &((struct sockaddr_in6 *) ifa->ifa_addr)->sin6_addr;
                inet_ntop(AF_INET6, tmpAddrPtr, addressBuffer, INET6_ADDRSTRLEN);
            } else {
                continue;
            }
            gws[addressBuffer] = addressBuffer;
            cout << "GW " << addressBuffer << " is added" << endl;
        }
    }
    if (ifAddrStruct != NULL) freeifaddrs(ifAddrStruct);
}

void arp_monitor::run(Sniffer &sniffer) {
    cout << "RUNNED" << endl;
    sniffer.sniff_loop(
            bind(
                    &arp_monitor::callback,
                    this,
                    std::placeholders::_1
            )
    );
}

// Replay everything learned so far against the current gateway list
// (called on SIGHUP after ucarp has added or removed a gateway on lo).
void arp_monitor::reroute() {
    cout << "REROUTING" << endl;
    map<string, string>::iterator it;
    for ( it = route_map.begin(); it != route_map.end(); it++ ) {
        // the requested address is ours and the requester is not a gateway itself
        if (this->gws.count(it->second) && !this->gws.count(it->first)) {
            string cmd = "ip route replace ";
            cmd += it->first;
            cmd += " dev " + this->iface;
            cmd += " src " + it->second;
            cmd += " proto static";
            cout << cmd << std::endl;
            cout << "REROUTE " << it->first << " SRC " << it->second << endl;
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += it->first;
            cmd += " ";
            cmd += mac_map[it->first];
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    // announce every gateway address with one gratuitous ARP on the interface
    for ( it = gws.begin(); it != gws.end(); it++ ) {
        string cmd = "arping -U -s ";
        cmd += it->first;
        cmd += " -I ";
        cmd += this->iface;
        cmd += " -b -c 1 ";
        cmd += it->first;
        system(cmd.c_str());
    }
    cout << "REROUTED" << endl;
}

bool arp_monitor::callback(const PDU &pdu) {
    // Retrieve the ARP layer (the BPF filter "arp" guarantees it is present)
    const ARP &arp = pdu.rfind_pdu<ARP>();

    if (arp.opcode() == ARP::REQUEST) {
        string target = arp.target_ip_addr().to_string();
        string sender = arp.sender_ip_addr().to_string();
        this->route_map[sender] = target;
        this->mac_map[sender] = arp.sender_hw_addr().to_string();
        cout << "save sender " << sender << ":" << this->mac_map[sender] << " want target " << target << endl;
        // the requested address is ours and the requester is not a gateway itself
        if (this->gws.count(target) && !this->gws.count(sender)) {
            string cmd = "ip route replace ";
            cmd += sender;
            cmd += " dev " + this->iface;
            cmd += " src " + target;
            cmd += " proto static";
            system(cmd.c_str());
            cmd = "arp -s ";
            cmd += arp.sender_ip_addr().to_string();
            cmd += " ";
            cmd += arp.sender_hw_addr().to_string();
            cout << cmd << endl;
            system(cmd.c_str());
        }
    }
    return true;
}

arp_monitor monitor;

// SIGHUP handler. Note that system() and iostream are not async-signal-safe;
// in practice the signal arrives while sniff_loop() is blocked in pcap, but a
// flag polled from callback() would be the safer design.
void reroute(int signum) {
    monitor.makegws();
    monitor.reroute();
}

int main(int argc, char *argv[]) {
    if (argc != 2) {
        cout << "Usage: " << *argv << " <interface>" << endl;
        return 1;
    }
    signal(SIGHUP, reroute);
    monitor.iface = argv[1];
    // Sniffer configuration: promiscuous mode, only capture arp packets
    SnifferConfiguration config;
    config.set_promisc_mode(true);
    config.set_filter("arp");

    monitor.makegws();

    try {
        // Sniff on the provided interface
        Sniffer sniffer(argv[1], config);
        monitor.run(sniffer);
    }
    catch (std::exception &ex) {
        std::cerr << "Error: " << ex.what() << std::endl;
        return 1;
    }
    return 0;
}

libtins install script

#!/bin/bash
set -e   # stop at the first failing step instead of installing a half-built library

git clone https://github.com/mfontanini/libtins.git
cd libtins
mkdir build
cd build
cmake ../
make
make install
ldconfig

Command to build the binary

g++ main.cpp -o arp-rt -O3 -std=c++11 -lpthread -ltins

How to start it?

start-stop-daemon --start --exec /opt/ipoe/arp-routes/arp-rt -b -m -p /opt/ipoe/arp-routes/daemons/eth0.800.pid -- eth0.800

Yes, it rebuilds the tables on a HUP signal. Why didn't I use netlink? Pure laziness, and Linux is scriptable anyway, so it's all fine. OK, routes are routes, what next? Next we need to announce the routes living on this server to the border. Here, because of the same old hardware, we took the path of least resistance and handed that job to BGP.
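The route rule from the daemon's callback and the HUP replay in reroute() are easy to get wrong (the gateway check has to look at the requester, not the requested address), so here is the same decision logic as an added example that is not part of the article's code: a minimal RFC 826 parser stands in for libtins, the commands are returned as strings instead of being passed to system(), and the frames, interface name eth0.800 and addresses 10.10.10.x are all constructed for the demo.

```cpp
// Added example (not code from the article): the route-decision rule of the
// ARP-driven "ip unnumbered" daemon, isolated from libtins and system() so it
// can be exercised offline. All frames below are constructed; nothing executes.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct ArpRequest { std::string sender_mac, sender_ip, target_ip; };

static std::string ip4_str(const uint8_t *p) {
    char buf[INET_ADDRSTRLEN];
    return inet_ntop(AF_INET, p, buf, sizeof buf) ? std::string(buf) : std::string();
}
static std::string mac_str(const uint8_t *p) {
    char buf[18];
    std::snprintf(buf, sizeof buf, "%02x:%02x:%02x:%02x:%02x:%02x", p[0], p[1], p[2], p[3], p[4], p[5]);
    return buf;
}

// Parse an Ethernet frame carrying an IPv4 ARP request (RFC 826 layout). Replies,
// non-ARP frames and odd hardware types are rejected, which is what the BPF
// filter "arp" plus the opcode check do in the daemon.
bool parse_arp_request(const std::vector<uint8_t> &f, ArpRequest &out) {
    if (f.size() < 42 || ((f[12] << 8) | f[13]) != 0x0806) return false;
    const uint8_t *a = f.data() + 14;
    uint16_t htype = (a[0] << 8) | a[1], ptype = (a[2] << 8) | a[3], oper = (a[6] << 8) | a[7];
    if (htype != 1 || ptype != 0x0800 || a[4] != 6 || a[5] != 4 || oper != 1) return false;
    out.sender_mac = mac_str(a + 8);
    out.sender_ip  = ip4_str(a + 14);
    out.target_ip  = ip4_str(a + 24);
    return true;
}

// Constructed input: "who has <target>? tell <sender>" as a broadcast frame.
std::vector<uint8_t> make_arp_request(const std::string &sender_mac, const std::string &sender_ip,
                                      const std::string &target_ip) {
    std::vector<uint8_t> f(42, 0);
    unsigned m[6] = {0};
    std::sscanf(sender_mac.c_str(), "%x:%x:%x:%x:%x:%x", &m[0], &m[1], &m[2], &m[3], &m[4], &m[5]);
    for (int i = 0; i < 6; ++i) { f[i] = 0xff; f[6 + i] = f[22 + i] = (uint8_t)m[i]; }
    f[12] = 0x08; f[13] = 0x06;                          // EtherType ARP
    uint8_t *a = f.data() + 14;
    a[1] = 1; a[2] = 0x08; a[4] = 6; a[5] = 4; a[7] = 1; // Ethernet/IPv4, opcode request
    inet_pton(AF_INET, sender_ip.c_str(), a + 14);
    inet_pton(AF_INET, target_ip.c_str(), a + 24);
    return f;
}

class ArpRouteTable {
public:
    ArpRouteTable(std::string iface, std::set<std::string> gws)
        : iface_(std::move(iface)), gws_(std::move(gws)) {}
    void set_gateways(std::set<std::string> gws) { gws_ = std::move(gws); }
    // Role of arp_monitor::callback: remember who asked for what and return the
    // commands the daemon would run (empty when the rule does not fire).
    std::vector<std::string> observe(const ArpRequest &r) {
        route_map_[r.sender_ip] = r.target_ip;
        mac_map_[r.sender_ip] = r.sender_mac;
        return commands_for(r.sender_ip, r.target_ip);
    }
    // Role of arp_monitor::reroute(): replay the learned table after the gateway
    // set changed (the article triggers this with SIGHUP from ucarp's up.sh).
    std::vector<std::string> reroute() const {
        std::vector<std::string> all;
        for (const auto &kv : route_map_) {
            std::vector<std::string> c = commands_for(kv.first, kv.second);
            all.insert(all.end(), c.begin(), c.end());
        }
        return all;
    }
private:
    std::vector<std::string> commands_for(const std::string &sender, const std::string &target) const {
        std::vector<std::string> c;
        // The rule: the address asked for is one of our gateway addresses on lo, and
        // the asker is not itself a gateway (the peer ucarp node announcing the VIP
        // must never get a host route pointing out of a subscriber port).
        if (gws_.count(target) && !gws_.count(sender)) {
            c.push_back("ip route replace " + sender + " dev " + iface_ + " src " + target + " proto static");
            c.push_back("arp -s " + sender + " " + mac_map_.at(sender));
        }
        return c;
    }
    std::string iface_;
    std::set<std::string> gws_;
    std::map<std::string, std::string> route_map_, mac_map_;
};

// One-frame convenience: what would the daemon do with this frame right now?
std::vector<std::string> decide(const std::set<std::string> &gws, const std::string &iface,
                                const std::vector<uint8_t> &frame) {
    ArpRequest r;
    if (!parse_arp_request(frame, r)) return {};
    return ArpRouteTable(iface, gws).observe(r);
}

// Worked HUP scenario: two subscribers ARP while 10.10.10.1 is not yet on lo;
// once up.sh adds it, the replay installs both (route + arp entry each, so 4).
size_t demo_reroute_count() {
    ArpRouteTable t("eth0.800", {});
    ArpRequest r;
    parse_arp_request(make_arp_request("00:11:22:33:44:55", "10.10.10.5", "10.10.10.1"), r);
    t.observe(r);
    parse_arp_request(make_arp_request("00:11:22:33:44:66", "10.10.10.7", "10.10.10.1"), r);
    t.observe(r);
    t.set_gateways({"10.10.10.1"});
    return t.reroute().size();
}
```

Because the addresses come out of inet_ntop and a fixed-format MAC printer, the strings handed to the route commands can only ever contain dotted quads and hex, which is also why the daemon's use of system() with ARP-derived data is not an injection point; anything else on the wire is rejected by the parser before it reaches the table.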

bgpd config

hostname *******
password *******
log file /var/log/bgp.log
!
! AS number, addresses and networks are fictitious
router bgp 12345
 bgp router-id 1.2.3.4
 redistribute connected
 redistribute static
 neighbor 1.2.3.1 remote-as 12345
 neighbor 1.2.3.1 next-hop-self
 neighbor 1.2.3.1 route-map none in
 neighbor 1.2.3.1 route-map export out
!
access-list export permit 1.2.3.0/24
!
route-map export permit 10
 match ip address export
!
route-map export deny 20

Let's continue. For the server to answer arp requests, proxy arp has to be enabled.

echo 1 > /proc/sys/net/ipv4/conf/eth0.800/proxy_arp

Moving on: ucarp. We wrote the init scripts for this miracle ourselves.

Example of running one daemon

start-stop-daemon --start --exec /usr/sbin/ucarp -b -m -p /opt/ipoe/ucarp-gen2/daemons/$iface.$vhid.$virtualaddr.pid -- --interface=eth0.800 --srcip=1.2.3.4 --vhid=1 --pass=carpasword --addr=10.10.10.1 --upscript=/opt/ipoe/ucarp-gen2/up.sh --downscript=/opt/ipoe/ucarp-gen2/down.sh -z -k 10 -P --xparam="10.10.10.0/24"

up.sh

#!/bin/bash
# Run by ucarp on becoming master: $1 = interface, $2 = virtual address,
# $3 = the --xparam value (here the subscriber subnet, 10.10.10.0/24)

iface=$1
addr=$2
gw=$3

vlan=`echo $1 | sed "s/eth0.//"`

# The gateway address lives on lo; the whole subnet is blackholed so that only
# the /32 host routes learned from ARP by arp-rt are forwarded
ip addr add "$addr/32" dev lo
ip route add blackhole "$gw"
echo 1 > /proc/sys/net/ipv4/conf/$iface/proxy_arp

killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

# Tell arp-rt to re-read the gateway list and replay its routes
killall -HUP arp-rt

down.sh

#!/bin/bash
# Run by ucarp on losing master: same arguments as up.sh

iface=$1
addr=$2
gw=$3

ip addr del "$addr/32" dev lo
ip route del blackhole "$gw"
echo 0 > /proc/sys/net/ipv4/conf/$iface/proxy_arp

killall -9 dhcrelay
/etc/init.d/dhcrelay zap
/etc/init.d/dhcrelay start

For dhcrelay to work on an interface, the interface needs an address. So on the interfaces we use we add throwaway addresses, for example 10.255.255.1/32, 10.255.255.2/32, and so on. I won't describe how to configure the relay; it is all straightforward.

So what do we have? Gateway redundancy, automatic route setup, dhcp. This is the minimal set; lisg ties everything else together, and we already had the shaper. Why is it all so long and convoluted? Wouldn't it be easier to take accel-ppp and go fully pppoe? No, it would not: people can barely plug the patch cord into the router, never mind pppoe. accel-ppp is a fine thing, but it didn't work for us: there are many bugs in the code, it crashes, it cuts sessions off badly, and the saddest part is that if it blinks, everyone has to reconnect everything, the phones go red hot, it simply didn't work. What is the advantage of ucarp over keepalived? Everything: there are 100 gateways, and with keepalived one mistake in the config means nothing works, while with ucarp only one gateway stops working. On the security side, people will say that outsiders will assign addresses to themselves and use them; to control that we set up dhcp-snooping + source-guard + arp inspection on all switches/olts/base stations. If a subscriber has no dhcp but a static address, there is an access list on the port.

What was all this done for? To kill the unnecessary traffic. Now every switch has its own vlan, and unknown-unicast is no longer scary, since it only has to go to one port rather than all of them... Well, and the side benefits are a unified, standardized set of hardware and a much more efficient allocation of address space.

How to configure lisg is a separate topic. Links to the libraries are attached. Maybe the above will help someone reach their goals. Version 6 has not been rolled out on our network yet, but there will be pain: there are plans to rewrite lisg for version 6, and the route-adding program will have to be adapted as well.

Linux ISG
DB2DHCP
libtins

Source: www.habr.com
