documentation:examples:maximum_bsdrp_features_lab [2019/05/29 17:32] (current)
====== Maximum BSDRP features lab ======
{{description>Complex example showing some of available features}}
This lab is used for testing BSDRP before releasing a new version.

===== Presentation =====

==== Network diagram ====

Here is the logical and physical view:

{{:documentation:examples:maximum_bsdrp_features_lab.png|}}

===== Setting-up the lab =====

==== Downloading BSD Router Project images ====

Download the BSDRP serial image from Sourceforge (the serial image avoids needing an X display).

==== Download Lab scripts ====

More information on these BSDRP lab scripts is available on [[documentation:examples:How to build a BSDRP router lab]].

Start the lab with 6 full-meshed routers.
 +
An example with bhyve under FreeBSD:

<code>
tools/BSDRP-lab-bhyve.sh -i /usr/obj/BSDRP.amd64/BSDRP-1.80-full-amd64-serial.img.xz -n 5 -e
Setting-up a virtual lab with 5 VM(s):
- Working directory: /tmp/BSDRP
- Each VM have 1 core(s) and 256M RAM
- Emulated NIC: e1000
- Switch mode: bridge + tap
- 0 LAN(s) between all VM
- Full mesh Ethernet links between each VM
VM 1 have the following NIC:
- em0 connected to VM 2
- em1 connected to VM 3
- em2 connected to VM 4
- em3 connected to VM 5
VM 2 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 3
- em2 connected to VM 4
- em3 connected to VM 5
VM 3 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 4
- em3 connected to VM 5
VM 4 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 3
- em3 connected to VM 5
VM 5 have the following NIC:
- em0 connected to VM 1
- em1 connected to VM 2
- em2 connected to VM 3
- em3 connected to VM 4
To connect VM'serial console, you can use:
- VM 1 : cu -l /dev/nmdm-BSDRP.1B
- VM 2 : cu -l /dev/nmdm-BSDRP.2B
- VM 3 : cu -l /dev/nmdm-BSDRP.3B
- VM 4 : cu -l /dev/nmdm-BSDRP.4B
- VM 5 : cu -l /dev/nmdm-BSDRP.5B
</code>
===== Routers configuration =====

Configure the routers in the order given below (R5, R2, R3, R4, R1). R1 and jail6 obtain their addresses by DHCP from the server on jail5 (R1 through the DHCP relay on R2), so the server side must be up before the clients are started to avoid DHCP client timeouts.

All these routers can be configured with the labconfig tool (use it only in a lab, because it replaces your current running configuration):
<code>
labconfig full_vm[VM-NUMBER]
</code>

==== Router 5 (including jail5 and jail6) ====

(you can use the script "labconfig vm5" to push the full configuration automatically):
 +
<code>
sysrc hostname=R5
sysrc ifconfig_em3=up
sysrc cloned_interfaces=epair0
sysrc ifconfig_epair0a=up
sysrc kld_list+=" if_lagg carp"
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
cat > /etc/devfs.rules <<EOF
[devfsrules_jailpf=4]
add include \$devfsrules_hide_all
add include \$devfsrules_unhide_basic
add include \$devfsrules_unhide_login
add path 'bpf*' unhide
EOF

hostname R5
service devfs restart
service netif restart
service kld start
if ifconfig -l | grep -q vtnet; then
        tenant -c -j jail5 -i vtnet3,epair0a
else
        tenant -c -j jail5 -i em3,epair0a
fi
tenant -c -j jail6 -i epair0b
sysrc -f /etc/jails/jail5/rc.conf hostname=jail5
sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3="inet 10.0.45.5/24"
sysrc -f /etc/jails/jail5/rc.conf ifconfig_em3_ipv6="inet6 2001:db8:45::5 prefixlen 64"
sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a="10.0.56.5/24"
sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_ipv6="inet6 2001:db8:56::5 prefixlen 64"
sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias0="inet 10.0.56.254/32 vhid 1 pass testpass"
sysrc -f /etc/jails/jail5/rc.conf ifconfig_epair0a_alias1="inet6 2001:db8:56::fe prefixlen 128 vhid 1 pass testpass"
sysrc -f /etc/jails/jail5/rc.conf rtadvd_enable=YES
sysrc -f /etc/jails/jail5/rc.conf rtadvd_interfaces=epair0a
sysrc -f /etc/jails/jail5/rc.conf dhcpd_enable=YES
sysrc -f /etc/jails/jail5/rc.conf dhcpd_flags="-q"
sysrc -f /etc/jails/jail5/rc.conf dhcpd_conf="/usr/local/etc/dhcpd.conf"
sysrc -f /etc/jails/jail5/rc.conf frr_enable=YES
sysrc -f /etc/jails/jail5/rc.conf frr_vtysh_boot="YES"
sysrc -f /etc/jails/jail5/rc.conf nfacctd_enable=YES
sysrc -f /etc/jails/jail5/rc.conf pimd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/rc.conf
mkdir -p /etc/jails/jail5/local/frr
cat > /etc/jails/jail5/local/dhcpd.conf <<EOF
option domain-name "bsdrp.net";
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;
# Subnet of jail5's own interface: dhcpd requires a declaration for the
# subnet it listens on, but no leases are handed out from it
subnet 10.0.45.0 netmask 255.255.255.0 {
}
# Declare R1 LAN and gateway
subnet 10.0.12.0 netmask 255.255.255.0 {
  range 10.0.12.1 10.0.12.1;
  option routers 10.0.12.254;
}
# Declare R6 subnet and gateway
subnet 10.0.56.0 netmask 255.255.255.0 {
  range 10.0.56.6 10.0.56.6;
  option routers 10.0.56.254;
}
EOF

cat > /etc/jails/jail5/local/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname jail5
log syslog
!
interface em3
 ip router isis BSDRP
 ipv6 router isis BSDRP
!
interface epair0a
 ip router isis BSDRP
 ipv6 router isis BSDRP
 isis passive
!
interface vtnet3
 ip router isis BSDRP
 ipv6 router isis BSDRP
!
router isis BSDRP
 is-type level-1-2
 net 49.0001.1720.1600.5005.00
!
line vty
!
bfd
!
EOF

ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/jails/jail5/local/frr/frr.conf
chown frr:frr /etc/jails/jail5/local/frr

cat > /etc/jails/jail5/local/nfacctd.conf <<EOF
daemonize: true
syslog: daemon
!
! interested in inbound and outbound traffic
aggregate: src_host,dst_host
nfacctd_ip: 10.0.45.5
nfacctd_port: 2055
aggregate[ip]: src_host, dst_host, timestamp_start, timestamp_end, src_port, dst_port, proto, src_as, dst_as, peer_src_ip
plugins: print[ip]
print_output: csv
print_refresh_time: 300
print_history: 5m
print_output_file[ip]: /tmp/file-%Y%m%d-%H%M.txt
print_history_roundoff: m
print_output_file_append: true
files_umask: 022
EOF

sysrc -f /etc/jails/jail6/rc.conf hostname=jail6
sysrc -f /etc/jails/jail6/rc.conf ifconfig_epair0b="up"
sysrc -f /etc/jails/jail6/rc.conf cloned_interfaces="lagg0"
sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0="laggproto failover laggport epair0b SYNCDHCP"
sysrc -f /etc/jails/jail6/rc.conf ifconfig_lagg0_ipv6="inet6 accept_rtadv"
sysrc -f /etc/jails/jail6/rc.conf rtsold_enable=YES
sysrc -f /etc/jails/jail6/rc.conf bsnmpd_enable=YES
sysrc -f /etc/jails/jail6/rc.conf gateway_enable=NO
sysrc -f /etc/jails/jail6/rc.conf ipv6_gateway_enable=NO
service jail start
</code>
 +
 +
==== Router 2 ====

(you can use the script "labconfig vm2" to push the full configuration automatically):
 +
<code>
sysrc hostname=R2
sysrc rtadvd_enable=YES
sysrc rtadvd_interfaces="em0"
sysrc vlans_em1="23"
sysrc ifconfig_em1="up"
sysrc ifconfig_em0="inet 10.0.12.2/24"
sysrc ifconfig_em0_ipv6="inet6 2001:db8:12::2 prefixlen 64"
sysrc ifconfig_em1_23="inet 10.0.23.2/24"
sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::2 prefixlen 64"
sysrc cloned_interfaces="lo1"
sysrc ifconfig_lo1="inet 10.0.0.2/32"
sysrc ifconfig_lo1_ipv6="inet6 2001:db8::2 prefixlen 128"
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc dhcprelya_enable=YES
sysrc dhcprelya_servers="10.0.45.5"
sysrc dhcprelya_ifaces=em0
sysrc mpd_enable=YES
sysrc mpd_flags="-b -s ppp"
sysrc ipsec_enable=YES
sysrc ipsec_file="/etc/ipsec.conf"
sysrc pimd_enable=YES
sysrc freevrrpd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf

cat > /usr/local/etc/freevrrpd.conf <<EOF
[VRID]
serverid = 1
interface = em0
# We want this router to be the master
priority = 101
addr = 10.0.12.254/24
password = vrid1
EOF

ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /usr/local/etc/freevrrpd.conf

cat > /usr/local/etc/mpd5/if-up.sh <<EOF
#!/bin/sh
# mpd5 up-script: \$1 is the interface, \$2 the protocol (inet or inet6)
set -e
logger "\$0 called with parameters: \$@"
if [ "\$2" = "inet6" ]; then
        if ifconfig \$1 \$2 2001:db8:24::2; then
                logger "\$0: ifconfig \$1 \$2 2001:db8:24::2 successful"
                exit 0
        else
                logger "\$0: ifconfig \$1 \$2 2001:db8:24::2 failed"
                exit 1
        fi
else
        exit 0
fi
EOF

chmod +x /usr/local/etc/mpd5/if-up.sh

cat > /usr/local/etc/mpd5/mpd.conf <<EOF
# Configuring a server PPTP VPN with tunnels to R4
default:
        load vpnipv4
        load vpnipv6
vpnipv4:
        # Create bundle called vpnipv4
        create bundle static vpnipv4
        # IP of client and server, on another subnet to avoid problems
        set ipcp ranges 10.4.24.2/32 10.4.24.4/32
        # Remote LAN subnet: Learned by routing protocol
        #set iface route 10.0.45.0/24
        # Enable Microsoft Point-to-Point encryption (MPPE)
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless
        # Create a static pptp link called lvpnipv4
        create link static lvpnipv4 pptp
        # Attach this link to vpnipv4
        set link action bundle vpnipv4
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname "VpnLogin4"
        # Reduce the size of the outgoing packet to avoid fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, need to be "-1"
        # Client side, need to be positive (0 for always)
        set link max-redial -1
        # Local WAN IP address
        set pptp self 10.0.0.2
        # Remote WAN IP address
        set pptp peer 10.0.0.4
        # Allow incoming call
        set link enable incoming
vpnipv6:
        # Create bundle called vpnipv6
        create bundle static vpnipv6
        # Don't know how to disable IPv4 ipcp
        set ipcp ranges 10.6.24.2/32 10.6.24.4/32
        # Enable IPv6
        set bundle enable ipv6cp
        # Remote LAN subnet: Learned by routing protocol
        #set iface route 2001:db8:45::/64
        # Need to statically set inet6 address
        set iface up-script /usr/local/etc/mpd5/if-up.sh
        # Enable Microsoft Point-to-Point encryption (MPPE)
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless
        # Create a static pptp link called lvpnipv6
        create link static lvpnipv6 pptp
        # Attach this link to vpnipv6
        set link action bundle vpnipv6
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname "VpnLogin6"
        # Reduce the size of the outgoing packet to avoid fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, need to be "-1"
        # Client side, need to be positive (0 for always)
        set link max-redial -1
        # Local WAN IP address
        set pptp self 2001:db8::2
        # Remote WAN IP address
        set pptp peer 2001:db8::4
        # Allow incoming call
        set link enable incoming
EOF

cat > /usr/local/etc/mpd5/mpd.secret <<EOF
VpnLogin4       VpnPassword4
VpnLogin6       VpnPassword6
EOF

cat > /etc/ipsec.conf <<EOF
flush ;
add 10.0.23.2 10.0.23.3 tcp 0x1000 -A tcp-md5 "abigpassword" ;
add 10.0.23.3 10.0.23.2 tcp 0x1001 -A tcp-md5 "abigpassword" ;
add -6 2001:db8:23::2 2001:db8:23::3 tcp 0x1002 -A tcp-md5 "abigpassword" ;
add -6 2001:db8:23::3 2001:db8:23::2 tcp 0x1003 -A tcp-md5 "abigpassword" ;
EOF

cat > /usr/local/etc/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname R2
log syslog
!
interface ng0
 ip ospf message-digest-key 1 md5 superpass
 ip ospf network point-to-point
 ipv6 ospf6 passive
!
interface ng1
 ipv6 ospf6 network point-to-point
!
router-id 0.0.0.2
!
router bgp 100
 neighbor 10.0.23.3 remote-as 100
 neighbor 10.0.23.3 password abigpassword
 neighbor 2001:db8:23::3 remote-as 100
 neighbor 2001:db8:23::3 password abigpassword
 !
 address-family ipv4 unicast
  network 10.0.0.2/32
  neighbor 10.0.23.3 soft-reconfiguration inbound
  no neighbor 2001:db8:23::3 activate
 exit-address-family
 !
 address-family ipv6 unicast
  network 2001:db8::2/128
  neighbor 2001:db8:23::3 activate
  neighbor 2001:db8:23::3 soft-reconfiguration inbound
 exit-address-family
!
router ospf
 ospf router-id 0.0.0.2
 network 10.0.12.0/24 area 0.0.0.0
 network 10.4.24.0/24 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
!
router ospf6
 interface ng1 area 0.0.0.0
 interface em0 area 0.0.0.0
 interface vtnet0 area 0.0.0.0
!
line vty
!
bfd
!
EOF

config save
hostname R2
service netif restart
service ipsec start
service rtadvd start
service freevrrpd start
service frr start
service dhcprelya start
service mpd5 start
service pimd start
</code>
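The TCP-MD5 protection of the R2/R3 iBGP session above depends on /etc/ipsec.conf holding one security association per direction and per address family, each with its own SPI: a missing reverse entry leaves one direction unsigned and the session never establishes. The following helper is an added example (not part of the BSDRP page or project) that generates the setkey(8) entries for a dual-stack peer pair, and checks an existing file for half-configured pairs. The function names and the SPI numbering (base SPI, base + 1 for the reverse direction) are this example's own choices; the addresses and password are the ones the lab uses.

```shell
#!/bin/sh
# Added example, not BSDRP code: generate and sanity-check TCP-MD5 SAD entries.

# tcpmd5_pair <local> <remote> <spi_base> <password>
# Emits the two setkey "add" lines (one per direction) for a single peer pair.
# An address containing ':' is treated as IPv6 and gets the -6 flag.
tcpmd5_pair() {
    l=$1; r=$2; spi=$3; pass=$4
    case $l in
        *:*) fam="-6 " ;;
        *)   fam="" ;;
    esac
    printf 'add %s%s %s tcp 0x%04x -A tcp-md5 "%s" ;\n' "$fam" "$l" "$r" "$spi" "$pass"
    printf 'add %s%s %s tcp 0x%04x -A tcp-md5 "%s" ;\n' "$fam" "$r" "$l" "$((spi + 1))" "$pass"
}

# tcpmd5_conf <local4> <remote4> <local6> <remote6> <spi4> <spi6> <password>
# Renders a complete ipsec.conf for a dual-stack BGP peer (flush + four SAs).
tcpmd5_conf() {
    printf 'flush ;\n'
    tcpmd5_pair "$1" "$2" "$5" "$7"
    tcpmd5_pair "$3" "$4" "$6" "$7"
}

# tcpmd5_check <file>
# Every "add A B tcp ... tcp-md5" entry must have its mirror "add B A ...".
# Prints each unmatched pair and returns 1 when at least one is found.
tcpmd5_check() {
    awk '
        $1 == "add" {
            i = 2; if ($2 == "-6") i = 3       # skip the address-family flag
            seen[$i " " $(i + 1)] = 1
        }
        END {
            rc = 0
            for (k in seen) {
                split(k, a, " ")
                if (!((a[2] " " a[1]) in seen)) {
                    print "missing reverse SA for " k
                    rc = 1
                }
            }
            exit rc
        }' "$1"
}

# Usage: regenerate the lab's R2 file and verify it.
# tcpmd5_conf 10.0.23.2 10.0.23.3 2001:db8:23::2 2001:db8:23::3 4096 4098 abigpassword > /etc/ipsec.conf
# tcpmd5_check /etc/ipsec.conf && service ipsec restart
```

Run `tcpmd5_check` on the peer side as well (R3 lets bird create its SAs, so on R3 the check is `setkey -D` output rather than a file); the SPIs must be unique per host, and the same password must be configured in the routing daemon (`neighbor ... password` in FRR, `password` in bird) or the kernel discards the segments.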
==== Router 3 ====

(you can use the script "labconfig vm3" to push the full configuration automatically):
 +
<code>
sysrc hostname=R3
sysrc vlans_em1="23"
sysrc ifconfig_em1="up"
sysrc ifconfig_em1_23="inet 10.0.23.3/24"
sysrc ifconfig_em1_23_ipv6="inet6 2001:db8:23::3 prefixlen 64"
sysrc ifconfig_em2="inet 10.0.34.3/24"
sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::3 prefixlen 64"
sysrc bird_enable=YES
sysrc bird6_enable=YES
sysrc pf_enable=YES
sysrc pf_rules="/etc/pf.conf"
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf

cat > /etc/pf.conf <<EOF
# ALTQ is disabled since BSDRP 1.81 (too much performance impact)
pass all
EOF

cat > /usr/local/etc/bird.conf <<EOF
# Configure logging
log syslog all;
log "/var/log/bird.log" all;
log stderr all;

# Override router ID
router id 0.0.0.3;

# Sync bird routing table with kernel
protocol kernel {
        export all;
}

# Include device route (warning, a device route is a /32)
protocol device {
        scan time 10;
}

# Include directly connected network
protocol direct {
        interface "vtnet1", "em1", "vtnet2", "em2";
}

protocol rip R4 {
        export all;
        interface "vtnet2","em2" {
            version 2;
            password "rippassword" { algorithm keyed md5; };
            authentication cryptographic;
        };
}

protocol bgp R2 {
        local as 100;
        # Bird creates the IPsec SAD entry automatically but it needs to know the source IP address,
        # otherwise it will use the wrong 0.0.0.0 IP as source
        source address 10.0.23.3;
        neighbor 10.0.23.2 as 100;
        password "abigpassword";
        import all;
        export all;
}
EOF

cat > /usr/local/etc/bird6.conf <<EOF
# Configure logging
log syslog all;
log "/var/log/bird6.log" all;
log stderr all;

# Override router ID
router id 0.0.0.3;

# Sync bird routing table with kernel
protocol kernel {
        export all;
}

protocol device {
        scan time 10;
}
protocol direct {
        interface "vtnet1", "em1", "vtnet2", "em2";
}

protocol rip R4 {
        export all;
        interface "vtnet2","em2" ;
}

protocol bgp R2 {
        local as 100;
        # Bird creates the IPsec SAD entry automatically but it needs to know the source IP address,
        # otherwise it will use the wrong :: IP as source
        source address 2001:db8:23::3;
        neighbor 2001:db8:23::2 as 100;
        password "abigpassword";
        import all;
        export all;
}
EOF

config save
hostname R3
service netif restart
service pf start
service bird start
service bird6 start
</code>
==== Router 4 ====

(you can use the script "labconfig vm4" to push the full configuration automatically):
 +
<code>
sysrc hostname=R4
sysrc ifconfig_em3="inet 10.0.45.4/24"
sysrc ifconfig_em3_ipv6="inet6 2001:db8:45::4 prefixlen 64"
sysrc ifconfig_em2="10.0.34.4/24"
sysrc ifconfig_em2_ipv6="inet6 2001:db8:34::4 prefixlen 64"
sysrc cloned_interfaces="lo1"
sysrc ifconfig_lo1="inet 10.0.0.4/32"
sysrc ifconfig_lo1_ipv6="inet6 2001:db8::4 prefixlen 128"
sysrc frr_enable=YES
sysrc frr_vtysh_boot=YES
sysrc mpd_enable=YES
sysrc mpd_flags="-b -s ppp"
sysrc firewall_enable=YES
sysrc firewall_script="/etc/ipfw.rules"
sysrc ipfw_netflow_enable=YES
sysrc ipfw_netflow_ip=10.0.45.5
sysrc ipfw_netflow_port=2055
sysrc ipfw_netflow_version=9
sysrc pimd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf

cat > /usr/local/etc/frr/frr.conf <<EOF
frr version 7.0
frr defaults traditional
hostname R4
log syslog
!
interface em3
 ip router isis BSDRP
 ipv6 ospf6 passive
 ipv6 router isis BSDRP
!
interface ng0
 ip ospf message-digest-key 1 md5 superpass
 ip ospf network point-to-point
 ipv6 ospf6 passive
!
interface ng1
 ipv6 ospf6 network point-to-point
!
interface vtnet3
 ip router isis BSDRP
 ipv6 ospf6 passive
 ipv6 router isis BSDRP
!
router-id 0.0.0.4
!
router rip
 network lo1
 network em2
 network vtnet2
 version 2
!
router ripng
 network lo1
 network em2
 network vtnet2
!
router ospf
 ospf router-id 0.0.0.4
 redistribute isis
 passive-interface em3
 passive-interface vtnet3
 network 10.0.4.0/24 area 0.0.0.0
 network 10.0.45.0/24 area 0.0.0.0
 network 10.4.24.0/24 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
!
router ospf6
 redistribute isis
 interface ng1 area 0.0.0.0
 interface vtnet3 area 0.0.0.0
!
router isis BSDRP
 is-type level-1-2
 net 49.0001.1720.1600.4004.00
 redistribute ipv4 ospf level-1
 redistribute ipv4 connected level-1
 redistribute ipv6 ospf6 level-1
 redistribute ipv6 connected level-1
!
line vty
!
bfd
!
EOF

cat > /usr/local/etc/mpd5/if-up.sh <<EOF
#!/bin/sh
# mpd5 up-script: \$1 is the interface, \$2 the protocol (inet or inet6)
set -e
logger "\$0 called with parameters: \$@"
if [ "\$2" = "inet6" ]; then
        if ifconfig \$1 \$2 2001:db8:24::4; then
                logger "\$0: ifconfig \$1 \$2 2001:db8:24::4 successful"
                exit 0
        else
                logger "\$0: ifconfig \$1 \$2 2001:db8:24::4 failed"
                exit 1
        fi
else
        exit 0
fi
EOF

chmod +x /usr/local/etc/mpd5/if-up.sh

cat > /usr/local/etc/mpd5/mpd.conf <<EOF
default:
        load vpnipv4
        load vpnipv6
vpnipv4:
        # Create bundle called vpnipv4
        create bundle static vpnipv4
        # Getting IP from the server
        set ipcp ranges 0.0.0.0/0
        # Remote LAN subnet: Learned by ISIS
        #set iface route 10.0.12.0/24
        # Enable Microsoft Point-to-Point encryption (MPPE)
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set bundle enable crypt-reqd
        set mppc yes stateless
        # Create a static pptp link called lvpnipv4
        create link static lvpnipv4 pptp
        # Attach this link to vpnipv4
        set link action bundle vpnipv4
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname VpnLogin4
        # Reduce the size of the outgoing packet to avoid fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, need to be "-1"
        # Client side, need to be positive (0 for always)
        set link max-redial 0
        # Local WAN IP address
        set pptp self 10.0.0.4
        # Remote WAN IP address
        set pptp peer 10.0.0.2
        # Open (initiate) the link to the server
        open
vpnipv6:
        # Create bundle called vpnipv6
        create bundle static vpnipv6
        # Getting IP from the server
        set ipcp ranges 0.0.0.0/0
        # Enable IPv6
        set bundle enable ipv6cp
        # Remote LAN subnet: Learned by ISIS
        #set iface route 2001:db8:12::/64
        # Need to statically configure inet6 address
        set iface up-script /usr/local/etc/mpd5/if-up.sh
        # Create a static pptp link called lvpnipv6
        create link static lvpnipv6 pptp
        # Attach this link to vpnipv6
        set link action bundle vpnipv6
        # Set some link settings
        set link no pap
        set link yes chap
        set auth authname VpnLogin6
        # Reduce the size of the outgoing packet to avoid fragmentation
        set link mtu 1460
        set link keep-alive 10 75
        # max-redial:
        # Server side, need to be "-1"
        # Client side, need to be positive (0 for always)
        set link max-redial 0
        # Local WAN IP address
        set pptp self 2001:db8::4
        # Remote WAN IP address
        set pptp peer 2001:db8::2
        # Open (initiate) the link to the server
        open
EOF

cat > /usr/local/etc/mpd5/mpd.secret <<EOF
VpnLogin4       VpnPassword4
VpnLogin6       VpnPassword6
EOF

echo "# IPFW: let IPv6 packets with unknown extension headers pass (needed for PPTP over IPv6)" >> /etc/sysctl.conf
echo "net.inet6.ip6.fw.deny_unknown_exthdrs=0" >> /etc/sysctl.conf

cat > /etc/ipfw.rules <<EOF
#!/bin/sh
fwcmd="/sbin/ipfw"
if ! kldstat -q -m dummynet; then
        kldload dummynet
fi
# Flush out the list before we begin.
\${fwcmd} -f flush
# Create hard-limited pipes: One for each direction
\${fwcmd} pipe 60 config bw 20Mbit/s
\${fwcmd} pipe 61 config bw 20Mbit/s
\${fwcmd} pipe 40 config bw 10Mbit/s
\${fwcmd} pipe 41 config bw 10Mbit/s
# Put PPTP Traffic into pipes
\${fwcmd} add pipe 40 all from 10.0.0.4 to 10.0.0.2 out via any
\${fwcmd} add pipe 41 all from 10.0.0.2 to 10.0.0.4 in via any
\${fwcmd} add pipe 60 all from 2001:db8::4 to 2001:db8::2 out via any
\${fwcmd} add pipe 61 all from 2001:db8::2 to 2001:db8::4 in via any
# We don't want to block traffic, only shape some
\${fwcmd} add allow ip from any to any
EOF

config save
hostname R4
service netif restart
service frr start
service mpd5 start
service ipfw start
service sysctl reload
service ipfw_netflow start
service pimd start
</code>
 +
==== Router 1 ====

This router is used to back up the configuration files of all other routers, so it needs a root password to allow SSH access to it.
We will use "root" as the password for this lab.

<code>
sysrc hostname=R1
sysrc gateway_enable=NO
sysrc ipv6_gateway_enable=NO
sysrc ifconfig_em0=up
sysrc cloned_interfaces=lagg0
sysrc ifconfig_lagg0="laggproto loadbalance laggport em0 SYNCDHCP"
sysrc ifconfig_lagg0_ipv6="inet6 accept_rtadv"
sysrc sshd_enable=YES
ifconfig -l | grep -q vtnet && sed -i "" 's/em/vtnet/g' /etc/rc.conf
config save
hostname R1
service routing restart
service netif restart
service sshd start
</code>
===== Final testing =====
==== IPv4 traffic shaping ====

From R5, enter the jail6 console and launch iperf in IPv4 (default) mode:

<code>
[root@R5]~# service jail console jail6
Last login: Sun Jul  2 16:44:12 on ttyu0
BSD Router project (BSDRP) (c) 2009-2017, The BSDRP Development Team
All rights reserved.
BSDRP is under the Simplified BSD license.

Documentation: http://bsdrp.net

Discover BSDRP tools with "help" command

Keyboard layout can be changed with this command:
kbdcontrol -l keymap_file (<TAB> for list available maps)
root has logged on ttyu0 from local.

[root@jail6]~# iperf3 -s
-----------------------------------------------------------
Server listening on 5201
-----------------------------------------------------------

</code>

Start an iperf3 client on R1, and check that the available bandwidth is about 10Mb/s:

<code>
[root@R1]~# iperf3 -c 10.0.56.6
Connecting to host 10.0.56.6, port 5201
[  5] local 10.0.12.1 port 20434 connected to 10.0.56.6 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  1.04 MBytes  8.73 Mbits/sec    0   56.7 KBytes
[  5]   1.00-2.00   sec  1.15 MBytes  9.65 Mbits/sec    1   52.3 KBytes
[  5]   2.00-3.00   sec  1.14 MBytes  9.55 Mbits/sec    2   49.6 KBytes
[  5]   3.00-4.00   sec  1.13 MBytes  9.51 Mbits/sec    1   43.8 KBytes
[  5]   4.00-5.00   sec  1.13 MBytes  9.46 Mbits/sec    1   38.1 KBytes
[  5]   5.00-6.00   sec  1.15 MBytes  9.66 Mbits/sec    1   35.3 KBytes
[  5]   6.00-7.00   sec  1.15 MBytes  9.61 Mbits/sec    1   1.41 KBytes
[  5]   7.00-8.00   sec  1.14 MBytes  9.59 Mbits/sec    0   65.1 KBytes
[  5]   8.00-9.00   sec  1.14 MBytes  9.57 Mbits/sec    1   60.9 KBytes
[  5]   9.00-10.00  sec  1.14 MBytes  9.54 Mbits/sec    1   58.0 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.3 MBytes  9.49 Mbits/sec    9             sender
[  5]   0.00-10.04  sec  11.3 MBytes  9.41 Mbits/sec                  receiver

iperf Done.
</code>
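"About 10Mb/s" is easier to check by script than by eye, and the upper bound matters as much as the lower one: a measurement far above the pipe rate means the dummynet rule on R4 is not matching the PPTP traffic at all. The script below is an added example (not from the BSDRP page) that extracts the receiver bitrate from iperf3's summary and compares it against the configured pipe with a tolerance. The sample output embedded in it is constructed to mirror the run above; the function names and the tolerance handling are this example's own.

```shell
#!/bin/sh
# Added example, not BSDRP code: verify an iperf3 run against the shaper's pipe rate.

# Constructed sample, same values as the IPv4 run on R1 above (10 Mbit/s pipe).
IPERF_SAMPLE='[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  11.3 MBytes  9.49 Mbits/sec    9             sender
[  5]   0.00-10.04  sec  11.3 MBytes  9.41 Mbits/sec                  receiver'

# iperf3_receiver_mbps: read iperf3 client output on stdin, print the receiver
# bitrate normalised to Mbit/s (iperf3 picks Kbits/Mbits/Gbits by itself).
iperf3_receiver_mbps() {
    awk '/receiver/ {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /bits\/sec$/) {
                v = $(i - 1)
                if ($i ~ /^Kbits/) v = v / 1000
                else if ($i ~ /^Gbits/) v = v * 1000
                printf "%.2f\n", v
                exit
            }
        }
    }'
}

# check_shaped_rate <expected_mbps> <tolerance_pct>: iperf3 output on stdin.
# Returns 0 when the measured rate is within tolerance of the pipe rate,
# 1 when it is outside (too low: congestion or misconfigured pipe; too high:
# the traffic is bypassing the pipe), 2 when no receiver summary was found.
check_shaped_rate() {
    rate=$(iperf3_receiver_mbps)
    if [ -z "$rate" ]; then
        echo "no receiver summary found in iperf3 output"
        return 2
    fi
    awk -v r="$rate" -v e="$1" -v t="$2" 'BEGIN {
        lo = e * (1 - t / 100); hi = e * (1 + t / 100)
        ok = (r >= lo && r <= hi)
        printf "measured %.2f Mbit/s, expected %.2f Mbit/s +/- %d%% -> %s\n",
               r, e, t, ok ? "OK" : "FAIL"
        exit ok ? 0 : 1
    }'
}

# Usage on R1: iperf3 -c 10.0.56.6 | check_shaped_rate 10 15
# (use 20 for the IPv6 test, which goes through the 20 Mbit/s pipes).
```

The tolerance absorbs TCP and PPTP/GRE overhead; 15% is loose enough for a 10-second run in a VM lab and still catches a pipe that is not applied.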
 +
==== IPv6 traffic shaping ====

On jail6, display its autoconfigured inet6 address:

<code>
[root@jail6]~# ifconfig lagg0 inet6 | grep autoconf
        inet6 2001:db8:56:0:ff:ff:fe00:80b prefixlen 64 autoconf
</code>

Start an iperf3 IPv6 client on R1, and check that the available bandwidth is about 20Mb/s:
 +
==== netflow ====

Check that netflows are collected on jail5 (/tmp/file-date-hour.txt):

<code>
[root@jail5]~# ls /tmp/file-*
/tmp/file-20170630-0000.txt     /tmp/file-20170630-0025.txt
/tmp/file-20170630-0005.txt     /tmp/file-20170630-0030.txt
/tmp/file-20170630-0010.txt     /tmp/file-20170630-0035.txt
/tmp/file-20170630-0015.txt     /tmp/file-20170630-0040.txt
/tmp/file-20170630-0020.txt
</code>
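Seeing the files appear only proves that R4 exports and jail5 collects; the point of the collector is to be able to answer questions about the traffic. The following is an added example (not from the BSDRP page or the pmacct project) of two such questions answered over the print plugin's CSV files: bytes per source/destination pair, and flows that belong to no expected service. It assumes the CSV carries a header line naming the columns (SRC_IP, DST_IP, SRC_PORT, DST_PORT, PROTOCOL, BYTES), which is how the example locates fields, so it does not depend on column order; the sample records are constructed for this lab.

```shell
#!/bin/sh
# Added example, not BSDRP or pmacct code: summarise nfacctd print-plugin CSV output.

# Constructed sample in the assumed header+CSV layout of the print plugin with the
# aggregate[ip] keys used on jail5. Four flows: two iperf3 runs, their replies, and
# one short telnet-port flow that no lab service should produce.
NFACCT_SAMPLE='SRC_AS,DST_AS,PEER_SRC_IP,SRC_IP,DST_IP,SRC_PORT,DST_PORT,PROTOCOL,TIMESTAMP_START,TIMESTAMP_END,PACKETS,BYTES
0,0,10.0.45.4,10.0.12.1,10.0.56.6,20434,5201,tcp,2017-06-30 00:00:01,2017-06-30 00:00:11,8200,11800000
0,0,10.0.45.4,10.0.56.6,10.0.12.1,5201,20434,tcp,2017-06-30 00:00:01,2017-06-30 00:00:11,4100,270000
0,0,10.0.45.4,10.0.12.1,10.0.56.6,20435,5201,tcp,2017-06-30 00:02:00,2017-06-30 00:02:10,8300,11900000
0,0,10.0.45.4,10.0.12.1,10.0.56.6,50100,23,tcp,2017-06-30 00:03:00,2017-06-30 00:03:01,3,180'

# write_sample <file>: materialise the constructed sample for the functions below.
write_sample() {
    printf '%s\n' "$NFACCT_SAMPLE" > "$1"
}

# bytes_by_pair <csv>: total BYTES per SRC_IP,DST_IP, largest first ("src,dst,bytes").
bytes_by_pair() {
    awk -F, '
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF > 1  { b[$(col["SRC_IP"]) "," $(col["DST_IP"])] += $(col["BYTES"]) }
        END     { for (k in b) printf "%s,%d\n", k, b[k] }' "$1" | sort -t, -k3,3nr
}

# flag_unexpected_ports <csv> "<port> <port> ...": print flows where neither the
# source nor the destination port is an expected service port. Checking both ends
# is what keeps reply flows (server port on the source side) from being reported.
# Output: "src,dst,proto/dport,bytes".
flag_unexpected_ports() {
    awk -F, -v allow="$2" '
        BEGIN   { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
        NF > 1 && !($(col["SRC_PORT"]) in ok) && !($(col["DST_PORT"]) in ok) {
            printf "%s,%s,%s/%s,%s\n", $(col["SRC_IP"]), $(col["DST_IP"]),
                   $(col["PROTOCOL"]), $(col["DST_PORT"]), $(col["BYTES"])
        }' "$1"
}

# Usage on jail5, over every file written by the collector:
# for f in /tmp/file-*.txt; do flag_unexpected_ports "$f" "5201 22 53 123"; done
```

With `print_output_file_append: true` and a 5-minute history, each file holds one interval, so the loop in the usage line gives a per-interval view and a `cat` of the files gives the whole run; both work because the header is located by name rather than by position.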
 +
==== SNMP ====

From R1, get 2 SNMP values of R6:
  * The basic sysName
  * The UCD module version

<code>
[root@R1]~# bsnmpget -s 10.0.56.6 sysName.0
sysName.0 = jail6
[root@R1]~# bsnmpwalk -s 10.0.56.6 1.3.6.1.4.1.2021.100.2.0
1.3.6.1.4.1.2021.100.2.0 = $Name: bsnmp-ucd-0-4-3 $
</code>

==== Configurations files network backup ====

R1 will be used as a configuration files backup repository.

=== Mounting data partition on R1 and configure root password ===

<code>
[root@R1]~# mount /data/
[root@R1]~# passwd
Changing local password for root
New Password:
Retype New Password:
</code>

=== Sending configuration archive file to R1 ===

From all other routers, send the configuration file to the /data partition of R1:

<code>
[root@R2]/# config put scp root@10.0.12.1:/data/R2.tar.xz
Send saved configuration by SCP to root@10.0.12.1:/data/R2.tar.xz
The authenticity of host '10.0.12.1 (10.0.12.1)' can't be established.
RSA key fingerprint is 4d:e9:ce:26:d4:2f:92:15:5e:06:97:a8:83:78:0c:e5.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.12.1' (RSA) to the list of known hosts.
Password:
config.3803.tar.xz                            100% 7100     6.9KB/s   00:00
</code>

==== System integrity check ====

Download the mtree reference file corresponding to your BSDRP release and start a system integrity check.
In this lab, we put the reference file in the /tmp folder of R1:

<code>
[root@R1]~# system integrity /tmp/BSDRP-1.4-amd64-serial.mtree.xz
Here is the modified files comparing to the reference mtree file:
dev extra
etc extra
tmp extra
var extra
</code>

Extra files and folders under these directories are expected after the previous tests.
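Reading "extra" lines by hand stops scaling as soon as the check runs on every router after every lab session, and the interesting finding is the path that is not under dev, etc, tmp or var. This added example (not BSDRP code) filters the `system integrity` report through an allow-list of top-level directories whose extra entries are expected, and fails on anything else. It assumes the one-entry-per-line "path status" format shown above; the inputs in the test are constructed, and the function name is this example's own.

```shell
#!/bin/sh
# Added example, not BSDRP code: allow-list filter for the "system integrity" report.

# integrity_filter "<dir> <dir> ...": report lines on stdin in "path status" form.
# Entries marked "extra" whose first path component is in the allow-list are
# tolerated (the lab writes to dev, etc, tmp and var); everything else, including
# an "extra" entry anywhere under the read-only part of the image, is printed
# with an UNEXPECTED prefix and makes the function return 1.
integrity_filter() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Here is the modified files/ { next }      # banner line of the report
        NF >= 2 {
            path = $1; sub(/^\.?\//, "", path)      # accept "./dev" or "/dev" too
            split(path, p, "/")
            if ($2 == "extra" && (p[1] in ok)) next
            print "UNEXPECTED: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }'
}

# Usage on R1, after downloading the reference file as described above:
# system integrity /tmp/BSDRP-1.4-amd64-serial.mtree.xz | integrity_filter "dev etc tmp var"
```

Because the allow-list is by top-level directory, a new file under /etc is still tolerated; if the lab's /etc changes are all made through `config save`, a tighter list can be built by comparing against the saved configuration archive instead.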
  