labunix's blog

labunix's Lab Unix

Connecting a Debian stretch host to a router inside GNS3 with a bridge and a tap.

■Connecting a Debian stretch host to a router inside GNS3 with a bridge and a tap.
 In the network layout below, the device that carries the host's IP address is moved from eth0 to br0.

$ echo "[(host)br0] --> [(host)eth0],[(host<->gns3)tap0] --> [(gns3)f0/0]" | graph-easy --dot | \
    grep -v "eth0.*f0/0" | graph-easy
+------------+     +-------------------+     +------------+
| (host)br0  | --> | (host<->gns3)tap0 | --> | (gns3)f0/0 |
+------------+     +-------------------+     +------------+
  |
  |
  v
+------------+
| (host)eth0 |
+------------+

■The host environment is as follows.

$ lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 9.2 (stretch)
Release:	9.2
Codename:	stretch

■Install "bridge-utils" for "br0" and "uml-utilities" for "tap0"
 Note that the configuration below creates tap0 with "ip tuntap" from iproute2, so the tunctl shipped in uml-utilities is not strictly required for this setup.

$ echo "bridge-utils uml-utilities" | tr ' ' '\n' | \
    awk '{print "echo "$1";LANG=C apt-cache show "$1}' | sh | \
    awk 'BEGIN {f=0}{if($1=="Description-en:"){f=1}}{if($1=="Description-md5:"){f=0}} \
               {if(f==1 ||/Package/) {print $0}}'
Package: bridge-utils
Description-en: Utilities for configuring the Linux Ethernet bridge
 This package contains utilities for configuring the Linux Ethernet
 bridge in Linux. The Linux Ethernet bridge can be used for connecting
 multiple Ethernet devices together. The connecting is fully
 transparent: hosts connected to one Ethernet device see hosts
 connected to the other Ethernet devices directly.
Package: uml-utilities
Description-en: User-mode Linux (utility programs)
 User-mode Linux is a port of the Linux kernel to its own system call
 interface.  It provides a kind of virtual machine, which runs Linux
 as a user process under another Linux kernel.  This is useful for
 kernel development, sandboxing, jailing, experimentation, and
 many other things.
 .
 This package contains userspace utilities for use with User-mode
 Linux, including uml_mconsole, uml_moo, uml_switch, uml_net and
 tunctl.

$ echo "bridge-utils uml-utilities" | tr ' ' '\n' | \
    awk '{print "echo "$1";sudo apt-get install -y "$1}' | sh

■Back up the network configuration

$ sudo cp /etc/network/interfaces{,.org};ls -l /etc/network/interfaces{,.org}
-rw-r--r-- 1 root root 495 Dec  1 21:18 /etc/network/interfaces
-rw-r--r-- 1 root root 495 Dec  3 03:25 /etc/network/interfaces.org

■Add the bridge (br0) and the Ethernet device (tap0).
 "ifconfig" is not available in this environment, so the "ip" family of commands is used.

 1. Add "auto br0"
 2. Comment out "allow-hotplug eth0"
 3. Change "iface eth0 inet static" to manual and enable promiscuous mode
  ※ "ip address flush eth0" is added so that no existing IP settings remain on eth0.

iface eth0 inet manual
      up ip link set eth0 promisc on up
      up ip address flush eth0
      down ip link set eth0 promisc off down

 4. Add "iface br0 inet static" so that the IP settings that were under "iface eth0 inet static"
  can be used unchanged on "br0"

 5. Add "tap0" and "eth0" to "br0".
  ※ "tap0" is created with user ownership by "pre-up ip tuntap add dev tap0 mode tap user [GNS3-User]",
   so GNS3 must be started as that same user.

      bridge-ports all tap0 eth0
      bridge_stp off
      bridge_maxwait 0
      bridge_fd      0
      pre-up ip tuntap add dev tap0 mode tap user labunix
      pre-up ip link set tap0 up
      post-down ip link set tap0 down
      post-down ip tuntap del dev tap0 mode tap

■The config diff is as follows.

$ sudo diff /etc/network/interfaces{.org,}
8a9
> auto br0
10c11
< allow-hotplug eth0
---
> #allow-hotplug eth0
18c19,24
< iface eth0 inet static
---
> #iface eth0 inet static
> iface eth0 inet manual
> 	up ip link set eth0 promisc on up
> 	up ip address flush eth0
> 	down ip link set eth0 promisc off down
> iface br0 inet static
27a34,41
> 	bridge-ports all tap0 eth0
> 	bridge_stp off
> 	bridge_maxwait 0
> 	bridge_fd      0
> 	pre-up ip tuntap add dev tap0 mode tap user labunix
> 	pre-up ip link set tap0 up
> 	post-down ip link set tap0 down
> 	post-down ip tuntap del dev tap0 mode tap
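The same br0/tap0 layout, as an added example that is not part of the original post: render_stanza prints an /etc/network/interfaces stanza equivalent to the diff above (with the ports listed explicitly instead of "all tap0 eth0"), and bridge_up/bridge_down apply or undo the layout live with iproute2 only, without brctl and without a networking restart, which is useful for trying the layout before committing it. Assumed names and values: eth0 as the uplink, br0, tap0 owned by labunix, the host address 172.31.31.90/24 from this post, and a placeholder gateway 172.31.31.254 (the post does not show the gateway); all can be overridden through the environment.

```shell
#!/bin/bash
# Added example (not from the original post): the br0/tap0 layout above,
# expressed two ways.
#   render_stanza  prints an /etc/network/interfaces stanza equivalent to
#                  the diff above (ports listed explicitly, no "all")
#   bridge_up      applies the same layout live with iproute2 only, no
#                  brctl and no networking restart, for a quick test
#   bridge_down    undoes it and puts the address back on the uplink
# Assumptions: eth0 uplink, br0 bridge, tap0 tap owned by labunix, host
# address 172.31.31.90/24; the gateway 172.31.31.254 is a placeholder
# because the post does not show it. Override any of them via environment.
set -eu

ETH=${ETH:-eth0}
BR=${BR:-br0}
TAP=${TAP:-tap0}
TAP_USER=${TAP_USER:-labunix}
ADDR=${ADDR:-172.31.31.90/24}
GW=${GW:-172.31.31.254}          # assumption: not shown in the post

# ifupdown stanza. Option names use the underscore spelling from the
# bridge-utils ifupdown hook (ifupdown also accepts the dashed form).
render_stanza() {
    cat <<EOF
auto $BR
iface $ETH inet manual
    up ip link set $ETH promisc on up
    up ip address flush $ETH
    down ip link set $ETH promisc off down

iface $BR inet static
    address $ADDR
    gateway $GW
    bridge_ports $TAP $ETH
    bridge_stp off
    bridge_maxwait 0
    bridge_fd 0
    pre-up ip tuntap add dev $TAP mode tap user $TAP_USER
    pre-up ip link set $TAP up
    post-down ip link set $TAP down
    post-down ip tuntap del dev $TAP mode tap
EOF
}

# Live version (run as root, from the console or under nohup: the host is
# unreachable between the address flush and the route replace, and an SSH
# session dying mid-way would HUP a script started from it).
bridge_up() {
    ip link add name "$BR" type bridge
    ip link set dev "$BR" type bridge stp_state 0 forward_delay 0
    ip tuntap add dev "$TAP" mode tap user "$TAP_USER"
    ip link set dev "$TAP" master "$BR" up
    ip address flush dev "$ETH"                 # drops eth0's routes too
    ip link set dev "$ETH" promisc on master "$BR" up
    ip address add "$ADDR" dev "$BR"
    ip link set dev "$BR" up
    ip route replace default via "$GW" dev "$BR"
}

bridge_down() {
    ip link set dev "$ETH" nomaster promisc off
    ip link set dev "$TAP" nomaster down
    ip tuntap del dev "$TAP" mode tap
    ip link delete dev "$BR" type bridge
    ip address add "$ADDR" dev "$ETH"
    ip route replace default via "$GW" dev "$ETH"
}

case "${1:-}" in
    render) render_stanza ;;
    up)     bridge_up ;;
    down)   bridge_down ;;
    *)      ;;   # no verb: only define the functions (e.g. when sourced)
esac
```

Usage: `./bridge.sh render` prints the stanza to paste into /etc/network/interfaces; `sudo ./bridge.sh up` / `sudo ./bridge.sh down` apply and revert it live. `ip link set ... master br0` and `ip link add ... type bridge` replace `brctl addif` and `brctl addbr`, so the same commands work on hosts without bridge-utils.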

■Restart the networking service
 ※ If this fails, the host can no longer be operated remotely over the network,
  so do not do this in an environment where you cannot work from the console.

$ sudo systemctl restart networking.service
$ sudo systemctl status networking.service | cat
● networking.service - Raise network interfaces
   Loaded: loaded (/lib/systemd/system/networking.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sun 2017-12-03 03:48:18 JST; 25s ago
     Docs: man:interfaces(5)
  Process: 1343 ExecStop=/sbin/ifdown -a --read-environment --exclude=lo (code=exited, status=0/SUCCESS)
  Process: 1404 ExecStart=/sbin/ifup -a --read-environment (code=exited, status=0/SUCCESS)
  Process: 1399 ExecStartPre=/bin/sh -c [ "$CONFIGURE_INTERFACES" != "no" ] && \
    [ -n "$(ifquery --read-environment --list --exclude=lo)" ] && \
    udevadm settle (code=exited, status=0/SUCCESS)
 Main PID: 1404 (code=exited, status=0/SUCCESS)

Dec 03 03:48:18 vm-tap systemd[1]: Stopped Raise network interfaces.
Dec 03 03:48:18 vm-tap systemd[1]: Starting Raise network interfaces...
Dec 03 03:48:18 vm-tap systemd[1]: Started Raise network interfaces.
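A safety net for the remote restart warned about above, as an added example that is not part of the original post: arm_rollback starts a background timer that puts the backup back and restarts networking after a delay unless disarm_rollback kills it first, so a config that locks you out undoes itself. It assumes the backup path /etc/network/interfaces.org created earlier in this post, and the restore command itself only succeeds when run as root.

```shell
#!/bin/bash
# Added example (not from the original post): a rollback timer for the
# "restart networking over a remote session" step above. arm_rollback
# starts a background job that runs a restore command after DELAY seconds
# unless disarm_rollback kills it first. If the new config works, disarm
# it; if it locked you out, the backup made above comes back on its own.
# Assumes the backup path /etc/network/interfaces.org from this post and
# must run as root for the restore itself to succeed.
set -eu

IFACES=${IFACES:-/etc/network/interfaces}
BACKUP=${BACKUP:-/etc/network/interfaces.org}

# The restore command the watchdog executes: put the backup back and
# raise the interfaces from it again.
restore_cmd() {
    printf 'cp %s %s && systemctl restart networking.service' "$BACKUP" "$IFACES"
}

# arm_rollback DELAY CMD  -> sets ROLLBACK_PID (and prints it).
# nohup keeps the timer alive when the SSH session that armed it drops;
# output goes to /dev/null so the timer holds no terminal or pipe open.
arm_rollback() {
    local delay=$1 cmd=$2
    nohup sh -c "sleep $delay && $cmd" >/dev/null 2>&1 &
    ROLLBACK_PID=$!
    echo "$ROLLBACK_PID"
}

# disarm_rollback PID: stop the timer; reap it when it is our own child.
disarm_rollback() {
    kill "$1" 2>/dev/null || return 0
    wait "$1" 2>/dev/null || true
}

# Typical flow (as root, in one shell so ROLLBACK_PID is visible):
#   arm_rollback 180 "$(restore_cmd)"
#   systemctl restart networking.service
#   ... confirm a fresh SSH session still works, then:
#   disarm_rollback "$ROLLBACK_PID"
```

Pick a delay longer than the restart plus the time it takes to open a second session; if the second session never comes up, the timer fires, the original interfaces file is restored and networking is raised from it, and the host is reachable again without console access.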

■Check the network settings
 Check not only the interface state but also that the proxy the host uses and other service traffic still work normally.

 Abridged "ip address" output (link-layer and IPv6 lines omitted):

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 172.31.31.90/24 brd 172.31.31.255 scope global br0

$ sudo find /proc/sys/net/ -type d -name "tap0" 
/proc/sys/net/ipv4/conf/tap0
/proc/sys/net/ipv4/neigh/tap0
/proc/sys/net/ipv6/conf/tap0
/proc/sys/net/ipv6/neigh/tap0

$ sudo brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000c29a8af76       no              ens192
                                                        tap0

$ /sbin/brctl show
bridge name	bridge id		STP enabled	interfaces
br0		8000.000c29a8af76	no		eth0
							tap0

 (In the first capture the uplink appears under its predictable interface name, ens192; the bridge id 8000.000c29a8af76 is the same NIC MAC, 00:0c:29:a8:af:76, that "brctl showmacs" below lists as the local address on port 1 for eth0.)

■Start GNS3 as the user configured above and set "nio_TAP" on the Cloud node
 Right-click the C0 icon, [Configure] -> [NIO TAP] tab, and add tap0
 A "nio_tap:tap0" port appears; connect it to R1's "f0/0"

$ awk 'BEGIN {f=0}{if($1=="[[Cloud"){f=1}}{if(f==1 && !/x|y|z/) {print $0}}' GNS3/Projects/test/topology.net 
    [[Cloud C1]]
        connections = R1:f0/0:nio_tap:tap0

■Set an IP address in the same subnet on R1 in GNS3.

> en
# conf t
# int f0/0
# ip add 172.31.31.21 255.255.255.0
# no shut
# end

■L2 troubleshooting for the GNS3 R1 router
 On port 1, the physical MACs with "is local? yes" belong to "br0" and "eth0".
 On port 1, the MACs with "is local? no" are other devices in the L2 segment the host is attached to.

 On port 2, the MAC with "is local? yes" is "tap0".
 On port 2, the MACs with "is local? no" are other devices in the L2 segment GNS3 is attached to (here R1's f0/0, c2:00:0d:63:00:00).

$ /sbin/brctl showmacs br0
port no	mac addr		is local?	ageing timer
  1	00:0c:29:eb:ec:48	no		   7.18
  1	00:0c:29:dc:d2:21	no		   0.01
  2	62:3a:77:59:05:93	yes		   0.00
  2	62:3a:77:59:05:93	yes		   0.00
  1	00:0c:29:a8:af:76	yes		   0.00
  1	00:0c:29:a8:af:76	yes		   0.00
  2	c2:00:0d:63:00:00	no		   4.76

$ /usr/sbin/arp -n
Address                  HWtype  HWaddress           Flags Mask            Iface
172.31.31.60             ether   00:0c:29:dc:d2:21   C                     br0
172.31.31.251            ether   00:0c:29:eb:ec:48   C                     br0
172.31.31.21             ether   c2:00:0d:63:00:00   C                     br0
172.31.31.252            ether   00:0c:29:eb:ec:48   C                     br0

$ sudo tcpdump -i tap0 -n arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:56:26.441747 ARP, Request who-has 172.31.31.252 tell 172.31.31.21, length 46
15:56:26.441973 ARP, Reply 172.31.31.252 is-at 00:0c:29:eb:ec:48, length 46
15:56:33.433477 ARP, Request who-has 172.31.31.21 tell 172.31.31.252, length 46
15:56:33.439448 ARP, Reply 172.31.31.21 is-at c2:00:0d:63:00:00, length 46

■Look up the vendor from the MAC address in the IEEE-managed OUI registry
 Use the leading "XXXXXX" or "XX-XX-XX" part of the MAC address.
 Only the VMware prefix 00:0c:29 is found: 62:3a:77 (tap0) and c2:00:0d (R1's f0/0) have the locally administered bit (0x02 of the first octet) set, so they are not IEEE-assigned prefixes and have no entry in oui.txt.

$ wget http://standards-oui.ieee.org/oui/oui.txt 
$ echo "00:0c:29 62:3a:77 c2:00:0d" | \
      tr '[:lower:]' '[:upper:]' | tr -d ':' | tr ' ' '\n' | awk '{print "grep "$1" oui.txt"}' | sh
000C29     (base 16)		VMware, Inc.
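The two checks above (which bridge port a MAC was learned on, and whether its prefix can be in oui.txt at all), as an added example that is not part of the original post. The "brctl showmacs" lines and the two-line oui.txt excerpt embedded below are constructed from the output shown in this post; pass the real oui.txt fetched above to oui_lookup to use the full registry.

```shell
#!/bin/bash
# Added example (not from the original post): classify the entries of
# "brctl showmacs br0" and look each prefix up in oui.txt, including the
# U/L-bit check that explains why only 00:0c:29 resolved above. The
# showmacs lines and the oui.txt excerpt are constructed from this post.
set -eu

# Constructed sample: body of "brctl showmacs br0" from this post.
SHOWMACS='  1  00:0c:29:eb:ec:48  no   7.18
  1  00:0c:29:dc:d2:21  no   0.01
  2  62:3a:77:59:05:93  yes  0.00
  2  62:3a:77:59:05:93  yes  0.00
  1  00:0c:29:a8:af:76  yes  0.00
  2  c2:00:0d:63:00:00  no   4.76'

# Constructed excerpt in the oui.txt "(base 16)" line format.
OUI_SAMPLE='000C29     (base 16)		VMware, Inc.
005056     (base 16)		VMware, Inc.'

write_sample_db() {           # -> path of a temp file holding OUI_SAMPLE
    local f; f=$(mktemp)
    printf '%s\n' "$OUI_SAMPLE" > "$f"
    echo "$f"
}

first_octet() { echo $(( 0x${1%%:*} )); }

# U/L bit (0x02 of the first octet) set: locally administered, so the
# prefix is not an IEEE assignment and cannot appear in oui.txt. Both the
# kernel's tap0 (62:...) and the emulated router (c2:...) are like this.
mac_is_local_admin() { [ $(( $(first_octet "$1") & 2 )) -ne 0 ]; }

# I/G bit (0x01) set: group (multicast/broadcast) address, never a host.
mac_is_group() { [ $(( $(first_octet "$1") & 1 )) -ne 0 ]; }

# 00:0c:29:eb:ec:48 -> 000C29, the key form used by oui.txt
mac_oui() { printf '%s' "$1" | cut -d: -f1-3 | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# oui_lookup MAC OUI_FILE -> vendor name, or "-" when not registered
oui_lookup() {
    local oui; oui=$(mac_oui "$1")
    awk -v oui="$oui" '
        $1 == oui && $2 == "(base" { sub(/^.*16\)[ \t]+/, ""); print; found = 1 }
        END { if (!found) print "-" }' "$2"
}

# report OUI_FILE < showmacs-body -> one line per (port, MAC):
#   port MAC is-local admin-type vendor
# Header lines are dropped and duplicate (port, MAC) rows collapsed.
report() {
    local db=$1 port mac islocal age admin
    awk '$1 ~ /^[0-9]+$/ && !seen[$1, $2]++' |
    while read -r port mac islocal age; do
        if mac_is_local_admin "$mac"; then admin=locally-administered
        else admin=universal; fi
        printf '%s %s %s %s %s\n' "$port" "$mac" "$islocal" "$admin" \
            "$(oui_lookup "$mac" "$db")"
    done
}

if [ "${1:-}" = "demo" ]; then
    db=$(write_sample_db)
    printf '%s\n' "$SHOWMACS" | report "$db"
    rm -f "$db"
fi
```

Run `./macs.sh demo` for the embedded sample, or `sudo brctl showmacs br0 | ./macs.sh`-style piping into `report oui.txt` on a live bridge: a "-" vendor together with "locally-administered" is expected for taps and emulated interfaces, while "-" on a universal address means the prefix is newer than your copy of oui.txt.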

■Ping check (ICMP)

$ ping -c 3 172.31.31.21
PING 172.31.31.21 (172.31.31.21) 56(84) bytes of data.
64 bytes from 172.31.31.21: icmp_seq=1 ttl=255 time=6.75 ms
64 bytes from 172.31.31.21: icmp_seq=2 ttl=255 time=1.13 ms
64 bytes from 172.31.31.21: icmp_seq=3 ttl=255 time=6.17 ms

--- 172.31.31.21 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.134/4.687/6.759/2.525 ms

■telnet setup (TCP)
 Lab use only: telnet and "username cisco password cisco" send the credentials in cleartext across tap0, where a tcpdump like the ones above would show them. On anything that is not isolated, use SSH and "username ... secret" instead.

# conf t
 username cisco password cisco
 line vty 0 4
 transport input telnet
 login local
 end

$ telnet 172.31.31.21
Trying 172.31.31.21...
Connected to 172.31.31.21.
Escape character is '^]'.

User Access Verification

Username: cisco
Password: 
Router>

■DNS client setup (UDP)

# conf t
  ip name-server 172.31.31.251
  end
# ping google.co.jp

$ sudo tcpdump -i tap0 -n udp port 123 or udp port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
16:23:25.269059 IP 172.31.31.21.60309 > 172.31.31.251.53: 50126+ A? google.co.jp. (30)
16:23:25.303178 IP 172.31.31.251.53 > 172.31.31.21.60309: 50126 1/4/4 A 172.217.27.67 (192)

■NTP client setup

 Setting up an NTP client on a Cisco 892J (earlier post):
 http://labunix.hateblo.jp/entry/20150824/1440346473

# conf t
  clock timezone JST +9
  ntp server 172.31.31.60 source fastEthernet 0/0 prefer 
  ntp logging
  end

# clock set 16:18:00 10 DEC 2017

# conf t
  access-list 101 permit udp any any eq 123
  access-list 101 permit udp any eq 123 any
  end
# debug ip packet 101
# debug ntp packets
Dec 10 08:07:05.819: IP: tableid=0, s=172.31.31.21 (local), d=172.31.31.60 (FastEthernet0/0), routed via FIB
Dec 10 08:07:05.819: IP: s=172.31.31.21 (local), d=172.31.31.60 (FastEthernet0/0), len 76, sending
Dec 10 08:07:05.819: NTP: xmit packet to 172.31.31.60:
Dec 10 08:07:05.819:  leap 0, mode 3, version 3, stratum 4, ppoll 64
Dec 10 08:07:05.819:  rtdel 0A97 (41.367), rtdsp FC91E (15785.614), refid AC1F1F3C (172.31.31.60)
Dec 10 08:07:05.819:  ref DDD76975.D39C441E (17:06:13.826 JST Sun Dec 10 2017)
Dec 10 08:07:05.819:  org DDD76939.908BDEFF (17:05:13.564 JST Sun Dec 10 2017)
Dec 10 08:07:05.819:  rec DDD76929.D3EB105E (17:04:57.827 JST Sun Dec 10 2017)
Dec 10 08:07:05.819:  xmt DDD769A9.D1DE3704 (17:07:05.819 JST Sun Dec 10 2017)
Dec 10 08:07:05.827: IP: tableid=0, s=172.31.31.60 (FastEthernet0/0), d=172.31.31.21 (FastEthernet0/0), routed via RIB
Dec 10 08:07:05.827: IP: s=172.31.31.60 (FastEthernet0/0), d=172.31.31.21 (FastEthernet0/0), len 76, rcvd 3
Dec 10 08:07:05.827: NTP: rcv packet from 172.31.31.60 to 172.31.31.21 on FastEthernet0/0:
Dec 10 08:07:05.827:  leap 0, mode 4, version 3, stratum 3, ppoll 64
Dec 10 08:07:05.827:  rtdel 0A79 (40.909), rtdsp 0C6E (48.553), refid AC1F1FFC (172.31.31.252)
Dec 10 08:07:05.827:  ref DDD7674A.9E3CA923 (16:56:58.618 JST Sun Dec 10 2017)
Dec 10 08:07:05.827:  org DDD769A9.D1DE3704 (17:07:05.819 JST Sun Dec 10 2017)
Dec 10 08:07:05.827:  rec DDD769B9.9047B6F7 (17:07:21.563 JST Sun Dec 10 2017)
Dec 10 08:07:05.827:  xmt DDD769B9.904D8194 (17:07:21.563 JST Sun Dec 10 2017)
Dec 10 08:07:05.827:  inp DDD769A9.D3EA80BC (17:07:05.827 JST Sun Dec 10 2017)

# no debug ip packet 101
# no debug ntp packets
# conf t
  no access-list 101
  end

# show ntp status
Clock is synchronized, stratum 4, reference is 172.31.31.60
nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24
reference time is DDD76AB4.D348C0DB (17:11:32.825 JST Sun Dec 10 2017)
clock offset is 15734.5456 msec, root delay is 40.99 msec
root dispersion is 15787.72 msec, peer dispersion is 0.63 msec

# show ntp associations

      address         ref clock     st  when  poll reach  delay  offset    disp
*~172.31.31.60     172.31.31.252     3    25    64  377    -0.1  15734.     0.6
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured

■Testing after every network config change is tedious, so "tap0" stays fixed.
 "tap1" can be added and removed as follows.
 Instead of "promisc on", an IP address can also be assigned to it.

$ echo "promisc on"; \
  sudo ip tuntap add dev tap1 mode tap user labunix ; \
  sudo ip link set dev tap1 promisc on up; \
  sudo /sbin/brctl addif br0 tap1

$ echo "add IP"; \
    sudo ip tuntap add dev tap1 mode tap user labunix ; \
    sudo ip link set dev tap1 up; \
    sudo ip add add 172.31.21.21/24 dev tap1; \
    sudo /sbin/brctl addif br0 tap1

$ sudo /sbin/brctl delif br0 tap1; \
  sudo ip link set tap1 down; \
  sudo ip tuntap del dev tap1 mode tap