DFRI network

  • AS macro: AS-DFRI
  • AS numbers: 198093

Netblocks

  • IPv4
    • SE-TORNET 171.25.193.0/24
    • DFRI-DNS 194.0.61.0/24
  • IPv6
    • SE-TORNET 2001:67c:289c::/48
    • DFRI-DNS 2001:67c:16b0::/48

Address plan

SE-TORNET IPv4 (171.25.193.0/24)

- 0/24 -
  - 0/25 -
    - 0/26 sthlm site 0 infra + tor (1-62)
    - 64/26 sthlm site 3 (65-126)
  - 128/25 -
    - 128/26 sthlm site 4 infra + tor (129-190)
    - 192/26 -
      - 192/27 sthlm site 4 (193-222)
      - 224/27 -
        - 224/28 -
          - 224/29 loopback (225-230)
          - 232/29 sthlm site 2 tor (233-238)
        - 240/28 - link networks
          - 240/30 linknet5 (241,242) sto0-sto3
          - 244/31 linknet4 (244,245)
          - 246/31 linknet3 (246,247)
          - 248/31 linknet2 (248,249) sto0-internal
          - 250/31 linknet1 (250,251) sto3-sto4
          - 252/30 linknet0 (253,254) sto0-sto4

SE-TORNET IPv6 (2001:67c:289c::/48)

- 2001:67c:289c::/48 -
  - 2001:67c:289c:0000::/64 sto0
  - 2001:67c:289c:0001::/64 sto1
  - 2001:67c:289c:0002::/64 sto2
  - 2001:67c:289c:0003::/64 sto3
  - 2001:67c:289c:0004::/64 sto4
  - 2001:67c:289c:ffff::/64 link
    - :1::/96 linknet0
    - :2::/96 linknet1
    - :3::/96 linknet5
    - :4::/96 linknet2

DFRI-DNS IPv4 (194.0.61.0/24)

- 0/24 -
  - 0/25 -
    - 0/26 sto1 (1-62)
    - 64/26 unused (65-126)
  - 128/25 -
    - 128/26 unused (129-190)
    - 192/26 -
      - 192/27 unused (193-222)
      - 224/27 -
        - 224/28 unused (225-238)
        - 240/28 - link networks
          - 240/30 link3 sto0-sto3 (241-242)
          - 244/30 unused (245-246)
          - 248/30 unused (249-250)
          - 252/30 link0 sto0-sto4 (253-254)

Traffic graphs

See mrtg for how to make mrtg play nicely on FreeBSD.

Operating

Blackholing, or RTBH

Info on RTBH:

Example of how to blackhole .47 at Portlane (untested 2012-03-23):

bgpctl network add 171.25.193.47/32 community 42708:666

Remove all dynamically added announcements:

bgpctl network flush

Creating netflow data and looking at it

pmacct

pmacctd -D -c dst_port -P memory -i IF
pmacct -s -c dst_port | sort -nrk 2 | head

nfcap + fprobe

Example on how to capture, collect and disseminate netflow data locally on rs0.

  • rs0# nfcapd -b 127.0.0.1 -n rs0,127.0.0.1,/usr/nfcap &
  • otherhost$ ssh -NfL 9995:127.0.0.1:9995 rs0.dfri.net
  • otherhost$ fprobe -i em3.257 -fip localhost:9995
  • Wait.
  • otherhost$ nfdump -B -R /usr/nfcap/FILE1:FILEn -s record
  • Don't forget to shut down nfcapd and fprobe and gshred -zu /usr/nfcap/FILE* when you're done.
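The collector side of the recipe above as a script, added here as an example rather than anything DFRI runs: it starts nfcapd on rs0, waits for fprobe data to arrive through the tunnel, builds the FILE1:FILEn range for nfdump -R from the files actually written, and does the shutdown and gshred step from the last bullet in a trap so it also happens on Ctrl-C. The otherhost steps (ssh tunnel, fprobe) are still typed by hand. NFCAP_DIR, NFCAP_PIDFILE, the function names and the nfcapd -D/-P daemon and pidfile flags are assumptions of this example, not taken from the page.

```shell
#!/bin/sh
# Added example, not DFRI's own tooling: collector-side half of the netflow
# recipe (nfcapd on rs0, then nfdump over the captured files), with the
# teardown and gshred done by a trap. Assumes root on the collector and the
# nfdump tools' nfcapd, which has -D (daemonize) and -P (pidfile).

NFCAP_DIR=${NFCAP_DIR:-/usr/nfcap}                 # as on the page
NFCAP_PIDFILE=${NFCAP_PIDFILE:-/var/run/nfcapd-local.pid}

# nfcap_range DIR: print "FIRST:LAST" for the completed nfcapd.* files in DIR,
# i.e. the FILE1:FILEn form nfdump -R expects. Shell glob expansion is sorted
# and nfcapd's timestamped names sort chronologically; the file nfcapd is
# still writing (nfcapd.current.*) is skipped. Returns 1 when nothing is there.
nfcap_range() {
    first= last=
    for f in "$1"/nfcapd.*; do
        [ -f "$f" ] || continue
        case ${f##*/} in nfcapd.current*) continue ;; esac
        [ -n "$first" ] || first=${f##*/}
        last=${f##*/}
    done
    [ -n "$first" ] || return 1
    printf '%s:%s\n' "$first" "$last"
}

# nfcap_cleanup: stop the collector and wipe the flow files; safe to run twice
nfcap_cleanup() {
    if [ -f "$NFCAP_PIDFILE" ]; then
        kill "$(cat "$NFCAP_PIDFILE")" 2>/dev/null
        sleep 1            # let nfcapd close and rename its current file
        rm -f "$NFCAP_PIDFILE"
    fi
    for f in "$NFCAP_DIR"/nfcapd.*; do
        [ -f "$f" ] && gshred -zu "$f"
    done
    return 0
}

# nfcap_collect SECONDS: nfcapd bound to loopback (fed by the ssh tunnel from
# otherhost), wait SECONDS, print the top records, then clean up via the trap.
nfcap_collect() {
    mkdir -p "$NFCAP_DIR"
    trap nfcap_cleanup EXIT
    trap 'exit 130' INT TERM
    nfcapd -b 127.0.0.1 -n "rs0,127.0.0.1,$NFCAP_DIR" -D -P "$NFCAP_PIDFILE" || return 1
    echo "nfcapd listening on 127.0.0.1:9995; start the tunnel and fprobe on otherhost now" >&2
    sleep "$1"
    range=$(nfcap_range "$NFCAP_DIR") || { echo "no completed flow files in $NFCAP_DIR" >&2; return 1; }
    nfdump -B -R "$NFCAP_DIR/$range" -s record
}

# usage: sh nfcap-collect.sh collect [SECONDS]   (default 300, one nfcapd rotation)
case ${1:-} in collect) nfcap_collect "${2:-300}" ;; esac
```

nfcap_range only takes completed files, so the nfcapd.current.* file nfcapd is still filling is never handed to nfdump; the default rotation is five minutes, hence the 300 second default.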

TODO

  • Test RTBH
  • Trigger launch of fprobe on extensive ierrs or idrop (rs0)?
  • Take a look at nfsen as a nfdump front end?

How to create a VLAN i/f on a router

IF=<physical interface>
VLANID=<vlan id>

Add the VLANID to rc.conf

  • Add VLANID to vlans_${IF} (and ipv6_network_interfaces)
  • Add a create_args_${IF}_${VLANID} line for IPv4
  • Add an ifconfig_${IF}_${VLANID}_ipv6 for IPv6

Create the interface manually

  • export i=$(ifconfig vlan create vlan $VLANID vlandev $IF)
  • ifconfig $i name ${IF}.${VLANID}

Create and configure the interface automatically

  • service netif restart ${IF}
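The rc.conf and manual steps above as shell functions, added here as an example and not taken from DFRI's routers. The rc.conf edits work on whatever file is passed in, so they can be tried on a copy before touching /etc/rc.conf, and they are idempotent: a VLAN id already listed in vlans_${IF} is not added a second time. The function names, the demo file contents and the addresses (RFC 5737/3849 documentation ranges) are constructed for this example; it also assumes the IPv4 address goes in ifconfig_${IF}_${VLANID}="inet ...", which is the usual rc.conf form, and leaves the page's create_args line to the operator.

```shell
#!/bin/sh
# Added example, not DFRI's own scripts: the "Add the VLANID to rc.conf" and
# "Create the interface manually" steps as functions. Assumes FreeBSD rc.conf
# conventions vlans_<IF>="<id> ...", ifconfig_<IF>_<id>="inet ..." and
# ifconfig_<IF>_<id>_ipv6="inet6 ...".

# rc_append_word KEY WORD FILE: make sure WORD is in the space separated list
# KEY="..." in FILE; creates the line if KEY is absent, leaves it alone if
# WORD is already listed.
rc_append_word() {
    key=$1 word=$2 file=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v word="$word" '
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2); gsub(/"/, "", val)
            n = split(val, w, " "); seen = 0
            for (i = 1; i <= n; i++) if (w[i] == word) seen = 1
            if (!seen) val = (val == "") ? word : (val " " word)
            print key "=\"" val "\""; done = 1; next
        }
        { print }
        END { if (!done) print key "=\"" word "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# rc_set KEY VALUE FILE: set KEY="VALUE" in FILE, replacing any existing line
rc_set() {
    key=$1 value=$2 file=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        index($0, key "=") == 1 { print key "=\"" value "\""; done = 1; next }
        { print }
        END { if (!done) print key "=\"" value "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# vlan_rcconf IF VLANID FILE IPV4 IPV6: the three rc.conf steps from the page
vlan_rcconf() {
    ifn=$1 vid=$2 file=$3 v4=$4 v6=$5
    rc_append_word "vlans_${ifn}" "$vid" "$file"
    rc_set "ifconfig_${ifn}_${vid}" "inet $v4" "$file"
    if grep -q '^ipv6_network_interfaces="auto"' "$file"; then
        :   # "auto" (the FreeBSD default) already covers every interface
    else
        rc_append_word "ipv6_network_interfaces" "${ifn}.${vid}" "$file"
    fi
    rc_set "ifconfig_${ifn}_${vid}_ipv6" "inet6 $v6" "$file"
}

# vlan_create_manual IF VLANID: the manual steps; ifconfig prints the name of
# the interface it created (e.g. vlan0), which is then renamed to IF.VLANID
vlan_create_manual() {
    ifn=$1 vid=$2
    i=$(ifconfig vlan create vlan "$vid" vlandev "$ifn") || return 1
    ifconfig "$i" name "${ifn}.${vid}"
}

# demo: dry run on a constructed rc.conf copy, never on /etc/rc.conf
demo() {
    rc=$(mktemp)
    printf 'hostname="router.example"\nvlans_em3="100"\nipv6_network_interfaces="em3"\n' > "$rc"
    vlan_rcconf em3 257 "$rc" 192.0.2.1/26 2001:db8::1/64
    cat "$rc"
    rm -f "$rc"
}

# usage: sh vlan.sh demo | sh vlan.sh create <IF> <VLANID>
case ${1:-} in demo) demo ;; create) vlan_create_manual "$2" "$3" ;; esac
```

After vlan_rcconf has edited the real /etc/rc.conf, the "Create and configure the interface automatically" step (service netif restart ${IF}) brings the new interface up from those lines.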