ISP:
- В настоящий момент имеем:
- ens19 - Магистральный провайдер (vmbr0)
- ens20 - Сеть в сторону FW-HQ (vmbr1)
- ens21 - Сеть в сторону RTR-BR (vmbr2)
- ens22 - Сеть в сторону RTR-COD (vmbr3)
- ens29 - Сеть в сторону OUT-CLI (vmbr4)
[root@localhost ~]# ip -c -br a
lo UNKNOWN 127.0.0.1/8 ::1/128
ens19 UP 172.20.20.172/24 fe80::be24:11ff:fefc:5f4/64
ens20 DOWN
ens21 DOWN
ens22 DOWN
ens29 DOWN
[root@localhost ~]#
- Базовая настройка:
- имя
- адресация
- forwarding
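# Name the router. "exec bash" replaces the current interactive shell so the
# prompt shows the new hostname; type the remaining commands in that new shell.
hostnamectl set-hostname ISP; exec bash
# Mirror the hostname into the sysconfig file as well.
sed -i "s/HOSTNAME=localhost/HOSTNAME=ISP/g" /etc/sysconfig/network

# One configuration directory per downstream interface (ens20, ens21, ens22, ens29).
# -p keeps the step repeatable when a directory already exists.
mkdir -p /etc/net/ifaces/ens2{0,1,2,9}
# Write the options file once for ens20, then copy it to the other three interfaces.
echo "TYPE=eth" > /etc/net/ifaces/ens20/options
cp /etc/net/ifaces/ens2{0,1}/options
cp /etc/net/ifaces/ens2{0,2}/options
cp /etc/net/ifaces/ens2{0,9}/options

# Two dummy interfaces: lo1 carries 192.168.255.1/32 and lo2 carries 100.64.1.1/16 (assigned below).
mkdir -p /etc/net/ifaces/lo{1,2}
echo "TYPE=dummy" > /etc/net/ifaces/lo1/options
cp /etc/net/ifaces/lo{1,2}/options

# Static IPv4 addresses, one file per interface.
echo "63.27.19.254/23" > /etc/net/ifaces/ens20/ipv4address   # towards FW-HQ
echo "84.212.78.94/27" > /etc/net/ifaces/ens21/ipv4address   # towards RTR-BR
echo "34.95.33.254/24" > /etc/net/ifaces/ens22/ipv4address   # towards RTR-COD
echo "34.35.36.62/26" > /etc/net/ifaces/ens29/ipv4address    # towards OUT-CLI
echo "192.168.255.1/32" > /etc/net/ifaces/lo1/ipv4address
echo "100.64.1.1/16" > /etc/net/ifaces/lo2/ipv4address

# Enable IPv4 forwarding. The dots are escaped so the pattern matches only the
# literal key; if the file does not contain "net.ipv4.ip_forward = 0" the
# command changes nothing, so confirm with "sysctl net.ipv4.ip_forward" afterwards.
# NOTE(review): forwarding makes this host route between every attached network.
# No filter-table (FORWARD) rules are shown on this page, so all interface pairs
# can exchange traffic once this is on; add FORWARD rules if segments must be isolated.
sed -i "s/net\.ipv4\.ip_forward = 0/net.ipv4.ip_forward = 1/g" /etc/net/sysctl.conf
# Apply the interface and sysctl changes.
systemctl restart network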
- Проверка:
[root@ISP ~]# ip -c -br -4 a
lo UNKNOWN 127.0.0.1/8
ens19 UP 172.20.20.172/24
ens20 UP 63.27.19.254/23
ens21 UP 84.212.78.94/27
ens22 UP 34.95.33.254/24
ens29 UP 34.35.36.62/26
lo1 UNKNOWN 192.168.255.1/32
lo2 UNKNOWN 100.64.1.1/16
[root@ISP ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
[root@ISP ~]#
- Устанавливаем пакеты frr и iptables:
# Refresh the package index, then install the firewall tooling and the FRR
# routing suite. The install runs only if the index refresh succeeded.
apt-get update \
  && apt-get install -y iptables frr
- Настраиваем iptables для доступа в сеть Интернет из сетей FW-HQ, RTR-BR и OUT-CLI:
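# Source NAT: traffic from each downstream network that leaves through ens19
# (the upstream provider link) is rewritten to the ens19 address.
# -A appends unconditionally, so repeating a command adds a duplicate rule;
# check with "iptables -t nat -L -n -v" before re-running.
iptables -t nat -A POSTROUTING -s 63.27.18.0/23 -o ens19 -j MASQUERADE     # ens20 network (FW-HQ)
iptables -t nat -A POSTROUTING -s 84.212.78.64/27 -o ens19 -j MASQUERADE   # ens21 network (RTR-BR)
iptables -t nat -A POSTROUTING -s 34.95.33.0/24 -o ens19 -j MASQUERADE     # ens22 network (RTR-COD)
iptables -t nat -A POSTROUTING -s 34.35.36.0/26 -o ens19 -j MASQUERADE     # ens29 network (OUT-CLI)
# NOTE(review): only the nat table is touched here. With ip_forward enabled and
# no filter-table FORWARD rules shown on this page, the router forwards between
# all attached networks; restrict the FORWARD chain if that is not intended.

# Persist the running ruleset. Overwrite (>) rather than append (>>): appending
# stacks another full copy of the ruleset in the file every time this step is repeated.
iptables-save > /etc/sysconfig/iptables
# Load the saved ruleset now and at every boot.
systemctl enable --now iptables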
- Проверка:
[root@ISP ~]# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 228 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE 0 -- * ens19 63.27.18.0/23 0.0.0.0/0
0 0 MASQUERADE 0 -- * ens19 84.212.78.64/27 0.0.0.0/0
0 0 MASQUERADE 0 -- * ens19 34.95.33.0/24 0.0.0.0/0
0 0 MASQUERADE 0 -- * ens19 34.35.36.0/26 0.0.0.0/0
[root@ISP ~]#
- Настройка BGP и IS-IS:
# Switch on only the two FRR daemons this router uses: bgpd and isisd.
sed -i -e "s/bgpd=no/bgpd=yes/g" -e "s/isisd=no/isisd=yes/g" /etc/frr/daemons
# Start FRR now and at every boot.
systemctl enable --now frr
# Open the FRR shell; the routing configuration that follows is typed there.
vtysh
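! Enter configuration mode.
conf t
! IS-IS instance "0", level-2 only. The system ID 1921.6825.5001 in the NET
! appears to encode the lo1 address 192.168.255.1.
router isis 0
is-type level-2-only
net 49.0001.1921.6825.5001.00
exit
! Put lo1 (192.168.255.1/32, used below as BGP router-id and update-source) into IS-IS.
! The command is "ip router isis", as the running-config on this page shows;
! "ip route isis 0" is not accepted as an IS-IS interface command.
interface lo1
ip router isis 0
exit
! ens21 is the link towards RTR-BR: level-2 point-to-point adjacency.
! NOTE(review): no IS-IS authentication is configured on this adjacency;
! consider an interface "isis password" if the link is not fully trusted.
interface ens21
ip router isis 0
isis circuit-type level-2-only
isis network point-to-point
exit
router bgp 64499
bgp router-id 192.168.255.1
! This knob only affects eBGP sessions. Both neighbours below are in AS 64499
! (iBGP), so it changes nothing for them, but it would let any eBGP neighbour
! added later exchange routes without route-maps; drop it if eBGP is ever added.
no bgp ebgp-requires-policy
! iBGP to RTR-BR, sourced from lo1 (reachable through IS-IS).
neighbor 192.168.255.2 remote-as 64499
neighbor 192.168.255.2 description iBGP-to-RTR-BR
neighbor 192.168.255.2 update-source lo1
! Second iBGP neighbour, an address inside the ens22 network 34.95.33.0/24.
! NOTE(review): neither session is authenticated or prefix-filtered; consider
! "neighbor <peer> password <secret>" and inbound prefix-lists before production use.
neighbor 34.95.33.33 remote-as 64499
address-family ipv4 unicast
! Announce the default route and the lo2 prefix 100.64.0.0/16.
network 0.0.0.0/0
network 100.64.0.0/16
neighbor 192.168.255.2 next-hop-self
neighbor 192.168.255.2 default-originate
! Keeps a copy of the routes received from this neighbour so inbound policy can be re-applied without resetting the session.
neighbor 192.168.255.2 soft-reconfiguration inbound
neighbor 34.95.33.33 default-originate
exit-address-family
end
! Save the running configuration so it survives a restart.
wr mem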
- Проверка:
ISP# show running-config
Building configuration...
Current configuration:
!
frr version 10.2.2
frr defaults traditional
hostname ISP
log file /var/log/frr/frr.log
no ipv6 forwarding
!
interface ens21
ip router isis 0
isis circuit-type level-2-only
isis network point-to-point
exit
!
interface lo1
ip router isis 0
exit
!
router bgp 64499
bgp router-id 192.168.255.1
no bgp ebgp-requires-policy
neighbor 34.95.33.33 remote-as 64499
neighbor 192.168.255.2 remote-as 64499
neighbor 192.168.255.2 description iBGP-to-RTR-BR
neighbor 192.168.255.2 update-source lo1
!
address-family ipv4 unicast
network 0.0.0.0/0
network 100.64.0.0/16
neighbor 34.95.33.33 default-originate
neighbor 192.168.255.2 next-hop-self
neighbor 192.168.255.2 default-originate
neighbor 192.168.255.2 soft-reconfiguration inbound
exit-address-family
exit
!
router isis 0
is-type level-2-only
net 49.0001.1921.6825.5001.00
exit
!
end
ISP#
Последнее изменение: вторник, 17 марта 2026, 11:56