Mikrotik Ros + 华为S5720 基于Vlan做L2 L3互通


基本拓扑+接线如下图:
Mikrotik Ros + 华为S5720 基于Vlan做L2 L3互通

需求说明:
1:基于Ros的二层网络是10.0.0.0/8
2:服务器出公网用的是Vlan2002的172.30.0.0/21
3:服务器内部通讯的是基于openstack的虚拟vlan
4:服务器的远程管理IPMI用的是Vlan2000的172.16.0.0/21
5:10.0.0.0/8 不经网关做 NAT,即可直接访问 172.30.0.0/21、172.16.0.0/21 和 openstack 的虚拟 vlan
6:172.30.0.0/21可以访问公网

实现:
下面来看看交换机配置(注意:下面的 dis cu 输出原样保留了 local-user 的 irreversible-cipher 口令密文和 snmp-agent community write 的团体字密文,公开发布时应先替换为占位符):

<guang1>dis cu
!Software Version V200R010C00SPC600
#
sysname guang1
#
dns server 8.8.4.4
#
vlan batch 20 2002
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
telnet server enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
free-rule-template name default_free_rule
#                                         
portal-access-profile name portal_access_profile
#
drop-profile default
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user dtkj password irreversible-cipher $1a$;RN_-p,t*($)+qu.M9&&D[N(CL$I!Y3M/E<5D'N4.AM+zBv$\7%$
 local-user dtkj privilege level 15
 local-user dtkj service-type telnet
 local-user admin password irreversible-cipher $1a$RN<m::9hcL$y5IkSR|tG75vsR-zY+3W;>qd'0SjRXBv0hF)>qiS$
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh ftp http
#
interface Vlanif2001
#
interface Vlanif2002
 ip address 172.30.0.1 255.255.248.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface XGigabitEthernet0/0/1
 port link-type access
 port default vlan 2002
#
interface XGigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/3
 port link-type access
 port default vlan 2002
#
interface XGigabitEthernet0/0/4
 port link-type trunk                     
 port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/48
 port link-type trunk
 port trunk allow-pass vlan 2001 to 2002
#
interface 40GE0/0/1
#
interface 40GE0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.30.0.2
ip route-static 192.168.1.0 255.255.255.0 192.168.1.2
#
snmp-agent
snmp-agent local-engineid 800007DB03E868196600D0
snmp-agent community write cipher %^%#ia)*T\GFPJH&r6P{_m84D=Q+GZio"Dh=`9!#vkJDgBoK>Dzj#/|m=F1-LLP8lhdRF~5%K*=T[N/V|h51%^%#
snmp-agent sys-info version all
#                                         
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
<guang1>
<dian1>dis cu
!Software Version V200R008C00SPC500
#
sysname dian1
#
vlan batch 20 2000 to 2002
#
telnet server enable
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user dtkj password irreversible-cipher %^%#Jx}+C6=[U6b,W>U_OE$R3jjpAlo"_~Jx1a,9}^=G5=9RAv]g+#6a7q1Pq0iT%^%#
 local-user dtkj privilege level 3
 local-user dtkj service-type telnet
 local-user admin password irreversible-cipher %^%#SvtvT:'|V(Fi)2;ZWDa.OxT<<^VXsU]B&*H:fYy<yh>V7N8n44;kqXWI_<h6%^%#
 local-user admin privilege level 15      
 local-user admin service-type http
 local-user lookback password irreversible-cipher %^%#G!->B12MkNo/<|)TH\a4SCs]Kxr`^#vx'%0'i"NYFV->Vd}W=%~]x!Q$0,`<%^%#
 local-user lookback privilege level 15
 local-user lookback service-type telnet terminal http
#
interface Vlanif2000
 ip address 172.16.0.1 255.255.248.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/3            
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/17
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/18
 port link-type access
 port default vlan 2000
#
interface XGigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.0.2
#
snmp-agent
snmp-agent local-engineid 800007DB03AC617573A580
snmp-agent community write cipher %^%#gTC"=0T.=)$f`nY_,613=dfYE.392S=fvHR9@a)+E"<7QMsR^>}bJ*/Wd$47wLr926*|*UN&~GKM,i+.%^%#
snmp-agent sys-info version all
#                                         
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 16 20
#
wlan
#
return
<dian1>

下面是路由ROS的配置

# MikroTik RouterOS side of the L2/L3 interconnect, as exported on the page.
# Two 802.1Q sub-interfaces, one per uplink to a Huawei switch:
#   vlan2000 on ether2 (the IPMI/management VLAN), vlan2002 on ether1 (the server egress VLAN).
/interface vlan
add interface=ether2 name=vlan2000 vlan-id=2000
add interface=ether1 name=vlan2002 vlan-id=2002
# Router-side address on each VLAN; both switches' default routes point at these .2 addresses.
# NOTE(review): vlan2002 is addressed as /16 here, while the switch's Vlanif2002 and the
# requirements use 255.255.248.0 (/21) — the mask on the two ends should agree; confirm.
/ip address
add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0
add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0
# Prerouting accept rules for traffic destined to the two VLAN subnets
# (presumably to keep it out of later mangle processing not shown on the page — confirm).
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.16.0.0/21
add action=accept chain=prerouting dst-address=172.30.0.0/21
# srcnat accept: traffic from the 10.0.0.0/8 L2 side to these VLANs is deliberately left
# untranslated (requirement 5 asks for non-NAT reachability), so the switches route it back.
# NOTE(review): with action=accept the to-addresses= value appears to be unused — confirm intent.
/ip firewall nat
add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2
add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2

做好了就可以来测试了

[lookback@LookBack-iMac ~]$ traceroute -n 172.30.7.1
traceroute to 172.30.7.1 (172.30.7.1), 64 hops max, 52 byte packets
 1  10.0.0.1  0.894 ms  0.287 ms  0.460 ms
 2  172.30.7.1  0.497 ms !Z  0.554 ms !Z  0.478 ms !Z
[lookback@LookBack-iMac ~]$ ping -t1 -c2 172.30.7.1
PING 172.30.7.1 (172.30.7.1): 56 data bytes
64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms

--- 172.30.7.1 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 0.482/0.482/0.482/0.000 ms
[lookback@LookBack-iMac ~]$ ssh root@172.30.7.1
Last login: Tue Aug 21 03:29:08 2018 from 10.0.1.201
[root@ceph-master ~]# w
 01:15:26 up 2 days, 20:29,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                       һ04    2days  0.72s  0.72s -bash
root     pts/0    10.10.248.105    01:15    2.00s  0.05s  0.00s w
[root@ceph-master ~]# exit
Connection to 172.30.7.1 closed.
[lookback@LookBack-iMac ~]$

从上面可以看出 10.0.0.0/8 访问 172.30.0.0/21 已经没有问题了;172.16.0.0/21 这里就不再验证了,因为它和 172.30.0.0/21 的情况没有任何区别。

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 76.721/103.717/130.713/26.996 ms
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 10.10.248.105
PING 10.10.248.105 (10.10.248.105) 56(84) bytes of data.
64 bytes from 10.10.248.105: icmp_seq=1 ttl=63 time=0.367 ms
64 bytes from 10.10.248.105: icmp_seq=2 ttl=63 time=0.365 ms

--- 10.10.248.105 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1037ms
rtt min/avg/max/mdev = 0.365/0.366/0.367/0.001 ms
[root@DS-VM-Node_172_30_7_9 ~]#

从上面可以看出 172.30.0.0/21 出公网以及到 ROS 二层网络都是没有问题的。

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 172.16.7.13
PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data.
64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms
64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms

--- 172.16.7.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/3.044/5.482/2.438 ms
[root@DS-VM-Node_172_30_7_9 ~]# 

从上面可以看出172.30.0.0/21和172.16.0.0/21的Vlan间互通也是没有问题的

lookback
