Requirements:
1: The layer-2 network behind the RouterOS (ROS) router is 10.0.0.0/8
2: Servers reach the public internet through VLAN 2002, 172.30.0.0/21
3: Server-to-server traffic runs over OpenStack virtual VLANs
4: Out-of-band server management (IPMI) uses VLAN 2000, 172.16.0.0/21
5: 10.0.0.0/8 must reach 172.30.0.0/21, 172.16.0.0/21 and the OpenStack virtual VLANs without the gateway applying NAT
6: 172.30.0.0/21 must reach the public internet
Implementation:
First, the switch configurations:
<guang1>dis cu
!Software Version V200R010C00SPC600
#
 sysname guang1
#
 dns server 8.8.4.4
#
vlan batch 20 2002
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
 telnet server enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
aaa
 authentication-scheme default
 authentication-scheme radius
  authentication-mode radius
 authorization-scheme default
 accounting-scheme default
 domain default
  authentication-scheme radius
  radius-server default
 domain default_admin
  authentication-scheme default
 local-user dtkj password irreversible-cipher $1a$;RN_-p,t*($)+qu.M9&&D[N(CL$I!Y3M/E<5D'N4.AM+zBv$\7%$
 local-user dtkj privilege level 15
 local-user dtkj service-type telnet
 local-user admin password irreversible-cipher $1a$RN<m::9hcL$y5IkSR|tG75vsR-zY+3W;>qd'0SjRXBv0hF)>qiS$
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh ftp http
#
interface Vlanif2001
#
interface Vlanif2002
 ip address 172.30.0.1 255.255.248.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface XGigabitEthernet0/0/1
 port link-type access
 port default vlan 2002
#
interface XGigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/3
 port link-type access
 port default vlan 2002
#
interface XGigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/48
 port link-type trunk
 port trunk allow-pass vlan 2001 to 2002
#
interface 40GE0/0/1
#
interface 40GE0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.30.0.2
ip route-static 192.168.1.0 255.255.255.0 192.168.1.2
#
snmp-agent
snmp-agent local-engineid 800007DB03E868196600D0
snmp-agent community write cipher %^%#ia)*T\GFPJH&r6P{_m84D=Q+GZio"Dh=`9!#vkJDgBoK>Dzj#/|m=F1-LLP8lhdRF~5%K*=T[N/V|h51%^%#
snmp-agent sys-info version all
#
user-interface con 0
 authentication-mode none
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
<guang1>
<dian1>dis cu
!Software Version V200R008C00SPC500
#
 sysname dian1
#
vlan batch 20 2000 to 2002
#
 telnet server enable
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user dtkj password irreversible-cipher %^%#Jx}+C6=[U6b,W>U_OE$R3jjpAlo"_~Jx1a,9}^=G5=9RAv]g+#6a7q1Pq0iT%^%#
 local-user dtkj privilege level 3
 local-user dtkj service-type telnet
 local-user admin password irreversible-cipher %^%#SvtvT:'|V(Fi)2;ZWDa.OxT<<^VXsU]B&*H:fYy<yh>V7N8n44;kqXWI_<h6%^%#
 local-user admin privilege level 15
 local-user admin service-type http
 local-user lookback password irreversible-cipher %^%#G!->B12MkNo/<|)TH\a4SCs]Kxr`^#vx'%0'i"NYFV->Vd}W=%~]x!Q$0,`<%^%#
 local-user lookback privilege level 15
 local-user lookback service-type telnet terminal http
#
interface Vlanif2000
 ip address 172.16.0.1 255.255.248.0
 dhcp select interface
 dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/17
 port link-type access
 port default vlan 2000
#
interface GigabitEthernet0/0/18
 port link-type access
 port default vlan 2000
#
interface XGigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.0.2
#
snmp-agent
snmp-agent local-engineid 800007DB03AC617573A580
snmp-agent community write cipher %^%#gTC"=0T.=)$f`nY_,613=dfYE.392S=fvHR9@a)+E"<7QMsR^>}bJ*/Wd$47wLr926*|*UN&~GKM,i+.%^%#
snmp-agent sys-info version all
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound telnet
user-interface vty 16 20
#
wlan
#
return
<dian1>
Next, the RouterOS configuration on the router:
/interface vlan
add interface=ether2 name=vlan2000 vlan-id=2000
add interface=ether1 name=vlan2002 vlan-id=2002
/ip address
add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0
add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.16.0.0/21
add action=accept chain=prerouting dst-address=172.30.0.0/21
/ip firewall nat
add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2
add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2
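The two things that decide whether requirement 5 ("no NAT between 10.0.0.0/8 and the server VLANs") actually holds are the prefix lengths on the router's VLAN interfaces and the presence of an accept rule in the srcnat chain for each internal destination. The script below is an added example, not part of the original post or of RouterOS: it parses a copy of the export shown above and checks both points against the requirement list. The expected prefixes and the 10.0.0.0/8 source are taken from the requirements; the export text is embedded as constructed input, and the parser handles only the `add key=value` line shape used in this export.

```python
"""Added example (not from the original post): check a RouterOS export
against the requirements stated at the top of the page.

Two checks are made on the '/ip address' and '/ip firewall nat' sections:
  1. every VLAN gateway address carries the prefix length the requirement
     calls for (the export above has 172.30.0.2/16 where /21 is required);
  2. every internal prefix that 10.0.0.0/8 must reach without NAT has an
     'action=accept' rule in the srcnat chain, which stops any later srcnat
     rule (e.g. a masquerade) from rewriting those flows.
"""
import ipaddress
import re

# Requirements from the post: router VLAN interface -> expected network.
REQUIRED_PREFIXES = {
    "vlan2002": ipaddress.ip_network("172.30.0.0/21"),
    "vlan2000": ipaddress.ip_network("172.16.0.0/21"),
}
ROS_L2_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed copy of the export shown in the post (raw string so the
# escaped bytes in the comments are kept verbatim).
ROS_EXPORT = r"""/interface vlan
add interface=ether2 name=vlan2000 vlan-id=2000
add interface=ether1 name=vlan2002 vlan-id=2002
/ip address
add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0
add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.16.0.0/21
add action=accept chain=prerouting dst-address=172.30.0.0/21
/ip firewall nat
add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2
add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2
"""

# key=value tokens; a value is either a double-quoted string or a bare word.
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section: [ {key: value, ...}, ... ]} for every 'add' line."""
    sections = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
        elif line.startswith("add ") and section is not None:
            entry = {k: v.strip('"') for k, v in KV_RE.findall(line[4:])}
            sections[section].append(entry)
    return sections


def check_prefix_lengths(sections):
    """Report VLAN gateways whose configured network differs from the requirement."""
    findings = []
    for entry in sections.get("/ip address", []):
        want = REQUIRED_PREFIXES.get(entry.get("interface"))
        if want is None:
            continue
        got = ipaddress.ip_interface(entry["address"]).network
        if got != want:
            findings.append(f"{entry['interface']}: configured {got}, requirement says {want}")
    return findings


def check_nat_exemptions(sections):
    """Report required internal prefixes with no srcnat accept rule from 10.0.0.0/8."""
    covered = []
    for rule in sections.get("/ip firewall nat", []):
        if rule.get("chain") != "srcnat" or rule.get("action") != "accept":
            continue
        src = ipaddress.ip_network(rule.get("src-address", "0.0.0.0/0"))
        dst = ipaddress.ip_network(rule.get("dst-address", "0.0.0.0/0"))
        if ROS_L2_NET.subnet_of(src):      # the rule matches all of 10.0.0.0/8
            covered.append(dst)
    return [str(want) for want in REQUIRED_PREFIXES.values()
            if not any(want.subnet_of(dst) for dst in covered)]


def audit(text=ROS_EXPORT):
    sections = parse_export(text)
    return {
        "prefix_mismatches": check_prefix_lengths(sections),
        "missing_nat_exemptions": check_nat_exemptions(sections),
    }


if __name__ == "__main__":
    for kind, items in audit().items():
        print(kind, items or "none")
```

Run against the export above, the audit reports the vlan2002 address as 172.30.0.0/16 against a /21 requirement and finds both NAT exemptions present. One caveat worth knowing when reading the rules: `to-addresses` has no effect on an `accept` action, which only prevents later srcnat rules from matching the flow; the exemption works because the rule comes before whatever masquerade rule serves requirement 6, which this export does not show.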
With that in place, we can test.
[lookback@LookBack-iMac ~]$ traceroute -n 172.30.7.1
traceroute to 172.30.7.1 (172.30.7.1), 64 hops max, 52 byte packets
 1  10.0.0.1  0.894 ms  0.287 ms  0.460 ms
 2  172.30.7.1  0.497 ms !Z  0.554 ms !Z  0.478 ms !Z
[lookback@LookBack-iMac ~]$ ping -t1 -c2 172.30.7.1
PING 172.30.7.1 (172.30.7.1): 56 data bytes
64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms

--- 172.30.7.1 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 0.482/0.482/0.482/0.000 ms
[lookback@LookBack-iMac ~]$ ssh root@172.30.7.1
Last login: Tue Aug 21 03:29:08 2018 from 10.0.1.201
[root@ceph-master ~]# w
 01:15:26 up 2 days, 20:29,  2 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty1                       һ04      2days  0.72s  0.72s -bash
root     pts/0    10.10.248.105     01:15    2.00s  0.05s  0.00s w
[root@ceph-master ~]# exit
Connection to 172.30.7.1 closed.
[lookback@LookBack-iMac ~]$
This shows that 10.0.0.0/8 reaches 172.30.0.0/21 without any problem. I am not repeating the check for 172.16.0.0/21 here, since it is no different from the 172.30 case.
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms

--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 76.721/103.717/130.713/26.996 ms
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 10.10.248.105
PING 10.10.248.105 (10.10.248.105) 56(84) bytes of data.
64 bytes from 10.10.248.105: icmp_seq=1 ttl=63 time=0.367 ms
64 bytes from 10.10.248.105: icmp_seq=2 ttl=63 time=0.365 ms

--- 10.10.248.105 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1037ms
rtt min/avg/max/mdev = 0.365/0.366/0.367/0.001 ms
[root@DS-VM-Node_172_30_7_9 ~]#
This shows that 172.30.0.0/21 reaches both the public internet and the layer-2 network behind the ROS router.
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 172.16.7.13
PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data.
64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms
64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms

--- 172.16.7.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/3.044/5.482/2.438 ms
[root@DS-VM-Node_172_30_7_9 ~]#
This shows that inter-VLAN traffic between 172.30.0.0/21 and 172.16.0.0/21 works as well.
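The three test sessions above are read by eye: no loss means reachable, and the reply TTL tells how many routers sit on the return path (ttl=63 from 172.30.7.1 is one router, ttl=62 from 172.16.7.13 is two: the switch's Vlanif plus the ROS router). The script below is an added example, not from the original post, that turns such captures into a reachability table. It embeds constructed copies of the ping output shown above, handles both the macOS statistics line ("1 packets received") and the Linux one ("2 received"), and estimates router hops by assuming the reply started at the nearest standard initial TTL of 64, 128 or 255, which is a heuristic rather than anything the page states.

```python
"""Added example (not from the original post): parse captured ping output
into a reachability table so the test conclusions can be checked
mechanically rather than read by eye.

The hop estimate picks the smallest standard initial TTL (64/128/255) that is
not below the observed reply TTL and subtracts; it is a heuristic.
"""
import re

# Constructed copies of the sessions shown in the post (prompts trimmed).
CAPTURES = {
    "10.10.248.105 -> 172.30.7.1": """\
PING 172.30.7.1 (172.30.7.1): 56 data bytes
64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms
--- 172.30.7.1 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
""",
    "172.30.7.9 -> 8.8.8.8": """\
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
""",
    "172.30.7.9 -> 172.16.7.13": """\
PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data.
64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms
64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms
--- 172.16.7.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
""",
}

# macOS prints "N packets received", Linux prints "N received".
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+)(?: packets)? received")
TTL_RE = re.compile(r"\bttl=(\d+)")
INITIAL_TTLS = (64, 128, 255)


def hop_estimate(ttl):
    """Routers traversed by the reply, assuming a standard initial TTL."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def parse_ping(text):
    """Summarise one ping run: counts, loss, reachability and reply hop estimate."""
    m = STATS_RE.search(text)
    if m is None:
        raise ValueError("no ping statistics line found")
    sent, received = int(m.group(1)), int(m.group(2))
    ttls = {int(t) for t in TTL_RE.findall(text)}
    return {
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1),
        "reachable": received > 0,
        "reply_hops": hop_estimate(min(ttls)) if ttls else None,
    }


def reachability_table(captures=CAPTURES):
    """Map each 'source -> destination' path to its parsed ping summary."""
    return {path: parse_ping(text) for path, text in captures.items()}


if __name__ == "__main__":
    for path, result in reachability_table().items():
        print(f"{path}: {result}")
```

For the captures above this yields one reply hop for 172.30.7.1 (the ROS router only, since 172.30.0.0/16 is directly attached to it), two for 172.16.7.13 (guang1's Vlanif2002 and the ROS router), and 50% loss on the first macOS run, which the post's own output shows and which is consistent with a first-packet ARP delay under the 1-second `-t1` timeout rather than a routing fault.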