Mikrotik Ros + 华为S5720 基于Vlan做L2 L3互通

最新推荐文章于 2024-07-10 10:30:26 发布

wdhqwe520

最新推荐文章于 2024-07-10 10:30:26 发布

阅读量2.8k

点赞数

CC 4.0 BY-SA版权

本文链接：https://blog.youkuaiyun.com/wdhqwe520/article/details/94127760

本文详细介绍了基于Ros的二层网络、服务器公网及内部通讯的Vlan配置，以及远程管理IPMI的网络设置。通过交换机和路由器的具体配置示例，展示了不同网络间的互访实现，并通过ping和traceroute等测试验证了网络连通性。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

基本拓扑+接线如下图：

需求说明：
1：基于Ros的二层网络是10.0.0.0/8
2：服务器出公网用的是Vlan2002的172.30.0.0/21
3：服务器内部通讯的是基于openstack的虚拟vlan
4：服务器的远程管理IPMI用的是Vlan2000的172.16.0.0/21
5：10.0.0.0/8不基于网关NAT的方式可以访问172.30.0.0/21、172.16.0.0/21和openstack的虚拟vlan
6：172.30.0.0/21可以访问公网

实现：
下面来看看交换机配置：

001

002

003

004

005

006

007

008

009

010

011

012

013

014

015

016

017

018

019

020

021

022

023

024

025

026

027

028

029

030

031

032

033

034

035

036

037

038

039

040

041

042

043

044

045

046

047

048

049

050

051

052

053

054

055

056

057

058

059

060

061

062

063

064

065

066

067

068

069

070

071

072

073

074

075

076

077

078

079

080

081

082

083

084

085

086

087

088

089

090

091

092

093

094

095

096

097

098

099

100

101

102

103

104

<guang1>dis cu

!Software Version V200R010C00SPC600

#

sysname guang1

#

dns server 8.8.4.4

#

vlan batch 20 2002

#

authentication-profile name default_authen_profile

authentication-profile name dot1x_authen_profile

authentication-profile name mac_authen_profile

authentication-profile name portal_authen_profile

authentication-profile name dot1xmac_authen_profile

authentication-profile name multi_authen_profile

#

telnet server enable

#

dhcp enable

#

diffserv domain default

#

radius-server template default

#

free-rule-template name default_free_rule

#

portal-access-profile name portal_access_profile

#

drop-profile default

#

aaa

authentication-scheme default

authentication-scheme radius

authentication-mode radius

authorization-scheme default

accounting-scheme default

domain default

authentication-scheme radius

radius-server default

domain default_admin

authentication-scheme default

local-user dtkj password irreversible-cipher $1a$;RN_-p,t*($)+qu.M9&&D[N(CL$I!Y3M/E<5D'N4.AM+zBv$\7%$

local-user dtkj privilege level 15

local-user dtkj service-type telnet

local-user admin password irreversible-cipher $1a$RN<m::9hcL$y5IkSR|tG75vsR-zY+3W;>qd'0SjRXBv0hF)>qiS$

local-user admin privilege level 15

local-user admin service-type telnet terminal ssh ftp http

#

interface Vlanif2001

#

interface Vlanif2002

ip address 172.30.0.1 255.255.248.0

dhcp select interface

dhcp server dns-list 8.8.8.8 8.8.4.4

#

interface MEth0/0/1

#

interface XGigabitEthernet0/0/1

port link-type access

port default vlan 2002

#

interface XGigabitEthernet0/0/2

port link-type trunk

port trunk allow-pass vlan 2 to 4094

#

interface XGigabitEthernet0/0/3

port link-type access

port default vlan 2002

#

interface XGigabitEthernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

#

interface XGigabitEthernet0/0/48

port link-type trunk

port trunk allow-pass vlan 2001 to 2002

#

interface 40GE0/0/1

#

interface 40GE0/0/2

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 172.30.0.2

ip route-static 192.168.1.0 255.255.255.0 192.168.1.2

#

snmp-agent

snmp-agent local-engineid 800007DB03E868196600D0

snmp-agent community write cipher %^%#ia)*T\GFPJH&r6P{_m84D=Q+GZio"Dh=`9!#vkJDgBoK>Dzj#/|m=F1-LLP8lhdRF~5%K*=T[N/V|h51%^%#

snmp-agent sys-info version all

#

user-interface con 0

authentication-mode none

user-interface vty 0 4

authentication-mode aaa

protocol inbound telnet

user-interface vty 16 20

#

dot1x-access-profile name dot1x_access_profile

#

mac-access-profile name mac_access_profile

#

return

<guang1>

<dian1>dis cu

!Software Version V200R008C00SPC500

#

sysname dian1

#

vlan batch 20 2000 to 2002

#

telnet server enable

#

dhcp enable

#

diffserv domain default

#

drop-profile default

#

aaa

authentication-scheme default

authorization-scheme default

accounting-scheme default

domain default

domain default_admin

local-user dtkj password irreversible-cipher %^%#Jx}+C6=[U6b,W>U_OE$R3jjpAlo"_~Jx1a,9}^=G5=9RAv]g+#6a7q1Pq0iT%^%#

local-user dtkj privilege level 3

local-user dtkj service-type telnet

local-user admin password irreversible-cipher %^%#SvtvT:'|V(Fi)2;ZWDa.OxT<<^VXsU]B&*H:fYy<yh>V7N8n44;kqXWI_<h6%^%#

local-user admin privilege level 15

local-user admin service-type http

local-user lookback password irreversible-cipher %^%#G!->B12MkNo/<|)TH\a4SCs]Kxr`^#vx'%0'i"NYFV->Vd}W=%~]x!Q$0,`<%^%#

local-user lookback privilege level 15

local-user lookback service-type telnet terminal http

#

interface Vlanif2000

ip address 172.16.0.1 255.255.248.0

dhcp select interface

dhcp server dns-list 8.8.8.8 8.8.4.4

#

interface MEth0/0/1

#

interface GigabitEthernet0/0/1

port link-type access

port default vlan 2000

#

interface GigabitEthernet0/0/2

port link-type access

port default vlan 2000

#

interface GigabitEthernet0/0/3

port link-type access

port default vlan 2000

#

interface GigabitEthernet0/0/17

port link-type access

port default vlan 2000

#

interface GigabitEthernet0/0/18

port link-type access

port default vlan 2000

#

interface XGigabitEthernet0/0/4

port link-type trunk

port trunk allow-pass vlan 2 to 4094

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 172.16.0.2

#

snmp-agent

snmp-agent local-engineid 800007DB03AC617573A580

snmp-agent community write cipher %^%#gTC"=0T.=)$f`nY_,613=dfYE.392S=fvHR9@a)+E"<7QMsR^>}bJ*/Wd$47wLr926*|*UN&~GKM,i+.%^%#

snmp-agent sys-info version all

#

user-interface con 0

user-interface vty 0 4

authentication-mode aaa

protocol inbound telnet

user-interface vty 16 20

#

wlan

#

return

<dian1>

下面是路由ROS的配置

/interface vlan

add interface=ether2 name=vlan2000 vlan-id=2000

add interface=ether1 name=vlan2002 vlan-id=2002

/ip address

add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0

add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0

/ip firewall mangle

add action=accept chain=prerouting dst-address=172.16.0.0/21

add action=accept chain=prerouting dst-address=172.30.0.0/21

/ip firewall nat

add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2

add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2

做好了就可以来测试了

[lookback@LookBack-iMac ~]$ traceroute -n 172.30.7.1

traceroute to 172.30.7.1 (172.30.7.1), 64 hops max, 52 byte packets

1 10.0.0.1 0.894 ms 0.287 ms 0.460 ms

2 172.30.7.1 0.497 ms !Z 0.554 ms !Z 0.478 ms !Z

[lookback@LookBack-iMac ~]$ ping -t1 -c2 172.30.7.1

PING 172.30.7.1 (172.30.7.1): 56 data bytes

64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms

--- 172.30.7.1 ping statistics ---

2 packets transmitted, 1 packets received, 50.0% packet loss

round-trip min/avg/max/stddev = 0.482/0.482/0.482/0.000 ms

[lookback@LookBack-iMac ~]$ ssh root@172.30.7.1

Last login: Tue Aug 21 03:29:08 2018 from 10.0.1.201

[root@ceph-master ~]# w

01:15:26 up 2 days, 20:29, 2 users, load average: 0.00, 0.00, 0.00

USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT

root tty1 һ04 2days 0.72s 0.72s -bash

root pts/0 10.10.248.105 01:15 2.00s 0.05s 0.00s w

[root@ceph-master ~]# exit

Connection to 172.30.7.1 closed.

[lookback@LookBack-iMac ~]$

从上面可以看出10.0.0.0/8 访问172.30.0.0/21是没有问题了，172.16.0.0/21这里的验证就不做了，因为和30没有任何区别

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 8.8.8.8

PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.

64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms

64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms

--- 8.8.8.8 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms

rtt min/avg/max/mdev = 76.721/103.717/130.713/26.996 ms

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 10.10.248.105

PING 10.10.248.105 (10.10.248.105) 56(84) bytes of data.

64 bytes from 10.10.248.105: icmp_seq=1 ttl=63 time=0.367 ms

64 bytes from 10.10.248.105: icmp_seq=2 ttl=63 time=0.365 ms

--- 10.10.248.105 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1037ms

rtt min/avg/max/mdev = 0.365/0.366/0.367/0.001 ms

[root@DS-VM-Node_172_30_7_9 ~]#

从上面可以看出172.30.0.0/21 出公网和到ROS的二层网是没有问题

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 172.16.7.13

PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data.

64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms

64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms

--- 172.16.7.13 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms

rtt min/avg/max/mdev = 0.607/3.044/5.482/2.438 ms

[root@DS-VM-Node_172_30_7_9 ~]#

从上面可以看出172.30.0.0/21和172.16.0.0/21的Vlan间互通也是没有问题的