Mikrotik Ros + 华为S5720 基于Vlan做L2 L3互通

基本拓扑+接线如下图：

需求说明：
1：基于Ros的二层网络是10.0.0.0/8
2：服务器出公网用的是Vlan2002的172.30.0.0/21
3：服务器内部通讯的是基于openstack的虚拟vlan
4：服务器的远程管理IPMI用的是Vlan2000的172.16.0.0/21
5：10.0.0.0/8不基于网关NAT的方式可以访问172.30.0.0/21、172.16.0.0/21和openstack的虚拟vlan
6：172.30.0.0/21可以访问公网

实现：
下面来看看交换机配置：

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104

<guang1>dis cu !Software Version V200R010C00SPC600 # sysname guang1 # dns server 8.8.4.4 # vlan batch 20 2002 # authentication-profile name default_authen_profile authentication-profile name dot1x_authen_profile authentication-profile name mac_authen_profile authentication-profile name portal_authen_profile authentication-profile name dot1xmac_authen_profile authentication-profile name multi_authen_profile # telnet server enable # dhcp enable # diffserv domain default # radius-server template default # free-rule-template name default_free_rule #                                         portal-access-profile name portal_access_profile # drop-profile default # aaa  authentication-scheme default  authentication-scheme radius   authentication-mode radius  authorization-scheme default  accounting-scheme default  domain default   authentication-scheme radius   radius-server default  domain default_admin   authentication-scheme default  local-user dtkj password irreversible-cipher $1a$;RN_-p,t*($)+qu.M9&&D[N(CL$I!Y3M/E<5D'N4.AM+zBv$\7%$  local-user dtkj privilege level 15  local-user dtkj service-type telnet  local-user admin password irreversible-cipher $1a$RN<m::9hcL$y5IkSR|tG75vsR-zY+3W;>qd'0SjRXBv0hF)>qiS$  local-user admin privilege level 15  local-user admin service-type telnet terminal ssh ftp http # interface Vlanif2001 # interface Vlanif2002  ip address 172.30.0.1 255.255.248.0  dhcp select interface  dhcp server dns-list 8.8.8.8 8.8.4.4 # interface MEth0/0/1 # interface XGigabitEthernet0/0/1  port link-type access  port default vlan 2002 # interface XGigabitEthernet0/0/2  port link-type trunk  port trunk allow-pass vlan 2 to 4094 # interface XGigabitEthernet0/0/3  port link-type access  port default vlan 2002 # interface XGigabitEthernet0/0/4  port link-type trunk                      port trunk allow-pass vlan 2 to 4094 # interface XGigabitEthernet0/0/48  port link-type trunk  port trunk allow-pass vlan 2001 to 2002 # interface 40GE0/0/1 # interface 40GE0/0/2 # interface NULL0 # ip route-static 0.0.0.0 0.0.0.0 172.30.0.2 ip route-static 192.168.1.0 255.255.255.0 192.168.1.2 # snmp-agent snmp-agent local-engineid 800007DB03E868196600D0 snmp-agent community write cipher %^%#ia)*T\GFPJH&r6P{_m84D=Q+GZio"Dh=`9!#vkJDgBoK>Dzj#/|m=F1-LLP8lhdRF~5%K*=T[N/V|h51%^%# snmp-agent sys-info version all #                                         user-interface con 0  authentication-mode none user-interface vty 0 4  authentication-mode aaa  protocol inbound telnet user-interface vty 16 20 # dot1x-access-profile name dot1x_access_profile # mac-access-profile name mac_access_profile # return <guang1>

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81

<dian1>dis cu !Software Version V200R008C00SPC500 # sysname dian1 # vlan batch 20 2000 to 2002 # telnet server enable # dhcp enable # diffserv domain default # drop-profile default # aaa  authentication-scheme default  authorization-scheme default  accounting-scheme default  domain default  domain default_admin  local-user dtkj password irreversible-cipher %^%#Jx}+C6=[U6b,W>U_OE$R3jjpAlo"_~Jx1a,9}^=G5=9RAv]g+#6a7q1Pq0iT%^%#  local-user dtkj privilege level 3  local-user dtkj service-type telnet  local-user admin password irreversible-cipher %^%#SvtvT:'|V(Fi)2;ZWDa.OxT<<^VXsU]B&*H:fYy<yh>V7N8n44;kqXWI_<h6%^%#  local-user admin privilege level 15       local-user admin service-type http  local-user lookback password irreversible-cipher %^%#G!->B12MkNo/<|)TH\a4SCs]Kxr`^#vx'%0'i"NYFV->Vd}W=%~]x!Q$0,`<%^%#  local-user lookback privilege level 15  local-user lookback service-type telnet terminal http # interface Vlanif2000  ip address 172.16.0.1 255.255.248.0  dhcp select interface  dhcp server dns-list 8.8.8.8 8.8.4.4 # interface MEth0/0/1 # interface GigabitEthernet0/0/1  port link-type access  port default vlan 2000 # interface GigabitEthernet0/0/2  port link-type access  port default vlan 2000 # interface GigabitEthernet0/0/3             port link-type access  port default vlan 2000 # interface GigabitEthernet0/0/17  port link-type access  port default vlan 2000 # interface GigabitEthernet0/0/18  port link-type access  port default vlan 2000 # interface XGigabitEthernet0/0/4  port link-type trunk  port trunk allow-pass vlan 2 to 4094 # interface NULL0 # ip route-static 0.0.0.0 0.0.0.0 172.16.0.2 # snmp-agent snmp-agent local-engineid 800007DB03AC617573A580 snmp-agent community write cipher %^%#gTC"=0T.=)$f`nY_,613=dfYE.392S=fvHR9@a)+E"<7QMsR^>}bJ*/Wd$47wLr926*|*UN&~GKM,i+.%^%# snmp-agent sys-info version all #                                         user-interface con 0 user-interface vty 0 4  authentication-mode aaa  protocol inbound telnet user-interface vty 16 20 # wlan # return <dian1>

下面是路由ROS的配置

01 02 03 04 05 06 07 08 09 10 11 12

/interface vlan add interface=ether2 name=vlan2000 vlan-id=2000 add interface=ether1 name=vlan2002 vlan-id=2002 /ip address add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0 add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0 /ip firewall mangle add action=accept chain=prerouting dst-address=172.16.0.0/21 add action=accept chain=prerouting dst-address=172.30.0.0/21 /ip firewall nat add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2 add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2

做好了就可以来测试了

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21

[lookback@LookBack-iMac ~]$ traceroute -n 172.30.7.1 traceroute to 172.30.7.1 (172.30.7.1), 64 hops max, 52 byte packets  1  10.0.0.1  0.894 ms  0.287 ms  0.460 ms  2  172.30.7.1  0.497 ms !Z  0.554 ms !Z  0.478 ms !Z [lookback@LookBack-iMac ~]$ ping -t1 -c2 172.30.7.1 PING 172.30.7.1 (172.30.7.1): 56 data bytes 64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms   --- 172.30.7.1 ping statistics --- 2 packets transmitted, 1 packets received, 50.0% packet loss round-trip min/avg/max/stddev = 0.482/0.482/0.482/0.000 ms [lookback@LookBack-iMac ~]$ ssh root@172.30.7.1 Last login: Tue Aug 21 03:29:08 2018 from 10.0.1.201 [root@ceph-master ~]# w  01:15:26 up 2 days, 20:29,  2 users,  load average: 0.00, 0.00, 0.00 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT root     tty1                       һ04    2days  0.72s  0.72s -bash root     pts/0    10.10.248.105    01:15    2.00s  0.05s  0.00s w [root@ceph-master ~]# exit Connection to 172.30.7.1 closed. [lookback@LookBack-iMac ~]$

从上面可以看出10.0.0.0/8 访问172.30.0.0/21是没有问题了，172.16.0.0/21这里的验证就不做了，因为和30没有任何区别

01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms 64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms   --- 8.8.8.8 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 76.721/103.717/130.713/26.996 ms [root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 10.10.248.105 PING 10.10.248.105 (10.10.248.105) 56(84) bytes of data. 64 bytes from 10.10.248.105: icmp_seq=1 ttl=63 time=0.367 ms 64 bytes from 10.10.248.105: icmp_seq=2 ttl=63 time=0.365 ms   --- 10.10.248.105 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1037ms rtt min/avg/max/mdev = 0.365/0.366/0.367/0.001 ms [root@DS-VM-Node_172_30_7_9 ~]#

从上面可以看出172.30.0.0/21 出公网和到ROS的二层网是没有问题

1 2 3 4 5 6 7 8 9

[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 172.16.7.13 PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data. 64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms 64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms   --- 172.16.7.13 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.607/3.044/5.482/2.438 ms [root@DS-VM-Node_172_30_7_9 ~]#

从上面可以看出172.30.0.0/21和172.16.0.0/21的Vlan间互通也是没有问题的