基本拓扑+接线如下图:
需求说明:
1:基于ROS(RouterOS)的二层网络是10.0.0.0/8
2:服务器出公网用的是Vlan2002的172.30.0.0/21
3:服务器内部通讯的是基于openstack的虚拟vlan
4:服务器的远程管理IPMI用的是Vlan2000的172.16.0.0/21
5:10.0.0.0/8不经网关NAT即可直接访问172.30.0.0/21、172.16.0.0/21和openstack的虚拟vlan
6:172.30.0.0/21可以访问公网
实现:
下面来看看交换机配置:
dis cu
!Software Version V200R010C00SPC600
#
sysname guang1
#
dns server 8.8.4.4
#
vlan batch 20 2002
#
authentication-profile name default_authen_profile
authentication-profile name dot1x_authen_profile
authentication-profile name mac_authen_profile
authentication-profile name portal_authen_profile
authentication-profile name dot1xmac_authen_profile
authentication-profile name multi_authen_profile
#
telnet server enable
#
dhcp enable
#
diffserv domain default
#
radius-server template default
#
free-rule-template name default_free_rule
#
portal-access-profile name portal_access_profile
#
drop-profile default
#
aaa
authentication-scheme default
authentication-scheme radius
authentication-mode radius
authorization-scheme default
accounting-scheme default
domain default
authentication-scheme radius
radius-server default
domain default_admin
authentication-scheme default
local-user dtkj password irreversible-cipher $1a$;RN_-p,t*($)+qu.M9&&D[N(CL$I!Y3M/E<5D'N4.AM+zBv$\7%$
local-user dtkj privilege level 15
local-user dtkj service-type telnet
local-user admin password irreversible-cipher $1a$RN<:9hcl>qd'0SjRXBv0hF)>qiS$
local-user admin privilege level 15
local-user admin service-type telnet terminal ssh ftp http
#
interface Vlanif2001
#
interface Vlanif2002
ip address 172.30.0.1 255.255.248.0
dhcp select interface
dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface XGigabitEthernet0/0/1
port link-type access
port default vlan 2002
#
interface XGigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/3
port link-type access
port default vlan 2002
#
interface XGigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface XGigabitEthernet0/0/48
port link-type trunk
port trunk allow-pass vlan 2001 to 2002
#
interface 40GE0/0/1
#
interface 40GE0/0/2
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.30.0.2
ip route-static 192.168.1.0 255.255.255.0 192.168.1.2
#
snmp-agent
snmp-agent local-engineid 800007DB03E868196600D0
snmp-agent community write cipher %^%#ia)*T\GFPJH&r6P{_m84D=Q+GZio"Dh=`9!#vkJDgBoK>Dzj#/|m=F1-LLP8lhdRF~5%K*=T[N/V|h51%^%#
snmp-agent sys-info version all
#
user-interface con 0
authentication-mode none
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
user-interface vty 16 20
#
dot1x-access-profile name dot1x_access_profile
#
mac-access-profile name mac_access_profile
#
return
dis cu
!Software Version V200R008C00SPC500
#
sysname dian1
#
vlan batch 20 2000 to 2002
#
telnet server enable
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
aaa
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user dtkj password irreversible-cipher %^%#Jx}+C6=[U6b,W>U_OE$R3jjpAlo"_~Jx1a,9}^=G5=9RAv]g+#6a7q1Pq0iT%^%#
local-user dtkj privilege level 3
local-user dtkj service-type telnet
local-user admin password irreversible-cipher %^%#SvtvT:'|V(Fi)2;ZWDa.OxT<V7N8n44;kqXWI_
local-user admin privilege level 15
local-user admin service-type http
local-user lookback password irreversible-cipher %^%#G!->B12MkNo/Vd}W=%~]x!Q$0,`
local-user lookback privilege level 15
local-user lookback service-type telnet terminal http
#
interface Vlanif2000
ip address 172.16.0.1 255.255.248.0
dhcp select interface
dhcp server dns-list 8.8.8.8 8.8.4.4
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 2000
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 2000
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 2000
#
interface GigabitEthernet0/0/17
port link-type access
port default vlan 2000
#
interface GigabitEthernet0/0/18
port link-type access
port default vlan 2000
#
interface XGigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface NULL0
#
ip route-static 0.0.0.0 0.0.0.0 172.16.0.2
#
snmp-agent
snmp-agent local-engineid 800007DB03AC617573A580
snmp-agent community write cipher %^%#gTC"=0T.=)$f`nY_,613=dfYE.392S=fvHR9@a)+E"<7QMsR^>}bJ*/Wd$47wLr926*|*UN&~GKM,i+.%^%#
snmp-agent sys-info version all
#
user-interface con 0
user-interface vty 0 4
authentication-mode aaa
protocol inbound telnet
user-interface vty 16 20
#
wlan
#
return
下面是路由器ROS(RouterOS)的配置
/interface vlan
add interface=ether2 name=vlan2000 vlan-id=2000
add interface=ether1 name=vlan2002 vlan-id=2002
/ip address
add address=172.30.0.2/16 interface=vlan2002 network=172.30.0.0
add address=172.16.0.2/21 interface=vlan2000 network=172.16.0.0
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.16.0.0/21
add action=accept chain=prerouting dst-address=172.30.0.0/21
/ip firewall nat
add action=accept chain=srcnat comment="Vlan2000-172.16.0.0/21-L3-\B5\E71" dst-address=172.16.0.0/21 src-address=10.0.0.0/8 to-addresses=172.16.0.2
add action=accept chain=srcnat comment="Vlan2002-172.30.0.0/21-L3-\B9\E21" dst-address=172.30.0.0/21 src-address=10.0.0.0/8 to-addresses=172.30.0.2
配置完成后就可以开始测试了
[lookback@LookBack-iMac ~]$ traceroute -n 172.30.7.1
traceroute to 172.30.7.1 (172.30.7.1), 64 hops max, 52 byte packets
1 10.0.0.1 0.894 ms 0.287 ms 0.460 ms
2 172.30.7.1 0.497 ms !Z 0.554 ms !Z 0.478 ms !Z
[lookback@LookBack-iMac ~]$ ping -t1 -c2 172.30.7.1
PING 172.30.7.1 (172.30.7.1): 56 data bytes
64 bytes from 172.30.7.1: icmp_seq=0 ttl=63 time=0.482 ms
--- 172.30.7.1 ping statistics ---
2 packets transmitted, 1 packets received, 50.0% packet loss
round-trip min/avg/max/stddev = 0.482/0.482/0.482/0.000 ms
[lookback@LookBack-iMac ~]$ ssh root@172.30.7.1
Last login: Tue Aug 21 03:29:08 2018 from 10.0.1.201
[root@ceph-master ~]# w
01:15:26 up 2 days, 20:29, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root tty1 һ04 2days 0.72s 0.72s -bash
root pts/0 10.10.248.105 01:15 2.00s 0.05s 0.00s w
[root@ceph-master ~]# exit
Connection to 172.30.7.1 closed.
[lookback@LookBack-iMac ~]$
从上面可以看出10.0.0.0/8访问172.30.0.0/21是没有问题的,172.16.0.0/21这里的验证就不做了,因为其配置与172.30.0.0/21没有任何区别
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=45 time=130 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=45 time=76.7 ms
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 76.721/103.717/130.713/26.996 ms
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 10.10.248.105
PING 10.10.248.105 (10.10.248.105) 56(84) bytes of data.
64 bytes from 10.10.248.105: icmp_seq=1 ttl=63 time=0.367 ms
64 bytes from 10.10.248.105: icmp_seq=2 ttl=63 time=0.365 ms
--- 10.10.248.105 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1037ms
rtt min/avg/max/mdev = 0.365/0.366/0.367/0.001 ms
[root@DS-VM-Node_172_30_7_9 ~]#
从上面可以看出172.30.0.0/21出公网以及到ROS二层网络(10.0.0.0/8)的访问都是没有问题的
[root@DS-VM-Node_172_30_7_9 ~]# ping -W1 -c2 172.16.7.13
PING 172.16.7.13 (172.16.7.13) 56(84) bytes of data.
64 bytes from 172.16.7.13: icmp_seq=1 ttl=62 time=5.48 ms
64 bytes from 172.16.7.13: icmp_seq=2 ttl=62 time=0.607 ms
--- 172.16.7.13 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.607/3.044/5.482/2.438 ms
[root@DS-VM-Node_172_30_7_9 ~]#
从上面可以看出172.30.0.0/21和172.16.0.0/21的Vlan间互通也是没有问题的