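This tutorial uses RouterOS to build a multi-site network between geographically separate locations. It has been deployed in a production environment and has run fairly stably.
I. New network plan
1. Change the existing network as little as possible
2. All sites can reach each other (the internal networks are mutually accessible)
3. Each site has its own Internet access
4. Each site's VPN can connect to the internal network and can also reach the Internet through the other exits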
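II. The existing network
Site A (headquarters) uses a core switch (layer 3 switch) for routing between VLANs (VLAN8-13 and VPN6). I have hidden the real public IP and use 1.1.1.2/30 for illustration.
Site B (branch) uses a core switch (layer 3 switch) for routing between VLANs (VLAN80-85 and VPN6). I have hidden the real public IP and use 2.2.2.2/30 for illustration.
Site C (branch) uses a core switch (layer 3 switch) for routing between VLANs (VLAN120-125 and VPN6). I have hidden the real public IP and use 3.3.3.2/30 for illustration.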
III. Basic ROS configuration
1. ROS-A configuration
/ip address add address=1.1.1.2 interface=WAN network=1.1.1.1
/ip firewall nat add action=masquerade chain=srcnat
/ip route add disabled=no distance=100 dst-address=0.0.0.0/0 gateway=1.1.1.1
2. ROS-B configuration
/ip address add address=2.2.2.2 interface=WAN network=2.2.2.1
/ip firewall nat add action=masquerade chain=srcnat
/ip route add disabled=no distance=100 dst-address=0.0.0.0/0 gateway=2.2.2.1
3. ROS-C configuration
/ip address add address=3.3.3.2 interface=WAN network=3.3.3.1
/ip firewall nat add action=masquerade chain=srcnat
/ip route add disabled=no distance=100 dst-address=0.0.0.0/0 gateway=3.3.3.1
IV. EoIP configuration
1. ROS-A configuration
# EoIP tunnels to B and C; remote-address is the peer's WAN address and tunnel-id must match on both ends
/interface eoip add arp=disabled dont-fragment=inherit name=A-B remote-address=2.2.2.2 tunnel-id=12
/interface bridge add name=bridge-A-vlan6 protocol-mode=none
/interface bridge port add bridge=bridge-A-vlan6 interface=A-B
/interface eoip add arp=disabled dont-fragment=inherit name=A-C remote-address=3.3.3.2 tunnel-id=13
/interface bridge port add bridge=bridge-A-vlan6 interface=A-C
# Address of ROS-A on the shared 192.168.6.0/24 segment
/ip address add address=192.168.6.254/24 interface=bridge-A-vlan6 network=192.168.6.0
2. ROS-B configuration
# EoIP tunnel to A (A's WAN address, same tunnel-id as A-B)
/interface eoip add arp=disabled dont-fragment=inherit name=B-A remote-address=1.1.1.2 tunnel-id=12
/interface bridge add name=bridge-B-vlan6 protocol-mode=none
/interface bridge port add bridge=bridge-B-vlan6 interface=B-A
/ip address add address=192.168.6.253/24 interface=bridge-B-vlan6 network=192.168.6.0
3. ROS-C configuration
# EoIP tunnel to A (A's WAN address, same tunnel-id as A-C)
/interface eoip add arp=disabled dont-fragment=inherit name=C-A remote-address=1.1.1.2 tunnel-id=13
/interface bridge add name=bridge-C-vlan6 protocol-mode=none
/interface bridge port add bridge=bridge-C-vlan6 interface=C-A
/ip address add address=192.168.6.252/24 interface=bridge-C-vlan6 network=192.168.6.0
V. Static routes
1. ROS-A configuration: add the static routes for A, B and C
/ip route add disabled=no distance=1 dst-address=192.168.8.0/21 gateway=192.168.6.1
/ip route add disabled=no distance=1 dst-address=192.168.80.0/21 gateway=192.168.6.253
/ip route add disabled=no distance=1 dst-address=192.168.120.0/21 gateway=192.168.6.252
2. ROS-B configuration: add the static routes for A, B and C
/ip route add disabled=no distance=1 dst-address=192.168.80.0/21 gateway=192.168.6.2
/ip route add disabled=no distance=1 dst-address=192.168.8.0/21 gateway=192.168.6.254
/ip route add disabled=no distance=1 dst-address=192.168.120.0/21 gateway=192.168.6.252
3. ROS-C configuration: add the static routes for A, B and C
/ip route add disabled=no distance=1 dst-address=192.168.120.0/21 gateway=192.168.6.3
/ip route add disabled=no distance=1 dst-address=192.168.8.0/21 gateway=192.168.6.254
/ip route add disabled=no distance=1 dst-address=192.168.80.0/21 gateway=192.168.6.253
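VI. Core switch configuration
1. Core switch A: set the vlan6 IP address to 192.168.6.1 and enable routing between vlan6 and the other VLANs; Internet access goes through NAT to 192.168.8.2 (detailed configuration omitted)
2. Core switch B: set the vlan6 IP address to 192.168.6.2 and enable routing between vlan6 and the other VLANs; Internet access goes through NAT to 192.168.80.2 (detailed configuration omitted)
3. Core switch C: set the vlan6 IP address to 192.168.6.3 and enable routing between vlan6 and the other VLANs; Internet access goes through NAT to 192.168.120.2 (detailed configuration omitted)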
VII. VPN settings
1. ROS-A configuration
# Address pool handed out to VPN clients, and the PPP profile that uses it
/ip pool add name=vpn-pool ranges=192.168.14.1-192.168.15.254
/ppp profile add dns-server=192.168.6.254 local-address=192.168.6.254 name=A-vpn only-one=no remote-address=vpn-pool use-ipv6=no
2. ROS-B configuration
/ip pool add name=vpn-pool ranges=192.168.86.1-192.168.87.254
/ppp profile add dns-server=192.168.6.253 local-address=192.168.6.253 name=A-vpn only-one=no remote-address=vpn-pool use-ipv6=no
3. ROS-C configuration
/ip pool add name=vpn-pool ranges=192.168.126.1-192.168.127.254
/ppp profile add dns-server=192.168.6.252 local-address=192.168.6.252 name=A-vpn only-one=no remote-address=vpn-pool use-ipv6=no
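The design depends on each site's /21 route covering its VLANs and VPN pool, on the three /21 blocks not overlapping, and on both ends of every EoIP tunnel using the same tunnel-id with remote-address set to the peer's WAN address. The check below is an added example, not part of the original tutorial. The values are transcribed from this page, while the mapping of VLAN n to 192.168.n.0/24 and all function names are assumptions.

```python
import ipaddress as ip
# Values transcribed from this tutorial (WAN IPs are its display placeholders).
# Assumption: VLAN n uses 192.168.n.0/24; the tutorial implies this but does not state it.
SITES = {
    "A": {"wan": "1.1.1.2", "summary": "192.168.8.0/21", "vlans": range(8, 14),
          "vpn_pool": ("192.168.14.1", "192.168.15.254")},
    "B": {"wan": "2.2.2.2", "summary": "192.168.80.0/21", "vlans": range(80, 86),
          "vpn_pool": ("192.168.86.1", "192.168.87.254")},
    "C": {"wan": "3.3.3.2", "summary": "192.168.120.0/21", "vlans": range(120, 126),
          "vpn_pool": ("192.168.126.1", "192.168.127.254")},
}
# (local site, peer site, remote-address, tunnel-id) for each EoIP interface
TUNNELS = [("A", "B", "2.2.2.2", 12), ("A", "C", "3.3.3.2", 13),
           ("B", "A", "1.1.1.2", 12), ("C", "A", "1.1.1.2", 13)]

def check_plan(sites):
    """Return addressing problems; an empty list means the plan is consistent."""
    problems = []
    nets = {name: ip.ip_network(s["summary"]) for name, s in sites.items()}
    for name, s in sites.items():
        for vlan in s["vlans"]:
            if not ip.ip_network(f"192.168.{vlan}.0/24").subnet_of(nets[name]):
                problems.append(f"{name}: VLAN {vlan} is outside {nets[name]}")
        for addr in s["vpn_pool"]:  # checking both ends covers the whole range
            if ip.ip_address(addr) not in nets[name]:
                problems.append(f"{name}: VPN pool end {addr} is outside {nets[name]}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a}/{b}: summary routes overlap")
    return problems

def check_tunnels(sites, tunnels):
    """Return EoIP problems: wrong peer address, missing far end, tunnel-id mismatch."""
    problems = []
    ends = {(local, peer): (remote, tid) for local, peer, remote, tid in tunnels}
    for (local, peer), (remote, tid) in ends.items():
        if remote != sites[peer]["wan"]:
            problems.append(f"{local}-{peer}: remote-address {remote} is not the WAN of {peer}")
        back = ends.get((peer, local))
        if back is None:
            problems.append(f"{local}-{peer}: {peer} has no tunnel back to {local}")
        elif back[1] != tid:
            problems.append(f"{local}-{peer}: tunnel-id {tid} does not match {back[1]}")
    return problems

if __name__ == "__main__":
    print(check_plan(SITES) + check_tunnels(SITES, TUNNELS) or "plan is consistent")
```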