ProHoster > Блог > Gudanarwa > Aikina wanda bai gane ba. Cibiyar sadarwa na 200 MikroTik Routers

Aikina wanda bai gane ba. Cibiyar sadarwa na 200 MikroTik Routers

Aikina wanda bai gane ba. Cibiyar sadarwa na 200 MikroTik Routers

Assalamu alaikum. Wannan labarin an yi niyya ne ga waɗanda ke da na'urorin Mikrotik da yawa a cikin rundunarsu, kuma waɗanda ke son yin iyakar haɗin kai don kada su haɗa da kowace na'ura daban. A cikin wannan labarin zan kwatanta aikin da, rashin alheri, bai kai ga yanayin fama ba saboda dalilai na mutum. A takaice: fiye da 200 masu amfani da hanyoyin sadarwa, saitin sauri da horar da ma'aikata, haɗin kai ta yanki, hanyoyin sadarwa na tacewa da takamaiman runduna, da ikon ƙara dokoki cikin sauƙi ga duk na'urori, shiga da sarrafawa.

Abin da aka bayyana a ƙasa baya yin riya a matsayin abin da aka shirya, amma ina fata zai kasance da amfani a gare ku lokacin tsara hanyoyin sadarwar ku da rage kurakurai. Wataƙila wasu batutuwa da mafita ba za su yi maka daidai ba - idan haka ne, rubuta a cikin sharhi. Suka a cikin wannan harka zai zama gwaninta ga baitulmali na kowa. Don haka, mai karatu, ka duba sharhin, watakila marubucin ya yi babban kuskure – al’umma za su taimaka.

Adadin masu amfani da hanyar sadarwa shine 200-300, sun warwatse a garuruwa daban-daban masu ingancin haɗin Intanet daban-daban. Wajibi ne a yi komai da kyau kuma a bayyane ga admins na gida yadda komai zai yi aiki.

To, a ina ake fara wani aiki? Hakika, tare da TK.

  1. Tsarin tsarin hanyar sadarwa don duk rassan bisa ga buƙatun abokin ciniki, ɓangaren cibiyar sadarwa (daga cibiyoyin sadarwa 3 zuwa 20 a cikin rassan dangane da adadin na'urori).
  2. Saita na'urori a kowane reshe. Duba ainihin saurin kayan aiki na mai bayarwa a ƙarƙashin yanayin aiki daban-daban.
  3. Ƙungiya na kariyar na'ura, gudanar da lissafin ba da izini, gano kai hare-hare tare da sanya baƙar fata ta atomatik na wani ɗan lokaci, rage yawan amfani da hanyoyin fasaha daban-daban da ake amfani da su don katse damar sarrafawa da ƙin sabis.
  4. Ƙungiyoyin amintattun hanyoyin haɗin yanar gizo na VPN tare da tace cibiyar sadarwa bisa ga buƙatun abokin ciniki. Mafi ƙarancin haɗin VPN 3 daga kowane reshe zuwa cibiyar.
  5. Dangane da maki 1, 2. Zaɓi mafi kyawun hanyoyi don gina VPNs masu jure rashin kuskure. Idan an sami barata daidai, ɗan kwangilar na iya zaɓar fasaha mai ƙarfi ta hanyar tuƙi.
  6. Ƙungiyoyin fifikon zirga-zirga ta hanyar ladabi, tashar jiragen ruwa, runduna da sauran takamaiman ayyuka da abokin ciniki ke amfani da su. (VOIP, runduna tare da ayyuka masu mahimmanci)
  7. Ƙungiya na kulawa da shiga abubuwan da ke faruwa na na'ura mai ba da hanya tsakanin hanyoyin sadarwa don amsawar ma'aikatan goyon bayan fasaha.

Kamar yadda muka fahimta, a lokuta da yawa ana zana ƙayyadaddun fasaha bisa ga buƙatun. Na tsara waɗannan buƙatun da kaina, bayan sauraron manyan matsalolin. Ya yarda da yiwuwar cewa wani zai iya kula da waɗannan batutuwa.

Wadanne kayan aikin da za a yi amfani da su don cika waɗannan buƙatun:

  1. ELK tari (bayan wani lokaci, ya bayyana a fili cewa za a yi amfani da ƙwarewa maimakon logstash).
  2. Mai yiwuwa. Don sauƙin gudanarwa da samun damar raba, za mu yi amfani da AWX.
  3. GITLAB. Babu bukatar yin bayani a nan. A ina za mu kasance ba tare da sarrafa sigar namu ba?
  4. PowerShell. Za a sami rubutun mai sauƙi don farkon tsararrun saiti.
  5. Doku wiki, don rubuta takardu da jagorori. A wannan yanayin, muna amfani da habr.com.
  6. Za a gudanar da sa ido ta hanyar zabbix. Hakanan za'a zana hoton haɗin gwiwa a wurin don fahimtar gabaɗaya.

Abubuwan saitin EFK

A game da batu na farko, kawai zan yi bayanin akidar da za a gina ma'auni. Akwai da yawa
kyawawan labarai akan kafawa da karɓar rajistan ayyukan daga na'urorin da ke aiki da mikrotik.

Zan tsaya akan wasu batutuwa:

1. Bisa ga zane-zane, yana da daraja la'akari da karɓar rajistan ayyukan daga wurare daban-daban kuma a kan tashar jiragen ruwa daban-daban. Domin wannan za mu yi amfani da log aggregator. Muna kuma son yin zane-zane na duniya don duk masu amfani da hanyar sadarwa tare da ikon raba damar shiga. Sa'an nan kuma mu gina fihirisa kamar haka:

Anan ga guntun tsarin tare da ƙwanƙwasa rubuta elasticsearch
logstash_format gaskiya
index_name mikrotiklogs.arewa
logstash_prefix mikrotiklogs.north
flush_tazarar 10s
runduna maganin roba: 9200
tashar 9200

Ta wannan hanyar za mu iya haɗa hanyoyin sadarwa da yanki bisa ga shirin - mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Me yasa ya zama mai rikitarwa? Mun fahimci cewa za mu sami na'urori 200 ko fiye. Ba za ku iya lura da komai ba. Tare da sigar 6.8 na elasticsearch, saitunan tsaro suna samuwa gare mu (ba tare da siyan lasisi ba), ta haka za mu iya rarraba haƙƙin gani tsakanin ma'aikatan goyan bayan fasaha ko masu gudanar da tsarin gida.
Tables, jadawalai - a nan kawai kuna buƙatar yarda - ko dai ku yi amfani da guda ɗaya, ko kuma kowa yana yin abin da ya dace da shi.

2. Ta hanyar shiga. Idan muka ba da damar shiga cikin dokokin Tacewar zaɓi, to muna yin sunaye ba tare da sarari ba. Ana iya ganin cewa ta amfani da tsari mai sauƙi a cikin ƙwanƙwasa, za mu iya tace bayanai kuma mu sanya bangarori masu dacewa. Hoton da ke ƙasa shine na'ura mai ba da hanya tsakanin hanyoyin sadarwa na gida.

Aikina wanda bai gane ba. Cibiyar sadarwa na 200 MikroTik Routers

3. By sarari shagaltar da kuma guntu. A matsakaita, tare da saƙonni 1000 a kowace awa, rajistan ayyukan suna ɗaukar 2-3 MB kowace rana, wanda, kuna gani, ba haka bane. Elasticsearch 7.5.

MAI KYAU.AWX

Abin farin ciki a gare mu, muna da shirye-shiryen da aka yi don hanyoyin sadarwa
Na ambata game da AWX, amma umarnin da ke ƙasa kawai game da abin da za a iya samu a cikin tsarkakakken tsari - Ina tsammanin cewa ga waɗanda suka yi aiki tare da mai yiwuwa, ba za a sami matsala ta amfani da awx ta hanyar gui ba.

A gaskiya, kafin wannan na dubi wasu jagororin inda suka yi amfani da ssh, kuma dukansu suna da matsaloli daban-daban tare da lokacin amsawa da kuma tarin wasu matsalolin. Na sake maimaitawa, bai zo da fada ba , ɗauki wannan bayanin a matsayin gwaji wanda bai wuce tsayin dakaru 20 ba.

Muna buƙatar amfani da takaddun shaida ko asusu. Ya rage naku don yanke shawara, Ina neman takaddun shaida. Wani batu mai hankali game da haƙƙin mallaka. Ina ba da haƙƙoƙin rubutu - aƙalla “sake saitin saitin” ba zai yi aiki ba.

Kada a sami matsala samarwa, kwafi da shigo da takardar shaidar:

Taƙaitaccen jerin umarniA kan PC ɗin ku
ssh-keygen -t RSA, amsa tambayoyi, ajiye maɓalli.
Kwafi zuwa mikrotik:
mai amfani ssh-keys shigo da jama'a-key-file=id_mtx.pub mai amfani=mai yiwuwa
Da farko kuna buƙatar ƙirƙirar asusu kuma sanya haƙƙoƙinsa.
Duba haɗin kai ta amfani da takaddun shaida
ssh -p 49475 -i /keys/mtx [email kariya]

Yi rijista vi /etc/ansible/hosts
MT01 ansible_network_os = hanyoyin da za a iya yiwuwa_ssh_port=49475 ansible_ssh_user= mai yiwuwa
MT02 ansible_network_os = hanyoyin da za a iya yiwuwa_ssh_port=49475 ansible_ssh_user= mai yiwuwa
MT03 ansible_network_os = hanyoyin da za a iya yiwuwa_ssh_port=49475 ansible_ssh_user= mai yiwuwa
MT04 ansible_network_os = hanyoyin da za a iya yiwuwa_ssh_port=49475 ansible_ssh_user= mai yiwuwa

To, littafin wasa misali: - suna: add_work_sites
runduna: testmt
serial: 1
haɗi: network_cli
remote_user: mikrotik.west
tattara_gaskiya: eh
ayyuka:
- suna: ƙara Work_sites
routeros_umarnin:
umarni:
- / ip Firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
- / ip-jerin adireshin firewall add address=habr.com list=shafi_shafukan aiki sharhi=for_habr

Kamar yadda kuke gani daga tsarin da ke sama, ƙirƙirar littattafan wasan ku ba shi da wahala. Ya isa ya mallaki cli mikrotik da kyau. Bari mu yi tunanin halin da ake ciki inda kuke buƙatar cire jerin adireshi tare da wasu bayanai akan duk masu amfani da hanyar sadarwa, sannan:

Nemo kuma cire/ip firewal address-jerin cire [nemo inda jerin = "gov.ru"]

Ni da gangan ban hada da gaba dayan jeri na Firewall ba saboda... zai zama mutum ɗaya don kowane aikin. Amma abu ɗaya da zan iya faɗi tabbas, yi amfani da jerin adireshi kawai.

A cewar GITLAB komai a bayyane yake. Ba zan tsaya a kan wannan batu ba. Komai yana da kyau ga ɗawainiya ɗaya, samfuri, masu sarrafa.

Powershell

Za a sami fayiloli 3 a nan. Me yasa powershell? Kuna iya zaɓar kowane kayan aiki don ƙirƙirar saiti, duk abin da ya fi dacewa da ku. A wannan yanayin, kowa yana da Windows akan PC ɗin su, don haka me yasa kuke yin shi a cikin bash lokacin da powershell ya fi dacewa. Wanne ya fi dacewa?

Rubutun kanta (mai sauƙi kuma mai fahimta):[cmdletBinding()] Param(
[Siga (Wajibi = $ gaskiya)] [string]$EXTERNALIPADDDRESS,
[Parameter (Dole = $ gaskiya)] [string]$ EXTERNALIPROUTE,
[Parameter (Dole = $ gaskiya)] [string] $ BWorknets,
[Parameter (Wajibi = $ gaskiya)] [string] $ CWorknets,
[Parameter (Wajibi = $ gaskiya)] [string]$BVoipNets,
[Parameter (Dole = $ gaskiya)] [string] $CVoipNets,
[Parameter (Wajibi = $ gaskiya)] [string] $ Clients,
[Parameter (Dole = $ gaskiya)] [string] $ BVPNWORKs,
[Parameter (Wajibi = $ gaskiya)] [string] $CVPNWORKs,
[Parameter (Dole = $ gaskiya)] [string] $ BVPNCLIENTSs,
[Parameter (Wajibi = $ gaskiya)] [string] $cVPNCLIENTSs,
[Parameter (Dole = $ gaskiya)] [string]$NAMEROUTER,
[Parameter(Wajibi = $ gaskiya)] [string] $Server Certificates,
[Parameter (Dole = $ gaskiya)] [string] $infile,
[Parameter (Dole ne = $ gaskiya)] [string] $ outfile
)

Samun-abun ciki $infile | Abun Gabatarwa {$_.Maye gurbin("EXTERNIP", $EXTERNALIPADDRESS)} |
Abun Gabatarwa {$_.Maye gurbin("EXTROUTE", $EXTERNALIPROUTE)} |
Abun Gabatarwa {$_.Maye gurbin("BWorknet", $BWorknets)} |
Abun Gabatarwa {$_.Maye gurbin("CWorknet", $CWorknets)} |
Abun Gabatarwa {$_.Maye gurbin("BVoipNet", $BVoipNets)} |
Abun Farko {$_.Maye gurbin("CVoipNet", $CVoipNets)} |
Abun Gabatarwa {$_.Maye gurbin("Clients", $CClients)} |
Abun Gabatarwa {$_.Maye gurbin("BVPNWORK", $BVPNWORKs)} |
Abun Gabatarwa {$_.Maye gurbin("CVPNWORK", $CVPNWORKs)} |
Abun Gabatarwa {$_.Maye gurbin("BVPNCLIENTS", $BVPNCLIENTSs)} |
Abun Gabatarwa {$_.Maye gurbin("CVPNCLIENTS", $cVPNCLIENTSs)} |
Abun Gabatarwa {$_.Maye gurbin("MYNAMERROUTER", $NAMEROUTER)} |
Abun Gabatarwa {$_.Maye gurbin("ServerCertificate", $ServerCertificates)} | Saita-abun ciki $outfile

Don Allah a gafarta mani, ba zan iya buga duk ka'idoji ba saboda... ba zai yi kyau sosai ba. Kuna iya tsara dokoki da kanku, bisa mafi kyawun ayyuka.

Misali, ga jerin hanyoyin haɗin da na bi:wiki.mikrotik.com/wiki/Manual:Tsaro da_Router
wiki.mikrotik.com/wiki/Manual:IP/Firewall/Tace
wiki.mikrotik.com/wiki/Manual:OSPF-misali
wiki.mikrotik.com/wiki/Drop_port_scanners
wiki.mikrotik.com/wiki/Manual: Winbox
wiki.mikrotik.com/wiki/Manual: Upgrading_RouterOS
wiki.mikrotik.com/wiki/Manual: IP / Fasttrack - a nan kana buƙatar sanin cewa lokacin da aka kunna fasttrack, ƙaddamar da zirga-zirgar zirga-zirga da ƙa'idodin tsarawa ba za su yi aiki ba - da amfani ga na'urori masu rauni.

Alamomi ga masu canji:Ana ɗaukar waɗannan cibiyoyin sadarwa a matsayin misali:
192.168.0.0/24 cibiyar sadarwa mai aiki
172.22.4.0/24 VOIP cibiyar sadarwa
10.0.0.0/24 cibiyar sadarwa don abokan ciniki ba tare da samun dama ga cibiyar sadarwar gida ba
192.168.255.0/24 VPN cibiyar sadarwa don manyan rassa
172.19.255.0/24 VPN cibiyar sadarwa don ƙarami

Adireshin cibiyar sadarwa ya ƙunshi lambobi 4 na decimal, bi da bi ABCD, maye gurbin yana aiki akan ka'ida ɗaya, idan a farawa yana neman B, to yana nufin kuna buƙatar shigar da lambar 192.168.0.0 don cibiyar sadarwar 24/0, da C don C. = 0.
$EXTERNALIPADDDRESS - adireshin sadaukarwa daga mai bayarwa.
$EXTERNALIPROUTE - tsohuwar hanya zuwa cibiyar sadarwa 0.0.0.0/0
$BWorknets - Cibiyar sadarwa na aiki, a cikin misalinmu za a sami 168
$CWorknets - Cibiyar sadarwa mai aiki, a cikin misalinmu wannan zai zama 0
$BVoipNets - hanyar sadarwar VOIP a cikin misalinmu anan 22
$CVoipNets - hanyar sadarwar VOIP a cikin misalinmu anan 4
$CClients - hanyar sadarwa don abokan ciniki - samun damar Intanet kawai, a cikin yanayinmu anan 0
$BVPNWORKs - hanyar sadarwar VPN don manyan rassa, a cikin misalinmu 20
$CVPNWORKs - hanyar sadarwar VPN don manyan rassa, a cikin misalinmu 255
$BVPNCLIENTS - VPN cibiyar sadarwa don ƙananan rassa, ma'ana 19
$CVPNCLIENTS - VPN cibiyar sadarwa don ƙananan rassa, ma'ana 255
$NAMEROUTER - sunan mai amfani da hanyar sadarwa
$ServerCertificate - sunan takardar shaidar da kuka shigo da shi a baya
$infile - Ƙayyade hanyar zuwa fayil ɗin da za mu karanta saitin, misali D: config.txt (zai fi dacewa hanyar Turanci ba tare da ambato da sarari ba)
$outfile - ƙayyade hanyar inda za a adana shi, misali D:MT-test.txt

Na canza adiresoshin da ke cikin misalan da gangan don dalilai masu ma'ana.

Na rasa ma'anar gano hare-hare da halaye mara kyau - wannan ya cancanci labarin daban. Amma yana da kyau a nuna cewa a cikin wannan rukunin zaku iya amfani da ƙimar bayanan saka idanu daga Zabbix + bayanan curl da aka sarrafa daga bincike na elastick.

Wadanne batutuwa ya kamata ku kula da su:

  1. Tsarin hanyar sadarwa. Yana da kyau a tsara shi nan da nan a cikin sigar da za a iya karantawa. Excel zai isa. Abin takaici, sau da yawa ina ganin cewa an gina hanyoyin sadarwa bisa ga ka'idar "Sabon reshe ya bayyana, ga /24 a gare ku." Babu wanda ke gano adadin na'urorin da ake tsammanin a wani wurin da aka bayar ko kuma za a sami ƙarin haɓaka. Misali, wani karamin shago ya bude wanda da farko ya tabbata cewa na'urar ba zata wuce 10 ba, me yasa aka ware /24? Don manyan rassan, akasin haka, suna rarraba / 24, kuma akwai na'urori 500 - za ku iya ƙara hanyar sadarwa kawai, amma kuna so kuyi tunanin komai a lokaci guda.
  2. Ka'idojin tacewa. Idan aikin ya ɗauka cewa za a sami rabuwa na cibiyoyin sadarwa da matsakaicin kashi. Mafi kyawun Ayyuka suna canzawa akan lokaci. A baya can, an raba hanyar sadarwar PC da cibiyar sadarwar firinta, amma yanzu ya zama al'ada kada a rarraba waɗannan cibiyoyin sadarwa. Yana da kyau a yi amfani da hankali kuma ba ƙirƙira da yawa subnets inda ba a buƙatar su kuma ba haɗa duk na'urori cikin hanyar sadarwa ɗaya ba.
  3. Saitunan "Golden" akan duk hanyoyin sadarwa. Wadancan. idan kun yanke shawara akan tsari. Yana da kyau a hango komai nan da nan kuma ƙoƙarin tabbatar da cewa duk saitunan iri ɗaya ne - jerin adireshi da adiresoshin IP kawai sun bambanta. Idan matsaloli sun taso, lokacin cirewa zai zama ƙasa.
  4. Batutuwan kungiya ba su da mahimmanci fiye da na fasaha. Sau da yawa ma'aikata masu kasala suna aiwatar da waɗannan shawarwarin "da hannu", ba tare da yin amfani da saitunan da aka yi da shirye-shiryen da rubutun ba, wanda a ƙarshe ya haifar da matsaloli ba tare da wani wuri ba.

Ta hanyar tuƙi mai ƙarfi. An yi amfani da OSPF tare da rabon yanki. Amma wannan benci ne na gwaji; a cikin yanayin fama yana da ban sha'awa don saita irin waɗannan abubuwa.

Ina fatan babu wanda ya damu cewa ban sanya saitunan na'ura mai ba da hanya tsakanin hanyoyin sadarwa ba. Ina tsammanin cewa hanyoyin haɗin za su isa, sannan duk abin ya dogara da bukatun. Kuma tabbas gwaje-gwaje, ana buƙatar ƙarin gwaje-gwaje.

Ina fatan kowa ya gane ayyukansa a cikin sabuwar shekara. Bari damar shiga ta kasance tare da ku !!!

source: www.habr.com

Add a comment