My unfinished project. A network of 200 MikroTik routers


Hello everyone. This article is intended for those who have a lot of MikroTik devices in the field and who want to unify as much as possible so that they do not have to connect to every device separately. In it I will describe a project that, unfortunately, never made it into production, for human reasons. In short: more than 200 routers, fast deployment and staff training, unification by region, filtering of networks and specific hosts, the ability to easily push a rule to every device, logging and monitoring.

What is described below does not claim to be a ready-made case, but I hope it will be useful to you when planning your networks and will reduce the number of mistakes. Some points and decisions may not suit you; if so, write in the comments. Criticism here goes into the piggy bank of experience. So, reader, look at the comments too; perhaps the author made serious mistakes, and the community will help.

The number of routers is 200-300, scattered across different cities with very different quality of Internet connectivity. Everything has to be made tidy, and the local administrators have to be told in an accessible way how it all works.

So where does every project start? Of course, with the terms of reference (TOR).

  1. Drawing up the network plan for each branch according to the customer's requirements, with network segmentation (from 3 to 20 networks per branch, depending on the equipment).
  2. Configuring the equipment in each branch. Checking the real bandwidth of the provider under different loads.
  3. Protecting the devices: whitelist management, basic attack detection with automatic temporary blacklisting, minimizing exposure to the various exploits that affect access control and cause denial of service.
  4. Secure VPN connections with network filtering according to the customer's requirements. At least 3 VPN connections from each branch to the centre.
  5. Based on points 1 and 2, choosing the best way to build a fault-tolerant VPN. The dynamic routing protocol, with appropriate justification, may be chosen by the contractor.
  6. Traffic prioritization by protocol, port, host and the other specific services the customer uses (VoIP, hosts with critical services).
  7. Monitoring and logging of router events so that support staff can respond.

As we understand, sometimes the TOR is written for oneself. I drew up these requirements myself after listening to the main problems. It was accepted that other people might be brought in to implement these points.

Which tools will be used to meet these requirements:

  1. ELK stack (after a while it became clear that fluentd would be used instead of logstash).
  2. Ansible. For ease of management and sharing of access we will use AWX.
  3. GitLab. No explanation needed here. Where would we be without version control of our configs.
  4. PowerShell. There will be a simple script for the initial generation of the config.
  5. DokuWiki, for documentation and manuals. In this case we use habr.com.
  6. Monitoring will be done by Zabbix. There will also be a connection diagram for general understanding.

EFK configuration details

On the first point I will only describe the concept by which the indexes are built. There are plenty of good articles on configuring and receiving logs from devices running MikroTik.

I will dwell on a few points:

1. According to the concept, we have to allow for receiving logs from several locations and on different ports. For this we use a log aggregator. We also want universal dashboards for all routers, with the ability to share access. So we build the indexes as follows:

here is a fragment of the fluentd elasticsearch output config (the host name is not legible in the source):

```
logstash_format true
index_name mikrotiklogs.north
logstash_prefix mikrotiklogs.north
flush_interval 10s
host <elasticsearch host>
port 9200
```

Note that with logstash_format true the plugin writes to indices named <logstash_prefix>-YYYY.MM.DD, so it is logstash_prefix, not index_name, that decides where a region's logs land.

So we can group routers and segments according to the plan: mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Why complicate things? We understand that we will have 200 devices or more. Nobody can keep track of all of them. Starting with Elasticsearch version 6.8, the security features are available to us (no licence required), so we can split viewing rights between support staff or local administrators.
Tables and graphs: here you just have to agree whether everyone uses the same ones or everyone builds them the way that is convenient for them.

2. On logging. If we enable logging in firewall rules, we give the log prefixes names without spaces. It turns out that with a simple config in fluentd we can then filter the data by prefix and build convenient panels. The picture below is my home router.


3. On space and logs. On average, with 1000 messages per hour, the logs take about 2-3 MB per day, which, you will agree, is not much. Elasticsearch version 7.5.
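To show why the "no spaces in log prefixes" rule matters and what the automatic temporary blacklisting from point 3 of the TOR can look like on the log side, here is an added example (my code, not from the original article): it parses firewall lines in the shape RouterOS writes for the firewall,info topic, counts hits per prefix, flags sources that probe several ports and emits RouterOS address-list commands with a timeout. The log lines are constructed; the convention that a prefix starts with the rule action (drop_input, accept_vpn) and the list name blacklist are my assumptions.

```python
"""Parse MikroTik firewall log lines, count hits per log-prefix, flag sources that
probe several ports and emit RouterOS commands for temporary blacklisting.
Added example; the log lines are constructed, not taken from a real router."""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape RouterOS produces for "firewall,info" when a filter
# rule has log=yes and a log-prefix. Index 4 deliberately uses a prefix WITH a space.
SAMPLE_LOGS = [
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:54321->198.51.100.1:22, len 60",
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:54322->198.51.100.1:8291, len 60",
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:54323->198.51.100.1:23, len 60",
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 198.51.100.77:5060->198.51.100.1:5060, len 420",
    "firewall,info drop input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.0.2.9:40000->198.51.100.1:22, len 60",
    "firewall,info accept_vpn: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 192.0.2.10:500->198.51.100.1:500, len 200",
    "firewall,info drop_input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 203.0.113.5->198.51.100.1, len 84",
]

LOG_RE = re.compile(
    r"^(?P<topics>[\w,]+)\s+"
    r"(?P<prefix>\S+):\s+"                      # log-prefix of the rule: must not contain spaces
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>\([^)]*\)|\S+),\s+"
    r"(?:src-mac\s+(?P<src_mac>[0-9A-Fa-f:]+),\s+)?"
    r"proto\s+(?P<proto>\w+)(?:\s+\((?P<flags>[^)]*)\))?,\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?,\s+"
    r"len\s+(?P<len>\d+)"
)


def parse_line(line):
    """Return a dict of fields, or None when the line does not follow the convention."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Assumed convention: the prefix starts with the rule action (drop_input, accept_vpn).
    rec["action"] = rec["prefix"].split("_", 1)[0]
    return rec


def summarize(lines):
    """Hits per log-prefix plus the lines that could not be parsed (e.g. a prefix with a space)."""
    by_prefix, unparsed = Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            by_prefix[rec["prefix"]] += 1
    return by_prefix, unparsed


def scan_candidates(lines, min_ports=3):
    """Sources whose dropped packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "drop" and rec["dport"]:
            ports[rec["src"]].add(rec["dport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def blacklist_commands(sources, timeout="1d"):
    """RouterOS commands that blacklist the sources for a limited time (the entry expires by itself)."""
    return [
        f"/ip firewall address-list add list=blacklist address={src} timeout={timeout} comment=auto_portscan"
        for src in sources
    ]


if __name__ == "__main__":
    by_prefix, unparsed = summarize(SAMPLE_LOGS)
    print(dict(by_prefix), "unparsed:", len(unparsed))
    for cmd in blacklist_commands(scan_candidates(SAMPLE_LOGS)):
        print(cmd)
```

The line with the prefix "drop input" is the failure mode the text warns about: the parser (and any Kibana panel keyed on the first token) sees "drop" and loses the rest, so it ends up in the unparsed bucket instead of the per-rule statistics. The generated commands are what a Zabbix action or a script fed from Elasticsearch via curl, as mentioned later in the article, would push to the routers through Ansible.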

Ansible. AWX

Luckily for us, there is a ready-made module for RouterOS.
I mentioned AWX, but the commands below refer to Ansible in its purest form; I think that for those who have worked with Ansible, using AWX through the GUI will not be a problem.

To be honest, before that I looked at other manuals that used plain ssh, and all of them had their own problems with response time and a pile of other issues. I repeat, this never reached production; take this information as an experiment that did not go beyond a test stand of 20 routers.

We have to use either a key or an account with a password. That is up to you; I am for keys. A few subtle points about policies: I gave the account the write policy, so at least "reset-configuration" will not work.

There should be no problems with generating, copying and importing the key:

Short list of commands. On your PC:
ssh-keygen -t rsa (the key type is lowercase), answer the questions, save the key.
Copy it to the MikroTik and import it:
/user ssh-keys import public-key-file=id_mtx.pub user=ansible
Before that you need to create the account and assign it its rights.
Check the connection with the key:
ssh -p 49475 -i /keys/mtx ansible@<router>

Edit vi /etc/ansible/hosts:

```
MT01 ansible_network_os=routeros ansible_ssh_port=49475 ansible_user=ansible
MT02 ansible_network_os=routeros ansible_ssh_port=49475 ansible_user=ansible
MT03 ansible_network_os=routeros ansible_ssh_port=49475 ansible_user=ansible
MT04 ansible_network_os=routeros ansible_ssh_port=49475 ansible_user=ansible
```

Well, and an example of a playbook:

```yaml
- name: add_work_sites
  hosts: test
  serial: 1
  connection: network_cli
  remote_user: mikrotik.west
  gather_facts: yes
  tasks:
    - name: add work_sites
      routeros_command:
        commands:
          - /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
          - /ip firewall address-list add address=habr.com list=work_sites comment=for_habr
```

As you can see from the configuration above, putting your own playbooks together is simple. It is enough to master the MikroTik CLI. Imagine a situation where you have to remove address-list entries with certain data from all routers; then:

Find and remove: /ip firewall address-list remove [find where address="gov.ru"] (the entry was added above as address=gov.ru in the work_sites list, so match on address rather than list)
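routeros_command simply sends whatever strings it is given, so a playbook that adds address-list entries is not idempotent on its own: the second run tries to add the same entries again. As an added example (my code, not the article's), the generator below emits RouterOS one-liners that check with find before adding, validates the addresses and list names, and quotes comments that contain spaces so they do not break the command line. The list name work_sites and the entries are taken from the playbook above; the validation rules are my assumptions.

```python
"""Generate idempotent RouterOS address-list commands for use in an Ansible
routeros_command task. Added example; list names and entries are constructed."""
import ipaddress
import re

LIST_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def valid_address(addr):
    """Accept an IP, a CIDR network or a DNS name (RouterOS resolves names in address lists)."""
    try:
        ipaddress.ip_network(addr, strict=False)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(addr))


def quote(value):
    """RouterOS takes bare values without spaces; anything else must be quoted and escaped."""
    if re.fullmatch(r"[A-Za-z0-9_.:/-]+", value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def add_commands(list_name, entries):
    """One command per (address, comment): add only if no identical entry exists yet,
    so the playbook can be re-run without producing duplicates or errors."""
    if not LIST_NAME_RE.match(list_name):
        raise ValueError(f"bad list name {list_name!r}")
    cmds = []
    for addr, comment in entries:
        if not valid_address(addr):
            raise ValueError(f"bad address {addr!r}")
        cmds.append(
            f":if ([:len [/ip firewall address-list find where list={list_name} address={quote(addr)}]] = 0) "
            f"do={{/ip firewall address-list add list={list_name} address={quote(addr)} comment={quote(comment)}}}"
        )
    return cmds


def remove_commands(addresses):
    """Remove the address from every list it appears in (the clean-up case from the text)."""
    for addr in addresses:
        if not valid_address(addr):
            raise ValueError(f"bad address {addr!r}")
    return [f"/ip firewall address-list remove [find where address={quote(a)}]" for a in addresses]


if __name__ == "__main__":
    for c in add_commands("work_sites", [("gov.ru", "Ticket665436_Ochen_nado"), ("habr.com", "for habr")]):
        print(c)
    print(remove_commands(["gov.ru"])[0])
```

The generated strings drop straight into the commands: list of a routeros_command task. Validating the input before it reaches 200 routers is the cheap part; the find guard is what keeps a re-run of the job from failing half way through the inventory.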

I deliberately did not include the whole firewall rule set here; it will be individual for each project. But one thing I can say for certain: use address lists only.

With GitLab everything is clear. I will not dwell on it. Everything is neatly laid out in terms of separate tasks, templates and handlers.

PowerShell

There will be 3 files. Why PowerShell? Anyone can pick whatever tool is more convenient for generating configs. In this case everyone has Windows on their PC, so why do it in bash when PowerShell is simpler. Whatever is more convenient for whom.

The script itself (simple and understandable):

```powershell
[CmdletBinding()]
Param(
    [Parameter(Mandatory = $true)] [string]$EXTERNALIPADDRESS,
    [Parameter(Mandatory = $true)] [string]$EXTERNALIPROUTE,
    [Parameter(Mandatory = $true)] [string]$BWorknets,
    [Parameter(Mandatory = $true)] [string]$CWorknets,
    [Parameter(Mandatory = $true)] [string]$BVoipNets,
    [Parameter(Mandatory = $true)] [string]$CVoipNets,
    [Parameter(Mandatory = $true)] [string]$CClientss,
    [Parameter(Mandatory = $true)] [string]$BVPNWORKs,
    [Parameter(Mandatory = $true)] [string]$CVPNWORKs,
    [Parameter(Mandatory = $true)] [string]$BVPNCLIENTSs,
    [Parameter(Mandatory = $true)] [string]$cVPNCLIENTSs,
    [Parameter(Mandatory = $true)] [string]$NAMEROUTER,
    [Parameter(Mandatory = $true)] [string]$ServerCertificates,
    [Parameter(Mandatory = $true)] [string]$infile,
    [Parameter(Mandatory = $true)] [string]$outfile
)

# Read the template line by line, substitute every placeholder and write the result.
# .Replace() is a plain case-sensitive substring replacement: the values are not validated.
Get-Content $infile |
    ForEach-Object { $_.Replace("EXTERNIP", $EXTERNALIPADDRESS) } |
    ForEach-Object { $_.Replace("EXTROUTE", $EXTERNALIPROUTE) } |
    ForEach-Object { $_.Replace("BWorknet", $BWorknets) } |
    ForEach-Object { $_.Replace("CWorknet", $CWorknets) } |
    ForEach-Object { $_.Replace("BVoipNet", $BVoipNets) } |
    ForEach-Object { $_.Replace("CVoipNet", $CVoipNets) } |
    ForEach-Object { $_.Replace("CClients", $CClientss) } |
    ForEach-Object { $_.Replace("BVPNWORK", $BVPNWORKs) } |
    ForEach-Object { $_.Replace("CVPNWORK", $CVPNWORKs) } |
    ForEach-Object { $_.Replace("BVPNCLIENTS", $BVPNCLIENTSs) } |
    ForEach-Object { $_.Replace("CVPNCLIENTS", $cVPNCLIENTSs) } |
    ForEach-Object { $_.Replace("MYNAMERROUTER", $NAMEROUTER) } |
    ForEach-Object { $_.Replace("ServerCertificate", $ServerCertificates) } |
    Set-Content $outfile
```

I apologise, I cannot post all of the code; it would not look good. You can build the rules yourself, guided by best practices.

For example, here is the list of links I took them from:
wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
wiki.mikrotik.com/wiki/Manual:OSPF-example
wiki.mikrotik.com/wiki/Drop_port_scanners
wiki.mikrotik.com/wiki/Manual:Winbox
wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
wiki.mikrotik.com/wiki/Manual:IP/Fasttrack - here you have to keep in mind that when fasttrack is enabled, traffic prioritization and shaping rules will not apply to fasttracked connections; it helps a lot on weak hardware, though.

Variable conventions. The following networks are taken as an example:
192.168.0.0/24 work network
172.22.4.0/24 VoIP network
10.0.0.0/24 network for clients without LAN access
192.168.255.0/24 VPN network for large branches
172.19.255.0/24 VPN network for small branches

An address consists of 4 octets, A.B.C.D, and the variables follow the same rule: if the script asks for B at start-up, for the network 192.168.0.0/24 you enter 168, and for C you enter 0.
$EXTERNALIPADDRESS - the address assigned by the provider.
$EXTERNALIPROUTE - the default route to 0.0.0.0/0 (the provider's gateway)
$BWorknets - work network, in our example 168
$CWorknets - work network, in our example 0
$BVoipNets - VoIP network, in our example 22
$CVoipNets - VoIP network, in our example 4
$CClientss - network for clients with Internet access only, in our case 0
$BVPNWORKs - VPN network for large branches, in our example 168 (from 192.168.255.0/24)
$CVPNWORKs - VPN network for large branches, in our example 255
$BVPNCLIENTS - VPN network for small branches, i.e. 19
$CVPNCLIENTS - VPN network for small branches, i.e. 255
$NAMEROUTER - the router name
$ServerCertificate - the name of the certificate you imported beforehand
$infile - the path to the template file we read the config from, e.g. D:\config.txt (preferably a path without quotes and spaces)
$outfile - the path where the result will be saved, e.g. D:\MT-test.txt
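The script above asks the operator for each B and C octet by hand and performs plain substring replacement, so a typo in one octet lands on the router unchecked. As an added example (my code, not the article's), here is the same generation step driven from one row of the network plan: the octets are derived from the CIDR networks, the inputs are validated, all placeholders are replaced in a single pass, and the matching Ansible inventory line is produced for the same router. The placeholder names follow the page's script; the template fragment, the branch row and the helper names are constructed for the example.

```python
"""Render a MikroTik config template from a branch's network plan: the B/C octets the
page's script asks for interactively are derived from the CIDR networks, every value is
validated, and all placeholders are replaced in one pass. Added example; the template
fragment and the branch plan are constructed, the placeholder names follow the page."""
import ipaddress
import re

# Constructed template fragment using the page's placeholder names (A octets fixed in it).
TEMPLATE = """\
/system identity set name=MYNAMERROUTER
/ip address add address=EXTERNIP interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=EXTROUTE
/ip address add address=192.BWorknet.CWorknet.1/24 interface=bridge-work
/ip address add address=172.BVoipNet.CVoipNet.1/24 interface=bridge-voip
/ip address add address=10.0.CClients.1/24 interface=bridge-clients
/ip firewall address-list add list=vpn_work address=192.BVPNWORK.CVPNWORK.0/24
/ip firewall address-list add list=vpn_clients address=172.BVPNCLIENTS.CVPNCLIENTS.0/24
/ip ipsec identity add peer=center certificate=ServerCertificate
"""

# Constructed branch row (what one line of the Excel network plan would carry).
SAMPLE_PLAN = {
    "name": "MT-west-01",
    "ext_ip": "203.0.113.10/30", "ext_gw": "203.0.113.9",
    "work": "192.168.0.0/24", "voip": "172.22.4.0/24", "clients": "10.0.0.0/24",
    "vpn_work": "192.168.255.0/24", "vpn_clients": "172.19.255.0/24",
    "cert": "branch-west-01",
}


def octet(cidr, index):
    """Octet `index` (0..3) of a /24 network address, e.g. octet("192.168.0.0/24", 1) -> "168"."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen != 24:
        raise ValueError(f"{cidr}: the template hard-codes /24 networks")
    return str(net.network_address.packed[index])


def build_values(plan):
    """Map every template placeholder to its value, validating the plan on the way."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", plan["name"]):
        raise ValueError(f"bad router name {plan['name']!r}")
    ipaddress.IPv4Interface(plan["ext_ip"])      # a.b.c.d/nn as RouterOS expects
    ipaddress.IPv4Address(plan["ext_gw"])
    return {
        "MYNAMERROUTER": plan["name"],
        "EXTERNIP": plan["ext_ip"],
        "EXTROUTE": plan["ext_gw"],
        "BWorknet": octet(plan["work"], 1), "CWorknet": octet(plan["work"], 2),
        "BVoipNet": octet(plan["voip"], 1), "CVoipNet": octet(plan["voip"], 2),
        "CClients": octet(plan["clients"], 2),
        "BVPNWORK": octet(plan["vpn_work"], 1), "CVPNWORK": octet(plan["vpn_work"], 2),
        "BVPNCLIENTS": octet(plan["vpn_clients"], 1), "CVPNCLIENTS": octet(plan["vpn_clients"], 2),
        "ServerCertificate": plan["cert"],
    }


def render(template, values):
    """Single-pass substitution, longest placeholder first, so one placeholder can never
    be rewritten by a later replacement (the risk of chaining .Replace() calls)."""
    pattern = re.compile("|".join(re.escape(k) for k in sorted(values, key=len, reverse=True)))
    out = pattern.sub(lambda m: values[m.group(0)], template)
    left = [k for k in values if k in out]      # assumes values themselves never spell a placeholder
    if left:
        raise ValueError(f"placeholders left in output: {left}")
    return out


def inventory_line(plan, port=49475):
    """Matching /etc/ansible/hosts entry for the branch router (management over its WAN address)."""
    host = ipaddress.IPv4Interface(plan["ext_ip"]).ip
    return f"{plan['name']} ansible_host={host} ansible_network_os=routeros ansible_ssh_port={port} ansible_user=ansible"


if __name__ == "__main__":
    print(render(TEMPLATE, build_values(SAMPLE_PLAN)))
    print(inventory_line(SAMPLE_PLAN))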

I deliberately changed the addresses in the examples, for obvious reasons.

I left out the topic of detecting attacks and anomalous behaviour; it deserves a separate article. But it is worth pointing out that in this stack you can combine Zabbix monitoring of the key metrics with pulling data out of Elasticsearch with curl.

What to pay attention to:

  1. The network plan. It is better to write it down in a readable form. Excel is enough. Unfortunately, I often see networks allocated on the principle of "a new branch appeared, here is a /24 for you". Nobody looks at how many devices a location needs and whether there will be further growth. For example, a small shop opens where it is immediately clear there will never be more than 10 devices, so why allocate a /24? For large branches, on the contrary, they allocate a /24 and there are 500 devices; you can add another network, but it is better to think everything through at once.
  2. The filtering rules. Assuming the project calls for separation of networks and maximum segmentation. Best practices change over time. Previously the PC network and the printer network were shared; now it is considered good form not to mix them. Use common sense: do not create a pile of subnets where they are not needed, and do not put all devices into one network either.
  3. A "golden" configuration for all routers. That is, if you have a plan. It is worth foreseeing everything at once and trying to make all locations identical, differing only in names and IP addresses. When problems occur, debugging takes less time.
  4. Unification matters no less than the procedures. Often, lazy staff follow these recommendations "by hand", without using templates and scripts, which eventually leads to problems out of nowhere.

On dynamic routing. OSPF with areas was used. But that was on the test stand; in production such things are much more interesting to set up.

I hope nobody is offended that I did not publish the router configuration. I think the links will be enough, and after that it all depends on the requirements. And of course more testing is needed.

I wish everyone to know their tasks in the new year. May it be with you!!!

Source: www.hab.com
