
Hello everyone. This article is for those who run a large Mikrotik network and want as much automation as possible without having to connect to every device by hand. In it I describe a project that, unfortunately, never reached production because of human error. In short: more than 200 routers, fast deployment and staff training, consolidation by region, network and host filtering, the ability to push a rule to every device with little effort, logging, and access control.
What follows is not a complete tutorial, but I hope it helps when you plan your own network and saves you some mistakes. Some points and solutions may look wrong to you; if so, say so in the comments. Criticism here is shared learning. So, dear reader, do read the comments: the author may have made serious mistakes, and the community will gladly help.
There are 200-300 routers spread across many cities with roughly the same quality of internet connectivity. Everything had to be built cleanly and explained clearly to the local administrators so they understand how it works.
So, where does a project start? With the technical specification (TK), of course.
- Prepare an addressing plan for every branch according to the customer's needs, with network segmentation (3 to 20 networks per branch depending on the number of devices).
- Configure the equipment at every branch. Test the provider's speed under various workloads.
- Plan device hardening: whitelist management, detection of attacks with blacklisting for a set period, and mitigation of the various techniques used to disrupt management access or cause denial of service.
- Provide secure VPN connectivity with network filtering according to the customer's requirements. At minimum, three VPN connections from every branch to the central office.
- Based on points 1 and 2, choose the best options for building fault-tolerant VPNs. The contractor chooses the dynamic routing technology and justifies the choice.
- Traffic prioritization by protocol, port, host, and the other specific services the customer uses (VOIP, hosts running critical services).
- Prepare monitoring and logging of router events so that technical support staff can respond.
As we all understand, a TK is sometimes written to fit existing rules. I drew up these requirements myself after listening to the main problems. I hope others will be guided by these points as well.
Which tools will be used to meet these requirements:
- ELK stack (after a while it became clear that fluentd would be used instead of logstash).
- Ansible. For ease of management and access control, we'll use AWX.
- GITLAB. This needs no explanation. We can't do without version control of our configurations.
- PowerShell. There will be a simple script for the initial generation of configs.
- A wiki for documentation and instructions. In this case, we use habr.com.
- Monitoring will be done with Zabbix. A network map will also be provided for a general overview.
EFK configuration points
On the first point, I'll only describe the idea behind how the indexes are built. There are many excellent articles on configuring and receiving logs from Mikrotik devices.
Let me cover a few points:
1. According to the diagram, it makes sense to receive logs from different sites and from different locations. For this we use a log collector. We also want graphs for every router, with the ability to separate access. So we create the indexes as follows:
Here is a snippet of the fluentd config (the Elasticsearch host name did not survive extraction and is shown as a placeholder):

    @type elasticsearch
    logstash_format true
    index_name mikrotiklogs.north
    logstash_prefix mikrotiklogs.north
    flush_interval 10s
    hosts <elasticsearch-host>:9200
    port 9200
This way we can group the routers and split them according to the plan: mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Why complicate things like this? Keep in mind that we'll have 200 or more devices, and it's not easy to keep track of everything. Starting with ElasticSearch version 6.8, the security features are available without a paid license, which lets us divide viewing rights between technical support staff and local administrators.
Dashboards and graphs: here you just have to agree to use the same ones, or everyone builds them the way that suits them best.
2. About logging. If we enable logging in the firewall rules, we use log prefixes without spaces. With a simple filter configuration in fluentd we can split the data and build simple dashboards. The figure below shows my home router.

3. On storage and the log files. On average, at 1000 messages per hour, the log files take 2-3 MB per day, which, you'll agree, isn't much. Elasticsearch version 7.5.
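As an added illustration of points 1 and 2 (this is not code from the original article): a small collector stage in Python that parses RouterOS remote-syslog lines, picks the regional index (mikrotiklogs.north and so on) from an assumed router-to-region table, and counts drops per source address for a space-free firewall log prefix. The sample lines, the ROUTER_REGION map and the DROP_WAN_IN prefix are constructed for the example; the assumed line shape is the usual "hostname topics [prefix:] message" that RouterOS sends to a remote syslog target, and a router missing from the map lands in an "unassigned" index rather than being dropped silently.

```python
import re
from collections import Counter, defaultdict

# Assumed router-to-region mapping (the only input needed to pick an index).
ROUTER_REGION = {"MT01": "north", "MT02": "west", "MT03": "south"}

# Constructed sample lines in the shape RouterOS sends to a remote syslog target:
# "<hostname> <topics> [<log-prefix>: ]<message>". Documentation addresses only.
SAMPLE_LINES = [
    "MT01 firewall,info DROP_WAN_IN: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.10:51234->198.51.100.5:8291, len 60",
    "MT01 firewall,info DROP_WAN_IN: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, "
    "proto TCP (SYN), 203.0.113.10:51235->198.51.100.5:22, len 60",
    "MT02 system,info,account user admin logged in from 192.168.0.15 via winbox",
    "MT99 system,error,critical login failure for user admin from 203.0.113.77 via ssh",
]

# Header: hostname, comma-separated topics, optional prefix (no spaces, ends with ": ").
_LINE_RE = re.compile(
    r"^(?P<host>\S+) (?P<topics>[\w]+(?:,[\w]+)*) (?:(?P<prefix>[\w-]+): )?(?P<msg>.*)$"
)
# Connection tuple inside a firewall message.
_FLOW_RE = re.compile(
    r"proto (?P<proto>\w+).*?(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def parse_line(line):
    """Return a record dict for one syslog line, or None if it does not match."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["topics"] = rec["topics"].split(",")
    region = ROUTER_REGION.get(rec["host"], "unassigned")
    rec["index"] = f"mikrotiklogs.{region}"
    if "firewall" in rec["topics"]:
        f = _FLOW_RE.search(rec["msg"])
        if f:
            rec.update(proto=f["proto"], src=f["src"], dst=f["dst"],
                       sport=int(f["sport"]), dport=int(f["dport"]))
    return rec


def route_lines(lines):
    """Group parsed records by the index they would be written to."""
    by_index = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_index[rec["index"]].append(rec)
    return dict(by_index)


def drops_by_source(records, prefix="DROP_WAN_IN"):
    """Count dropped connections per source address for one log prefix."""
    return Counter(r["src"] for r in records if r.get("prefix") == prefix and "src" in r)


if __name__ == "__main__":
    routed = route_lines(SAMPLE_LINES)
    for index, records in sorted(routed.items()):
        print(index, len(records), dict(drops_by_source(records)))
```

The per-region index is decided entirely by the hostname field, so the same mapping table drives both the fluentd routing and the Kibana access split described above; the drop counter is the kind of aggregation behind a simple "top blocked sources" dashboard panel.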
ANSIBLE.AWX
Luckily for us, there is a ready-made module for these routers.
I mentioned AWX, but the commands below are for plain Ansible. I think those who have worked with Ansible will have no trouble using AWX from the GUI.
I'll be honest: I looked at other guides that use SSH before this, and all of them had different response issues and assorted problems. Still, nothing went badly wrong :) Treat this material as an experiment that didn't go beyond a 20-router setup.
We need to use either a certificate (an SSH key) or an account. It's up to you, but I recommend the certificate. There are small subtleties with permissions. I grant write permission; even then a config reset will not work.
Creating, copying and uploading the certificate should cause no problems:
A short list of commands. On your PC:

    ssh-keygen -t RSA

answer the questions and save the key.
Copy it to the Mikrotik:

    /user ssh-keys import public-key-file=id_mtx.pub user=ansible

Beforehand, you need to create the account and grant it rights.
Check the connection using the certificate:

    ssh -p 49475 -i /keys/mtx ansible@192.168.0.120

Then we edit the inventory with vi /etc/ansible/hosts:

    MT01 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT02 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT03 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
    MT04 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
Well, here's a playbook as an example:

    - name: add_work_sites
      hosts: testmt
      serial: 1
      connection: network_cli
      remote_user: mikrotik.west
      gather_facts: yes
      tasks:
        - name: add Work_sites
          routeros_command:
            commands:
              - /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
              - /ip firewall address-list add address=habr.com list=work_sites comment=for_habr
As you can see from the configuration above, writing your own playbooks isn't hard; a good understanding of the Mikrotik CLI is enough. Now consider a situation where we need to remove an address-list entry with specific data from every router. Then, find and remove:

    /ip firewall address-list remove [find where address="gov.ru"]

I deliberately didn't include the whole firewall rule set here, because it will be specific to each project. But one thing is certain: use address lists, and only address lists.
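An added example, not from the article and not part of Ansible: the playbook above adds fixed entries and the command above removes one, so a re-run is not idempotent and nobody checks what else has accumulated in the list. The Python below takes a router's /ip firewall address-list export (a constructed sample here, not a real device's) and a desired state per list, and emits only the add, set and remove commands needed, in the same find-where form as above; lists not named in the desired state (admins in the sample) are left alone, so the output can be handed to routeros_command unchanged.

```python
import shlex

# Constructed "/ip firewall address-list export" output (not a real router's).
CURRENT_EXPORT = """\
# constructed sample export
/ip firewall address-list
add address=gov.ru comment=Ticket665436_Ochen_nado list=work_sites
add address=old-portal.example comment="Ticket000001 expired" list=work_sites
add address=192.168.0.15 list=admins
"""

# Desired state for the lists we manage: list -> {address: comment}.
DESIRED = {
    "work_sites": {
        "gov.ru": "Ticket665436_Ochen_nado",
        "habr.com": "for_habr",
    },
}


def parse_export(text):
    """Parse 'add key=value ...' lines into dicts; headers and comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        entry = {}
        for token in shlex.split(line)[1:]:   # shlex handles comment="with spaces"
            key, _, value = token.partition("=")
            entry[key] = value
        entries.append(entry)
    return entries


def _quote(value):
    """Quote a value for the RouterOS CLI only when it needs it."""
    return f'"{value}"' if (" " in value or not value) else value


def plan_commands(current_export, desired):
    """Return the RouterOS commands that move the router to the desired state."""
    current = {(e.get("list"), e.get("address")): e for e in parse_export(current_export)}
    commands = []
    for list_name, wanted in desired.items():
        # Missing entries are added; entries whose comment drifted are corrected in place.
        for address, comment in sorted(wanted.items()):
            cur = current.get((list_name, address))
            if cur is None:
                commands.append(
                    f"/ip firewall address-list add address={address} "
                    f"list={list_name} comment={_quote(comment)}"
                )
            elif cur.get("comment", "") != comment:
                commands.append(
                    f'/ip firewall address-list set [find where list="{list_name}" '
                    f'address="{address}"] comment={_quote(comment)}'
                )
        # Anything else in a managed list is removed; other lists are untouched.
        for lst, address in sorted(k for k in current if k[0] == list_name):
            if address not in wanted:
                commands.append(
                    f'/ip firewall address-list remove [find where list="{lst}" address="{address}"]'
                )
    return commands


if __name__ == "__main__":
    for cmd in plan_commands(CURRENT_EXPORT, DESIRED):
        print(cmd)
```

Running the plan a second time against an export that already matches the desired state yields no commands, which is the property the fixed playbook lacks; the export can be fetched with the same routeros_command module by running /ip firewall address-list export first.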
Everything is clear with GITLAB, so I won't dwell on it. Everything is neatly organized into projects, templates and staff.
Powershell
There will be three files here. Why PowerShell? You can pick any tool for generating configs, whichever is most convenient for you. In this case everyone runs Windows on their PC, so why use Bash when PowerShell is more convenient? It's a matter of preference.
The script itself (simple and clear):

    [cmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPADDRESS,
        [Parameter(Mandatory=$true)] [string]$EXTERNALIPROUTE,
        [Parameter(Mandatory=$true)] [string]$BWorknets,
        [Parameter(Mandatory=$true)] [string]$CWorknets,
        [Parameter(Mandatory=$true)] [string]$BVoipNets,
        [Parameter(Mandatory=$true)] [string]$CVoipNets,
        [Parameter(Mandatory=$true)] [string]$CClientss,
        [Parameter(Mandatory=$true)] [string]$BVPNWORKs,
        [Parameter(Mandatory=$true)] [string]$CVPNWORKs,
        [Parameter(Mandatory=$true)] [string]$BVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$cVPNCLIENTSs,
        [Parameter(Mandatory=$true)] [string]$NAMEROUTER,
        [Parameter(Mandatory=$true)] [string]$ServerCertificates,
        [Parameter(Mandatory=$true)] [string]$infile,
        [Parameter(Mandatory=$true)] [string]$outfile
    )
    # Read the template and replace each placeholder token with the value given on the command line.
    Get-Content $infile | Foreach-Object {$_.Replace("EXTERNIP", $EXTERNALIPADDRESS)} |
    Foreach-Object {$_.Replace("EXTROUTE", $EXTERNALIPROUTE)} |
    Foreach-Object {$_.Replace("BWorknet", $BWorknets)} |
    Foreach-Object {$_.Replace("CWorknet", $CWorknets)} |
    Foreach-Object {$_.Replace("BVoipNet", $BVoipNets)} |
    Foreach-Object {$_.Replace("CVoipNet", $CVoipNets)} |
    Foreach-Object {$_.Replace("CClients", $CClientss)} |
    Foreach-Object {$_.Replace("BVPNWORK", $BVPNWORKs)} |
    Foreach-Object {$_.Replace("CVPNWORK", $CVPNWORKs)} |
    Foreach-Object {$_.Replace("BVPNCLIENTS", $BVPNCLIENTSs)} |
    Foreach-Object {$_.Replace("CVPNCLIENTS", $cVPNCLIENTSs)} |
    Foreach-Object {$_.Replace("MYNAMERROUTER", $NAMEROUTER)} |
    Foreach-Object {$_.Replace("ServerCertificate", $ServerCertificates)} | Set-Content $outfile
Forgive me, I can't explain every rule; it would take too long. You can build your own rules by following the best practices.
For example, here is the list of links I followed:
- Securing_Your_Router
- IP/Firewall/Filter
- OSPF example
- Winbox
- Upgrading_RouterOS
- IP/Fasttrack: keep in mind that when fasttrack is enabled, prioritization and the rule settings don't work; it is useful for weak devices.
Standard notation for the variables. The following networks are taken as an example:
- 192.168.0.0/24 work network
- 172.22.4.0/24 VOIP network
- 10.0.0.0/24 network for clients with no access to the local network
- 192.168.255.0/24 VPN network for large branches
- 172.19.255.0/24 VPN network for small sites
A network address consists of four decimal numbers, usually written A.B.C.D; the variables work on the same principle: if the script asks for B, then for the network 192.168.0.0/24 you enter 0, and for C, 0.
- $EXTERNALIPADDRESS - the dedicated address from the provider.
- $EXTERNALIPROUTE - the route to the network 0.0.0.0/0.
- $BWorknets - the work network; in our example this is 168.
- $CWorknets - the work network; in our example this is 0.
- $BVoipNets - the VOIP network; in our example 22.
- $CVoipNets - the VOIP network; in our example 4.
- $CClientss - the client network, internet access only; in our case 0.
- $BVPNWORKs - the VPN network for large branches; in our example 20.
- $CVPNWORKs - the VPN network for large branches; in our example 255.
- $BVPNCLIENTSs - the VPN network for small branches, here 19.
- $cVPNCLIENTSs - the VPN network for small branches, here 255.
- $NAMEROUTER - the router's name.
- $ServerCertificates - the name of the certificate you imported earlier.
- $infile - the path to the file from which the config template is read, e.g. D:\config.txt (ideally a path in Latin characters without quotes or spaces).
- $outfile - the path where the result is saved, e.g. D:\MT-test.txt.
I deliberately changed the addresses in the examples, for obvious reasons.
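Added example, not the author's script: the PowerShell above does plain text replacement and accepts whatever is typed in, so an octet of 256, a gateway that isn't an address, or a router name with a quote in it only shows up when the generated config is pasted into the router. The Python below renders a constructed template fragment that uses the same placeholder names (EXTERNIP, EXTROUTE, BWorknet, MYNAMERROUTER, ServerCertificate and so on) but validates every octet, the external address and gateway, and the names before rendering, substitutes in a single pass so that a substituted value is never rescanned, and reports any placeholder that survived in the output. The template lines, SAMPLE_VALUES, interface names and certificate name are all constructed for the example and are not the author's config.

```python
import ipaddress
import re

# Placeholder tokens used by the author's template, grouped by how to validate them.
OCTET_PLACEHOLDERS = [
    "BWorknet", "CWorknet", "BVoipNet", "CVoipNet", "CClients",
    "BVPNWORK", "CVPNWORK", "BVPNCLIENTS", "CVPNCLIENTS",
]
OTHER_PLACEHOLDERS = ["EXTERNIP", "EXTROUTE", "MYNAMERROUTER", "ServerCertificate"]
ALL_PLACEHOLDERS = OCTET_PLACEHOLDERS + OTHER_PLACEHOLDERS

# Longest names first so the alternation never matches a shorter token inside a longer one.
_PLACEHOLDER_RE = re.compile(
    "|".join(re.escape(p) for p in sorted(ALL_PLACEHOLDERS, key=len, reverse=True))
)
_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# Constructed template fragment (the real template is a full router config).
TEMPLATE = """\
/system identity set name=MYNAMERROUTER
/ip address add address=192.BWorknet.CWorknet.1/24 interface=bridge-work
/ip address add address=172.BVoipNet.CVoipNet.1/24 interface=bridge-voip
/ip address add address=10.0.CClients.1/24 interface=bridge-clients
/ip address add address=EXTERNIP interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=EXTROUTE
/ip firewall address-list add address=172.BVPNCLIENTS.CVPNCLIENTS.0/24 list=vpn_clients
/ip service set api-ssl certificate=ServerCertificate
"""

# Constructed answers, matching the example networks in the text.
SAMPLE_VALUES = {
    "EXTERNIP": "198.51.100.5/30",      # constructed provider address
    "EXTROUTE": "198.51.100.6",         # constructed provider gateway
    "BWorknet": "168", "CWorknet": "0",
    "BVoipNet": "22", "CVoipNet": "4",
    "CClients": "0",
    "BVPNWORK": "20", "CVPNWORK": "255",
    "BVPNCLIENTS": "19", "CVPNCLIENTS": "255",
    "MYNAMERROUTER": "MT-test-01",
    "ServerCertificate": "server-cert",  # placeholder for the imported certificate name
}


def validate_values(values):
    """Return a validated copy of the answers; raise ValueError on anything a router would reject."""
    missing = [p for p in ALL_PLACEHOLDERS if p not in values]
    if missing:
        raise ValueError(f"missing values for {missing}")
    out = {}
    for name in OCTET_PLACEHOLDERS:
        raw = str(values[name]).strip()
        if not raw.isdigit() or not 0 <= int(raw) <= 255:
            raise ValueError(f"{name}={raw!r} is not an octet in 0..255")
        out[name] = str(int(raw))
    # The external address carries its prefix length; the default gateway is a bare address.
    out["EXTERNIP"] = str(ipaddress.ip_interface(values["EXTERNIP"]))
    out["EXTROUTE"] = str(ipaddress.ip_address(values["EXTROUTE"]))
    for name in ("MYNAMERROUTER", "ServerCertificate"):
        raw = str(values[name]).strip()
        if not _NAME_RE.match(raw):
            raise ValueError(f"{name}={raw!r} contains characters that would break the CLI line")
        out[name] = raw
    return out


def render(template, values):
    """Single-pass substitution: a value that has been substituted is never scanned again."""
    checked = validate_values(values)
    return _PLACEHOLDER_RE.sub(lambda m: checked[m.group(0)], template)


def leftover_placeholders(rendered):
    """Tokens that survived rendering, e.g. because of a typo in the template."""
    return sorted(set(_PLACEHOLDER_RE.findall(rendered)))


def check_addresses(rendered):
    """Every address= on an /ip address line must parse as an interface address."""
    bad = []
    for line in rendered.splitlines():
        if line.startswith("/ip address add"):
            m = re.search(r"address=(\S+)", line)
            try:
                ipaddress.ip_interface(m.group(1))
            except (AttributeError, ValueError):
                bad.append(line)
    return bad


if __name__ == "__main__":
    output = render(TEMPLATE, SAMPLE_VALUES)
    print(output)
    print("leftover:", leftover_placeholders(output), "bad:", check_addresses(output))
```

The same checks can be bolted onto the PowerShell version as a validation step before the Get-Content pipeline; the point is that a generated config is rejected on the operator's PC rather than half-applied on a router 500 km away.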
I haven't touched on attack detection and anomalous behaviour; that deserves a separate article. Still, it's worth noting that this stack can use monitoring data from Zabbix and data obtained from elasticsearch via curl.
What you should pay attention to:
- The addressing plan. It's best to keep it in a form that can be read at a glance; Excel is enough. Unfortunately, I usually see networks designed on the principle of "a new branch opened, here's a /24". Nobody works out how many devices the site needs and whether it will grow. For example, if a small shop opens, it's obvious from the start that it won't have more than 10 devices, so why allocate a /24? With larger branches it's the other way round: they get a /24 and end up with 500 devices. You can always add a network, but it's better to think everything through from the start.
- Filtering rules. If the project involves network isolation and segmentation, note that best practices change over time. PC networks and printer networks used to be separated, and today keeping those networks separate is accepted practice. It's important to apply common sense: avoid creating lots of subnets nobody needs, and avoid lumping every device into one network.
- "Hot" configuration sections on every router. That is, once you've settled on an addressing plan, it's worth preparing in advance and trying to make every configuration section identical, with only the address lists and IP addresses differing. If a problem comes up, troubleshooting will be faster.
- Organizational points matter even more than the technical ones. Lazy staff often follow these instructions by hand, without using the prepared configs and scripts, which eventually produces problems nobody can trace.
For dynamic routing, OSPF with division into areas was used. But that was an experiment; setting such things up in production is more interesting.
I hope no one is upset that I didn't publish the router configs. I think the links are enough, and everything depends on what needs to be done. And of course, testing is required; more testing.
I hope everyone completes their tasks in the new year. Good luck to all!!!
Source: www.hab.com
