What is the best way to merge branches?
Colleagues! Comrades! After reading a ton of documentation, I can’t figure out for myself how to do the following task correctly.
There is a central office (CO) and 30 branches. The task is to combine these branches into one visibility zone, so that each Mikrotik sees the subnets of the other Mikrotiks.
The solution, as I understand it for myself, is:
- combine them all into one subnet via VPN;
- set up OSPF dynamic routing.
Right now everything works through IPSec and there is a connection between the branches and the CO. But naturally there is no connection between the branches themselves. How do I do it right? (In general, it all started because of VoIP traffic, since RTP works, but the voice does not go, since everything should be on the same network.)
Thanks to all!
Here is the full answer for people looking for the answer to the same question as me.
In the current structure, I got a star topology, in which the core is a Cisco 2811 and the spokes are Mikrotik RB951s. Yes, of course, a fully connected topology is better, but it will turn out to be hellish in terms of administration: there are 30 tunnels on each Mikrotik :). If you want full connectivity, then Cisco DMVPN is best (but expensive, although it works beautifully and clearly).
1. We make GRE tunnels.
2. Set up IPSec in TRANSPORT mode.
3. Then we bring up OSPF so that the Cisco exchanges routes with the Mikrotiks through the tunnels.
In this combination, it worked for me. There is no limit to joy) Of course, the settings there are still far from ideal, but it is a beginning. I'll write back later when everything works in production.
PS: launched into production today. Everything is great and working. The sound goes between the phones, which was originally the task. GRE over IPSec works in TRANSPORT mode. NAT-Traversal (that is, three points are behind NAT) also works. Routing is through OSPF. Of course, the only negative is the central router in the central office; perhaps in the future it will somehow be possible to get rid of the weak spot. Thanks to all!!!
If you want it easier and decentralized (so that there is no central link that can drop the entire network), then do GRE tunnels with IPSec between each Mikrotik. It sets up very quickly and works reliably. The most important thing is to set the correct MTU and MSS.
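The MTU and MSS remark above, worked through for GRE over IPSec in transport mode with and without NAT-Traversal. This is an added example, not code from either answer. It assumes IPv4, a 1500-byte link MTU and a 4-byte GRE header without a key, and the two ESP suites are assumed because the thread does not say which proposal the tunnels use.

```python
from dataclasses import dataclass

# Fixed header sizes in bytes (IPv4 without options, GRE without key/checksum).
IPV4, UDP_NATT, ESP_HDR, ESP_TRAILER, GRE, TCP = 20, 8, 8, 2, 4, 20

@dataclass(frozen=True)
class EspSuite:
    iv: int     # IV carried in every ESP packet
    block: int  # alignment the encrypted part is padded to
    icv: int    # integrity tag appended to every packet

# Assumed suites; the thread does not name the IPSec proposal in use.
AES_CBC_SHA1 = EspSuite(iv=16, block=16, icv=12)
AES_GCM_16 = EspSuite(iv=8, block=4, icv=16)

def _outer(nat_t):
    """Outer IPv4 header, optional UDP/4500 NAT-T header, ESP SPI + sequence."""
    return IPV4 + (UDP_NATT if nat_t else 0) + ESP_HDR

def wire_size(inner_len, suite, nat_t=False):
    """Bytes on the wire for one inner IP packet sent GRE over ESP transport."""
    clear = GRE + inner_len + ESP_TRAILER            # what ESP encrypts
    padded = -(-clear // suite.block) * suite.block  # round up to the block size
    return _outer(nat_t) + suite.iv + padded + suite.icv

def tunnel_mtu(link_mtu, suite, nat_t=False):
    """Largest inner IP packet that crosses the tunnel without fragmentation."""
    room = link_mtu - _outer(nat_t) - suite.iv - suite.icv
    room -= room % suite.block                       # padding can only round up
    return room - ESP_TRAILER - GRE

def tcp_mss(mtu):
    """MSS to clamp TCP SYNs to for a given tunnel MTU."""
    return mtu - IPV4 - TCP

def plan(link_mtu, suite, nat_t=False):
    mtu = tunnel_mtu(link_mtu, suite, nat_t)
    return {"gre_mtu": mtu, "tcp_mss": tcp_mss(mtu),
            "wire_bytes": wire_size(mtu, suite, nat_t)}

if __name__ == "__main__":
    # Constructed scenarios: a branch with a public address and one behind NAT.
    for label, nat in (("public branch", False), ("branch behind NAT", True)):
        print(label, plan(1500, AES_CBC_SHA1, nat))
```

Use the smallest `gre_mtu` among all sites as the tunnel MTU on both ends, since the branches behind NAT pay 8 more bytes per packet than the others.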