Simulation Design and Experiment of an Enterprise Wireless Network Based on eNSP

Introduction to the article: This article uses Huawei eNSP to plan an enterprise network and simulate its wireless scenario. The complete device configuration commands are attached. The attachment is the eNSP project; if needed you can download it and contact the author for after-sales support, and modify it to suit your own requirements.

About the author: Senior network engineer. I hope to meet more friends to exchange ideas with; you can send a private message or reach me on QQ ("Penguin") number: 3121200538

Search on Xianyu for "the siege lion who can't run away"; on Bilibili: "the siege lion who can't run away". Everyone is welcome to get in touch!

1. Project background

1.1 Enterprise Background

Longfor Network Technology Co., Ltd. was founded in Chongqing in 2022. Its business covers network technology services, network technology consulting, computer hardware installation, network security assessment and network training services; it also actively develops vocational education, has established in-depth school-enterprise cooperation with colleges and universities, and works in innovative technology fields to build the future. At present its business has reached more than 100 colleges and universities across the country.

As the customer's business grows, its number of business sites keeps increasing, and a new enterprise network will be built in the future. To keep the company's current business systems running stably and to support the development of new business, we have drawn up the following network construction plan based on the problems and requirements above.

1.2 Design goals of the overall network of Longfor Network Technology Co., Ltd.

(1) High availability

For the overall production network of Longfor Network Technology Co., Ltd., high availability is the basic goal of the network design. High availability means, on the one hand, that the time during which an equipment failure makes the network unavailable must be extremely short, and on the other hand that the network can carry every kind of data transmission without unacceptable response times caused by performance degradation.

To achieve high availability, the network design should combine advanced technology with existing mature technology and fully consider both the current state of network applications and their future development. The design will use highly reliable network products and complete network backup strategies to meet the reliability requirements, for example Cisco's industry-first VSS virtual switch technology and the vPC virtualization technology commonly used on N7K equipment. Different levels of equipment and links get different levels of reliability design: dual-line access, link bundling and aggregation, and routing redundancy give the network the ability to heal itself after a fault. Reliability design covers not only the reliability of the physical design, such as the network equipment, but also the reliability of the logical design, such as routing.

(2) Scalability

Besides meeting current needs, the network structure should be easy to expand so that it can support more users and applications as the scale of user applications grows; and as network technology keeps developing, the network must be able to transition stably to new technology and equipment. To protect the user's investment, during a future network upgrade or reinvestment the existing equipment can be upgraded and expanded at any time by adding network devices or modules, and replaced equipment can be reused in branch or edge networks. The smooth convergence of future network upgrades should be fully considered to ensure backward compatibility of the network communication media and the core of the network design.

(3) High security

The special nature of production-oriented business means that network security is of great significance to the enterprise's overall network. The network design adopts the security design idea of an integrated self-defending network system, so as to fully guarantee high security for network access at every part of the network: the core backbone, the aggregation layer and the edge access layer.

(4) Manageability and monitorability

Good organization and management are of great help to the normal operation and efficient use of the network. The network should provide convenient, flexible and powerful tools for centralized, effective management and control. In addition, a good monitoring mechanism, especially an automated one, makes real-time monitoring of the network possible and delivers clear, effective alarms in a timely manner. Convenient monitoring, a good management interface and complete system records therefore allow administrators to carry out management and maintenance tasks such as detection, modification and fault recovery on the network system without interrupting its operation.

(5) High performance and application optimization

Adopt internationally leading network products and related technologies, support the rich set of network application protocols used in the industry, support existing services and the new services added in the future, make full use of existing links and hardware resources, and make reasonable optimization adjustments to ensure effective utilization of WAN bandwidth. This guarantees reliable transmission and service quality for every business on the backbone network, ensures balanced utilization of data center resources, and meets the needs of the enterprise's overall network as its business develops rapidly in the future.

2. Network Design Scheme and Related Technologies

2.1 Network topology:


2.2 VLAN planning/IP planning

| Device   | VLAN / Interface | IP address       | Description             |
|----------|------------------|------------------|-------------------------|
| HX1      | VLAN 10          | 10.10.10.253/24  | Business                |
| HX1      | VLAN 20          | 10.10.20.253/24  | Business                |
| HX1      | VLAN 30          | 10.10.30.253/24  | Business                |
| HX1      | VLAN 40          | 10.10.40.253/24  | Business                |
| HX1      | VLAN 50          | 10.10.50.253/24  | AP                      |
| HX1      | VLAN 60          | 10.10.60.253/24  | STA                     |
| HX1      | VLAN 11          | 10.1.1.1/30      | Connect to R1           |
| HX2      | VLAN 10          | 10.10.10.252/24  | Business                |
| HX2      | VLAN 20          | 10.10.20.252/24  | Business                |
| HX2      | VLAN 30          | 10.10.30.252/24  | Business                |
| HX2      | VLAN 40          | 10.10.40.252/24  | Business                |
| HX2      | VLAN 50          | 10.10.50.252/24  | AP                      |
| HX2      | VLAN 60          | 10.10.60.252/24  | STA                     |
| HX2      | VLAN 100         | 10.10.100.1/24   | Control center          |
| HX2      | VLAN 11          | 10.2.2.1/24      | Connect to R1           |
| R1       | G0/0/0           | 10.1.1.2/24      | Connect to HX1          |
| R1       | G0/0/1           | 10.2.2.2/24      | Connect to HX2          |
| R1       | G0/0/2           | 101.1.1.1/24     | Connect to the Internet |
| Internet | G0/0/0           | 101.1.1.2/24     | Connect to R1           |
| Internet | Loopback 0       | 8.8.8.8/32       | Internet                |

2.3 Spanning Tree Protocol

The basic principle of STP is to determine the network topology by exchanging a special protocol message, the Bridge Protocol Data Unit (BPDU), between switches. There are two types of BPDU: the Configuration BPDU and the TCN BPDU. The former is used to calculate a loop-free spanning tree; the latter is used to shorten the ageing time of MAC entries (from the default 300s to 15s) when the Layer 2 topology changes.

Spanning Tree Protocol (STP) is defined in IEEE 802.1D. The protocol builds the network topology as a tree, eliminating loops in the network and thereby avoiding the broadcast storms that loops cause.

The basic idea of STP is to arrange the network topology as a "tree". The root of the tree is a bridge device called the root bridge. The root bridge is determined by the Bridge ID (BID) of each switch or bridge: the device with the smallest BID becomes the root bridge of the Layer 2 network. The BID consists of the bridge priority and the MAC address; the number of bytes used for the bridge priority may differ between manufacturers. Starting from the root bridge, the tree is formed step by step. The root bridge periodically sends Configuration BPDUs; a non-root bridge that receives one refreshes its best BPDU and forwards it. The best BPDU here means the BPDU sent by the current root bridge. If an inferior BPDU is received (a newly connected device sends a BPDU, but its BID is larger than that of the current root bridge), the device receiving the inferior BPDU sends its own stored best BPDU to the newly connected device to tell it which bridge is the root of the current network; if the received BPDU is better, the spanning-tree topology is recalculated. When a non-root bridge has gone the maximum age (Max Age, 20s by default) without receiving the best BPDU, the port enters the listening state, and the device generates a TCN BPDU and forwards it out of its root port. The upstream device that receives the TCN BPDU on its designated port sends an acknowledgement and then sends the TCN BPDU on to its own upstream device. This continues up to the root bridge, which then sets a flag in the Configuration BPDUs it sends afterwards to indicate that the topology has changed; every device in the network that receives them shortens the ageing time of its MAC entries from 300s to 15s. The entire convergence time is about 50s.

2.4 VRRP protocol

VRRP is an election protocol that can dynamically assign responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router that controls the IP addresses of the virtual router is called the master router, and it forwards the packets sent to those virtual IP addresses. This election process provides dynamic failover should the master router become unavailable, which allows the virtual router's IP address to serve as the default first-hop router for end hosts. It is a backup protocol for LAN access devices: every host on a LAN is configured with a default gateway, so packets whose destination address is not on the local segment are sent through the default gateway to the Layer 3 switch, which provides communication between the hosts and external networks.

VRRP is a fault-tolerant routing protocol, also called a backup routing protocol. Every host on a LAN is configured with a default route; when a host sends to a destination address that is not on the local segment, the packet goes to the external router via the default route, providing communication between the host and the external network. When the default router goes down (that is, its port is closed), the internal hosts can no longer communicate with the outside. If the routers are configured with VRRP, the virtual router brings the backup router into service at that moment so that network-wide communication continues.

The VRRP protocol has two important pairs of concepts: VRRP routers and virtual routers, and master routers and backup routers. A VRRP router is a router running VRRP, a physical entity; a virtual router is a logical concept created by the VRRP protocol. A group of VRRP routers works together to form one virtual router, which appears externally as a logical router with a unique, fixed IP address and MAC address. Routers in the same VRRP group take one of two mutually exclusive roles: master or backup. A VRRP group has exactly one router in the master role and one or more routers in the backup role. The VRRP protocol elects one router from the group as the master, which answers ARP requests and forwards IP packets; the other routers in the group act as backups and stand by. When the master router fails for some reason, one of the backup routers is promoted to master after a brief delay. Because the switchover is very fast and neither the IP address nor the MAC address changes, it is transparent to the end-user systems.

| Device | VLAN ID | Priority | State  | Virtual IP       |
|--------|---------|----------|--------|------------------|
| HX1    | VLAN 10 | 120      | Master | 10.10.10.254/24  |
| HX1    | VLAN 20 | 120      | Master | 10.10.20.254/24  |
| HX1    | VLAN 30 | 100      | Backup | 10.10.30.254/24  |
| HX1    | VLAN 40 | 100      | Backup | 10.10.40.254/24  |
| HX1    | VLAN 50 | 120      | Master | 10.10.50.254/24  |
| HX1    | VLAN 60 | 120      | Master | 10.10.60.254/24  |
| HX2    | VLAN 10 | 100      | Backup | 10.10.10.254/24  |
| HX2    | VLAN 20 | 100      | Backup | 10.10.20.254/24  |
| HX2    | VLAN 30 | 120      | Master | 10.10.30.254/24  |
| HX2    | VLAN 40 | 120      | Master | 10.10.40.254/24  |
| HX2    | VLAN 50 | 100      | Backup | 10.10.50.254/24  |
| HX2    | VLAN 60 | 100      | Backup | 10.10.60.254/24  |
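The VRRP plan above splits the VLANs between HX1 and HX2 by priority so that both core switches carry traffic while each backs the other up. The following Python model is an added example, not part of the original article or the eNSP project: it takes the priorities and interface addresses from the two planning tables, elects a master per VLAN, and shows what happens to each virtual gateway when HX1 goes down and comes back. It assumes preempt mode (the default) and the standard tie-break of higher interface IP on equal priority.

```python
import ipaddress
from dataclasses import dataclass, field

# VRRP plan copied from the table above: device -> {VLAN: priority}.
PLAN = {
    "HX1": {10: 120, 20: 120, 30: 100, 40: 100, 50: 120, 60: 120},
    "HX2": {10: 100, 20: 100, 30: 120, 40: 120, 50: 100, 60: 100},
}
# Real interface address of each device in a VLAN (planning table: HX1 .253, HX2 .252).
LAST_OCTET = {"HX1": 253, "HX2": 252}


def interface_ip(device: str, vlan: int) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(f"10.10.{vlan}.{LAST_OCTET[device]}")


@dataclass
class VrrpGroup:
    vlan: int
    vip: str                  # virtual IP the hosts use as their gateway
    priorities: dict          # device -> configured priority
    alive: set = field(default_factory=set)

    def master(self):
        """Election rule: highest priority among live members wins; on equal
        priority the higher interface IP wins. Assumes preempt mode."""
        live = [d for d in self.priorities if d in self.alive]
        if not live:
            return None
        return max(live, key=lambda d: (self.priorities[d], interface_ip(d, self.vlan)))


def build_groups(plan: dict) -> dict:
    """One VRRP group per VLAN, virtual IP 10.10.<vlan>.254 as in the table."""
    groups = {}
    for device, vlans in plan.items():
        for vlan, prio in vlans.items():
            g = groups.setdefault(vlan, VrrpGroup(vlan, f"10.10.{vlan}.254", {}))
            g.priorities[device] = prio
            g.alive.add(device)
    return groups


def gateways(groups: dict) -> dict:
    """VLAN -> (virtual IP the hosts use, device currently answering for it)."""
    return {v: (g.vip, g.master()) for v, g in sorted(groups.items())}


def set_state(groups: dict, device: str, up: bool) -> None:
    """Simulate a device failing (up=False) or recovering (up=True) in every group."""
    for g in groups.values():
        (g.alive.add if up else g.alive.discard)(device)
```

Hosts never see the switch of master: the virtual IP in the result stays the same while the answering device changes.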

2.5 Routing protocol (OSPF)

Open Shortest Path First (OSPF) is a widely used dynamic routing protocol. It is a link-state routing protocol, and its advantages include fast convergence after routing changes, freedom from routing loops, support for variable-length subnet masks (VLSM) and summarization, and hierarchical division into areas. Once OSPF is running in the network, most routes are calculated and generated by the protocol itself with no manual configuration by the network administrator. When the network topology changes, the protocol automatically recalculates and corrects routes, which greatly simplifies network management. However, if it is not matched to the specific network application environment and is not planned carefully, the benefit of OSPF will be greatly reduced and it may even cause failures.

OSPF is a link-state protocol. Each router discovers and maintains relationships with its neighbours, describes its known neighbour list and link costs in LSU (Link State Update) packets, and exchanges them periodically with the other routers in the autonomous system (AS) through reliable flooding, so that it learns the network topology of the whole AS; routing information from other ASes is injected by the routers at the AS boundary, which yields routing information for the whole Internet. At fixed intervals, or whenever a link state changes, a new LSA is generated and the router advertises it through the flooding mechanism, so that routes are updated in real time.

2.6 Operations and management

The Telnet protocol is a member of the TCP/IP protocol family and is the standard protocol and main method for remote login services on the Internet. It gives users the ability to do work on a remote host from their local computer. The user runs a telnet program on their own computer and uses it to connect to the server; commands typed into the telnet program are executed on the server just as if they had been typed at the server's console, so the server can be controlled from the local machine. To start a telnet session, a username and password must be entered to log in to the server.

Telnet was originally developed on ARPANET and is now mainly used for Internet sessions; its basic function is to allow a user to log in to a remote host system. With Telnet we can sit at our own computer and log in over the Internet to another, remote computer, which may be in the next room or on the other side of the planet. Once logged in, the local computer is equivalent to a terminal of the remote computer: we operate the remote computer directly from our own machine, with the same operating privileges as a local terminal of that computer. Telnet's main use is to reach information resources on the remote computer that the local computer lacks; if the main purpose is to transfer files between the local and the remote computer, FTP is faster and more effective by comparison.

Interaction process: when we log in to a remote computer system with Telnet, two programs are in fact started: a Telnet client program running on the local host, and a Telnet server program running on the remote computer being logged in to. The Telnet client on the local host mainly does the following: establishes a TCP connection to the remote server; accepts characters typed on the local keyboard; converts the input string to a standard format and sends it to the remote server; receives output from the remote server; and displays that output on the local screen. The service program on the remote host, usually nicknamed the daemon, waits quietly on the remote host; as soon as it receives a request from a local host it springs into action and does the following: informs the local host that the remote host is ready; waits for the local host to enter commands; responds to the local host's commands (for example displaying directory contents or executing a program); sends the results of the command back to the local computer for display; and waits again for the next command from the local host.

On the Internet, many services use this kind of client/server structure. For the user, it is usually enough to understand the client program.

2.7 NAT (Network Address Translation)

In computer networks, Network Address Translation (NAT), also called network masquerading or IP masquerading, is a technique for rewriting the source or destination IP address of IP packets as they pass through a router or firewall. It is commonly used in private networks that have many hosts but access the Internet through a single public IP address. It is a convenient and widely used technique. Of course, NAT also complicates communication between hosts and lowers communication efficiency.

The full English name of NAT is "Network Address Translation". It is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet with a single public IP (Internet Protocol) address. As the name suggests, it is a technique that translates internal private network addresses (IP addresses) into legitimate network IP addresses.

In a network without NAT, suppose each access subnet needs a /24 block of IP addresses and must also be able to connect outward; the outward-facing router would then have to reserve or apply for at least 1000 external IPs. With NAT, the access subnets can use private IPs; for outward connections the router binds the relationship between the private IP and the external IP and rewrites the addresses in the transmitted IP packets, so only 255 external IPs are needed to satisfy the outward connection needs of the internal access subnets.

In the mid-1990s, NAT became popular as a way to address the shortage of IPv4 addresses and avoid the difficulty of reserving IP addresses. Network address translation is widely used in many countries, so NAT has become a standard feature of routers for home and small-office network connections, for which the cost of applying for independent IP addresses outweighs the benefit.

In a typical configuration, a local network uses a designated subnet of a private address space (such as 192.168.x.x or 10.x.x.x) and a router connected to that network. The router occupies one private address in that address space (such as 192.168.0.1) and at the same time connects to the Internet through one or more public IP addresses provided by an Internet service provider (so-called "overloaded" NAT). When traffic passes from the local network to the Internet, the source address is translated from the private address to the public address. The router tracks basic data about each connection, mainly the destination address and port. When a reply returns to the router, it uses the connection-tracking data recorded during the outbound phase to decide which internal host to forward it to; where several public addresses are available, the TCP or UDP client port number can be used to demultiplex the returned packets. For communication on the Internet, the router itself acts as the source and the destination.

A popular view on the Internet holds that widespread adoption of IPv6 will make NAT unnecessary, since NAT is merely a way of dealing with the shortage of IPv4 address space.
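The connection tracking described above (remember destination address and port on the way out, use the public port to find the inside host on the way back) is what lets R1's single public address 101.1.1.1 serve every business VLAN. The Python model below is an added example, not code from the article or the eNSP project; it uses the plan's addresses (R1's public side 101.1.1.1, the Internet loopback 8.8.8.8) with constructed traffic, and shows both the port-overloading translation and the fact that an inbound packet with no tracking entry is dropped.

```python
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


class Napt:
    """Port-overloading NAT on the outside interface of a router.

    Every inside flow is rewritten to the one public address plus a unique
    public port; a tracking entry keyed on (proto, public port, remote address,
    remote port) maps replies back. Inbound packets with no entry are dropped."""

    def __init__(self, public_ip: str, first_port: int = 10240):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)      # simplistic port allocator
        self.outbound_map = {}  # (proto, src, sport, dst, dport) -> public port
        self.tracking = {}      # (proto, public port, dst, dport) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source, creating a mapping on first use."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.outbound_map:
            port = next(self._ports)
            self.outbound_map[key] = port
            self.tracking[(pkt.proto, port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """Internet -> inside: only packets matching a tracking entry get through."""
        if pkt.dst != self.public_ip:
            return None
        entry = self.tracking.get((pkt.proto, pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None                 # unsolicited: no inside host to deliver to
        inside_ip, inside_port = entry
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port, pkt.proto)


# Constructed traffic: two business hosts that happen to pick the same source port
# both resolve DNS at the Internet loopback 8.8.8.8 through R1 (101.1.1.1).
nat = Napt("101.1.1.1")
out_a = nat.outbound(Packet("10.10.10.10", 40000, "8.8.8.8", 53))
out_b = nat.outbound(Packet("10.10.20.10", 40000, "8.8.8.8", 53))
reply_a = nat.inbound(Packet("8.8.8.8", 53, "101.1.1.1", out_a.sport))
reply_b = nat.inbound(Packet("8.8.8.8", 53, "101.1.1.1", out_b.sport))
probe = nat.inbound(Packet("8.8.8.8", 53, "101.1.1.1", 40000))  # nobody asked for this
```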

2.8 Wireless technology

A wireless network is a network that interconnects communication devices without cabling. Wireless networking technologies range from global voice and data networks that let users establish long-distance wireless connections to infrared and radio-frequency technologies optimized for short-range wireless links. By coverage, wireless networks are divided into wireless wide area networks (WWAN: Wireless Wide Area Network), wireless local area networks (WLAN: Wireless Local Area Network), wireless metropolitan area networks (WMAN: Wireless Metropolitan Area Network) and wireless personal area networks (WPAN: Wireless Personal Area Network).

| VLAN ID | Use        | IP            | SSID | Security |
|---------|------------|---------------|------|----------|
| VLAN 50 | Manage APs | 10.10.50.0/24 | Wifi | 12345678 |
| VLAN 50 | User VLAN  | 10.10.60.0/24 | Wifi | 12345678 |

3. Network configuration and debugging

1. VLAN division

Core switch 1 (HX1)

2. Spanning tree protocol configuration

Core switch 1 (HX1)

3. VRRP configuration


Core switch 1 (HX1)


4. Configure OSPF routing

Core switch 1 (HX1)

5. Configure Telnet remote login with login authentication, and control Telnet access (only the management router is allowed to log in)

Core switch 1 (HX1)
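The access restriction in step 5 is normally done with a basic ACL bound inbound on the VTY lines, and the usual mistake is a wildcard mask that is wider than the management subnet. The Python model below is an added example, not the author's configuration or eNSP output: it evaluates Huawei-style wildcard-mask rules in rule-ID order and includes an audit helper that flags a permit rule admitting sources outside the intended network. It assumes the management center is the VLAN 100 network 10.10.100.0/24 from the planning table, an ACL numbered 2000 with a single rule 5, and that sources matching no rule are denied.

```python
import ipaddress


def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask match as used in VRP ACL rules: a 0 bit in the
    wildcard must match the base, a 1 bit is ignored."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(addr) & care) == (_i(base) & care)


class BasicAcl:
    """Basic ACL (2000-2999) evaluated in ascending rule-ID order.
    Assumption: a source that matches no rule is denied (no login)."""

    def __init__(self, number: int):
        self.number = number
        self.rules = []  # (rule_id, action, source, wildcard)

    def rule(self, rule_id: int, action: str, source: str, wildcard: str = "0.0.0.0"):
        self.rules.append((rule_id, action, source, wildcard))
        self.rules.sort()

    def decide(self, src: str):
        """Return (action, matching rule id) for a connecting source address."""
        for rule_id, action, source, wildcard in self.rules:
            if wildcard_match(src, source, wildcard):
                return action, rule_id
        return "deny", None


def permits_outside(acl: BasicAcl, allowed: str) -> list:
    """Audit helper: IDs of permit rules that can match a source outside
    the intended management network (wildcard bits in the network part,
    or a base address that is not inside the network)."""
    net = ipaddress.IPv4Network(allowed)
    bad = []
    for rule_id, action, source, wildcard in acl.rules:
        if action != "permit":
            continue
        if (_i(wildcard) & int(net.netmask)) or ipaddress.IPv4Address(source) not in net:
            bad.append(rule_id)
    return bad


# Constructed configuration, the model of "acl 2000 inbound" on "user-interface vty 0 4".
MANAGEMENT_NET = "10.10.100.0/24"      # VLAN 100 "control center" in the planning table
vty_acl = BasicAcl(2000)
vty_acl.rule(5, "permit", "10.10.100.0", "0.0.0.255")

# A loose variant the audit should flag: this wildcard also admits every 10.10.x.x host.
loose_acl = BasicAcl(2001)
loose_acl.rule(5, "permit", "10.10.100.0", "0.0.255.255")
```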

6. NAT configuration

Router (R1)



7. Wireless WLAN configuration

Wireless Controller (AC)

8. Link aggregation

Core switch 1 (HX1)


4. Experimental results test and screenshots

1. PC access to the Internet test

2. Wireless network access to the Internet test

3. Telnet remote login test: the management center logs in to R1, HX1 and HX2

4. NAT test


Origin: blog.csdn.net/WANGMH13/article/details/126103160