University network planning and design based on eNSP (complete document + eNSP topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles you will see my analysis and explanations of various programming languages, development tools and common problems. I will provide you with practical solutions and optimization techniques drawn from my actual project experience. I believe these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Summary

This topic takes the network planning and design of Guangxi Medical University as its research object and analyzes four aspects in a targeted way: the internal network, the external network, the server network and network security, so as to provide a reference for the specific content of campus network planning and design, related research and practical application. Campus network construction is the top priority in the information construction of colleges and universities. Starting from the campus network topology, network redundancy, local area network technology, wide area network technology and network security, this article plans and designs a high-speed, safe, reliable, controllable and manageable campus network with 10G cross-campus redundant links, Gigabit optical fiber to every building and 100M to the desktop. Based on a detailed demand analysis, the design is required to provide a fully functional, safe, stable and high-performance campus LAN for Guangxi Medical University; the network system to be built must provide safe, efficient, stable and reliable basic network services for the school's teachers and students and meet the various needs of school teaching and management. After the design is completed, a network system requirements analysis and detailed network system design instructions are provided, together with standardized logical topology diagrams, a virtual subnet division and address allocation plan, equipment selection and so on. A simulator is used to build a model network of the design to confirm its feasibility, and the configuration code of the main equipment is given to test the basic connectivity of the network.

Keywords: campus network, reliability, local area network

Abstract

This topic takes the network planning and design of Guangxi Medical University as its research object and analyzes the internal network, external network, server network and network security, so as to provide a reference for the specific content of campus network planning and design and for related research and practical application. The construction of the campus network is the most important part of information construction in colleges and universities. Starting from the campus network topology, network redundancy, LAN technology, WAN technology and network security, this paper plans and designs a high-speed, safe, reliable, controllable and manageable campus network with 10 Gigabit redundant links across the campus, gigabit optical fiber to all buildings and 100 Gigabit to the desktop. On the basis of a detailed demand analysis, the design must produce a functional, safe, stable and high-performance campus LAN for Guangxi Medical University. The network system to be built is required to provide safe, efficient, stable and reliable basic network services for the school's teachers and students, so as to meet the needs of school teaching and management. After the design is completed, the network system requirements analysis and a detailed network system design specification are given, along with the standard logical topology diagram, the virtual subnet division and address allocation scheme, equipment selection and so on. A simulator is used to build a model network to verify the feasibility of the design, and the configuration code of the main equipment is given to test the basic connectivity of the network.

Keywords: campus network, reliable, local area network

Table of contents

1. Introduction
1.1 Overview
1.2 Project background
1.3 Construction purpose
1.4 Main research contents
2. Demand analysis
2.1 User demand analysis
2.2 Network security requirements analysis
2.3 Analysis of network technology requirements
2.4 Environmental demand analysis
3. Overall planning and design
3.1 Network design planning
3.2 Network design principles
3.3 Comprehensive wiring rules
3.4 IP address and VLAN planning
3.5 Equipment selection
3.4.1 Core switch selection
3.4.2 Aggregation layer switch
3.4.3 Access layer switch
3.4.4 Firewall
3.6 Network topology diagram
4. Introduction to key technologies
4.1 VLAN technology
4.2 OSPF dynamic routing protocol
4.3 VRRP technology
4.4 STP spanning tree
5. Detailed design
5.1 VRRP+MSTP redundant configuration
5.2 DHCP configuration
5.3 OSPF configuration
5.4 IPv4 over IPv6 Tunnel
5.5 FW hot backup configuration
6. Test results
6.1 LAN interoperability test
6.2 DHCP test
6.4 OSPF test
6.5 HTTP service and DNS test
6.6 VRRP status and switching
6.7 IPV4 over IPV6 test
Summary
Acknowledgments
References

1. Introduction

1.1 Overview

With the advent of the information age, information networks in our country are in a stage of rapid development. As the forefront of education, schools provide an important learning environment for our country's future talents in every industry, so the scale and application level of the campus network are important components of a school's teaching environment and scientific research strength, and schools need high-quality network systems that provide stable and efficient services. Throughout its development, the campus network has provided a brand new network environment for teachers, students and researchers. With the rapid development of network technology in the new era, however, keeping up with the trend of network development requires the construction of a new generation of campus networks. The development of a large part of the campus networks in our country has not kept pace with the times and is still stuck in the technical thinking of the older generation; the computer facilities of many schools are not fully utilized, which wastes campus network resources. To avoid this unnecessary waste, improve the efficiency of campus network use, enhance the school's business level, follow the trend of the times, and facilitate the daily teaching and life of teachers and students as well as school management, building a new campus network has become necessary.

1.2 Project background

The school was founded on November 21, 1934 and is located in Nanning, the capital of the Guangxi Zhuang Autonomous Region. Formerly known as Guangxi Provincial Medical College, it moved to Guilin in 1940. Between its founding and the founding of New China, the school moved six times during the war and changed its name four times. After the founding of New China, it was renamed Guangxi Medical College in November 1949; in 1952 the Central Ministry of Health placed it under the direct leadership of the Central and Southern Ministry of Health; in April 1953 the Central Ministry of Health approved the name Guangxi Medical College; in July 1954 it moved back from Guilin to its current location in Nanning; and in May 1996 the Ministry of Education approved the name change to Guangxi Medical University. On May 25, 2020, the People's Government of the Autonomous Region and the National Health Commission officially signed the "Opinions of the National Health Commission and the People's Government of the Guangxi Zhuang Autonomous Region on the Joint Construction of Guangxi Medical University", and the school officially became the only higher medical school in Guangxi jointly built by the province and the ministry.

1.3 Construction purpose

With the advent of the information age, information networks in our country are in a stage of rapid development. As the forefront of education, schools provide an important learning environment for our country's future talents in every industry, so the scale and application level of the campus network are important components of a school's teaching environment and scientific research strength, and schools need high-quality network systems that provide stable and efficient services. At present, the development and construction of schools at home and abroad need to emphasize the technical conditions of networking. Planning and designing a campus network is conducive to sharing school information, teaching resources and so on, allowing schools to keep up with the development of the information age. Building a campus network is conducive to talent cultivation: it allows information-based quality education to penetrate students' daily learning, enhances students' hands-on and thinking skills in information technology, and keeps pace with the information age. Building a campus network helps raise the quality of school teaching, provides advanced teaching methods for education, and applies network technology to teaching to enrich teachers' methods. Building a campus network is the fundamental way to informatize basic education. A colorful, healthy and fresh campus network culture will become a new environment in which schools cultivate students' thinking, moral character and creative abilities, and a high-quality environment and new platform for all teachers and students to cultivate well-rounded talents.

1.4 Main research content

(1) Basic content

This design requires a detailed investigation of the network cabling areas of each building, each floor, and each classroom of Guangxi Medical University and an analysis of network requirements, so as to design a fully functional, safe, stable, and high-performance campus LAN for Guangxi Medical University. This design requires that the network system to be built can provide safe, efficient, stable and reliable basic network services for teachers and students of the school to meet various needs of school teaching and management.

(2) Expected design effect

After the design is completed, a network system requirement analysis and detailed network system design instructions will be provided, as well as a standardized logical topology diagram, virtual subnet division and address allocation plan, equipment selection and investment budget, etc. And use the simulator to build a model network of the design to confirm the feasibility of the design. At the same time, the configuration code of the main equipment is given to test the basic connectivity of the network.

2. Demand analysis

2.1 User needs analysis

Teachers: Most teachers want a smooth network when using the campus network; that is, when accessing the campus database on the intranet, uploading or downloading data should not lag. This calls for network equipment with high link bandwidth and good load capacity.

Students: The campus network is fast, ensuring smooth and stable Internet speed for daily Internet access.

Administrative staff: Administrative staff hope to be able to effectively monitor students' online content and online security, prevent data from being lost or damaged in the event of a power outage, and facilitate campus network management.

2.2 Network security needs analysis

A complete and feasible set of network security and network management policies should be established for the network: control the content of network service requests so that illegal access is rejected before it reaches the host; strengthen access authentication for legitimate users while restricting user access rights to the minimum; provide backup and disaster recovery, strengthen system backup and achieve rapid system recovery; strengthen network security management and give all system personnel security awareness and prevention techniques; prevent malicious attacks and destruction by intruders; and protect the confidentiality and integrity of user data during transmission over the network.

2.3 Analysis of network technology requirements

The overall requirements for Guangxi Medical University's network deployment are reliability, flexibility, stability and economy.

The network structure needs to be flexible and tolerant so that additional equipment and network nodes can be added as the school expands in the future; it must be economical, with the deployment method and architecture selection matched to the network conditions that campus personnel actually use for work and daily life. The equipment chosen must be reliable and stable: if the school's network is disconnected every few days, or suffers packet loss or slow speeds, the users' Internet experience is greatly affected. Therefore, double redundancy must be achieved both technically and physically to ensure the normal operation of the school's business.

2.4 Environmental demand analysis

Guangxi Medical University is located in Qingxiu District, Nanning City, and is a first-class university in Guangxi. The school headquarters covers an area of 710,000 square meters, of which the teaching and administrative space covers 210,000 square meters. There are currently more than 1,000 faculty and staff and more than 10,000 students. The main campus consists mainly of teaching buildings, a comprehensive building, dormitories, canteens and other buildings. The teaching buildings are divided into 3 high-rise teaching buildings and 9 ordinary teaching buildings: the Excellence Building has 21 floors, with classrooms, laboratories, offices, conference rooms, entrepreneurship bases and training centers; the Pharmacy Building has 18 floors, with classrooms, laboratories, offices and subsidiaries of the school; the clinical teaching building has 13 floors, equipped with classrooms, laboratories and offices; the general teaching buildings 101~109 have 3~5 floors each, equipped with classrooms, experiment rooms, offices and so on, with different uses; the school also has higher vocational teaching buildings, the international college and the graduate student building. There is one comprehensive building, used mainly for teaching and offices. The dormitory buildings are divided into male dormitories, female dormitories, graduate dormitories and international student dormitories, with differing numbers of floors: Male Building A has 4 floors with 17 dormitories on each floor, Male Building B has 5 floors with 16 dormitories on each floor, and Male Building C has 6 floors with 12 dormitories on each floor. There are 4 canteens.

3. Overall planning and design

3.1 Network design planning

In this scheme the old network architecture of Guangxi Medical University is restructured and part of the integrated wiring is transformed. The network topology used this time is a three-layer architecture, including high-end firewall equipment, Layer 3 switches, aggregation switches, access switches and so on. According to the standard structure of the network deployment plan, the campus network architecture is divided into the access layer, aggregation layer and core layer. To prevent problems with or interruption of existing network services during the transformation, it is carried out in a smooth and stable manner. To ensure the stability and security of the network during construction, the following related configurations are applied on the network equipment: virtual LANs (VLAN), port-channel redundancy, access control lists (ACL), and internal/external network address translation (NAT).

The new era of network information technology, network security technology and data redundancy backup technology has gradually been reflected in practice. As the network demands of campus content and the education network keep increasing, the Guangxi Medical University network needs to be built as a network that keeps pace with the times, with high availability and strong redundancy; only in this way will the campus network architecture be more secure and data leakage be prevented. In this article I combine the most advanced modern information technology, integrated wiring and so on to realize the design and implementation needs of the Guangxi Medical University campus network.

Today, when network technology is very developed, it is very important to build a campus with information security. Formulating a reasonable construction plan based on the campus's own situation is the most important step in campus information construction. Therefore, make reasonable use of network protocol strategies to build a stable, reliable, and high-performance campus network.

3.2 Network design principles

In the construction of the campus network we need not only to adopt internationally advanced technologies but also to ensure the security, reliability and practicality of the system, together with high performance and high bandwidth, and at the same time choose the overall network architecture on the principle of simple management. After internal analysis and discussion, the network architecture adopted is the three-layer hierarchical network design model of "core layer - aggregation layer - access layer".

1. Backbone network core layer: The core layer is the high-speed switching backbone and hub of the network. It is responsible for the connectivity of the entire network and completes data transmission between different networks, so it should offer reliability, efficiency, redundancy, fault tolerance and manageability. High-bandwidth, high-performance Gigabit or faster switches are therefore used, with dual-device redundant hot backup.

2. LAN aggregation access: aggregate user traffic from the access layer and perform aggregation, forwarding and switching of data packets; handle local routing, filtering, traffic balancing, QoS priority management, security mechanisms, IP address translation, traffic shaping, multicast management and so on; and forward user traffic to the core switching layer or route it locally according to the processing results.

3. Terminal access layer: The access layer provides working access to the local network and provides functions such as data aggregation and transmission. It mainly provides interfaces for end users to connect to the network, so the access layer equipment chooses ordinary switches with low cost and a large number of ports.

4. Building LAN design: Each building deploys aggregation switches and access switches, and divides network segments according to the building to achieve network isolation and ensure security.

5. Internet access layer: The Internet realizes communication through optical fiber access of telecom operators. Internet access equipment is mainly used for address translation and external operator line access for intranet access. It can also block some intranet addresses and illegal IPs on the external network. It mainly plays a connecting role with the Internet.

3.3 Comprehensive wiring rules

The integrated wiring system and the wiring of the information network system, security technology prevention system, building equipment monitoring system, etc. shall be planned and designed simultaneously, and the design shall be reasonably optimized according to the information transmission requirements of each system.

In the engineering design of integrated wiring systems, finalized products that have issued qualified inspection reports and comply with relevant national technical requirements should be selected.

In addition to complying with this specification, the engineering design of the integrated wiring system should also comply with the relevant national standards.

Figure 3-1 Schematic diagram of integrated wiring system

1. An independent area where terminal equipment (TE) needs to be set up should be divided into a work area. The work area should include the information socket module (TO), connecting cables and adapters at the terminal equipment.

2. The wiring subsystem should be composed of the information socket module in the work area, the horizontal cable from the information socket module to the telecommunications room wiring equipment (FD), the telecommunications room wiring equipment, equipment cables and jumpers, etc.

3. The trunk subsystem shall consist of trunk cables from the equipment room to the telecommunications room, building wiring equipment (BD) installed in the equipment room, equipment cables and jumpers.

4. The building complex subsystem should consist of trunk cables connecting multiple buildings, building complex distribution equipment (CD), equipment cables and jumpers.

5. The equipment room should be a venue for wiring management, network management and information exchange at appropriate locations in each building. Building wiring equipment, building cluster wiring equipment, Ethernet switches, telephone switches and computer network equipment should be installed in the equipment room of the integrated wiring system. Entrance facilities can also be installed in equipment rooms.

6. The incoming line room should be the entrance to the external information and communication network pipelines of the building, and can be used as the installation site for entrance facilities.

7. Management should identify, record and manage wiring equipment, cables, information socket modules and other facilities in the work area, telecommunications room, equipment room, incoming line room and wiring path environment according to a consistent scheme.

3.4 Security planning and design

Entering a new historical period, computers and networks are being used ever more widely. At the same time, the factors affecting network security are increasing and various cybercriminal activities occur frequently. Faced with this severe situation, network security managers should conduct a comprehensive assessment of computers and network systems, formulate a scientific overall network security solution, actively adopt effective strategies, build a network security protection system that includes firewalls and virus detection and response systems, reasonably optimize computer and network configuration, minimize network security risks, and safeguard the legitimate rights and interests of network users.

1. Establish a complete and feasible network security and network management strategy.

2. Control the content of network service requests so that illegal access is rejected before reaching the host.

3. Strengthen access authentication for legal users and control user access rights to a minimum.

4. Backup and disaster recovery: strengthen system backup and achieve rapid system recovery.

5. Strengthen network security management and provide network security awareness and prevention techniques for all system personnel.

6. Prevent malicious attacks and destruction by intruders.

7. Protect the confidentiality and integrity of corporate information during online transmission.

3.4 IP address and VLAN planning

Table 3-1 Address planning

| Name | VLAN/interface | Address network segment | Gateway |
| --- | --- | --- | --- |
| FW1 | GE1/0/0 | 2001::2/64 | / |
| FW1 | GE1/0/1 | 10.1.1.2/30 | / |
| FW1 | GE1/0/2 | 172.32.1.1/24 | / |
| FW2 | GE1/0/0 | 2002::2/64 | / |
| FW2 | GE1/0/1 | 10.1.1.1/30 | / |
| FW2 | GE1/0/2 | 172.31.1.1/24 | / |
| FW6 | GE1/0/0 | 172.30.1.254 | / |
| FW6 | GE1/0/2 | 172.29.1.254 | / |
| Core switch 1 | GE0/0/1 | 172.32.1.2/24 | / |
| Core switch 1 | GE0/0/6 | 172.30.1.1/24 | / |
| Core switch 2 | GE0/0/1 | 172.31.1.2/24 | / |
| Core switch 2 | GE0/0/6 | 172.29.1.1/24 | / |
| Teaching building | 10 | 192.168.10/24 | 192.168.10.1 |
| Comprehensive building | 20 | 192.168.20/24 | 192.168.20.1 |
| Graduate Building | 30 | 192.168.30/24 | 192.168.30.1 |
| Canteen | 40 | 192.168.40/24 | 192.168.40.1 |
| Zhuoyue Building | 50 | 192.168.50/24 | 192.168.50.1 |
| Pharmacy Building | 60 | 192.168.60/24 | 192.168.60.1 |
| Boys dormitory building | 70 | 192.168.70/24 | 192.168.70.1 |
| Girls dormitory building | 80 | 192.168.80/24 | 192.168.80.1 |
| Server test machine | 90 | 192.168.90/24 | 192.168.90.1 |
| HTTP server | 100 | 172.16.1.10/24 | 172.16.1.1 |
| DNS server | 100 | 172.16.1.11/24 | 172.16.1.1 |
| FTP server | 100 | 172.16.1.12/24 | 172.16.1.1 |
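An address plan like Table 3-1 is easy to get subtly wrong (a gateway outside its segment, a /30 link with a third address, two devices sharing one host address, two segments overlapping). The following Python script is an added example, not part of the design document: it copies a subset of the table's rows as constructed input and checks them; the padding of the table's three-octet shorthand ("192.168.10/24" read as 192.168.10.0/24) is an assumption about how the author meant it.

```python
"""Sanity-check an address plan in the shape of Table 3-1 (added example)."""
import ipaddress
from collections import defaultdict

# Rows copied from Table 3-1 as written: (name, VLAN/interface, segment, gateway).
# This is a constructed subset; the FW6 row has no prefix length in the table.
ADDRESS_PLAN = [
    ("FW1", "GE1/0/0", "2001::2/64", "/"),
    ("FW1", "GE1/0/1", "10.1.1.2/30", "/"),
    ("FW2", "GE1/0/1", "10.1.1.1/30", "/"),
    ("FW1", "GE1/0/2", "172.32.1.1/24", "/"),
    ("Core switch 1", "GE0/0/1", "172.32.1.2/24", "/"),
    ("FW6", "GE1/0/0", "172.30.1.254", "/"),
    ("Core switch 1", "GE0/0/6", "172.30.1.1/24", "/"),
    ("Teaching building", "10", "192.168.10/24", "192.168.10.1"),
    ("Comprehensive building", "20", "192.168.20/24", "192.168.20.1"),
    ("HTTP server", "100", "172.16.1.10/24", "172.16.1.1"),
    ("DNS server", "100", "172.16.1.11/24", "172.16.1.1"),
]


def normalize_segment(seg):
    """Turn the table's shorthand into an ipaddress.IPv4Interface.

    A three-octet address such as '192.168.10/24' is padded with a trailing .0.
    A bare address without a prefix length is rejected: the planner must state
    the mask explicitly rather than let a tool guess it.
    """
    if "/" not in seg:
        raise ValueError(f"{seg}: prefix length missing")
    addr, plen = seg.split("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Interface(f"{'.'.join(octets)}/{plen}")


def check_plan(plan):
    """Return a list of human-readable findings for an address plan."""
    findings = []
    hosts_per_net = defaultdict(list)   # network -> [(name, iface, host address)]
    for name, iface, seg, gw in plan:
        if ":" in seg:                  # IPv6 rows are out of scope for these checks
            continue
        try:
            itf = normalize_segment(seg)
        except ValueError as exc:
            findings.append(f"{name} {iface}: {exc}")
            continue
        hosts_per_net[itf.network].append((name, iface, itf.ip))
        # A user VLAN names its gateway; the gateway must live inside the segment.
        if gw != "/" and ipaddress.IPv4Address(gw) not in itf.network:
            findings.append(f"{name} VLAN {iface}: gateway {gw} not in {itf.network}")
    for net, ends in hosts_per_net.items():
        # A point-to-point /30 has exactly two usable addresses, so two ends.
        if net.prefixlen == 30 and len(ends) != 2:
            findings.append(f"/30 link {net} has {len(ends)} end(s), expected 2")
        # The same host address on two devices in one segment is a conflict.
        seen = {}
        for name, iface, ip in ends:
            if ip in seen:
                findings.append(f"{ip} used by both {seen[ip]} and {name} {iface}")
            seen[ip] = name
    # Distinct segments that overlap would make routing ambiguous.
    nets = sorted(hosts_per_net, key=lambda n: (int(n.network_address), n.prefixlen))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a != b and a.overlaps(b):
                findings.append(f"segments {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    for line in check_plan(ADDRESS_PLAN):
        print(line)
```

Run against the rows above it reports only the FW6 interface whose mask the table omits; the other checks pass for this subset of the plan.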

3.5 Equipment selection

3.4.1 Core switch selection

After analyzing the core network layer equipment selection of the campus network, it is recommended to use the S12708 switch produced by Huawei specifically for the campus core network. The switch has high throughput and high forwarding rate. The specific parameters are as follows:

Table 3-2 Core switch S12708

| Item | Specification |
| --- | --- |
| Switching capacity | 28.8/102.4 Tbps |
| Packet forwarding rate | 3600/24000 Mpps |
| Number of main control board slots | 2 |
| Number of switching network board slots | 2 |
| Number of service board slots | 4 |
| Fan frames | 2 |
| Architecture | CLOS architecture |
| Redundant design | Main control, switching network board, power supply, fan frame (front, rear and left-rear air ducts) |
| Virtualization | Supports CSS2 switching network hardware cluster, cluster master 1+N backup, 1.92 Tbps cluster bandwidth, 4 cross-frame latency, and 1:N virtualization capability |
| Wireless management | Supports on-board AC; each board can manage up to 4K APs and the entire machine up to 10K APs. Supports AP access control, AP domain management and AP configuration template management. Supports radio frequency template management, unified static configuration and centralized dynamic management. Supports basic WLAN services, QoS, security and user management |

Figure 3-2 Huawei S12708

3.4.2 Aggregation layer switch

For the network aggregation layer within the campus network, Huawei S7706 switches are recommended. The S7706 has strong scalability and compatibility and is suitable as a switch for aggregating various network devices. Its specific parameters are as follows:

Table 3-3 S7706 parameters

| Item | Specification |
| --- | --- |
| Switching capacity | 19.2/48 Tbps |
| Packet forwarding rate | 1440/16560 Mpps |
| Redundant design | Main control, power supply, monitoring board, fan frame (front/rear and left-rear air ducts) |
| Wireless management | Supports on-board AC; AP access control, AP domain management and AP configuration template management; RF template management, unified static configuration and centralized dynamic management; basic WLAN services, QoS, security and user management; hierarchical deployment of AC functions |
| User management | Supports unified user management; PPPoE, 802.1X, MAC and Portal authentication; traffic-based and duration-based accounting; authorization by group, domain and time period |
| Routing features | Supports IPv4 static routes, RIP, OSPF, IS-IS, BGP4, etc.; IPv6 static routes, RIPng, OSPFv3, IS-ISv6, BGP4+; IPv4/IPv6 equal-cost routes, policy-based routing and routing policies; IPv4/IPv6 dual stack; Pingv6, Telnetv6, FTPv6, TFTPv6, DNSv6, ICMPv6; IPv4-to-IPv6 transition technologies including IPv6 manual tunnels, 6to4 tunnels, ISATAP tunnels, GRE tunnels and IPv4-compatible automatic tunnels |
| iPCA quality awareness | Marks service packets directly to obtain packet-loss count and packet-loss rate statistics in real time with zero overhead; network-level and device-level packet-loss count and rate statistics for Layer 2 and Layer 3 networks |
| SVF simplified O&M | Virtualizes 256 client nodes (access switches) and up to 4K APs into one managed device; supports a two-level AS architecture; supports hybrid networking management with third-party vendors |
| Buffer capacity | 200 ms of data buffering per port |
| Data center features | Supports TRILL, FCoE (DCB), EVN, nCenter, EVB, SPB, VXLAN and other data center features |
| OpenFlow | Supports multiple controllers; up to nine-level flow tables; up to 256K flow entries; group tables; meters; the OpenFlow 1.3 standard |
| Interoperability | VBST VLAN-based spanning tree protocol (interoperates with PVST/PVST+/RPVST); LNP link type negotiation protocol (similar in function to DTP); VCMP VLAN central management protocol (similar in function to VTP) |

Figure 3-3 S7706 switch

3.4.3 Access layer switch

Huawei's S5736-S access layer switch is a Layer 3 switch with 10GE uplink interfaces and GE downlink interfaces, suitable for terminal access. Its specific parameters are as follows:

Table 3-4 Access switch parameters

| Item | Specification |
| --- | --- |
| Packet forwarding rate | 660 Mpps |
| Switching capacity | 2.56/25.6 Tbps |
| Fixed ports | 24 x 100M/1G/2.5G/5G/10G Base-T Ethernet ports, 4 x 10GE SFP+ |
| PoE++ | Supported, up to 90 W per port |
| Expansion slots | 1 expansion slot, supporting 2 x 25GE or 8 x 10GE optical, or 4 x 40GE optical subcards |
| MAC features | Automatic MAC address learning and aging; static, dynamic and blackhole MAC entries; source MAC address filtering |
| VLAN features | 4K VLANs; Guest VLAN and Voice VLAN; GVRP; MUX VLAN; VLANs based on MAC/protocol/IP subnet/policy/port; 1:1 and N:1 VLAN mapping |
| IP routing | Static routes, RIPv1/2, RIPng, OSPF, OSPFv3, ECMP, IS-IS, IS-ISv6, BGP, BGP4+, VRRP, VRRP6 |
| Interoperability | VBST VLAN-based spanning tree protocol (interoperates with PVST/PVST+/RPVST); LNP link type negotiation protocol (similar in function to DTP); VCMP VLAN central management protocol (similar in function to VTP) |

Figure 3-4 Huawei S5720 series switch

3.4.4 Firewall

The USG firewall at the network egress provides a unified external connection service for users, so that departments do not each build their own egress links. The Huawei USG6600E firewall is recommended: it is a 10GE egress protection device with security capabilities such as intrusion detection and active defense. Its specific parameters are as follows:

Table 3-5 Firewall parameters

| Item | Specification |
| --- | --- |
| Fixed interfaces | 12×GE (RJ45) + 8×GE (SFP) + 4×10GE (SFP+) + 1×USB3.0 |
| Form factor | 1 U |
| Storage | Optional 2.5-inch hard disk; supports SSD 240GB/960GB, HDD 1TB |
| Integrated protection | Combines traditional firewall, VPN, intrusion prevention, antivirus, data leak prevention, bandwidth management, Anti-DDoS, URL filtering, anti-spam and other functions in one device, with a global configuration view and unified policy management |
| Application identification and control | Identifies 6000+ applications, with access control down to the application function (for example, distinguishing WeChat text from voice). Application identification is combined with intrusion detection, antivirus and content filtering to improve detection performance and accuracy. |
| Bandwidth management | Based on application identification, manages the bandwidth used per user/IP to guarantee the network experience of key services and key users. Controls include limiting maximum bandwidth or guaranteeing minimum bandwidth, application-based policy routing, and changing application forwarding priority |
| Intrusion prevention and web protection | Obtains the latest threat information promptly and accurately detects and defends against attacks on vulnerabilities. Protects against various web attacks, including SQL injection and cross-site scripting. |
| APT defense | Works with local/cloud sandboxes to detect and block malicious files. Supports flow-probe information collection, gathering comprehensive traffic information and sending it to the network security intelligence system (HiSec Insight) for analysis, assessment and identification of threats and APT attacks in the network. Detects threats in encrypted traffic without decryption, in cooperation with HiSec Insight. Responds actively to malicious scanning behaviour and, through behaviour analysis with HiSec Insight, quickly discovers and records malicious behaviour for real-time protection against threats to the enterprise. |
| Cloud management mode | The device initiates authentication and registration with the cloud management platform itself, achieving plug-and-play and simplifying network creation and deployment. Remote service configuration management and device monitoring and fault management enable cloud management of very large numbers of devices |
| Cloud application security awareness | Fine-grained and differentiated control of enterprise cloud applications, meeting enterprise requirements for controlling users' use of cloud applications. |

Figure 3-5 Huawei USG6600E series firewall

3.6 Network topology diagram

Figure 3-6 Network topology diagram

The network architecture of the campus network in this design is divided into three layers: the core layer, the aggregation layer and the access layer.

As the campus business of Guangxi Medical University grows, the campus network architecture is becoming larger and larger. To further raise the online visibility and social promotion of the university's campus network and its other schools, Guangxi Medical University sets up independent web, DNS and FTP servers on the intranet.

According to the current network requirements of Guangxi Medical University, the three-layer network architecture we specify is a practical scheme for building the network topology. Such an environment gives the whole architecture clear layers and a simpler structure, and when a problem occurs the fault point is easy to locate.

Advantages of this campus topology:

1. Scalability: each of the three layers can be extended and changed separately, strictly following the core layer, aggregation layer and access layer architecture.

2. Redundancy: using VRRP technology on the aggregation devices further improves the availability of the Guangxi Medical University campus network.

3. High performance: using ethchannel (EtherChannel) link aggregation between two or three of the layers improves the stability and availability of the network.

4. Introduction to key technologies

4.1 VLAN technology

VLAN stands for virtual local area network. VLAN technology effectively separates the communication of different networks, isolating LANs from one another regardless of physical location. A virtual LAN divides the whole network into many small subnets, so that different networks can be clearly distinguished and data transmission becomes more reliable, efficient and stable. It can also be used to separate different business systems, to conveniently distinguish the resources that different network segments may access, to better avoid broadcast storms, and to make the LAN easier to maintain.

4.2 OSPF dynamic routing protocol

Routing technology is commonly called Layer 3 technology and counts as an upper-layer application technology in network engineering. In a complete and mature network topology, routing is generally applied at the core layer. The network devices with routing functions that are generally used include routers, Layer 3 switches, firewalls and other high-end routing devices. Like a footpath between home and school, the routing table is where network administrators can find a lot of useful reference information: the neighbor relationships established between routing devices, and the path parameters of each route entry, as in the commonly used OSPF. Layer 3 routing technology is therefore applied in enterprises and likewise in campus networks. The disadvantage of routing protocols is also obvious: compared with Layer 2 static default routing, a Layer 3 dynamic routing protocol occupies more memory on the network devices and greatly increases the overhead between devices, so routing devices with higher performance must be purchased to ensure that services are implemented reliably. OSPF routing technology is recommended.

4.3 VRRP technology

As users' requirements for network reliability grow, how to guarantee uninterrupted network transmission has become a problem that must be solved. In particular, at the entrances or access points of important services, such as an enterprise's Internet access point or a bank's database server, uninterrupted operation must be guaranteed. If only one device is used at these points, no matter how reliable it is, the network inevitably bears the risk of service interruption caused by a single point of failure.

In a traditional environment with a single gateway device and a single uplink, the user's gateway address is configured as a fixed IP, which is usually owned by an interface of a router; that router acts as the network gateway and is a single point of failure: if the router goes down, intranet users lose connectivity, and if the router's uplink fails, intranet users likewise cannot get online. VRRP provides gateway redundancy and makes the network more robust. To solve the above problems, the gateway redundancy protocol VRRP was introduced. Hot standby of two devices implements service backup between them: service information is backed up in bulk and in real time over the backup link, so that when the master device fails, services switch smoothly to the backup device without interruption, which reduces the risk of a single point of failure and improves network reliability.

By deploying several routers in "the same broadcast domain" and adding these routers (their interfaces) to the same VRRP group, the group creates a virtual router. The virtual router's IP address is the gateway address configured on the intranet user PCs, and the virtual router's MAC is the MAC that users resolve for the gateway IP. The members of the VRRP group compete to elect an Active router, which carries the actual forwarding work and responds to the intranet's ARP queries for the gateway IP. The other routers in the group are in the standby state and monitor the Active router's status in real time so that they can take over immediately when the Active router fails.

When the Active router fails, the remaining members hold another election, and a new Active router takes over data forwarding and responds to intranet users' ARP requests for the gateway IP. Gateway redundancy is thus achieved; intranet users are completely unaware of the switchover, which is done by the protocol itself, and intranet PCs need no configuration change or gateway IP change.

Routers are in one of two states:

1. Active router: the router that actually forwards packets in the VRRP group. In each VRRP group only the Active router responds to ARP requests for the virtual IP address.

2. Standby router: the router in the listening state in the VRRP group; once the Active router fails, the Standby router takes over its work.

In summary, VRRP is highly reliable. Running VRRP (the hot standby redundancy protocol) between two routers guarantees that if either router goes down, or a router's WAN port goes down, traffic quickly switches to the other router.

4.4 STP spanning tree

In an Ethernet switched network, redundant links are normally used for link backup and higher reliability, but they also introduce network loops. Loops cause broadcast storms and MAC address table flapping, which degrade user communication or interrupt it altogether.

To solve the loop problem in switched networks, the IEEE proposed the Spanning Tree Protocol (STP) in the 802.1D standard. STP is the loop-breaking protocol of the LAN: devices running it exchange information to discover loops in the network and selectively block certain ports, pruning the looped topology into a loop-free tree. In addition, if the currently active path fails, STP can activate a redundant backup link and restore connectivity.

As LANs grew, the slow convergence of STP became a prominent problem, so in 2001 the IEEE published the 802.1w standard defining the Rapid Spanning Tree Protocol (RSTP), which improves on STP to converge quickly after a topology change.

In a network running STP, each device is called a bridge. Every bridge has a bridge ID (BID). IEEE 802.1D defines the BID as the bridge priority followed by the bridge MAC address: the priority occupies the high 16 bits and the MAC address the low 48 bits.

Root bridge

The key to breaking loops with STP is to build a tree-shaped topology, and a tree needs a root, so STP introduces the root bridge. In an STP network the root bridge is the bridge with the smallest bridge ID; there is exactly one in the whole network, and it is the logical centre of the network although not necessarily its physical centre. The root bridge can change dynamically as the topology changes, for example when a bridge with a lower BID joins. Because the election trusts whatever BPDUs are received, a switch plugged into an access port with a lower BID than the intended root will take the root role away from the core; root protection and BPDU protection on edge ports, not the configured priority alone, are what prevent this.

Root port

The root port is the port with the lowest path cost to the root bridge; it forwards data toward the root, and it is chosen on the basis of root path cost. Clearly, a device running STP has exactly one root port, and the root bridge has none.
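The BID layout and the two elections just described, as an added illustration (this is not code or configuration from the original design). It models the 802.1D comparison: the root is the numerically smallest BID, and each bridge's root port faces the neighbour on its least-cost path, with the lower upstream BID breaking cost ties. Bridge names, MAC addresses, priorities and link costs are constructed sample values; the port costs follow the 802.1D-1998 table (4 for GE, 19 for FE), which is an assumption about the simulator's settings.

```python
"""Model of the 802.1D root-bridge and root-port election.
Added illustration, not configuration from the original design: bridge names,
MAC addresses, priorities and link costs are constructed sample values
(802.1D-1998 port path costs: 4 for GE, 19 for FE, assumed)."""
import heapq


def bridge_id(priority: int, mac: str) -> int:
    """802.1D BID: 16-bit bridge priority in the high bits, 48-bit MAC in the low bits."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


def elect_root(bridges: dict) -> str:
    """Root bridge = numerically smallest BID: lowest priority wins, then lowest MAC."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(bridges: dict, links: list, root: str) -> dict:
    """Per bridge: (root path cost, upstream bridge). The root port is the port
    facing the upstream bridge. Equal costs go to the lower upstream BID, as in
    802.1D; the further port-ID tie-breakers are not modelled."""
    bids = {name: bridge_id(*spec) for name, spec in bridges.items()}
    adj = {name: [] for name in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost in adj[node]:
            new_cost = cost + link_cost
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, node)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == best[nbr][0] and bids[node] < bids[best[nbr][1]]:
                best[nbr] = (new_cost, node)  # same cost, lower upstream BID wins
    return best


# Constructed sample: "stp root primary" sets priority 0 on Huawei VRP and
# "root secondary" sets 4096; access switches keep the default 32768.
SAMPLE_BRIDGES = {
    "CORE1": (0, "00:e0:fc:00:00:01"),
    "CORE2": (4096, "00:e0:fc:00:00:02"),
    "ACC1": (32768, "00:e0:fc:00:00:11"),
    "ACC2": (32768, "00:e0:fc:00:00:12"),
}
SAMPLE_LINKS = [
    ("CORE1", "CORE2", 4),   # GE link between the two core switches
    ("ACC1", "CORE1", 19),   # FE uplinks from each access switch to both cores
    ("ACC1", "CORE2", 19),
    ("ACC2", "CORE1", 19),
    ("ACC2", "CORE2", 19),
]


def rogue_root_demo() -> str:
    """A bridge joining with priority 0 and a lower MAC than CORE1 wins the
    election outright: STP trusts the BPDUs it receives, which is why edge ports
    need BPDU protection / root protection rather than priority alone."""
    bridges = dict(SAMPLE_BRIDGES)
    bridges["ROGUE"] = (0, "00:00:00:00:00:01")
    return elect_root(bridges)


if __name__ == "__main__":
    root = elect_root(SAMPLE_BRIDGES)
    print("root bridge:", root)
    costs = root_path_costs(SAMPLE_BRIDGES, SAMPLE_LINKS, root)
    for name, (cost, upstream) in sorted(costs.items()):
        print(f"{name}: root path cost {cost}, root port faces {upstream}")
    print("root after a rogue priority-0 bridge joins:", rogue_root_demo())
```

In the sample, CORE1 wins with priority 0, CORE2 reaches it over the direct GE link (cost 4) and both access switches pick their CORE1 uplink (cost 19) over the 23-cost path through CORE2; the rogue case shows that a lower BID on an access port would move the root off the core entirely.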

Designated bridge and designated port

 

Figure 2-1 STP schematic

Cisco proprietary protocol PVST: Per-VLAN Spanning Tree

PVST is Cisco's proprietary solution for running spanning tree across VLANs. PVST runs a separate spanning-tree instance for each VLAN. In general, PVST requires Cisco ISL on the trunk links between switches.

Per-VLAN Spanning Tree (PVST) maintains one spanning-tree instance for every VLAN configured in the network. It uses ISL trunking and allows a trunk to forward some VLANs while it is blocked for others. Although PVST treats each VLAN as a separate network, it can load-balance traffic at Layer 2 by forwarding some VLANs on one trunk and other VLANs on another trunk, without creating spanning-tree loops.

PVST+ (Per VLAN Spanning Tree Plus) is Cisco's other solution for running spanning tree over VLANs. PVST+ lets CST (Common Spanning Tree) information be passed to PVST, so that it interoperates with other vendors' implementations of spanning tree on VLANs.

PVST+ supports CST and PVST coexisting in the same network and can use 802.1Q encapsulation. PVST+ is enabled automatically on Catalyst 802.1Q trunks. It still runs one STP instance per VLAN and can therefore load-balance at Layer 2. PVST+ divides the network into three kinds of region: PVST regions, PVST+ regions and single-spanning-tree regions.

V. Detailed design

5.1 VRRP+MSTP redundancy configuration

 

Figure 5-1 VRRP+MSTP design

Partial configuration example (one of the two aggregation switches; its peer is configured symmetrically but is not shown on the page):

stp instance 0 root primary
interface Vlanif10
 ip address 192.168.10.2 255.255.255.0
 vrrp vrid 1 virtual-ip 192.168.10.1
 vrrp vrid 1 priority 150
 vrrp vrid 1 preempt-mode timer delay 20
interface Vlanif20
 ip address 192.168.20.2 255.255.255.0
 vrrp vrid 2 virtual-ip 192.168.20.1
 vrrp vrid 2 priority 150
 vrrp vrid 2 preempt-mode timer delay 20

What these lines do: "stp instance 0 root primary" makes this switch the root of MSTP instance 0 (the CIST), so that the spanning tree and the VRRP master are rooted on the same device and user traffic does not cross the inter-switch link unnecessarily. Each VLANIF carries a real address (.2) and a VRRP group whose virtual IP (.1) is the gateway that DHCP hands to hosts. Priority 150 is above the default of 100, so this switch is the master of both groups whenever it is up; "preempt-mode timer delay 20" makes it wait 20 seconds after coming back before reclaiming the master role, which gives STP time to reconverge so the switch does not attract traffic it cannot yet forward. Two points to check against the full design: with only instance 0 defined, every VLAN follows the same tree and the redundant uplinks toward the other switch stay blocked, so per-VLAN load sharing (VLAN 10 rooted and mastered on one switch, VLAN 20 on the other) needs additional instances mapped under "stp region-configuration"; and the peer should be "stp instance 0 root secondary" so that the root does not fall to an access switch if this device fails.
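The election and preempt behaviour behind the VLANIF 10 configuration above and the VRRP description in Section 4.3, as an added model (this is not device configuration from the page). It runs the master election (higher priority, then higher primary IP), the master-down interval a backup waits before taking over, and the 20-second preempt delay configured above. Assumptions: the peer switch (called SW2 here, address 192.168.10.3) runs the VRP default priority 100, and the 1-second default advertisement interval applies; neither is shown on the page.

```python
"""Model of VRRP master election, failover timing and preempt delay.
Added illustration, not device configuration. Assumed: peer priority 100
(VRP default), peer address 192.168.10.3, 1 s advertisement interval."""
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0  # seconds, VRRP default


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # primary VLANIF address, used as the tie-breaker
    priority: int            # 1..254; 255 is reserved for the owner of the virtual IP
    preempt: bool = True
    preempt_delay: float = 0.0
    up: bool = True
    up_since: float = 0.0


def ip_key(ip: str) -> tuple:
    return tuple(int(octet) for octet in ip.split("."))


def master_down_interval(priority: int) -> float:
    """RFC 3768: 3 * advertisement interval + skew time, skew = (256 - priority) / 256."""
    return 3 * ADVERT_INTERVAL + (256 - priority) / 256


def elect(routers):
    """Higher priority wins; on a tie the higher primary IP address wins."""
    live = [r for r in routers if r.up]
    return max(live, key=lambda r: (r.priority, ip_key(r.ip))) if live else None


def simulate(routers, events, horizon: float) -> list:
    """Discrete 0.1 s model. events: (time, router_name, 'up'|'down').
    Returns the list of (time, master name) transitions."""
    by_name = {r.name: r for r in routers}
    pending = sorted(events)
    master = elect(routers)
    transitions = [(0.0, master.name)]
    last_advert = 0.0            # last time the backups heard the master
    t = 0.0
    while t < horizon:
        t = round(t + 0.1, 1)
        while pending and pending[0][0] <= t:
            _, name, state = pending.pop(0)
            by_name[name].up = state == "up"
            by_name[name].up_since = t
        candidate = elect(routers)
        if candidate is None:
            continue
        if master.up:
            last_advert = t
            # a higher-priority router preempts only after its preempt delay
            if (candidate is not master and candidate.preempt
                    and t - candidate.up_since >= candidate.preempt_delay):
                master = candidate
                transitions.append((t, master.name))
        elif t - last_advert >= master_down_interval(candidate.priority):
            # backups declare the master dead after the master-down interval
            master = candidate
            transitions.append((t, master.name))
    return transitions


def sample_routers(preempt_delay: float = 20.0) -> list:
    # SW1 = the switch configured above (priority 150, preempt delay 20 s);
    # SW2 = its peer at the assumed default priority 100.
    return [
        VrrpRouter("SW1", "192.168.10.2", 150, preempt_delay=preempt_delay),
        VrrpRouter("SW2", "192.168.10.3", 100),
    ]


SAMPLE_EVENTS = [(10.0, "SW1", "down"), (50.0, "SW1", "up")]


def failover_timeline(preempt_delay: float = 20.0) -> list:
    """SW1 fails at 10 s and returns at 50 s; see when the master role moves."""
    return simulate(sample_routers(preempt_delay), SAMPLE_EVENTS, 90.0)


def rogue_timeline() -> list:
    """A device joining the VLAN and advertising priority 254 takes the virtual
    gateway from both switches: the election trusts any advertisement seen on
    the segment, so the broadcast domain itself has to be kept to trusted devices."""
    routers = sample_routers() + [VrrpRouter("ROGUE", "192.168.10.200", 254, up=False)]
    return simulate(routers, [(5.0, "ROGUE", "up")], 10.0)


if __name__ == "__main__":
    print("with preempt delay 20 s:", failover_timeline())
    print("with immediate preempt:", failover_timeline(0.0))
    print("rogue advertiser:", rogue_timeline())
```

With the configured delay, SW2 becomes master about 3.6 seconds after SW1 stops advertising (3 advertisement intervals plus the skew for priority 100) and SW1 only takes the role back 20 seconds after it returns, at 70 s; with no delay it would reclaim the gateway at 50 s, before its own spanning-tree ports have had time to go forwarding.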

5.2 DHCP configuration

 

Figure 5-2 DHCP configuration

DHCP configuration:

ip pool 10
 gateway-list 192.168.10.1
 network 192.168.10.0 mask 255.255.255.0
 excluded-ip-address 192.168.10.100 192.168.10.254
 dns-list 172.16.1.11
ip pool 20
 gateway-list 192.168.20.1
 network 192.168.20.0 mask 255.255.255.0
 excluded-ip-address 192.168.20.100 192.168.20.254
 dns-list 172.16.1.11

Each global pool serves one user VLAN. The gateway it hands out is the VRRP virtual IP (192.168.10.1 or 192.168.20.1) rather than either switch's own interface address, so a gateway failover is invisible to clients; the upper part of each /24 (.100 to .254) is withheld from dynamic allocation; and the DNS server handed out is the campus DNS server at 172.16.1.11. Two things the excerpt does not show but which must be present for leases to be issued are "dhcp enable" in the system view and "dhcp select global" under Vlanif10 and Vlanif20. Also confirm that the switches' own VLANIF addresses (192.168.10.2 on this device, and whatever its peer uses) are never leased, since they sit inside the allocatable range; add them to excluded-ip-address if the platform does not reserve them itself.

5.3 OSPF configuration

 

Figure 5-3 OSPF configuration

OSPF configuration:

ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 192.168.0.0 0.0.255.255
  network 172.32.1.0 0.0.0.255
  network 172.30.1.0 0.0.0.255

OSPF process 1 runs with an explicit router ID (1.1.1.1), which keeps the ID stable when interface addresses change. The network statements use wildcard masks (a 0 bit must match, a 1 bit is ignored), so "network 192.168.0.0 0.0.255.255" enables OSPF in area 0 on every interface with a 192.168.x.x address, including the user VLANIFs, while the two /24 statements cover the links toward the firewall. Two consequences worth handling: hosts on the user VLANs will receive hellos from the switch and could try to form an adjacency, so those VLANIFs should be declared silent-interface in the ospf view; and as shown the process has no authentication, so a neighbour is accepted from any device on those segments until MD5 authentication is configured on the area or its interfaces.
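Which interfaces the three network statements above actually enable, as an added check (not code from the original design). It evaluates the statements the way the device does, by comparing the address and the network under the inverted wildcard, and then lists the user-facing VLANIFs that will now send hellos. Only the Vlanif10/20 gateway addresses come from the page; the firewall-link and server-segment interfaces are constructed for illustration.

```python
"""Evaluate OSPF 'network' statements with wildcard masks against interface
addresses, as VRP does: (address AND NOT wildcard) == (network AND NOT wildcard).
Added illustration; interfaces other than Vlanif10/20 are constructed."""
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """OSPF wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(network) & care)


def contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is of the form 0...01...1 (a plain CIDR complement)."""
    w = _to_int(wildcard)
    return w & (w + 1) == 0


def wildcard_to_prefixlen(wildcard: str) -> int:
    """Contiguous wildcard -> prefix length. Non-contiguous wildcards are legal
    in OSPF but have no CIDR equivalent, so refuse them rather than guess."""
    if not contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return 32 - _to_int(wildcard).bit_length()


NETWORK_STATEMENTS = [            # from the "ospf 1" / "area 0.0.0.0" configuration above
    ("192.168.0.0", "0.0.255.255"),
    ("172.32.1.0", "0.0.0.255"),
    ("172.30.1.0", "0.0.0.255"),
]

SAMPLE_INTERFACES = {              # constructed; only Vlanif10/20 appear on the page
    "Vlanif10": "192.168.10.2",
    "Vlanif20": "192.168.20.2",
    "GigabitEthernet0/0/1": "172.32.1.1",    # assumed link toward the firewall
    "GigabitEthernet0/0/2": "172.30.1.1",    # assumed second link toward the firewall
    "Vlanif100": "172.16.1.1",               # assumed server segment (DNS is 172.16.1.11)
}


def ospf_enabled_interfaces(interfaces: dict, statements=NETWORK_STATEMENTS) -> dict:
    """Interface -> the statement that enables it, or None if OSPF stays off."""
    return {
        name: next(((n, w) for n, w in statements if wildcard_match(addr, n, w)), None)
        for name, addr in interfaces.items()
    }


def user_facing_ospf_interfaces(interfaces: dict, user_prefix: str = "Vlanif") -> list:
    """VLANIFs that face end hosts yet will send hellos and accept neighbours:
    the candidates for 'silent-interface' in the ospf view."""
    enabled = ospf_enabled_interfaces(interfaces)
    return sorted(n for n, stmt in enabled.items() if stmt and n.startswith(user_prefix))


if __name__ == "__main__":
    for name, stmt in ospf_enabled_interfaces(SAMPLE_INTERFACES).items():
        print(f"{name:22s} {'enabled by ' + ' '.join(stmt) if stmt else 'not in any area'}")
    print("declare silent-interface on:", user_facing_ospf_interfaces(SAMPLE_INTERFACES))
```

Note that an interface in 172.16.1.0/24, where the page's DNS server lives, is not covered by these three statements; whether that subnet is advertised by another device or statement is not shown on the page.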

5.4 IPv4 over IPv6 tunnel

 

Figure 5-4 IPv4 over IPv6

Tunnel configuration:

interface Tunnel2
 ip address 30.1.1.1 255.255.255.0
 tunnel-protocol ipv4-ipv6
 source 2002::2
 destination 2002::1
interface Tunnel1
 description 10::1
 ip address 20.1.1.2 255.255.255.0
 tunnel-protocol ipv4-ipv6
 source 2001::1
 destination 2001::2

"tunnel-protocol ipv4-ipv6" selects a manually configured IPv4 over IPv6 tunnel: IPv4 packets routed to the tunnel interface are encapsulated in an IPv6 header whose source and destination are the configured IPv6 endpoints, so the IPv6-only path between the two ends carries the campus IPv4 traffic unchanged. The tunnel interface itself carries an IPv4 address (30.1.1.1/24 and 20.1.1.2/24 here) that the IPv4 routes point at. The endpoint pairs must mirror each other on the two devices (the source here is the destination there), and because a manual tunnel carries no authentication, the decapsulating end should accept only packets whose outer addresses match the configured pair.
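The encapsulation the tunnel above performs, shown byte by byte as an added illustration (not device code): an IPv4 packet with a valid header checksum is wrapped in a 40-byte IPv6 header with Next Header 4, and the receiving side strips it only when the outer addresses match the configured endpoints. The outer addresses are the Tunnel1 endpoints from the configuration (2001::1 to 2001::2); the inner addresses, the far-end IPv4 address 20.1.1.1 and the payload are constructed.

```python
"""Byte-level model of IPv4 over IPv6 encapsulation and decapsulation.
Added illustration, not device code. Outer addresses come from the Tunnel1
configuration; inner addresses and payload are constructed."""
import ipaddress
import socket
import struct

IPPROTO_IPV4_IN_IPV6 = 4   # IPv6 Next Header value for an encapsulated IPv4 packet


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 1, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet without options; proto 1 = ICMP by default."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def encapsulate(inner: bytes, v6_src: str, v6_dst: str, hop_limit: int = 64) -> bytes:
    """Wrap an IPv4 packet in a fixed 40-byte IPv6 header (version 6, class 0, flow 0)."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(inner), IPPROTO_IPV4_IN_IPV6, hop_limit,
                         socket.inet_pton(socket.AF_INET6, v6_src),
                         socket.inet_pton(socket.AF_INET6, v6_dst))
    return header + inner


def _v6(text: str) -> str:
    return ipaddress.IPv6Address(text).compressed


def decapsulate(packet: bytes, local: str, peer: str) -> dict:
    """Strip the IPv6 header, accepting only packets sent to this endpoint by the
    configured peer: a manual tunnel has no authentication, so without this check
    anyone able to reach 'local' over IPv6 could inject IPv4 packets into the campus."""
    if len(packet) < 60 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet carrying at least an IPv4 header")
    payload_len, next_header, _hop_limit = struct.unpack("!HBB", packet[4:8])
    outer_src = socket.inet_ntop(socket.AF_INET6, packet[8:24])
    outer_dst = socket.inet_ntop(socket.AF_INET6, packet[24:40])
    if next_header != IPPROTO_IPV4_IN_IPV6:
        raise ValueError("next header %d is not IPv4" % next_header)
    if (_v6(outer_dst), _v6(outer_src)) != (_v6(local), _v6(peer)):
        raise ValueError("outer %s -> %s does not match the configured endpoints" % (outer_src, outer_dst))
    inner = packet[40:40 + payload_len]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ipv4_checksum(inner[:ihl]) != 0:
        raise ValueError("inner IPv4 header is invalid or corrupted")
    return {
        "outer_src": outer_src, "outer_dst": outer_dst,
        "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_proto": inner[9], "payload": inner[ihl:],
    }


def accepted(packet: bytes, local: str, peer: str) -> bool:
    """True if this endpoint would decapsulate and forward the packet."""
    try:
        decapsulate(packet, local, peer)
        return True
    except ValueError:
        return False


# Constructed sample: a campus host behind the 2001::1 end pings an IPv4 host
# reached through the far end (20.1.1.1 assumed); Tunnel1 endpoints from the page.
INNER = build_ipv4("192.168.10.100", "20.1.1.1", b"ping-from-campus")
TUNNELED = encapsulate(INNER, "2001::1", "2001::2")

if __name__ == "__main__":
    print("tunneled length:", len(TUNNELED), "next header:", TUNNELED[6])
    print("far end accepts:", decapsulate(TUNNELED, "2001::2", "2001::1"))
    print("spoofed peer accepted:", accepted(TUNNELED, "2001::2", "2001::9"))
```

The endpoint check is the part a practitioner should carry over to the real devices: on the USG, the tunnel interface belongs to a security zone and the security policy decides what the decapsulated IPv4 traffic may reach, so the zone assignment and policy for the tunnel interface deserve the same scrutiny as those of a physical uplink.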

5.5 Firewall hot standby configuration

 

Figure 5-5 Hot standby configuration

hrp enable
 hrp interface GigabitEthernet1/0/1 remote 10.1.1.2
 hrp auto-sync config static-route
 hrp track interface GigabitEthernet1/0/0
 hrp track interface GigabitEthernet1/0/2

"hrp enable" turns on dual-device hot standby (HRP) on this USG. GigabitEthernet1/0/1 is the heartbeat interface and 10.1.1.2 is the peer's heartbeat address; configuration and session state are synchronised over this link. "hrp auto-sync config static-route" keeps the static routes identical on both firewalls. The two "hrp track interface" lines tie the failover to the uplink and the downlink: if a tracked interface goes down, this firewall lowers its priority and the peer takes over, so a failed link, not only a failed chassis, triggers a switchover. The peer is configured the same way with "remote" pointing back at this firewall's heartbeat address (the peer's configuration is not shown on the page), and the heartbeat should run over a dedicated link rather than a user-facing VLAN.

VI. Test results

6.1 LAN connectivity test

VLAN division simplifies network management and confines broadcast domains. Different VLANs cannot communicate with each other by default; traffic between them must be forwarded by the gateway. The figure below shows the test of communication between different VLANs.

 

Figure 6-2 Inter-VLAN communication test

6.2 DHCP test

DHCP assigns IP addresses to terminals automatically, making full use of the address space and avoiding wasted IP addresses.

 

 

Figure 6.2 DHCP configuration test

6.4 OSPF test

OSPF routers advertise the state of their network interfaces to each other to build a link-state database, compute a shortest-path tree from it, and each OSPF router uses its tree to build its routing table.

As shown below, the egress firewall and the core switch are placed in the backbone area.

 

Figure 6-3 OSPF adjacency state on the firewall

The figure below shows the OSPF routes learned on the firewall.

 

Figure 6-4 Firewall routing table

6.5 HTTP service and DNS test

The server provides an HTTP service and DNS name resolution, so the internal network can reach the HTTP server by domain name.

The figure below shows access to the HTTP service by domain name through a web browser:

 

Figure 6-5 Internal access to the HTTP server by domain name

6.6 VRRP state and switchover

VRRP lets two devices jointly maintain one virtual gateway; the gateway address does not belong to any physical interface on the live network. When the master fails, the backup takes over within the master-down interval and continues gateway forwarding in its place.

 

Figure 6-6 VRRP state

6.7 IPv4 over IPv6 test

The internal network reaches the public network through the IPv4 over IPv6 tunnel on the border firewall. When traffic from an internal terminal reaches the border firewall, the firewall routes it into the tunnel, encapsulating the IPv4 packet in IPv6; when the reply returns, the firewall decapsulates it and forwards it to the local terminal.

 

Figure 6-8 Internal network accessing the public network

Summary

This planning of the Guangxi Medical University campus network was another systematic, and more complete, study of networking. In previous classes the network courses covered networking principles but said little about practical operation. Through this campus network planning I learned a great deal of practical, applied knowledge.

Before planning the campus network of Guangxi Medical University, I visited the university to survey the situation and asked about the relevant issues, which provides a sound basis for future network planning. In future planning, the goal is to support network-based teaching and office work, and to design the university's campus network according to the principles of economy, practicality, operability and scalability. The network architecture built here according to user requirements also leaves plenty of room for future expansion. The planning also takes in the characteristics of next-generation networks and new trends in network development, making the network more user-friendly and reflecting a people-oriented principle. However, the network design still has points to improve, for example the specific configuration of the servers and the firewall. This network planning enriched my networking knowledge and taught me a great deal at a deeper level, particularly in network design, switches and servers.


Origin blog.csdn.net/qq1325513482/article/details/131727293