Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis and analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!
Implementing the supermarket network plan is a hub for convenient communication between supermarkets. In today's society, the scale and application level of the supermarket network have become the primary component of the supermarket network environment. For the supermarket network, the security of the intranet and server is its top priority. Therefore, we should use the existing conditions of supermarkets to design a safe and unified supermarket network on this basis.
Based on demand analysis, basic core technologies (port aggregation, spanning tree priority, VLAN applications) are provided to meet the development of the industry with better topology planning and more accurate analysis modernization. According to supermarket distribution, IP address planning is an appropriate part of VLAN, and selecting user access (using MAC address to bind IP address) makes management easier. Select the brand name and model of your device according to your plan. The ACL protocol is used to optimize the network. ACL controls the data packets in and out of the port through the router's command list and the switch interface. The egress deployment router is connected to the operator's network equipment, and the access of internal users in the supermarket is completed through the network address translation configuration of the egress router.
Keywords: network planning; vlan ; network address translation
Table of contents
1.1 The background of the emergence of supermarket internal network. 3
1.2 Current status and analysis of supermarket internal network. 3
2.1 System structure inside the supermarket. 3
2.1.2 System management and maintenance. 4
2.2 Currently popular supermarket internal network construction technologies. 4
2.2.1 Hierarchical model design technology. 4
2.2.3 Network security technology. 5
3Requirements analysis and system design principles. 5
3.1.2 Management requirements. 6
3.2 System design principles. 6
3.2.1 Equipment selection principles. 6
3.2.2 Principles of design goals. 8
4.5 Network configuration and management. 14
4.5.2 IP address allocation and DHCP settings. 15
4.5.3 Setting and application of NAT in supermarket network. 18
4.5.4 Setting and management of access control lists in supermarket networks. 19
5 Network security configuration. 20
5.3 Disabling and configuring network services. 21
1 . 1 The background of the emergence of supermarket internal network
Supermarkets are a shopping method that developed with the rise of the commodity economy. Different from the types of customers and goods and the types of product information, as well as a single form of old grocery stores, it can effectively avoid face-to-face contact between customers and shopkeepers. And provide customers with a free, relaxed and comfortable shopping environment. Therefore, it is favored by more and more consumers and plays an increasingly important role in people's daily lives.
Although traditional business models such as supermarkets have been impacted by e-commerce in recent years, this shopping method is consistent with my country's national conditions. Our country's living pattern of large mixed settlements and small settlements makes small and medium-sized supermarkets, an economic state that needs to be close to the crowd, dispersed in every corner of cities and rural areas, directly connected with people's lives, and plays an irreplaceable and important role in today's social life. Since the 21st century, the pace of economic globalization has accelerated, China's reform and opening up has continued to deepen, and competition in the retail industry has become increasingly fierce. This requires small and medium-sized supermarkets to strengthen their core competitiveness in order to survive in the fierce market competition. If small and medium-sized supermarkets want to survive in the fierce competitive environment and face difficulties, in addition to having high-quality products and a comfortable shopping environment, the most important thing is to keep pace with the times, meet customer needs in a timely manner, and build an efficient and fast Network management system.
1 . 2 Current status and analysis of supermarket internal network
With the continuous development of the Internet, the distance between people is no longer so far away, and information exchange is becoming more direct and convenient. Modern information technology has also changed the way people work, learn, think and manage. This not only greatly expanded the application scope of computers, but also led to historical changes in reading, writing, and calculation, making computers easier to learn. When the social cells of a new era mature, this era will also arrive. The simplicity and ease of learning computers also promotes the dissemination of all kinds of information. The new and dynamic ways of receiving information will not only have a great impact on our traditional way of receiving knowledge and the education system, but also have a great impact on human beings themselves.
This article analyzes the network solution architecture in detail based on the supermarket's network information needs and network functions. Taking into account the economic costs of the supermarket, the direct relationship between income and human flow, the needs of the network communication platform and the specific implementation of specific applications, it is recommended to establish a good, fast, multi-layer switching network management application system. For the future development trend of paperless office, we can realize supermarket resource sharing, establish a complete data exchange system, quickly transmit information, and adapt to the digital working environment in advance. Based on Linux innovation, the network marketing program is committed to maintaining new technologies such as finance, business and online branches. We must make full use of modern relevant technologies to maximize the competitiveness of supermarkets and meet the needs of network applications such as redundant links, security conditions, and load balancing. Provide a good hardware environment for supermarkets.
2 System Overview
An introduction to the platform that constitutes the system within the supermarket, as well as the currently popular supermarket internal network construction technology, hierarchical model design technology, virtual LAN, and network security technology.
2 . 1 System structure inside the supermarket
2 . 1.1 Information platform
It is currently recommended that users with higher bandwidth requirements or system opening issues also need to establish a network security system for information management and application. The goal of the entire project is to build a highly reliable, high-performance multimedia company network that integrates data transmission and backup, multimedia applications, voice transmission, OA applications and Internet access. Although it improves the service capabilities of the server, prevents server failures, and reduces the openness of the system, it is also necessary to establish a network security system for information management and application.
2 . 1.2 System management and maintenance
Network resource optimization, network monitoring, flexible and efficient network management tools, network operation management, checking the system hardware and software environment, and maintaining comprehensive monitoring of the network system. It is flexible and supports various communication media, multiple physical interfaces, technology updates and equipment upgrades, allowing the system to be improved and updated. The purpose of the program design is to build a highly reliable and high-performance supermarket intranet. In addition to improving the service processing function of the server, it also avoids single points of failure of the server and ensures the normal use of its applications.
2 . 2 Currently popular supermarket internal network establishment technologies
2 . 2.1 Hierarchical model design technology
Network design framework:
1. Core layer: generally does not implement any policies, just for users’ data to reach the Internet at high speed.
2. Aggregation layer: realizes access between different VLANs and policies between VLANs
3. Access layer: Access terminal equipment, such as PC, printer, such as wireless user access
The core layer forms the backbone network (also known as the backbone network), providing high-performance, non-blocking high-speed channels that are comparable to national highways.
The aggregation layer forms the backbone access network and provides access to the high-speed backbone, which is comparable to provincial and municipal highways.
The access layer provides an interface for user access, which can be compared to a general highway.
In this way, the entire network is resilient, efficient and reliable .
2 . 2.2 Virtual LAN
In a purely switched internetwork, the method of dividing broadcast domains is to create virtual LANs ( VLANs). A VLAN is a logical grouping of network users and network resources connected to a manager-defined switch port. When creating a VLAN, port switches can be assigned to serve different subnets. By using VLANs to create broadcast domains, you have full control over all ports and users. You can also create a VLAN based on network resource users and configure and access the switch to notify the network management station of unauthorized access to network resources. In order to ensure the security of communication between VLANs, restrictions on the router can be used to solve this problem.
( 1) Strong flexibility--not subject to any geographical restrictions
( 2) Security---VLANs cannot communicate with each other by default.
( 3) Segmentation: one VLAN=1 broadcast domain=1 subnet/1 main class
Due to the characteristics of VLAN, the VLAN to which broadcast and unicast traffic belongs does not forward the traffic to other VLANs. Its function is to control traffic, improve network security, reduce equipment investment, and simplify network management.
2 . 2.3 Network security technology
Once the network is complete, make sure the entire network is functioning properly. What is particularly important is to prevent computer viruses from invading the network and preventing "hacker" intrusions, which requires the network to do a good job in security precautions, such as data integrity, identity authentication, access authorization, anti-virus intrusion, data confidentiality, audit records, etc. details. Firewalls can be configured using IPSec standard virtual private VPN connections to improve secure intranet, remote network and Internet security access.
Attack Classification of Switched Networks
(1 ) MAC layer attack: Use the overflow of the MAC address table to monitor
(2 ) VLAN attack (VLAN hopping attack)
(3 ) Spoofing attack (ARP spoofing, DHCP spoofing)
(4 ) Attack switch equipment
Since there are a large number of clients and various application servers in the network, client or server computer viruses may be infected at any time due to individual irregular use or other reasons. All virus protection systems are essential. of.
3 Requirements analysis and system design principles
3.1 User needs
3.1.1 Network requirements
(1) Determine the reliability and availability of the network.
(2) Determine the security of the network.
(3) Communication volume requirements
3.1.2 Management requirements
The basic requirement of the program is ease of use and management. The specific implementation of adopting a typical three-layer network architecture not only takes into account the difficulty of actual operation of building a supermarket network, but also ensures the stability of the network. Considering the future development of the network and the growth of enterprises, network information needs to be constantly updated.
3.2 System design principles
3.2.1 Equipment selection principles
According to the plan, the core switch is required to integrate functions such as server software installation, network management software, and Internet behavior management. This is used as the center of network equipment, and devices such as layer 2 switches are used to expand and extend the network.
(1) Brand selection
H3C equipment should be used based on comprehensive considerations such as economic cost, equipment brand awareness, and application convenience.
(2) Main equipment technical performance requirements
The following is the specific information and characteristics of the three types of H3C equipment.
Table 3-2 Detailed information of alternative equipment
| Support features |
S5130-28S-SI |
S5130-52S-SI |
S5130-28F-SI |
||
| Overall machine switching capacity |
256Gbps |
||||
| Packet forwarding rate |
96Mpps |
132Mpps |
96Mpps |
||
| fixed port |
24*10/100/1000Base-T electrical port 4*10G BASE-X SFP+ 10G optical port |
48*10/100/1000Base-T electrical port 4*10G BASE-X SFP+ 10G optical port |
24*100/1000Base-X Gigabit optical port (8*Combo port) 4*10G BASE-X SFP+ 10G optical port |
||
| link aggregation |
Support GE/10GE port aggregation Support dynamic aggregation Supports cross-device aggregation |
||||
| Port characteristics |
Supports storm suppression based on PPS/BPS Support IEEE802.3x flow control (full duplex) Supports storm suppression based on port rate percentage |
||||
| IRF2 |
Supports stacking via standard Ethernet interface Support IRF2 intelligent elastic architecture Support distributed device management and distributed link aggregation Support local stacking and remote stacking |
||||
| IP routing |
Support static routing |
||||
| VLAN |
Supports protocol-based VLANs Support port-based VLAN Support VLAN Mapping Support Voice VLAN Support QinQ, flexible QinQ Support Guest VLAN |
||||
| ACL |
Supports L2 (Layer 2) ~ L4 (Layer 4) packet filtering function, providing flow classification based on source MAC address, destination MAC address, source IP address, destination IP address, TCP/UDP port, protocol type, and VLAN Support time range (Time Range) ACL Supports ACL delivery based on port, VLAN, and globally |
||||
| QoS |
Supports limiting the rate at which ports receive packets and the rate at which they send packets. Support message redirection Supports 8 output queues per port Support port queue scheduling (SP, WRR, SP+WRR) Supports 802.1p and DSCP priority remarking of packets |
||||
| DHCP |
Support DHCP Snooping Support DHCP Client Support DHCP Relay Support DHCP Snooping option82 Support DHCP Server Support DHCP auto-config (zero configuration) |
||||
| multicast |
Support IGMP Snooping / MLD Snooping Support multicast VLAN |
||||
| Layer 2 Ring Network Protocol |
Support STP/RSTP/MSTP/PVST |
||||
| security features |
Support 802.1X authentication/centralized MAC address authentication Support user hierarchical management and password protection Support Guest VLAN Support SSH 2.0 Support port isolation Support RADIUS authentication Support IP+MAC+port multi-group binding Support port security Supports MAC address learning number limit Support IP source address protection Support ARP intrusion detection function |
||||
| Management and maintenance |
Support XModem/FTP/TFTP loading and upgrade Supports command line interface (CLI), Telnet, and Console port for configuration 支持SNMPv1/v2/v3,WEB网管 支持RMON告警、事件、历史记录 支持iMC智能管理中心 支持系统日志,分级告警,调试信息输出 支持NTP 支持Ping、Tracert 支持VCT电缆检测功能 支持DLDP单向链路检测协议 支持Loopback-detection 端口环回检测 |
||||
| 绿色节能 |
支持EEE(802.3az) 支持端口自动Power down功能 支持端口定时down功能(Schedule job) |
||||
| 功耗 |
静态:19W 满载:26W |
静态:38W 满载:45W |
静态 AC: 30W DC: 38W 满载: AC: 60W DC: 68W |
||
| 工作环境温度 |
0℃~45℃ |
||||
| 工作环境相对湿度(非凝露) |
5%~95% |
||||
综合考虑上述设备的条件,本计划采用S5130-28S-SI。
3.2.2 设计目标原则
项目目标
(1)全网连通:分开内外网,各地分超市相互连通。
(2)网络安全:防止外来黑客入侵,保护数据安全。
(3)便于管理:使用基础配置,保证稳定性。
使用典型三层网络架构--------核心层、汇聚层和接入层为一体的网络架构模式。
(1)核心层
负责数据高速转发到Internet,不做任何策略
在主交换机的需求可以旁挂独立的安全设备,为所有的办公网络提供安全功能,确保其安全性。
汇聚接入层交换机,保证VLAN之间的路由和过滤,流量的限速。负责各区域的终端接入,因为每个区域都划分成一个VLAN,不需要区域三路选路,所以接入层交换机为二层交换机。
接入终端设备用户。在本方案中,多以各部门PC设备为主。
4系统组建方案
主要介绍在本次设计中方案综述,拓扑图的规划,设计中用到的主要技术路线,网络硬件设备的选取服务器的设计,VLAN划分以及ACL的应用以及无线网络在超市中的应用。
4.1 方案综述
本方案的基础步骤是:
1.二层交换机和三层交换机之间封装,trunk配置。
2.划分VLAN。
3.DHCP配置,地址分配。
4.网络核心层与路由器之间采用OSPF协议。
5.边界路由器R2运用复用NAT,区分内外网。
6.子网络中的路由器R3加入之前的OSPD协议中。
7.HSRP的配置(主备交换机配置)。
8.服务器配置测试
4.2 拓扑图规划
拓扑图如图1所示:
图4-1拓扑图规划
网络主干主要采用百兆以太网技术是根据超市项目和业务系统的需求给出的切实可靠的超市网络的实施办法,具体表现百兆以太网技术,100Mbps数据传输速率和快速以太网下后兼容技术,以及快速和高性价比的特征使得百兆以太网交换机逐渐成为校园和企业等网络的主要选择应用技术。
4.3 主要技术路线
HSRP (hot standby router protocol )热备份路由器协议
(1)维护虚拟路由器的路由器如果维护路由器失败,那么虚拟路由器是无效的。
(2)PC只需要指定网关到虚拟路由器,维护的路由器会选举以下角色,仅仅只有active路由器才能够进行转发
A.active路由器
B.standby路由器
C.listen 路由器
在核心层采用HSRP协议,在本方案中使用互为主备的方式。将多个VLAN均等划分给两台交换机,分别设定为不同交换机的主备。当某VLAN在一台主核心交换机在工作时,则该VLAN在另一台处于备用状态。这时,汇聚层交换机与两台核心连接,但只与具体运行VLAN的主核心交换机进行通信。主核心交换机间和备用交换机通信以进行冗余备份。当主核心出现问题,备份交换机可立刻接过工作,使网络畅通。因此如要生成树优先设计,如下图图2主交换机。
图4-2 HSRP交换机
图4-3 HSRP交换机
现代交换机的通用技术是端口聚合,它的最终效果是在配置的端口,使该端口获得更高的带宽、更大的吞吐量和可恢复性的技术。它的工作具体是将一组物理端口进行合并,形成一个逻辑通道。这样,交换机会认为这个逻辑通道为一个端口,以提供更高的带宽、更大的吞吐量和可恢复性的技术。
Trunk的条件:
1)两边封装的协议一定要相同(ISL/802.1Q)
2)两边的模式一定要匹配
3)vtp domain 一定要相同(要么都为空,要么都一样)
技术如图图3,图4端口聚合设计。
每个路由器都会产生自己的LSA(链路状态通告),然后通告出去,收到LSA的路由器会转发给其他的路由器,这个过程就是OSPF的工作过程。
OSPF区域是基于路由器的接口划分的,而不是基于整台路由器划分的,一台路由器可以属于单个区域,也可以属于多个区域。
OSPF划分区域优点:在边界路由器做汇总
(1)减少LSA的泛洪的范围,只会在本区域内进行泛洪
(2)能够减少路由表条目
在该实验中R1 和 DHCP-server1 ,DHCP-server2 之间运行OSPF协议。 最好在运行OSPF的每台设备上创建一个lo 0接口,作为它的RID地址。
图4-7 R1路由条目
4.4 服务器设计
(1)DNS服务器设计
本设计中加入了一台专门的DNS服务器,由其统一对IP地址进行管理,DNS服务器的IP地址为:100.1.1.1。下图为本设计的服务器页面。
图4-8 DNS服务器
(2)WEB服务器设计
Web服务器是指驻留于因特网上某种类型计算机的程序。
图4-9 WEB服务器
(3)FTP服务器设计
Internet中一种广泛使用的服务之一,是传输文件的服务,主要用来在两台机器之间(甚至是一同系统)应用。在该实验中配置FTP服务器的地址为100.1.1.3。
图4-10 FTP服务器
4.5 网络配置与管理
4.5.1 VLAN划分
因为在实际超市网络中各种部门的划分,二层交换机的大量使用以及子超市、分店的存在,要保证业务隔离又保证业务效率,还有从安全性和实际操作难度综合考虑,合理的网络划分是解决该问题的办法。
表4-1VLAN和IP分配表
| IP网段 |
||
| VLAN10 |
DHCP地址分配 |
|
| VLAN20 |
DHCP地址分配 |
|
| VLAN30 |
DHCP地址分配 |
|
| VLAN40 |
DHCP地址分配 |
|
创建VLAN、命名VLAN如图图4-11划分vlan
图4-11 VLAN划分
图4-12 VLAN接口
4.5.2 IP地址分配与DHCP设置
DCHP请求过程:
(1)客户端发送discover报文到服务器(请求服务器分配地址)---广播方式方式
(2)服务器收到客户端请求,那么服务器就会发送offer报文给客户端(包含IP地址,子网掩码,地址租期,网关,DNS--并且标记不可用)
(3)客户端收到offer报文,虽然有地址,但是不能够使用,所以发送request报文,请求地址使用
(4)服务器收到request报文,发送ackonwledgement报文并且标记地址可用,那么客户端就可以使用了
图4-13 DHCP地址规划
图4-14 PC的DHCP地址配置
将两个属于不同VLAN的网络 ping,检查连通性。
图4-15 不同VLANping测试
由图15结果可知在该实验中处于同一VLAN中网络可通。
PC本地信息查看中,可查看简单的地址信息
图4-16 DHCP测试
由上图可知,dhcp配置成功。
图4-17 外网测试
图4-17表明该PC可以连通外网。
图4-18 分店的连通性测试
图4-18表明子超市可以与超市端销售PC相通。
图4-19 NAT配置
图4-20 分店与外网连接测试
根据以上结果,超市网络内部的任何电脑都可以访问互联网,且在内网互通。
图4-21 WEB服务器效果
4.5.3 NAT在超市网络中的设置和应用
NAT核心思想:将私网地址转换成公网地址。解决了lP地址不足的问题的有效方法之一----网络地址转换,而且NAT还可以避免网络外部的攻击,有效隐藏和保护网络中的计算机。
NAT的类型:
1.静态NAT:手工指定一对一
2.动态NAT:动态绑定一对一
3.复用NAT:一对多(65535),用端口号来区分
4.状态化NAT:冗余的NAT,跟HSRP结合,当主路由器失效,那么切换到备份的路由器做NAT
NAL优点:
1.节省了公网IP地址
2.能够处理编址方案重叠的情况
3.网络发生改变时不需要重新编址
4.隐藏了真正的IP地址
NAT缺点:
1.NAT引起数据交互的延迟
2.导致无法进行端到端的IP跟踪
3.某些应用程序不支持NAT
4.需要消耗额外的CPU和内存
4.5.4 访问控制列表在超市网络中的设置和管理
访问控制列表(Access Control List,ACL)是路由器和交换机接口的指令列表,用来控制端口进出的数据包。NAT核心思想:将私网地址转换成公网地址。ACL 分为三大类:
(1)标准访问控制列表 standard access control list:
A.列表号1-99,1300-1999
B.只检查源地址,不检查目的地址
C.允许或者拒绝整个协议
(2) 扩展访问控制列表 extended access control list:
A.列表号100-199,2000-2699
B.检查源地址与目的地址
C.允许或者拒绝某个特定的协议
(3) 命名访问控制列表 named access control list:
A.列表号就是一个名字,而不是一个数字
ACL的应用场合:
1.telnet的过滤/vty的过滤--限制仅仅某个主机才能够telnet
2.QOS(quality of service 服务质量)的判断---默认情况下,所有的数据优先级都为0,可以采用ACL针对某些流量设置不同的优先级,不同的流量分配的不同标记
3.数据层面的过滤:只能够允许某个网络
4.控制层面的过滤:只允许接受某些路由条目
5 网络安全配置
5.1 防病毒软件
针对与其他设备和软件工具相关的特定环境问题制作反病毒解决方案。与此同时,病毒的来源也远比单机环境复杂得多。一个反病毒软件不仅保护文件服务,而且在邮件,员工使用pc,网关和所有其他计算机硬件的保护。另外,防病毒软件必须能够监控并拦截可能导致病毒的任何信息来源,例如电子邮件,FTP文件,网站,磁盘,CD等等。 一般来说,软件应该着重于以下几个方面:
l病毒查杀能力
l对新病毒的反应能力
l病毒实时监测
l快速方便的升级
l智能安装、远程识别远程安装、远程设置
l管理方便,易于操作
l对现有资源的占用情况
l系统兼容性
l软件的价格
l软件商的企业实力
5.2 安全策略
在大中型企业网络中,各种安全策略的具体实现是以外围路由器、内部路由器和防火墙这三者的搭配和具体配置来协调完成的。内部路由器通过使用访问控制列表来过滤发送到企业网络的受保护部分的信息以增加安全性。
在可信网络内部,可不使用路由器,而结合使用虚拟局域网(VLAN)和交换机。多层交换机内置了安全功能,可替代内部路由器在VLAN架构中提供较高的性能。
5.3 禁用和配置网络服务
默认情况下,思科IOS运行了一些不必要的服务,如果不禁用它们,它们很可能成为拒绝服务(DoS)攻击的目标。
DoS攻击是最常见的攻击,因为这种攻击最容易发动。要检测并防范这些有害的简单攻击,可使用软件和硬件工具,如入侵检测系统(IDS)和入侵防范系统(IPS)。然而如果不能实现IDS/IPS,可在路由器上执行一些基本命令,让路由器更安全,但没有任何措施可确保当今的网络绝对安全。
下面来看看应在路由器上禁用的部分基本服务。
1.禁用HTTP进程
2.阻断SNMP分组
3.禁用代理ARP
4.禁用BootP和自动配置
5.禁用echo
6.禁用重定向消息