Hotel network design and simulation (complete document + Cisco topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!
 

Summary

This hotel network design manual, built for the Cisco Packet Tracer simulator, explains the planning and design process of a hotel in the service industry, covering the whole process from topology planning through detailed design to connectivity testing.

Referring to the networking requirements of hotels at the same level and in the same industry, we strictly follow standardized network construction requirements and build the network on the principles of modularization, layering and standardization, from the bottom-level terminals to the access layer, the aggregation layer, the backbone/core layer and the egress. Network resources are allocated reasonably at each layer to achieve a safe and effective network topology. The hotel network is divided into the hotel lobby, catering department, guest room department, storage department and server group area, and the whole hotel is covered by wireless. The network equipment comes from several vendors: the firewalls are mainly from Huawei and Hillstone (Shanshi), the core-layer routing equipment is mainly from Cisco and Huawei, the aggregation layer is mainly from Huawei and H3C, the access layer is mainly from H3C and Ruijie, and the wireless equipment is mainly from Ruijie.

The hotel network belongs to the service industry, so the whole intranet uses Cisco's proprietary EIGRP routing protocol, because it converges faster and is more stable. The industry's requirements for integrity, privacy and security are the highest of any industry, so the security policy levels of the internal and external firewalls at the egress must be strictly defined. Computer network engineering is a rising major in today's IT industry, so contemporary college students are required to master its important technologies, and that level of mastery is sufficient to demonstrate professional skill.

Keywords: networking requirements; hotel network; Cisco Packet Tracer

1 Introduction
1.1 Research background
1.2 The purpose and significance of the research
1.3 Main content and research route of the topic
2 Introduction to EIGRP protocol technology
2.1 EIGRP related concepts
2.2 EIGRP related features
2.3 Comparison of routing protocol characteristics
2.4 Introduction to the DUAL algorithm
3 Layer 2 network technology analysis
3.1 Virtual LAN—VLAN
3.2 Spanning Tree Protocol—STP
3.2.1 Principle of the Spanning Tree Protocol
3.2.2 BPDU message
3.3 Access control list technology—ACL
3.4 Address translation technology—NAT
3.5 Dynamic IP address acquisition technology—DHCP
3.5 VTP technology
4 Hotel demand analysis
4.1 Basic network requirements analysis
4.2 Network feature requirements
4.3 Network function requirements
5 Hotel LAN design plan
5.1 Principles of hotel network design
5.2 Hotel network topology diagram
5.3 Overall planning of the hotel network
5.4 Network level design
5.5 IP address planning and subnetting
5.6 Network equipment selection
6 Hotel LAN operation configuration
6.1 EIGRP configuration
6.2 VLAN configuration
6.3 HSRP configuration
6.4 DHCP configuration
6.5 NAT configuration
6.6 GRE VPN configuration
7 Hotel network connectivity test
7.1 Inter-region communication connectivity PING test
7.2 Server access communication connectivity test
7.3 External network access connectivity test
7.4 Storage department access connectivity test
7.5 Hotel and data center connectivity test
8 Hotel network connectivity simulation troubleshooting
References
Appendix

1 Introduction

1.1 Research background of the topic

The Internet is an indispensable part of contemporary society, which depends on it more and more, and its status in the industry keeps rising; Internet technology is therefore constantly being learned, improved and applied. The hotel designed here is meant to meet the construction requirements of a higher-standard hotel in the service industry, and it must comply with the various international information network security standards for bottom-level terminal access and for the security policy definitions of the egress network equipment.

Hotel network architecture design in China first emerged in the 1990s with the Hilton hotel network. Since then, major domestic Internet companies have kept building large hotels, which have sprung up everywhere like bamboo shoots after rain. Because the hotel designed here follows the traditional rules of redundancy and disaster recovery, a backup data center is set up at a remote location and interconnected with the main one for data transmission. Once an abnormality occurs in the main data center, packet traffic is immediately switched to the backup data center so that business is not affected and no economic loss is caused. The active and backup sites of this hotel network use a GRE VPN tunnel for transmission. Since tunnel mode is already used inside the intranet, IPsec VPN is not needed, which avoids the extra time spent on IPsec's second layer of encryption.

1.2 The purpose and significance of the research

This design uses the Cisco Packet Tracer simulator to simulate the interconnection of network devices, so that a standardized first-class hotel network can be established that is able to carry greater business needs in the future. A hotel mainly has these organizational units: hotel lobby, catering department, guest room department, storage department and server group area. Similar hotels share the same organizational structure.

As a sunrise technology, computer network engineering is pursued by countless scholars at home and abroad, even though the learning process is very tedious and includes countless protocol types, network types and architectural models. It is, however, a technology that can interconnect everything in real life and benefit the majority of end users. In the future development of the Internet, technologies such as SD-WAN, SDN and Python will also be evolutionary trends; these are emerging technologies that contemporary college students need to keep learning and updating. In planning and building the hotel network, we mainly studied the dynamic routing protocol EIGRP in detail and took advantage of the fast convergence of Cisco's proprietary protocol to provide customers with better solutions.

1.3 Main content and research route of the topic

1. The main research content of this topic:

(1) Taking the construction of a certain hotel as the basis, on the premise of building the infrastructure, the network needs to be deployed in a targeted manner from early demand analysis to detailed configuration, so that a standardized and effective hotel private network is established, together with the corresponding configuration explanation and solution introduction.

(2) Based on the medium-to-large network construction requirements formulated for the hotel in the early stage of construction, this design was implemented in the Cisco Packet Tracer simulator: a detailed topology diagram was planned, detailed configuration was carried out, and connectivity testing was conducted afterwards.

(3) When an error or fault point is found in the hotel private network topology diagram designed here, it must be classified and corrected. As with the drawing design, this makes the planned network solution more complete and detailed and can effectively avoid failures in the future.

2. The technical research route adopted:

The hotel network implemented in this simulation is a three-layer network architecture that follows international standards, from which the data analysis, solution construction and detailed technical introduction up to the configuration of the requirements are studied. The EIGRP dynamic routing protocol is used: as a Cisco proprietary routing protocol, EIGRP is a relatively mainstream dynamic routing protocol in the industry today and lets the egress routing devices and the core devices in the architecture form a better correlation.

This graduation thesis studies the network design and construction of large hotels, in order to draw relevant conclusions and give a detailed analysis of the various technologies in the three-layer network topology.

2 Introduction to EIGRP protocol technology

2.1 EIGRP related concepts

The EIGRP dynamic routing protocol is a Cisco proprietary protocol whose name translates as Enhanced Interior Gateway Routing Protocol; in 2013 Cisco headquarters in the US announced that it was being made public. EIGRP uses the K values to compute its metric; although the K-value calculation is extremely complex, its importance in routing is high. Compared with other dynamic routing protocols, EIGRP routing entries not only converge faster in the routing table but also send and receive packets faster in the network topology. Once an announced entry under EIGRP process 90 triggers packet delivery, neighbor establishment becomes very fast, and its sending and receiving speed should be the fastest among all routing protocols. Its modified diffusing algorithm, DUAL, has the corresponding characteristics and is commonly used in real topology scenarios.

2.2 EIGRP related features

The EIGRP dynamic routing protocol is highly compatible within the hotel and covers a wide area at the core layer, and it has the advantage of faster route convergence. Since EIGRP was one of Cisco's most effective routing protocols in the early days, here is a brief introduction to its main features:

Fast packet convergence: because of the characteristics of most routing protocols in the TCP/IP seven-layer protocol, they spend more time on initiation, forwarding, convergence and announcement, whereas EIGRP does not need such a complex process, which greatly reduces the announcement time and improves efficiency within an effective time. Thanks to the DUAL modified diffusing algorithm, the COST overhead generated by data traffic keeps getting smaller. To put it plainly, take a real-life scenario: in the hotel network designed here, because it is in the service industry, the data center needs two core switches in a VRRP dual-machine hot-standby role. If the active device fails, all packet traffic is actively switched to the standby device, making the whole topology more fault-tolerant.

Bandwidth reduction: if a node in the hotel network topology changes, the routing entries in the routing table do not change accordingly, so the global routing state is not affected. On low-rate WAN egress lines, EIGRP routing may occupy more bandwidth because of port rate mismatch, but this does not affect the working state of the routing table in global configuration mode.

2.3 Comparison of Routing Protocol Characteristics

Each routing protocol used in the hotel network has a different mission and role. Routing protocols are mainly divided into static routing and dynamic routing protocols. A routing protocol is like the blood flowing in the human body, delivering nutrients, and each network device with a routing function is like an organ.

Static default route: the most primitive and common form of routing, which usually requires manual configuration by engineers and so greatly increases their workload. The static route syntax is: ip route <destination network> <subnet mask> <next-hop address | exit interface>. When configuring the topology of this large service hotel, it is absolutely impossible to use a large number of static routes, which would greatly reduce construction efficiency; a mainstream dynamic routing protocol is required to announce routes to connected networks on the same or different segments.

RIP dynamic routing protocol: a routing protocol that is being phased out, classified as a distance-vector routing protocol. RIP can no longer meet the construction specifications of contemporary large hotel networks, its packet sending and receiving speed is slow, and it cannot carry the load of a private network above Gigabit. RIP is not without advantages: when announcing a network segment, only the network segment information is required, with no detailed data.

OSPF routing protocol: a dynamic routing protocol commonly used today in many small and medium enterprises, large and medium hospitals, and small and medium campus networks. It is highly compatible and can be used in various network scenarios. Its disadvantage is that the configuration is more cumbersome: its inverse (wildcard) mask and the area type it belongs to must be configured.

EIGRP routing protocol: the core-layer routing protocol used by this hotel is EIGRP, the Enhanced Interior Gateway Routing Protocol. As a now-public dynamic routing protocol, its DUAL modified diffusing algorithm is the core technology of the protocol and plays an indispensable role; EIGRP is also more convenient during route redistribution and can form a better integrated network system with other dynamic routing protocols.

Among all dynamic routing protocols, only EIGRP can be widely used to transmit packets based on link-state forwarding, so EIGRP's route forwarding convergence speed is also first-class in the industry. Because EIGRP's own unicast address differs from that of other routing protocols (it is 224.0.0.10 rather than a single 128.0.0.1), such reasonable planning is safer and more standardized.

2.4 Introduction to DUAL algorithm

The DUAL algorithm, which translates as the Diffusing Update Algorithm, is the core algorithm of the EIGRP dynamic protocol and plays an extremely critical part in the network topology. It can quickly find the delivery path with the shortest distance, best solution and shortest time across the whole topology, and can intelligently determine whether a loop will exist in the network. DUAL has the following three principles:

1. Once EIGRP is running on a routing device, DUAL notifies the neighbors of the announced network segments and selects the optimal path.

2. The metric value is recalculated using the cost values generated by the routers.

3. The shortest-path priority is determined by the cost calculated from the K values.
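As an added example (not part of the thesis), the following Python models what sections 2.1 and 2.4 describe in words: the composite metric computed from the K values (default K1 = K3 = 1) and DUAL's choice of successor and feasible successors, whose feasibility condition is what lets EIGRP switch to a backup without risking a loop. The neighbor names and link figures are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Default K values (what "router eigrp <AS>" uses unless "metric weights" is changed).
K1, K2, K3, K4, K5 = 1, 0, 1, 0, 0


def eigrp_metric(min_bw_kbps: int, total_delay_us: int,
                 load: int = 1, reliability: int = 255) -> int:
    """Classic 32-bit EIGRP composite metric.

    bandwidth term: 10^7 / lowest bandwidth (kbps) along the path
    delay term:     sum of interface delays along the path, in tens of microseconds
    With the default K values this collapses to 256 * (bandwidth term + delay term).
    """
    bw_term = 10_000_000 // min_bw_kbps
    delay_term = total_delay_us // 10
    metric = K1 * bw_term + (K2 * bw_term) // (256 - load) + K3 * delay_term
    if K5 != 0:  # the reliability factor is only applied when K5 is non-zero
        metric = metric * K5 // (reliability + K4)
    return 256 * metric


@dataclass(frozen=True)
class Advert:
    """One neighbor's advertisement for a destination, plus the link it arrived on."""
    neighbor: str
    adv_min_bw_kbps: int   # lowest bandwidth on the neighbor's own path
    adv_delay_us: int      # total delay on the neighbor's own path
    link_bw_kbps: int      # bandwidth of our interface toward this neighbor
    link_delay_us: int     # delay of our interface toward this neighbor

    def reported_distance(self) -> int:
        """RD: the neighbor's own metric to the destination."""
        return eigrp_metric(self.adv_min_bw_kbps, self.adv_delay_us)

    def computed_distance(self) -> int:
        """Our metric via this neighbor: fold our link into the advertised vector."""
        return eigrp_metric(min(self.adv_min_bw_kbps, self.link_bw_kbps),
                            self.adv_delay_us + self.link_delay_us)


@dataclass
class DualResult:
    successor: str
    feasible_distance: int
    feasible_successors: List[str]   # loop-free backups, best first


def dual_select(adverts: List[Advert]) -> DualResult:
    """Choose the successor and the feasible successors for one destination.

    Feasibility condition: a backup's RD must be strictly less than our FD.
    A neighbor with RD >= FD could be reaching the destination through us, so
    DUAL will not use it as a backup without first querying (the Active state).
    """
    best = min(adverts, key=Advert.computed_distance)
    fd = best.computed_distance()
    backups = sorted((a for a in adverts
                      if a is not best and a.reported_distance() < fd),
                     key=Advert.computed_distance)
    return DualResult(best.neighbor, fd, [a.neighbor for a in backups])


def on_successor_loss(adverts: List[Advert], lost: str) -> Tuple[str, Optional[str]]:
    """What DUAL does when the neighbor `lost` goes away.

    Returns ("passive", next_hop) when the repair is local, or ("active", None)
    when no feasible successor exists and the route must be queried among neighbors.
    """
    result = dual_select(adverts)
    if result.successor != lost:
        return ("passive", result.successor)               # successor unaffected
    if result.feasible_successors:
        return ("passive", result.feasible_successors[0])  # promoted, no query sent
    return ("active", None)                                # go Active and query


# Constructed sample (not from the thesis): three neighbors advertising 10.0.0.0/24.
SAMPLE_ADVERTS = [
    # FastEthernet end to end: the best path.
    Advert("R2", adv_min_bw_kbps=100_000, adv_delay_us=100,
           link_bw_kbps=100_000, link_delay_us=100),
    # R3 has a short path itself, but our link to R3 is 10 Mbit/s Ethernet.
    Advert("R3", adv_min_bw_kbps=100_000, adv_delay_us=100,
           link_bw_kbps=10_000, link_delay_us=1_000),
    # R4 reaches the destination over a T1 serial link, so its RD is large.
    Advert("R4", adv_min_bw_kbps=1_544, adv_delay_us=20_000,
           link_bw_kbps=100_000, link_delay_us=100),
]

if __name__ == "__main__":
    res = dual_select(SAMPLE_ADVERTS)
    print(f"successor={res.successor} FD={res.feasible_distance} "
          f"feasible successors={res.feasible_successors}")
    print("after losing R2:", on_successor_loss(SAMPLE_ADVERTS, "R2"))
```

R4 offers a working path but is not a feasible successor because its reported distance exceeds the feasible distance, which is exactly the case where DUAL goes Active and queries instead of trusting the backup.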

3 Layer 2 network technology analysis

3.1 Virtual LAN - VLAN

The function of a virtual LAN is to let users in the same Layer 2 network environment use the network without being restricted by floors, offices, information points or the physical location of equipment. A VLAN can be transparently carried to the required port, which means that communication between user 1 and user 2 takes place within the same LAN and they can communicate directly without passing through a gateway device; this is the reason VLAN technology exists. Most importantly, a VLAN also isolates the Layer 2 broadcast domain of the switch, since broadcast problems are the most feared failure in a Layer 2 environment. By default, different VLANs cannot communicate directly in the Layer 2 environment and must be forwarded by a gateway device before normal communication can occur; this is also the most commonly used technology.

3.2 Spanning Tree Protocol—STP

The Spanning Tree Protocol (STP) is mainly used to prevent MAC flapping, ARP flapping and other failures that can occur in a Layer 2 network environment. Basically all Layer 2 network equipment enables spanning tree by default; the only difference is that each manufacturer's default spanning tree mode is different. For example, when two devices from different manufacturers are interconnected, if the spanning tree mode of device A (an H3C or Huawei device, say) is MSTP and the spanning tree mode of device B (a Cisco device, say) is rapid-pvst, then device A and device B cannot communicate normally when connected: the port goes down and cannot come up. Normally, the default spanning tree mode of mainstream manufacturers' equipment such as Cisco is PVST, while the default mode of H3C and Huawei equipment is MSTP. However, they all support PVST mode, so when Cisco equipment is connected to H3C or Huawei equipment at Layer 2, PVST mode is generally used; PVST is also a public spanning tree protocol supported by all equipment manufacturers.

3.2.1 Principle of Spanning Tree Protocol

If the spanning tree modes differ, it is equivalent to spanning tree not being enabled at all; in that case the ports cannot be blocked automatically to avoid loops. STP prevents loops and provides path redundancy for the network.

As shown in the figure below, in a ring Layer 2 environment, switch A, switch B and switch C are interconnected in pairs to form a ring. According to the election rules they block one port, that is, the port is disabled; it is then in the down state and does not take part in data forwarding. As shown in the figure, the link between port 6 and port 2 is blocked and does not forward data.

Suppose computer 1 under switch B wants to access computer 2 under switch C. The packet flow is as follows: computer 1 first sends the packet to switch B; switch B looks up its ARP table and forwards it out port 4 to switch C; after receiving the packet, switch C looks up its ARP table and forwards it to computer 2.

Suppose computer 1 under switch C wants to access computer 2 under switch A. The packet flow is as follows: computer 1 first sends the packet to switch C; switch C looks up its ARP table and must forward it out port 5 to switch B, because port blocking prevents it from forwarding directly to switch A through port 6. After receiving the packet, switch B looks up its ARP table and forwards it out port 3 to switch A. After receiving the packet on port 1, switch A looks up its ARP table and forwards it to computer 2, completing the communication.

Suppose computer 1 under switch B wants to access computer 2 under switch A. The packet flow is as follows: computer 1 first sends the packet to switch B; switch B looks up its ARP table and forwards it out port 3 to switch A; after receiving the packet on port 1, switch A looks up its ARP table and forwards it to computer 2.

If any of port 3 or port 4 on switch B, port 5 on switch C or port 1 on switch A fails (for example through hardware damage or another fault that brings the interface down), or if either the link between switch A and switch B or the link between switch B and switch C is disconnected (for example through fiber damage, module damage or other factors), then port 6 enters the forwarding state. How long it takes to enter the forwarding state depends on the protocol, and the time to start forwarding differs between protocols. Let us assume that the link between port 4 and port 5 is interrupted due to module damage.

How are packets forwarded in this case?

Suppose computer 1 under switch B wants to access computer 2 under switch C. Computer 1 first sends the packet to switch B; switch B looks up its ARP table and forwards it out port 3 to switch A, because the failed link between switch B and switch C cannot carry the packet directly and it has to go around. After receiving the packet, switch A looks up its ARP table and forwards it out port 2 to switch C; switch C checks its ARP table and forwards it to computer 2.

Suppose computer 1 under switch C wants to access computer 2 under switch A. Computer 1 first sends the packet to switch C; switch C looks up its ARP table and forwards it out port 6 to switch A. After receiving the packet on port 2, switch A looks up its ARP table and forwards it to computer 2, completing the communication.

Suppose computer 1 under switch B wants to access computer 2 under switch A. Computer 1 first sends the packet to switch B; switch B looks up its ARP table and forwards it out port 3 to switch A; after receiving the packet on port 1, switch A looks up its ARP table and forwards it to computer 2.

The working principle of STP is to block a certain port through a mechanism so that the network is redundant yet loop-free.

 

Figure 3.2.1 Network forming a loop

3.2.2 BPDU message

Each spanning tree protocol's election mechanism for selecting blocked ports is different, but all of them elect through BPDU messages. So what is a BPDU message? It is a message sent to all switches participating in the spanning tree so that a switch can obtain information about the other switches in the Layer 2 network environment.

At first every switch thinks highly of itself and believes it is the root bridge, and sends BPDU messages. In fact only the root bridge sends BPDU messages; the other switches compare themselves with the BPDU they receive. If the other party is better, a switch gives up being root bridge and forwards the BPDU to other switches; if it is better itself, it tells the other party and forwards its own BPDU to the others so they can compare. By default the root bridge sends a BPDU every 2 seconds.

What are the functions of BPDU messages?

  1. Used for root bridge election in the same Layer 2 network environment.
  2. Used to determine where the redundant path is, that is, through which line packets can be forwarded to other devices when the original line fails, has a port problem, or is shut down manually.
  3. Blocks some ports through the election to prevent loops.
  4. In a Layer 2 network environment, when a computer is turned on or off and changes a port's up/down state, or when a device fails or some uncontrollable factor causes a failure, BPDU messages inform the other switches of the topology change.
  5. Monitors the spanning tree state at all times for topology changes or changes in which ports are blocked or forwarding.
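The ring of Figure 3.2.1 and the BPDU election of 3.2.2 worked through in code, as an added example rather than material from the thesis: the lowest bridge ID becomes root, each other switch picks its root port, one end of every segment is designated, and whatever is left (port 6 on switch C) is blocked; removing the B4-C5 link shows port 6 moving to forwarding. Bridge priorities and MAC addresses are constructed.

```python
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

Port = Tuple[str, int]          # (switch name, port number)


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int               # 802.1D bridge priority, default 32768
    mac: str

    @property
    def bridge_id(self) -> Tuple[int, str]:
        """Lower bridge ID wins: priority first, then MAC address."""
        return (self.priority, self.mac)


@dataclass(frozen=True)
class Link:
    a: str
    a_port: int
    b: str
    b_port: int
    cost: int = 19              # 802.1D path cost of a 100 Mbit/s link


def elect_root(bridges: Dict[str, Bridge]) -> str:
    """Every switch starts out claiming to be root; the lowest bridge ID wins."""
    return min(bridges.values(), key=lambda br: br.bridge_id).name


def root_path_costs(links: List[Link], root: str) -> Dict[str, int]:
    """Cheapest path cost from every reachable switch to the root (Dijkstra)."""
    adj: Dict[str, List[Tuple[str, int]]] = {}
    for ln in links:
        adj.setdefault(ln.a, []).append((ln.b, ln.cost))
        adj.setdefault(ln.b, []).append((ln.a, ln.cost))
    inf = float("inf")
    cost: Dict[str, int] = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost.get(u, inf):
            continue
        for v, c in adj.get(u, []):
            if d + c < cost.get(v, inf):
                cost[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return cost


def port_roles(bridges: Dict[str, Bridge], links: List[Link]) -> Tuple[str, Dict[Port, str]]:
    """Return the root bridge and the role of every port: root, designated or blocked."""
    root = elect_root(bridges)
    cost = root_path_costs(links, root)
    roles: Dict[Port, str] = {}
    # Root port: on each non-root switch, the port whose neighbor offers the best
    # (root path cost, neighbor bridge ID, neighbor port ID) tuple.
    best_offer = {}
    for ln in links:
        for me, my_port, nb, nb_port in ((ln.a, ln.a_port, ln.b, ln.b_port),
                                         (ln.b, ln.b_port, ln.a, ln.a_port)):
            if me == root or nb not in cost:
                continue
            offer = (cost[nb] + ln.cost, bridges[nb].bridge_id, nb_port)
            if me not in best_offer or offer < best_offer[me][0]:
                best_offer[me] = (offer, my_port)
    for me, (_, my_port) in best_offer.items():
        roles[(me, my_port)] = "root"
    # Designated port: on every segment, the end with the lower root path cost
    # (tie broken by lower bridge ID) is the one that forwards for that segment.
    for ln in links:
        if ln.a not in cost or ln.b not in cost:
            continue
        ends = [(cost[ln.a], bridges[ln.a].bridge_id, ln.a, ln.a_port),
                (cost[ln.b], bridges[ln.b].bridge_id, ln.b, ln.b_port)]
        _, _, sw, port = min(ends)
        roles.setdefault((sw, port), "designated")
    # Whatever is neither root nor designated is blocked (802.1D "alternate").
    for ln in links:
        roles.setdefault((ln.a, ln.a_port), "blocked")
        roles.setdefault((ln.b, ln.b_port), "blocked")
    return root, roles


def blocked_ports(bridges: Dict[str, Bridge], links: List[Link]) -> List[Port]:
    _, roles = port_roles(bridges, links)
    return sorted(p for p, r in roles.items() if r == "blocked")


def fail_link(links: List[Link], sw: str, port: int) -> List[Link]:
    """Topology after the link attached to (sw, port) goes down, e.g. a bad module."""
    return [ln for ln in links
            if (ln.a, ln.a_port) != (sw, port) and (ln.b, ln.b_port) != (sw, port)]


# Constructed sample matching the figure: A1-B3, A2-C6, B4-C5. B is given the lowest
# priority so that it is the intended root bridge; A's MAC is lower than C's.
SAMPLE_BRIDGES = {
    "A": Bridge("A", 32768, "00:00:00:00:00:aa"),
    "B": Bridge("B", 4096, "00:00:00:00:00:bb"),
    "C": Bridge("C", 32768, "00:00:00:00:00:cc"),
}
SAMPLE_LINKS = [Link("A", 1, "B", 3), Link("A", 2, "C", 6), Link("B", 4, "C", 5)]

if __name__ == "__main__":
    root, roles = port_roles(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", root)
    for p in sorted(roles):
        print(f"  switch {p[0]} port {p[1]}: {roles[p]}")
    print("blocked after B4-C5 fails:",
          blocked_ports(SAMPLE_BRIDGES, fail_link(SAMPLE_LINKS, "B", 4)))
```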

3.3 Access control list technology—ACL

ACL technology was first used in the previous generation of firewalls and was later extended to ordinary network equipment. It is currently most commonly used on routers and switches for network segment isolation, IP isolation, route selection and other actions. Later, as firewall functions became more and more powerful, enterprises that could afford it bought firewalls to control access, and access control was basically implemented on the firewall.

ACLs are divided into two categories, standard access control lists and extended access control lists. What is the difference between the two?

A. Standard access control list

It can only permit or deny an entire protocol, such as IP; it cannot deny or permit the port numbers of particular protocols.

It only cares about the source address and does not care where the packet is going; that is, it does not check the destination address at all, only the source address.

Standard access control list numbers can only be in the range 1 to 99 or 1300 to 1999; other numbers cannot be used.

B. Extended access control list

Extended access control list numbers can only be in the range 100 to 199 or 2000 to 2699; other numbers are unavailable.

Compared with a standard access control list, an extended access control list is concerned with both the source address and the destination address: it checks not only the source address but also the destination address.

It can precisely deny or permit a specific network protocol, for example disallowing access to a certain address using FTP port number 23.
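An added example (not from the thesis) that models the two ACL types described above: a Cisco wildcard-mask matcher, a standard list that checks only the source, an extended list that also checks protocol, destination and destination port, first-match evaluation with the implicit deny at the end, and a renderer that prints each entry in IOS access-list syntax. The addresses and list numbers are constructed, not the thesis's plan.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Number ranges given in the text: standard 1-99 / 1300-1999, extended 100-199 / 2000-2699.
STANDARD_RANGES, EXTENDED_RANGES = ((1, 99), (1300, 1999)), ((100, 199), (2000, 2699))


def acl_kind(number: int) -> str:
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"{number} is not a valid numbered IP access list")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored (inverse of a netmask)."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"                # extended lists only; "ip" means any IP protocol
    dst: str = "0.0.0.0"             # extended lists only; default pair means "any"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None   # extended lists only ("eq <port>")


class AccessList:
    def __init__(self, number: int, entries: List[Entry]):
        self.number, self.kind, self.entries = number, acl_kind(number), entries
        if self.kind == "standard":
            for e in entries:
                if e.proto != "ip" or e.dst_port is not None or e.dst_wc != "255.255.255.255":
                    raise ValueError("a standard ACL can only match on the source address")

    def _matches(self, e: Entry, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            return False
        if self.kind == "standard":          # source checked; nothing else is looked at
            return True
        if e.proto != "ip" and e.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            return False
        return e.dst_port is None or e.dst_port == pkt.dst_port

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; the implicit 'deny any' at the end catches the rest."""
        for e in self.entries:
            if self._matches(e, pkt):
                return e.action
        return "deny"

    def render(self) -> List[str]:
        """The same entries in IOS numbered-ACL syntax."""
        def addr(base: str, wc: str) -> str:
            if wc == "255.255.255.255":
                return "any"
            if wc == "0.0.0.0":
                return f"host {base}"
            return f"{base} {wc}"
        lines = []
        for e in self.entries:
            parts = ["access-list", str(self.number), e.action]
            if self.kind == "standard":
                parts.append(addr(e.src, e.src_wc))
            else:
                parts += [e.proto, addr(e.src, e.src_wc), addr(e.dst, e.dst_wc)]
                if e.dst_port is not None:
                    parts += ["eq", str(e.dst_port)]
            lines.append(" ".join(parts))
        return lines


# Constructed sample addressing: guest rooms 192.168.10.0/24, storage department
# 192.168.20.0/24, and a server at 172.16.1.10 in the server group area.
STORAGE_ISOLATION = AccessList(10, [       # standard: decides by source only
    Entry("deny", "192.168.20.0", "0.0.0.255"),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
])
SERVER_FTP_BLOCK = AccessList(110, [       # extended: blocks only FTP control (tcp/21)
    Entry("deny", "192.168.10.0", "0.0.0.255", proto="tcp",
          dst="172.16.1.10", dst_wc="0.0.0.0", dst_port=21),
    Entry("permit", "0.0.0.0", "255.255.255.255"),
])
```

Calling `STORAGE_ISOLATION.render()` and `SERVER_FTP_BLOCK.render()` prints the lines one would paste into a Cisco router, which makes the difference between the two list types visible in the syntax itself.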

3.4 Address translation technology—NAT

This technology maps private addresses in the LAN of a hotel or enterprise to public network addresses. If users within the LAN are to access the Internet normally, this technology is needed, because the RFC documents stipulate that private network addresses must not appear on the public network. It is because of this rule that the technology became popular, and it also solves the problem of insufficient public network addresses. However, now that IPv6 addresses exist, this technology should not be needed in the future, because IPv6 addresses fully meet the needs of our current network environment.

In real network environments, however, as firewalls have become more capable, enterprises or hotels with the budget use a firewall as the egress device and run NAT on it, and the firewall also offers protective features that make the network environment more secure. It is now rare to do NAT on routers, and switches do not support it. Perhaps manufacturers' future development will let switches support NAT as well; if they do, I believe the market position of routers will shrink considerably, because switches not only have many more ports but also have a large price advantage.

Huawei equipment has three NAT technologies. They are in fact similar to Cisco's, only named differently. NAT address translation on Cisco equipment can be divided into:

Static NAT converts a private address inside the LAN to one address on the public network: one private address corresponds to exactly one public address, which requires many public IP addresses. Suppose the hotel has 100 private addresses; it then needs 100 corresponding public addresses. Not only is the configuration complicated, it also wastes a great many public addresses, so static NAT is generally not used in practice, except for externally facing web servers and the like, which must be mapped to a fixed public IP address so that the enterprise's web server and other interfaces can be reached directly from the public network to perform business operations. Otherwise it is used only on the simulator, where the addresses never appear on the public network and so do not violate the RFC rules, and the technology of static NAT can be learned;

Dynamic NAT maps the internal private addresses of the LAN to a pool of public addresses: a private address is translated to an arbitrary free address in the public address pool. Suppose the pool has 5 addresses and the private network has 6. If 5 private hosts are using the external network at the same time, the remaining one cannot reach the public network until one of the 5 goes offline or stops accessing the external network, after which the other IP address can go out. In fact this is rather like static NAT; the only difference is that the administrator does not have to bind addresses one by one manually, which reduces the configuration workload. This method is rarely used now, because it also wastes public addresses: the number of addresses in the pool is the number of hosts that can be on the Internet at once, which greatly affects the enterprise's work efficiency. It is a very undesirable technology;

Port reuse (PAT) translates private addresses inside the LAN to different port numbers of a single external address. The port number is chosen by an algorithm: for example, if the calculation yields port 2500, the device checks whether anyone is already using port 2500; if not, it uses 2500 directly. If port 2500 is already taken, it adds 1, giving port 2501, and checks again; if 2501 is free it uses it, and if 2501 is also taken it adds 1 again, giving port 2502, and continues in the same way until it finds an unused port. That is to say, one public address can serve at most 65535 private addresses. Generally speaking, a small or medium-sized enterprise will not have more than 65,535 private IP addresses, so this is entirely sufficient, and it also saves the enterprise a great deal of money.

Suppose a hotel has more than 65535 private addresses in its LAN. How can everyone's Internet needs still be met?

For this situation, dynamic NAT and port reuse are used together to solve the bottleneck. These two technologies, dynamic NAT and port reuse, are currently very popular among network configuration engineers. Why? Because they are not only simple and convenient to configure, but there are no uncontrollable problems such as address conflicts in translation, and there is no shortage of public IP addresses. At the same time they reduce the hotel's budget for public network addresses, which matters a great deal while global IPv4 addresses are in short supply.

3.5 Dynamic IP address acquisition technology—DHCP

Dynamic Host Configuration Protocol, DHCP, reduces the workload of network administrators in configuring computer IP addresses. Computers obtain IP addresses automatically from the DHCP server without an administrator configuring each one by hand, which is prone to configuration errors, and it also effectively avoids IP address conflicts. An IP address conflict means that if two or more devices are configured with the same IP address, only one of them can be used normally and the others cannot.

DHCP roles are mainly divided into server and client. The DHCP server exists to assign IP addresses to clients.

 

Figure 3.5 DHCP working principle

How DHCP technology works:

(1) The client sends a broadcast message requesting an IP address to the DHCP server.

(2) After receiving the client's broadcast request, the server replies with a unicast message offering an IP address that no one is using. This is also to avoid an IP address conflict when the address is handed out, and it lets the client find out whether it has already obtained an address from another DHCP server.

(3) After the client receives the server's unicast offer, it sends the actual address request as a unicast message, and at the same time tells the other servers by broadcast that it has already found a server able to allocate an address to it, so they need not allocate one. This also ensures that the client does not end up with multiple IP addresses: the other servers stop allocating after receiving this message. In other words, whichever server sends the client a unicast offer first is the one whose address the client uses.

(4) When the server receives the client's unicast request for the IP address, it sends the information about that unused IP address to the client in a broadcast message, at the same time telling the others that this address has been assigned and can no longer be requested from it. When the client receives this message, it sends a confirmation to the server saying that it accepts the assigned IP address and needs no other.

3.5 VTP technology

VTP is a Cisco-proprietary Layer 2 network protocol; Huawei and H3C equipment do not support it. VTP effectively reduces the amount of VLAN configuration a network configurer has to do: Cisco switches in the same domain learn all VLAN information by themselves, which means fewer VLANs have to be created by hand. The version, password, domain name and other information must be exactly identical within the domain to guarantee that the switches are in the same domain; if any of it differs, the switches are treated as belonging to different domains and VLAN synchronisation does not work. The only catch is that VLAN information can be learned only if the interconnecting port between two switches is configured in Trunk mode and all the VLAN numbers to be learned are allowed to pass; otherwise VLANs cannot be learned normally. All switches are in server mode by default. Below, we verify this theory through experiments:

 

Figure 3.5

Part of the configuration information:

 

 

What are the differences between the functions of VTP in different modes? See the figure below for details:
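The server/client pair the text describes, as an added example rather than the author's experiment configuration, including the trunk that the VLAN advertisements must cross; hostnames, interface numbers, the domain name and the password are assumptions.

```cisco
! ---- Core-SW1: VTP server (the default mode) ----
! VLANs are created once here; the domain then advertises them.
hostname Core-SW1
vtp domain HOTEL
vtp version 2
vtp password HotelVtpKey
vtp mode server
vlan 10
 name Lobby
vlan 20
 name Catering
vlan 30
 name Housekeeping
vlan 40
 name Information
vlan 100
 name Servers
! The link to the other switch must be a trunk and must allow the VLANs
! to be learned. "encapsulation dot1q" is required on a 3560 but is not
! accepted on a 2960, which only speaks 802.1Q anyway.
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100
!
! ---- Access-SW1: VTP client ----
! Domain, password and version must match character for character; a
! client cannot create, rename or delete VLANs locally.
hostname Access-SW1
vtp domain HOTEL
vtp version 2
vtp password HotelVtpKey
vtp mode client
interface FastEthernet0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,100
!
! Verification on the client:
!   show vtp status  -> same domain and same configuration revision as
!                       the server; "Number of existing VLANs" includes
!                       the five above
!   show vlan brief  -> VLANs 10,20,30,40,100 present without typing them
!
! Caution: a server-mode switch with a HIGHER configuration revision and
! the same domain/password overwrites the whole domain's VLAN database the
! moment it is trunked in. Lab or spare switches should be set to
! "vtp mode transparent" (or have their domain name changed, which resets
! the revision to 0) before they are connected to the production network.
```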

 

4 Hotel demand analysis

4.1 Basic network requirements analysis

Since a hotel is a large-scale LAN with the highest security level in the service industry, it contains a full range of network equipment, including internal and external firewalls, WAF and bastion hosts, VPN dedicated-line CN2 equipment, DMZ server groups, core switch groups, aggregation switch groups, access groups, wireless controller groups, wired and wireless authentication groups, and so on. For the hotel network to play its full role without hampering compatibility with later expansion, the requirements must be described in detail at an early stage, and the following functional points are needed:

1. The entire core switching area runs the EIGRP dynamic routing protocol studied in detail in this topic, interconnecting the whole internal LAN.

2. Within the hotel's organizational structure, the catering department and the storage department need to implement an automated office (OA) integration model, which can greatly improve office efficiency.

3. For the hotel reception department, an ACL (Access Control List) must be configured to control the direction of packet traffic, so that the reception department cannot access the external network and can only communicate internally.

4. The wired and wireless terminals connected at the bottom of the access layer need to be grouped into their specific departments, which effectively reduces broadcast storms. The hotel's internal conference rooms need wireless equipment in AC+AP unified management mode, using Ruijie wireless, with outdoor APs placed outdoors.

5. For the hotel's external-connection egress, the egress router is configured with static port-based network address translation (NAT), so that access to the ISP is more secure and private addresses are not exposed to the public network.

4.2 Network characteristic requirements

Because safe production is the first priority in the hotel's initial construction plan, the performance specifications of the internal and external firewalls are extremely important. Moreover, wireless APs need to be placed in all conference rooms and guest rooms so that wireless terminals can connect easily; this matches today's business standards in the IT industry and gives stronger expansion compatibility. For the hotel's internal network architecture, three major aspects need to be considered when designing the whole network topology:

The first is equipment expansion compatibility. Since the hotel uses equipment from many manufacturers, more thought must be given to the future scalability and compatibility of the whole hotel network. To be able to connect more external devices in the future without breaking the overall architecture, the network equipment across the whole topology needs higher-performance, scalable compatibility.

The second is the security and maintenance of the hotel network. For example, when the hotel network undergoes a cutover of network equipment during routine project inspections, it must meet the regular needs of project implementation, which requires the whole topology architecture to have good maintainability.

The third is redundancy and reliability. Since the hotel's production area connects directly to the core layer, the requirements on the core layer are stricter: HSRP dual-device hot-standby redundancy is configured on the two core switches of the core layer to make the links in the network topology more robust.

4.3 Network function requirements

1. In the hotel network topology, for the virtual LANs of different areas and departments, several different VLANs need to be created to separate the packet traffic of different network segments, so as to better avoid broadcast storms, whether accidental or malicious, damaging the LAN.

2. In the early planning of the hotel, configure VRRP or HSRP redundant backup on the core-layer network equipment in the topology to better guarantee normal operation of the service network. Simply put, by default packets pass through the primary core switch down to the lower layer; if the primary is powered off or goes down, all packet traffic in the network is transferred to the backup switch.

3. The entire hotel network runs the EIGRP dynamic routing protocol, so that the egress routing device establishes a neighbor relationship with the core switching devices, and a static default route is announced on the egress router whose next hop is not a specific address but the egress interface.

4. Addresses for the hotel's internal office staff are assigned automatically and dynamically by the internal DHCP server. Not fixing the IP addresses avoids manual configuration and makes better use of the DHCP server.

5. NAT is configured on the egress router to translate the static intranet addresses. This better protects the intranet addresses and prevents them from being exposed to the public network.

6. GRE VPN tunnel technology is used and configured between the hotel and the data center at a remote location to meet the requirement for cross-public-network communication between the two sites.

5 Hotel LAN design plan

5.1 Hotel network design principles

For the early planning and design of the hotel, more foresight and consideration must be given to the future scalability and compatibility of the hotel's private network. The following requirement principles are listed here:

1. Multiple solutions

Within the hotel network, the internal topology needs to be built with more than one solution. This gives the whole large LAN several sets of plans for responding to emergencies, so that it is not at a loss when one occurs and can respond quickly.

2. Strong reliability

For the construction of computer rooms in the hotel network, higher standards are required from hardware to software. Since the hotel network topology is in many respects the highest standard in the industry, it must do better in the details: for example, all equipment in the computer room must have dual power supplies backed by a UPS, and all network equipment must be grounded to avoid electrical short circuits.

3. High cost performance

When selecting the network equipment for the hotel data-center computer room, choose the mainstream network equipment of today's IT industry. Widely used mainstream equipment not only meets existing needs but also makes the network topology more reliable.

4. Strong scalability

Large-scale hotel networks adopt an open concept for the network construction system, and the whole core-layer topology needs strong scalability. For example, every access server in the server group needs more memory to meet larger cache requirements, and the whole series of network devices in the architecture must be inspected and observed regularly; once any equipment that does not meet specifications is found, it is sent for repair.

5.2 Hotel network topology diagram

In the early planning and design of the hotel network topology, the application requirements raised by the customer at the outset, the related configuration risks and the cutover time points all have to be evaluated. Only then can a backbone core network with strong confidentiality, high security and low risk be built. This simulation is implemented on the Cisco Packet Tracer simulator. The hotel network designed here is divided into two parts, the main hotel and the backup hotel; the organizational structure is divided into the hotel lobby, catering department, housekeeping department, storage department and server group area. The detailed network topology is shown in Figure 5.1:

 

Figure 5.1 Hotel network topology diagram

5.3 Overall planning of hotel network

The technologies used for devices at each level in the network topology are as follows:

1. Outbound zone border router

The K881 version of the router, which is popular among Cisco products, is used as the egress routing device for the external area. By injecting a default static route it connects to the route obtained from its ISP (the mobile operator, Telecom). On this basis, configuring NAT network address translation enables secure public network access from within the hotel network topology.

2. DHCP server, WEB server, FTP server

In the hotel data center DMZ server group, Totem cabinets mostly carry the server group's services. Cisco rack-mounted C22 model servers are mainly used as the DHCP, WEB and FTP servers: the DHCP server is responsible for allocating dynamic IP addresses, the WEB server provides WEB services, and the FTP server transfers internal files.

3. Access service planning

In the underlying user environment, wireless APs are installed in all conference rooms and guest rooms, so that wireless users pass Portal authentication with account name + password and full network coverage is achieved.

4. Hotel and data center configuration planning

The border gateway egress router not only carries the business Internet needs but also serves as the endpoint of the business VPN tunnel between the hotel and the data center, establishing a GRE VPN connection and forming a closer link between the two sites in different places at any time.

5.4 Network level design

When setting up the hotel network, to configure the whole network and make it interoperate, detailed configuration is needed at each level, so the discussion proceeds level by level. Hierarchical management is respected in IT and Internet circles today; of course, higher-level service circles also need to treat everyone equally. The routing and switching part is based mainly on the TCP/IP seven-layer protocol. The three major layers are the core layer, the aggregation layer and the access layer.

Core layer: mainly runs the EIGRP dynamic routing protocol on the egress router and the two primary and backup core switches, and defines the internal and external network port information on the egress router. Most importantly, GRE VPN is configured on each egress routing device to enable tunnel communication.

Aggregation layer: as the middle layer in the hotel network, it plays the interconnecting role, distributing and recirculating the external traffic from the egress router so that the whole topology can flow freely, and network performance can be better improved.

Access layer: as the lowest layer in the architecture, a large number of access devices connect to it. The hotel requires each newly connected PC to have a one-to-one connection, so that one terminal connects to one access port. Implementing IP+MAC binding achieves the most secure network infrastructure.

5.5 IP address planning and subnet division

1. The allocation of subnets to different areas within the hotel is shown in Table 5.1:

Table 5.1 Hotel IP address subnet division table

Device | Port | IP address | Default gateway
Core switch one | VLAN10 | 10.0.1.253/24 | 10.0.1.254
Core switch one | VLAN20 | 10.0.2.253/24 | 10.0.2.254
Core switch one | VLAN30 | 10.0.3.253/24 | 10.0.3.254
Core switch one | VLAN40 | 10.0.4.253/24 | 10.0.4.254
Core switch one | VLAN100 | 192.168.100.253/24 | 192.168.100.254
Core switch one | F0/1 | 192.168.1.2/30 | -
Core switch two | VLAN10 | 10.0.1.252/24 | 10.0.1.254
Core switch two | VLAN20 | 10.0.2.252/24 | 10.0.2.254
Core switch two | VLAN30 | 10.0.3.252/24 | 10.0.3.254
Core switch two | VLAN40 | 10.0.4.252/24 | 10.0.4.254
Core switch two | VLAN100 | 192.168.100.252/24 | 192.168.100.254
Core switch two | F0/1 | 192.168.1.6/30 | -
Border router (NAT) | F0/0 | 192.168.1.1/30 | -
Border router (NAT) | F0/1 | 192.168.1.5/30 | -
Border router (NAT) | S0/0/1 | 192.168.3.1/24 | -
Border router (NAT) | S0/0/0 | 202.100.1.2/30 | -
Border router (NAT) | Public network address | 202.100.100.2/30 | -
Hotel lobby and conference room | VLAN10 | 10.0.1.0/24 (DHCP) | 10.0.1.254
Catering Department | VLAN20 | 10.0.2.0/24 (DHCP) | 10.0.2.254
Housekeeping | VLAN30 | 10.0.3.0/24 (DHCP) | 10.0.3.254
Information Department | VLAN40 | 10.0.4.0/24 (DHCP) | 10.0.4.254
DHCP server | VLAN100 | 192.168.100.100/24 | 192.168.100.254
OA system server | VLAN100 | 192.168.100.101/24 | 192.168.100.254
FTP system | VLAN100 | 192.168.100.102/24 | 192.168.100.254

2. The subnet allocation among the hotel’s internal equipment is shown in Table 5.2:

Table 5.2 Subnet IP address subnetting table between devices

Device | Port | IP address | Default gateway
Egress router | F0/1 | 192.168.2.1/30 | -
Egress router | S0/0/0 | 201.100.1.2/30 | -
Ethernet switch | F0/1 | 192.168.2.2/30 | -
Ethernet switch | VLAN50 | 10.0.5.254/24 | 10.0.5.254
Ethernet switch | VLAN60 | 10.0.6.254/24 | 10.0.6.254
Ethernet switch | VLAN70 | 10.0.7.254/24 | 10.0.7.254
Ethernet switch | VLAN80 | 10.0.8.254/24 | 10.0.8.254
Supermarket Department | VLAN50 | 10.0.1.0/24 (DHCP) | 10.0.5.254
Garment Department | VLAN60 | 10.0.2.0/24 (DHCP) | 10.0.6.254
Home Appliances Department | VLAN70 | 10.0.3.0/24 (DHCP) | 10.0.7.254
Culture and Sports Department | VLAN80 | 10.0.4.0/24 (DHCP) | 10.0.8.254

5.6 Network equipment selection

1. Layer 2 switching equipment selection

The hotel access layer switch uses Cisco C2900 series layer 2 switches. The detailed parameter configuration is shown in Figure 5.1:

Product type: Fast Ethernet switch
Transmission rate: 10/100Mbps
Switching method: store and forward
Backplane bandwidth: 8.8Gbps
Number of ports: 24
Transmission mode: full duplex supported
Network standards: IEEE 802.3u
Network protocol: LAN protocol
Stacking function: cascadable

Figure 5.1 C2900 switch parameter configuration

2. Layer 3 switching equipment selection

For Layer 3 switching, the hotel uses Cisco C3560E series switches. The detailed parameter configuration is shown in Figure 5.2:

Transmission rate: 10/100/1000Mbps
Equipment type: network equipment, Layer 3 switch
Transmission mode: full duplex
Backplane bandwidth: 32Gbps
Number of ports: 24
Number of module slots: 2
Dimensions: 4.4 x 44.5 x 30.1 cm, 5.1 kg
Input power: 100-240 VAC auto-sensing, 5.5-2.8 A, 50-60 Hz

Figure 5.2 C3560E switch parameter configuration

3. Layer 3 routing equipment selection

For the hotel's Layer 3 routing device, the Cisco 1841 series router is selected. The detailed parameter configuration is shown in Figure 5.3:

Router type: modular access router (Integrated Services Router)
Network protocol: TCP/IP
Port structure: modular
LAN interfaces: 2
Firewall: built-in firewall
Transmission rate: 10/100Mbps
QoS support: supported
VPN support: supported

Figure 5.3 1841 router parameter configuration

6 Hotel LAN operation configuration

As the hotel network system with the highest performance level in the service industry, the network technologies it uses are also configured to very high requirements. The core layer mainly runs the EIGRP dynamic routing protocol, VLAN division, DHCP dynamic address assignment, NAT address translation between the internal and external networks, HSRP dual-device hot-standby redundancy and GRE VPN. The configuration listings for each technology follow.

6.1 EIGRP configuration

Inside the hotel network topology, the dynamic routing protocol EIGRP is used so that the whole intranet is interconnected.
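The EIGRP listing below is an added example, not the author's configuration from the Packet Tracer file. It uses the interconnection addresses from Table 5.1 and the interface-based default route described in section 4.3; the autonomous-system number 100, the hostnames and the interface names are assumptions.

```cisco
! ---- Egress router ----
! Default route whose "next hop" is the outgoing interface, as the design
! specifies, redistributed into EIGRP so both core switches learn it.
hostname Border-RT
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
router eigrp 100
 network 192.168.1.0 0.0.0.3
 network 192.168.1.4 0.0.0.3
 redistribute static metric 10000 100 255 1 1500
 no auto-summary
!
! ---- Core switch one ----
! "ip routing" is required on a 3560 before any routing protocol runs.
! The uplink is a routed port; the SVIs are covered by the 10.0.0.0/16
! and 192.168.100.0/24 network statements.
hostname Core-SW1
ip routing
interface FastEthernet0/1
 no switchport
 ip address 192.168.1.2 255.255.255.252
router eigrp 100
 network 192.168.1.0 0.0.0.3
 network 10.0.0.0 0.0.255.255
 network 192.168.100.0 0.0.0.255
 no auto-summary
 ! Hellos go only toward the router: a host on a user VLAN cannot form
 ! an adjacency and inject routes, but the SVI networks are still advertised.
 passive-interface default
 no passive-interface FastEthernet0/1
!
! ---- Core switch two ----
hostname Core-SW2
ip routing
interface FastEthernet0/1
 no switchport
 ip address 192.168.1.6 255.255.255.252
router eigrp 100
 network 192.168.1.4 0.0.0.3
 network 10.0.0.0 0.0.255.255
 network 192.168.100.0 0.0.0.255
 no auto-summary
 passive-interface default
 no passive-interface FastEthernet0/1
!
! Verify on a core switch:
!   show ip eigrp neighbors   -> the router's 192.168.1.x address listed
!   show ip route eigrp       -> "D*EX 0.0.0.0/0" learned from the router
```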

6.2 VLAN configuration

The hotel is mainly divided into 6 VLANs: the hotel lobby and conference rooms are vlan10, the catering department vlan20, the housekeeping department vlan30, the information department vlan40, and the server group area is separately vlan100. The detailed subnetting can be seen in the IP subnet division and allocation table.

6.3 HSRP configuration

For the two core switches in the core layer of the main hotel, each VLAN number is used as the name of its hot-standby group; the switch with the higher priority is the active device and the one with the next-highest priority is the standby.
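An added HSRP example (not the original configuration) for VLAN 10 and VLAN 20 using the Table 5.1 addresses: the group number is the VLAN number, Core switch one is active with the higher priority and Core switch two is standby. The preemption, uplink tracking and authentication lines go beyond what the text describes; the key string is a placeholder.

```cisco
! ---- Core-SW1: active router for both groups (priority 110 > default 100) ----
hostname Core-SW1
interface Vlan10
 ip address 10.0.1.253 255.255.255.0
 standby 10 ip 10.0.1.254
 standby 10 priority 110
 standby 10 preempt
 standby 10 authentication md5 key-string HsrpKeyPlaceholder
 standby 10 track FastEthernet0/1 20
interface Vlan20
 ip address 10.0.2.253 255.255.255.0
 standby 20 ip 10.0.2.254
 standby 20 priority 110
 standby 20 preempt
 standby 20 authentication md5 key-string HsrpKeyPlaceholder
 standby 20 track FastEthernet0/1 20
!
! ---- Core-SW2: standby, takes over when SW1 fails or loses its uplink ----
hostname Core-SW2
interface Vlan10
 ip address 10.0.1.252 255.255.255.0
 standby 10 ip 10.0.1.254
 standby 10 preempt
 standby 10 authentication md5 key-string HsrpKeyPlaceholder
interface Vlan20
 ip address 10.0.2.252 255.255.255.0
 standby 20 ip 10.0.2.254
 standby 20 preempt
 standby 20 authentication md5 key-string HsrpKeyPlaceholder
!
! Why each line is there:
!  - "ip" sets the virtual gateway the hosts use (the .254 in Table 5.1).
!  - "preempt" lets SW1 reclaim the active role after it recovers; without
!    it SW2 stays active indefinitely and the designed primary path is lost.
!  - "track ... 20" lowers SW1's priority from 110 to 90 if its uplink to
!    the egress router goes down, so SW2 (100) becomes active even though
!    SW1 itself is still up: the failure case is not only "host powered off".
!  - "authentication md5" stops an unauthenticated device on the VLAN from
!    announcing itself with priority 255 and taking over the gateway address.
! Verify: "show standby brief" (State Active on SW1, Standby on SW2).
```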

 

6.4 DHCP configuration

So that all access terminals inside the hotel can reach the external network more smoothly, and wireless WiFi can cover the whole campus, DHCP address pools are created.

1. Create the DHCP address pools, including the default gateway and DNS domain name, as shown in Figure 5.1:

 

 

Figure 5.1 Detailed division of the address pools
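An added example (not the author's Packet Tracer configuration) covering both the exchange in 3.5 and the pools in this section: the client's broadcast in step (1) never leaves its VLAN by itself, so the core switch SVIs relay it to the DHCP server at 192.168.100.100 (Table 5.1), and IOS pools are shown as an alternative to a dedicated server. The DNS address, lease time and the snooping trust port are assumptions.

```cisco
! ---- Core switches: relay the broadcast exchange to the server VLAN ----
! Steps (1)-(4) in 3.5 are broadcasts on the client's VLAN. ip helper-address
! forwards them as unicast to 192.168.100.100 and relays the replies back.
interface Vlan10
 ip helper-address 192.168.100.100
interface Vlan20
 ip helper-address 192.168.100.100
interface Vlan30
 ip helper-address 192.168.100.100
interface Vlan40
 ip helper-address 192.168.100.100
!
! ---- Alternative: pools on the IOS device itself ----
! Keep the HSRP virtual IP (.254) and both SVI addresses (.252/.253) out
! of every pool, otherwise a client can be handed the gateway's own
! address and cause exactly the conflict described in 3.5.
ip dhcp excluded-address 10.0.1.250 10.0.1.254
ip dhcp excluded-address 10.0.2.250 10.0.2.254
ip dhcp pool VLAN10-LOBBY
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.254
 dns-server 192.168.100.100
 lease 0 8
ip dhcp pool VLAN20-CATERING
 network 10.0.2.0 255.255.255.0
 default-router 10.0.2.254
 dns-server 192.168.100.100
 lease 0 8
!
! ---- Access switches: only the uplink may answer with Offers/ACKs ----
! A rogue server plugged into a guest-room port would win step (2) if it
! answered first; DHCP snooping drops server messages on untrusted ports.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40
interface FastEthernet0/24
 description uplink to core
 ip dhcp snooping trust
!
! Verify: "show ip dhcp binding" (current leases), "show ip dhcp conflict"
! (addresses the server found already in use before offering them),
! "show ip dhcp snooping binding" (port/MAC/IP learned on the access switch).
```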

6.5 NAT configuration

To make Internet access from inside the hotel network more secure, finer-grained NAT translation needs to be configured, and the storage department is restricted from accessing the external network. Detailed configuration:
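Added example (not the author's listing) for the three NAT types in 3.4 and the restriction in this section, on the border router with the Table 5.1 addresses. The public addresses 203.0.113.x are documentation-range placeholders, since the page only gives the router's 202.100.1.2/30 serial address; hostnames and list names are assumptions.

```cisco
hostname Border-RT
! Inside / outside boundary: translation happens only for packets that
! cross from an "inside" interface to the "outside" one.
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.1.5 255.255.255.252
 ip nat inside
interface Serial0/0/0
 ip address 202.100.1.2 255.255.255.252
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
!
! 1) Static NAT: fixed 1:1 mapping so the OA/WEB server (Table 5.1) is
!    reachable from the Internet at a constant address. This exposes every
!    port of the server, not just 80/443, so a stateful firewall or
!    inspection policy should sit in front of it.
ip nat inside source static 192.168.100.101 203.0.113.10
!
! Which private hosts may be translated at all. The restricted segment
! 10.0.4.0/24 (the one tested in section 7.4) is denied, so its packets
! are never translated and never reach the public network; the rest of
! the server VLAN is not listed either, so it cannot start outbound sessions.
ip access-list standard NAT-HOSTS
 deny   10.0.4.0 0.0.0.255
 permit 10.0.1.0 0.0.0.255
 permit 10.0.2.0 0.0.0.255
 permit 10.0.3.0 0.0.0.255
!
! 2) Dynamic NAT: one public address per active host from a pool; with
!    five addresses the sixth host waits. Left commented out because one
!    list can be bound to only one translation rule at a time.
! ip nat pool HOTEL-POOL 203.0.113.11 203.0.113.15 netmask 255.255.255.240
! ip nat inside source list NAT-HOSTS pool HOTEL-POOL
!
! 3) PAT ("port reuse"): all permitted hosts share the serial interface
!    address and are told apart by the translated source port.
ip nat inside source list NAT-HOSTS interface Serial0/0/0 overload
!
! Verify: "show ip nat translations" lists inside local/global and outside
! pairs with ports; "show ip nat statistics" counts hits and misses.
! A lobby host pinging 202.100.1.1 (section 7.3) appears in the table;
! a host in 10.0.4.0/24 (section 7.4) does not.
```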

 

 

6.6 GRE VPN configuration

A GRE VPN tunnel is configured between the hotel and the remote data center so that the two sites can communicate across the public network. Detailed configuration:
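Added example (not the author's listing): the tunnel between the hotel border router (202.100.1.2/30, Table 5.1) and the data-center egress router (201.100.1.2/30, Table 5.2). The tunnel addresses 172.16.0.0/30, the MTU values and the IPsec lines are assumptions; the pre-shared key is a placeholder.

```cisco
! ---- Hotel side ----
hostname Border-RT
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 201.100.1.2
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
! Data-center segments (VLAN 50-80, Table 5.2) are reached through the
! tunnel. The tunnel endpoint itself is reached via the default route to
! the ISP; never point 201.100.1.0/30 into Tunnel0, or the tunnel flaps
! (recursive routing).
ip route 10.0.5.0 255.255.255.0 Tunnel0
ip route 10.0.6.0 255.255.255.0 Tunnel0
ip route 10.0.7.0 255.255.255.0 Tunnel0
ip route 10.0.8.0 255.255.255.0 Tunnel0
! Tunnel0 is neither "ip nat inside" nor "ip nat outside", so site-to-site
! traffic routed into it is not translated; only the outer GRE packet
! leaves Serial0/0/0.
!
! ---- Data-center side ----
hostname DC-RT
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 202.100.1.2
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
ip route 10.0.1.0 255.255.255.0 Tunnel0
ip route 10.0.2.0 255.255.255.0 Tunnel0
ip route 10.0.3.0 255.255.255.0 Tunnel0
ip route 10.0.4.0 255.255.255.0 Tunnel0
ip route 192.168.100.0 255.255.255.0 Tunnel0
!
! GRE alone carries the intranet traffic in clear text across the carrier.
! To keep the section 7.5 traffic confidential, protect the tunnel with
! IPsec (same lines on DC-RT with the peer address 202.100.1.2):
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 201.100.1.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
interface Tunnel0
 tunnel protection ipsec profile GRE-PROF
!
! Verify: "show interfaces Tunnel0" (line protocol up), then
! "ping 172.16.0.2 source 172.16.0.1" from Border-RT; with IPsec enabled,
! "show crypto ipsec sa" should show the encaps/decaps counters increasing.
```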

 

                                    

7 Hotel network connectivity test

This chapter carries out connectivity tests on the configured hotel network, including inter-area communication tests, external network access tests from each area, and ACL network-access denial tests.

7.1 Inter-area PING connectivity test

The hotel lobby and the catering department belong to different VLANs and are not in the same network segment; connectivity between them is achieved through inter-VLAN routing on the Layer 3 switch. Test method: a VLAN 10 hotel lobby host and a VLAN 20 catering department host ping each other to test network connectivity. The successful ping results are shown in Figures 7.1 and 7.2:

 

Figure 7.1 Hotel lobby host accessing the catering department

 

Figure 7.2 Catering department PC accessing a PC in the disaster-recovery redundancy area

7.2 Server access connectivity test

The FTP, OA and DHCP servers are the basic application platforms in the hotel and a very important part of the whole LAN, so communication between intranet hosts and the servers is necessary. Test method: the hotel lobby host accesses the FTP server. The successful ping test is shown in the figure:

 

Figure 7.3 Server access test

7.3 External network access connectivity test

To let hotel hosts reach the external ISP (China Mobile) network through NAT translation, the test method is: the hotel lobby host accesses the external address 202.100.1.1. The successful ping result is shown in the figure:

 

Figure 7.4 External network access test

7.4 Storage department access connectivity test

From Figure 6.5 it can be seen that users in the storage department segment 10.0.4.X cannot reach external addresses, which fully reflects the network security effect of the hotel network design and meets the design requirements, as shown in the figure:

 

Figure 7.5 Storage department access test

7.5 Hotel and data center connectivity test

Data between the hotel and the data center is carried by the GRE VPN protocol over the tunnel (TUN) interface. Test method: the main hotel's lobby host accesses a data center PC, achieving network interconnection between the two areas. The successful ping result is shown in the figure:

 

Figure 7.6 GRE VPN test

8 Simulated troubleshooting of hotel network connectivity

Hosts in the hotel's 10.0.1.0/24 segment fail to reach hosts in the 10.0.8.0/24 segment; that is, no host in 10.0.1.0/24 can ping any host in 10.0.8.0/24. The symptom is as follows:

 

First, test whether a host in 10.0.1.0/24 can ping its own gateway, as shown below:

 

From the figure above, the host reaches its own gateway without any problem, so the gateway can be ruled out. Next, use the host to ping the egress router address:

 

From the figure above, the host reaches the egress router without any problem, so an internal network fault on this side can be ruled out. Now a host in the 10.0.8.0/24 segment needs to ping its own gateway to check for problems there:

 

From the figure above, 10.0.8.1 reaches its own gateway without any problem; now test a ping to the egress router device:

 

From the figure above, host 10.0.8.1 reaches its egress router normally, so the internal network on that side is also normal. The problem may therefore lie between the two egress routers, that is, on the carrier's line. Next, we ping directly from one egress router to the interconnection address of the peer egress router, as shown below:

 

From the figure above, there is a problem with the interconnection between the egress routers. At this point the carrier has to be asked to investigate the fault. After the carrier resolved it, our test results are as follows, and the ping now succeeds normally:

 


Origin blog.csdn.net/qq1325513482/article/details/131722605