Zhao Xin
Description:
1. This scheme is designed around network equipment supplied by Ruijie Network and follows these principles throughout:
Advancement: adopt advanced yet mature concepts, technologies and methods that support all mainstream network applications of today and the foreseeable future and leave room for growth, covering the basic scheme, the expansion scheme and the management scheme.
Feasibility: the design fully considers the characteristics of online education and the technical, resource and management constraints of the institutions it serves, and is built around the characteristics of Ruijie network products.
Flexibility: the network is designed on the principles of modularity and hierarchy. It is highly expandable, can be flexibly configured and extended at different stages of network construction, and can continuously absorb new technologies and methods.
Practicality: the network is easy to maintain, manage and implement.
Reliability: the products' own features are used to ensure stable, reliable and efficient operation of the network system, while fully embodying the advanced nature of the design.
2. The design scheme is a proposal; it is not a case that has actually been built.
I. Introduction
With the rapid development of the Internet and the full rollout of educational network infrastructure, the informatization and networking of colleges and universities have created new opportunities for schools to take off and develop. To further promote the informatization of Huazhong University of Science and Technology, extend the coverage of the campus network, improve the learning conditions of students in the East Campus and give them a more convenient learning environment, this paper proposes and discusses a construction scheme for the student dormitory network of the East Campus, building on the existing campus network.
At present, the construction goal of the student dormitory network in the East Campus of Huazhong University of Science and Technology is to connect the newly built 15 Yunyuan student apartment * * 10694 information points to the campus network. After this phase of the project is completed, students in the East Campus will be able to access the campus network, and through it the Internet, from their dormitories, just like students on the main campus.
II. Demand analysis
1. The core switching equipment must have strong processing capability, good security, reliability and scalability, support all kinds of mature technologies, and allow a smooth future upgrade to 10 Gigabit.
2. Access-layer devices must support both MAC-address-based 802.1X and port-based 802.1X to ensure that each account is unique; they must also support remote Telnet management, MIB-II and remote control of switch ports, and cope with concurrent authentication of a large number of users in a complex working environment.
3. The user name, IP address, MAC address, switch port and switch IP must be bound together, so that illegal users cannot steal and reuse the user name, password, IP and MAC of legitimate users, and billing stays accurate.
4. Stop users from privately setting up proxy servers.
5. Support standard RADIUS authentication and accounting and interoperate with various access devices. The equipment must support the 802.1X authentication mode, and the system must support billing by duration, by traffic and by monthly subscription, giving network management a complete, flexible and customizable billing strategy; at the same time the network must remain stable and simple to manage with more than 30 thousand concurrent users.
6. The network must be highly reliable and easy to manage.
III. Principles of network design
The student dormitory network shares the characteristics of general network design but also has its own particularities. When planning its construction, besides the reliability, stability and security required of any network, the controllability and high performance of all information points and the QoS guarantee for key services must also be considered. In addition, reserving room for expansion and protecting the investment, so that new applications and growing, changing information needs can be met, is a key factor in dormitory network construction.
While giving full consideration to the multiple applications and the manageability of the student dormitory network, this scheme also follows the following principles:
1) High performance
The dormitory network must be built with high-bandwidth networking technology; backbone switching equipment must support line-speed switching so that data is exchanged without blocking; in addition, the network structure should place high-traffic multimedia applications in a distributed fashion, reducing the traffic that crosses the backbone and improving network performance.
2) Quality assurance for key business services
Many kinds of application data streams flow through the dormitory network. At peak traffic, the response time of key business data streams will certainly suffer, and multimedia services will show stuttering and image mosaic. A high-performance network therefore still needs QoS guarantees.
3) Controllability of information points
The information points of a dormitory network are widely distributed, and compared with a general enterprise network the users are more mobile and harder to manage. To ensure that the network is used effectively, the information points must be controlled: in addition to limiting access bandwidth, user-based access authentication, authorization and billing must be provided. So as not to affect network performance, this control should be distributed onto the access-layer equipment.
4) Advancement
The selected equipment must have good scalability, so that when the network scale or bandwidth needs to grow, the new demand can be met at minimum cost.
5) Reliability and stability
A reliable and stable network platform is the cornerstone for implementing and promoting application business systems. The network platform design must ensure the reliability and stability of the network in terms of equipment, network topology and network technology.
6) Security
Besides the security of the network platform itself, the dormitory network platform must to some extent ensure the security of the application business systems and other network resources. Network security should be ensured from several aspects: 1) access security of the equipment itself; 2) security of resource access between intranets; 3) security of the routing system; 4) Internet security.
IV. Network solution
According to the user's requirements, a Gigabit backbone with 100 Mbps to the desktop is adopted, and the whole network uses a distributed three-layer switching architecture with very high bandwidth, good scalability and good manageability. The network topology is shown in the following figure:
Core layer: the RG-S6806, a 10 Gigabit core switch independently developed by Ruijie Network (formerly Shida Network), is selected for the core layer. The RG-S6806 has a switching capacity of 256 Gbps and a packet forwarding rate of 143 Mpps, and supports up to 8 10 Gigabit, 96 Gigabit or 128 100 Mbps ports. The hardware uses a distributed switching system in which complex functions are implemented in purpose-built hardware, giving good scalability and very high switching performance. It meets current access needs and leaves room for future development.
Convergence layer: the STAR-S3550 series Layer 3 switches from Ruijie Network are chosen for the convergence layer; local distributed Layer 3 switching inside each building greatly reduces the load on the backbone. The STAR-S3550 series has a switching capacity of 12.8/18.5 Gbps and a packet forwarding rate of 6.6//kloc-0.1m, ensuring line-speed forwarding on all ports. The STAR-S3550 also provides 24/48 100M ports and 2 Gigabit expansion slots, and offers full-duplex 4G backbone bandwidth through L2 trunk technology.
Access layer: the Gigabit intelligent switches RG-S2126G/S2150G from Ruijie Network are chosen for the access layer. These switches have superior switching and access-control capability. As intelligent switches they not only support Layer 2 to Layer 7 intelligent switching but can also identify application streams such as video and voice that are sensitive to network delay and jitter. They have a complete QoS system, supporting 802.1p and DSCP marking as well as queuing and congestion-control technologies such as SP, WRR, CAR and WRED, and can provide end-to-end QoS for users.
Security billing: the SAM system, based on 802.1X, together with the access-layer S2126G/S2150G switches is used to manage students' access control.
The security authentication and billing solution provided by Ruijie Network performs authentication and billing on the access switches STAR-S2126G/S2150G, which brings the school four key benefits: first, authentication is distributed to the greatest extent and is therefore highly efficient; second, the burden on the dormitory switches is effectively reduced; third, access users are controlled effectively, comprehensively and thoroughly; fourth, scalability is good, providing a guarantee and technical basis for large-scale user authentication and billing.
Network management: to manage the equipment of the whole network, the STAR View network management system is recommended.
The STAR View management system presents the topology of the whole network, manages any ordinary IP device and SNMP-managed device on the Ethernet, and combines the SNMP, Telnet, Web and RMON management supported by the managed devices into a fully functional network management solution, covering everything from the network level down to the device level. STAR View can centrally configure, monitor and control the network equipment of the whole network, automatically discover the network topology, monitor and control network segments and ports, compile traffic and error statistics, and automatically collect and manage network equipment events. Through comprehensive monitoring of the network, the administrator can restructure the network so that it performs at its best.
V. Characteristics of the network scheme
1 High performance
Gigabit backbone, 100M switching to the desktop: the core uses a switching platform that supports 10 Gigabit technology, while the backbone uses Gigabit and the desktop 100M switching, meeting the need for large-capacity, high-speed data transmission.
Complex functions implemented in hardware: the core RG-S6806 not only performs Layer 3 routing and switching in hardware but also implements key complex functions such as ACL, QoS and policy routing in hardware. The convergence-layer STAR-S3550 likewise performs Layer 3 switching, ACL and QoS in hardware. In particular, the core switch RG-S6806 is designed with intelligent distributed processing on its line cards, so each user interface module can independently perform routing, switching, ACL and QoS.
Distributed three-layer switching: introducing Layer 3 switching at the convergence layer relieves the core switches, effectively reduces broadcast traffic and improves network transmission efficiency;
Ultra-high backplane so that all packets are forwarded at line speed: the core, convergence and access-layer switches used in this scheme have very high switching capacity and packet forwarding rates at Layer 2 and Layer 3, ensuring that all data is forwarded at high speed.
Distributed authentication, with authentication messages separated from service data: in the Ruijie security authentication management system based on 802.1X, the security switches at each access layer authenticate the access users, and authentication messages are separated from service data streams, achieving high-speed, bottleneck-free network transmission.
2 Intelligence
End-to-end QoS: from the access switches through convergence to the core, multi-layer switching quality assurance is provided, including port rate limiting, classification and identification of application flows, and bandwidth guarantees for key business traffic;
Traffic-based intelligent identification: flows are distinguished by switch physical port, MAC address, IP address and TCP/UDP port number;
Traffic-based bandwidth control: bandwidth is limited by combinations of switch port, MAC address, IP address, protocol and application;
3 High security
Global network security: a linkage mechanism is established through a security control protocol with RADIUS at its core; it supports linkage between third-party firewalls, IDS and the security switches to realize global network security;
Accurate authentication and identity positioning in advance: before users can use the network, they are accurately authenticated through the composite binding of the user account with IP, MAC, switch IP, port and VLAN; the binding of the account to the switch and access port, in particular, pinpoints the user's location.
Real-time processing: when a malicious attack on a protected key server or system in the network occurs, the IDS intrusion detection system detects the source IP address of the attack. Through the S-SCP security control protocol, the IDS notifies S-Radius of the attacking source IP in real time; S-Radius finds the attacker in the online user list and forces them offline through SNMP. The whole process is automatic and real-time.
Complete audit afterwards: the log server records each user's complete access records, including source IP, destination IP, source port, destination port, source MAC, destination MAC, access start time, access end time, sent traffic and received traffic. Combined with the log management query system, a quick and complete audit can be carried out.
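The real-time linkage just described (IDS alert, S-SCP notification, lookup in the online user list, forced logoff via SNMP) and the audit query over the log server's records, simulated offline as an added example; this is not Ruijie's S-SCP, S-Radius or SAM code. The alert line format, account names and addresses are constructed, and using IF-MIB ifAdminStatus with the port number as ifIndex is an assumption, since the page says only that SNMP is used.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class OnlineUser:
    """One entry of the authentication server's online-user list."""
    account: str
    ip: str
    switch_ip: str
    port: int

@dataclass
class AuditRecord:
    """One log-server access record with the fields the scheme lists."""
    account: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    start: int      # access start time, epoch seconds
    end: int        # access end time, epoch seconds
    tx_bytes: int   # sent traffic
    rx_bytes: int   # received traffic

# Constructed sample data: two online students and their recent access records.
ONLINE = [
    OnlineUser("u2004001", "10.1.3.21", "10.1.3.1", 7),
    OnlineUser("u2004002", "10.1.3.22", "10.1.3.1", 8),
]
AUDIT = [
    AuditRecord("u2004002", "10.1.3.22", "10.1.0.5", 4021, 80, 1000, 1600, 52000, 830000),
    AuditRecord("u2004002", "10.1.3.22", "10.1.0.9", 4022, 22, 1500, 1700, 9000, 4000),
    AuditRecord("u2004001", "10.1.3.21", "10.1.0.5", 3300, 80, 1000, 1200, 1000, 20000),
]
ALERT_RE = re.compile(r"\bsrc=(\d+\.\d+\.\d+\.\d+)")

def attack_source(alert_line: str) -> Optional[str]:
    """Step 1: source IP from the IDS alert (the 'src=' key is an assumed format)."""
    m = ALERT_RE.search(alert_line)
    return m.group(1) if m else None

def locate_and_disconnect(src_ip: str, online: List[OnlineUser]) -> Optional[dict]:
    """Steps 2-3: find the online session holding src_ip and return the action
    for that access switch. Setting IF-MIB ifAdminStatus to down(2) on the port
    is an assumed way of forcing the user offline; the page names only SNMP."""
    for u in online:
        if u.ip == src_ip:
            return {"account": u.account, "switch_ip": u.switch_ip, "port": u.port,
                    "snmp_set": {"object": "ifAdminStatus", "index": u.port, "value": 2}}
    return None  # no online user holds that IP, so nothing to disconnect

def audit_query(account: str, since: int, until: int, log: List[AuditRecord]) -> List[AuditRecord]:
    """Afterwards audit: all records of one account overlapping [since, until]."""
    return [r for r in log if r.account == account and r.start <= until and r.end >= since]
```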
Authentication whenever the network is used: users must authenticate as long as they use the network, ensuring that only legitimate users who have applied for and opened an account can use it.
Powerful access control: the account is bound to IP, MAC, switch IP, port and VLAN, while account roaming is also supported;
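An added example (not Ruijie SAM or S-Radius code) of the composite binding check described under accurate authentication and access control above, together with the post-authentication IP re-check that the management section of this scheme attributes to S-Radius. Account names, addresses and the function names are constructed.

```python
# Added example, not Ruijie SAM/S-Radius code: the composite binding check the
# scheme describes, with constructed sample data and hypothetical names.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Binding:
    """Attributes fixed to one account when it is opened."""
    account: str
    ip: str
    mac: str
    switch_ip: str   # IP of the access switch (RADIUS NAS-IP-Address)
    port: int        # access port on that switch (RADIUS NAS-Port)
    vlan: int

@dataclass(frozen=True)
class AccessRequest:
    """What the access switch reports about a supplicant at 802.1X time."""
    account: str
    ip: str
    mac: str
    switch_ip: str
    port: int
    vlan: int

# Constructed sample bindings for two dormitory accounts (not real data).
BINDINGS: Dict[str, Binding] = {
    "u2004001": Binding("u2004001", "10.1.3.21", "00:d0:f8:11:22:33", "10.1.3.1", 7, 103),
    "u2004002": Binding("u2004002", "10.1.3.22", "00:d0:f8:44:55:66", "10.1.3.1", 8, 103),
}

CHECKED = ("ip", "mac", "switch_ip", "port", "vlan")

def authorize(req: AccessRequest, bindings=BINDINGS) -> Tuple[bool, str]:
    """Accept only when every bound attribute matches, and report which one
    failed. A correct password presented from another IP, MAC, switch or
    port is rejected, which is what blocks reuse of a stolen account."""
    b = bindings.get(req.account)
    if b is None:
        return False, "unknown account"
    for field in CHECKED:
        if getattr(req, field) != getattr(b, field):
            return False, f"{field} mismatch"
    return True, "accept"

def check_online_ip(account: str, observed_ip: str, bindings=BINDINGS) -> Optional[str]:
    """Post-authentication check: an online user whose traffic now carries a
    different IP is logged off immediately. Returns the logoff reason, or None
    if the session may continue."""
    b = bindings.get(account)
    if b is None or observed_ip != b.ip:
        return f"ip changed to {observed_ip}; force offline"
    return None
```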
4 High reliability
Link-level redundant backup and load balancing: the core RG-S6806 and the convergence-layer STAR-S3550 support not only the traditional 802.1D spanning tree protocol but also the newer 802.1w and 802.1s spanning tree protocols, achieving load balancing across two links while ensuring link redundancy.
Redundancy of key components: the RG-S6806 provides redundant key components such as a redundant management and switching engine and redundant power supplies, and works with RAPS (Ruijie Automatic Protection System) to achieve high system stability and reliability.
Strict testing: the selected equipment has been rigorously tested with professional instruments such as SmartBits to ensure reliability in the R&D and production stages;
5 Easy management
Three diagrams: a simple and clear equipment management diagram, topology status diagram and traffic analysis diagram minimize the network management workload;
Chinese localization: the interface and core are in Chinese, making the system especially suitable for Chinese users;
One-stop: complete management of the whole network from a single network management workstation, with seamless integration of third-party network management software.
Satisfactory solution to IP address conflicts and IP address theft: IP attribute verification when Ruijie S-Radius authenticates users completely eliminates IP address conflicts, covering both the case where the IP is not set as required before authentication and the case where a user changes IP address, which triggers an immediate logoff; binding the user account to an IP address and assigning each user a fixed IP address prevents the IP address from being stolen by others.
Review team:
Ruijie Network Products Business Division
Beijing Saidi Information Assessment Co., Ltd.
Comments: The demand analysis of the scheme is in place, and the characteristics of the student dormitory network application system are accurately analyzed. The technical design embodies the characteristics of advancement, security, extensibility, manageability and ease of operation, and adopts the advanced design concept of "Gigabit backbone, 100 Mbps to the desktop" and the distributed three-layer switching network architecture. It must be pointed out that paying attention to the combination of advancement and practicality in the scheme design, and integrating with the existing network system, is a basic requirement arising from the characteristics of campus network construction.