Modular Network Design: A Scalable Architecture Framework
Introduction to Modular Network Design
Network modularity is the practice of designing networks as interconnected, purpose-built segments rather than monolithic structures. Each module serves a specific function, has defined boundaries, and connects to adjacent modules through well-understood interfaces. This approach turns network design from an art into a repeatable engineering discipline.
The power of modularity lies in its ability to create predictable patterns that can be applied consistently across an organization's entire infrastructure footprint, whether that spans tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.
Why Modularity Matters
Benefits Across All Network Scales
| Benefit | Small Sites | Medium Sites | Large Sites |
|---|---|---|---|
| Simplified troubleshooting | A single engineer can understand the entire topology | Teams can specialize by module | Clear escalation paths between module owners |
| Predictable scaling | Add modules as needed | Clone proven patterns | Extend without redesign |
| Consistent security | Same policy everywhere | Uniform compliance posture | Auditable boundaries |
| Operational efficiency | Template-based deployment | Automated provisioning | Standardized change management |
| Cost control | Right-size each module | | |
The Scaling Challenge
Organizations are rarely static. A modular design must accommodate:
- 10,000+ small sites: Branch offices, retail stores, remote facilities
- 1,000+ medium sites: Regional offices, distribution centers, manufacturing plants
- 100+ large sites: Headquarters, datacenters, major campuses
Without modularity, every site becomes a unique snowflake requiring custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site.
Core Network Modules
Module 1: Internet Edge Segment
The Internet Edge is where your organization meets the outside world. This module contains:
- WAN/Internet circuits (MPLS, DIA, broadband, LTE/5G)
- Edge routers (BGP peering, WAN termination)
- Firewalls (stateful inspection, NAT, VPN termination)
- VLAN segmentation for functional separation
@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false
nwdiag {
internet [shape = cloud, description = "Internet"];
network ISP_Transit {
address = "VLAN 10-12"
color = "#FFE4E1"
description = "ISP/MPLS Transit"
internet;
ISP_A [description = "ISP-A\nCircuit"];
ISP_B [description = "ISP-B\nCircuit"];
MPLS [description = "MPLS\nCircuit"];
}
network Edge_Router_Segment {
address = "VLAN 10,11,12"
color = "#E6E6FA"
description = "Edge Router Aggregation"
ISP_A;
ISP_B;
MPLS;
Edge_Router [description = "Edge Router\n(BGP Peering)"];
}
network FW_Outside {
address = "VLAN 100"
color = "#FFFACD"
description = "Firewall Outside"
Edge_Router;
FW_Primary [description = "Firewall\nPrimary"];
FW_Secondary [description = "Firewall\nSecondary"];
}
network FW_HA_Sync {
address = "VLAN 101"
color = "#F0FFF0"
description = "HA Sync Link"
FW_Primary;
FW_Secondary;
}
network FW_Inside {
address = "VLAN 102"
color = "#E0FFFF"
description = "To Internal Edge"
FW_Primary;
FW_Secondary;
}
}
@enduml
Key design principles:
- Redundant circuits from different providers
- Firewall high-availability pair
- Clear VLAN boundaries between trust zones
- L3 point-to-point links between router and firewall
Module 2: Internal Edge / DMZ Tier
For medium and large sites, the Internal Edge provides an aggregation layer for services that require controlled exposure or that act as transition points between security zones.
@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internet_Edge {
address = "VLAN 102"
color = "#E0FFFF"
description = "From Firewall Inside"
IntEdge_A [description = "Internal Edge\nSwitch A"];
IntEdge_B [description = "Internal Edge\nSwitch B"];
}
network MCLAG_Peer {
address = "Peer-Link"
color = "#DDA0DD"
description = "MCLAG/vPC Peer"
IntEdge_A;
IntEdge_B;
}
network WLC_Mgmt {
address = "VLAN 200 - 10.x.200.0/24"
color = "#FFE4B5"
description = "WLC Management"
IntEdge_A;
IntEdge_B;
WLC [description = "Wireless LAN\nController"];
}
network Proxy_Farm {
address = "VLAN 201 - 10.x.201.0/24"
color = "#FFDAB9"
description = "Proxy Services"
IntEdge_A;
IntEdge_B;
Proxy [description = "Web Proxy\nServers"];
}
network VPN_Services {
address = "VLAN 202 - 10.x.202.0/24"
color = "#E6E6FA"
description = "VPN Termination"
IntEdge_A;
IntEdge_B;
VPN [description = "VPN\nConcentrator"];
}
network Infrastructure {
address = "VLAN 204 - 10.x.204.0/24"
color = "#F0FFF0"
description = "Infrastructure Services"
IntEdge_A;
IntEdge_B;
DNS_DHCP [description = "DNS/DHCP\nServers"];
}
network To_Core {
address = "VLAN 205"
color = "#B0E0E6"
description = "Core Transit"
IntEdge_A;
IntEdge_B;
}
}
@enduml
Services typically placed in the Internal Edge:
- Wireless LAN controllers (WLC)
- Web proxies and content filters
- VPN concentrators
- DNS/DHCP infrastructure
- Load balancers
- Jump hosts / bastion servers
Module 3: Core Layer
The core is the high-speed backbone that connects all other modules. It should be optimized for:
- Maximum throughput
- Minimum latency
- High availability
- Simple, fast forwarding
@startuml Core Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internal_Edge {
address = "L3 Routed"
color = "#B0E0E6"
description = "From Internal Edge"
Core_A [description = "Core Switch A\n100G Backbone"];
Core_B [description = "Core Switch B\n100G Backbone"];
}
network Core_Interconnect {
address = "100G+ ISL"
color = "#FFB6C1"
description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"
Core_A;
Core_B;
}
network To_Distribution_1 {
address = "L3 P2P"
color = "#98FB98"
description = "Building A"
Core_A;
Core_B;
Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
}
network To_Distribution_2 {
address = "L3 P2P"
color = "#DDA0DD"
description = "Building B"
Core_A;
Core_B;
Dist_2 [description = "Distribution 2\n(MCLAG)"];
}
network To_Distribution_3 {
address = "L3 P2P"
color = "#FFDAB9"
description = "Building C"
Core_A;
Core_B;
Dist_3 [description = "Distribution 3\n(MCLAG)"];
}
network To_DC_Border {
address = "L3 Routed"
color = "#87CEEB"
description = "Datacenter"
Core_A;
Core_B;
Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
}
}
@enduml
Key design principles:
- No directly connected end-user devices
- L3 routing between core switches (no spanning tree)
- Equal-cost multipath (ECMP) for load distribution
- Fast-convergence routing protocols
Module 4: Distribution Layer
The distribution layer aggregates access switches and enforces policy. This is where network design choices vary the most, depending on site requirements.
Distribution Tier Variations
Variation 1: L3 Adjacent (Routed Access)
In this design, the distribution and access layers are L3 adjacent: each access switch has its own IP subnet and routes directly to distribution.
@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 ECMP"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(L3 Router)"];
Dist_B [description = "Distribution B\n(L3 Router)"];
}
network Dist_iBGP {
address = "iBGP Peering"
color = "#DDA0DD"
description = "ECMP/iBGP"
Dist_A;
Dist_B;
}
network P2P_Access_1 {
address = "10.x.2.0/30"
color = "#98FB98"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L3 Gateway)"];
}
network P2P_Access_2 {
address = "10.x.2.8/30"
color = "#FFE4B5"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_2 [description = "Access SW-2\n(L3 Gateway)"];
}
network P2P_Access_3 {
address = "10.x.2.16/30"
color = "#FFDAB9"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_3 [description = "Access SW-3\n(L3 Gateway)"];
}
network User_VLAN_1 {
address = "10.x.32.0/24"
color = "#F0FFF0"
description = "Users - SW1"
Access_1;
Laptop_1 [description = "Laptops"];
Phone_1 [description = "Phones"];
}
network User_VLAN_2 {
address = "10.x.33.0/24"
color = "#FFF0F5"
description = "Users - SW2"
Access_2;
Laptop_2 [description = "Laptops"];
Camera_2 [description = "Cameras"];
}
network User_VLAN_3 {
address = "10.x.34.0/24"
color = "#F5FFFA"
description = "Users - SW3"
Access_3;
Laptop_3 [description = "Workstations"];
Camera_3 [description = "Cameras"];
}
}
@enduml
Example subnet allocation:
| Link | Subnet |
|---|---|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-1 User VLAN | 10.x.32.0/24 |
| Access-2 User VLAN | 10.x.33.0/24 |
Benefits:
- Broadcast domain isolation at each switch
- Simplified troubleshooting (problems are contained within a subnet)
- No spanning tree between distribution and access
- Summarization possible at the distribution layer
Considerations:
- Requires L3-capable switches
- DHCP relay configuration on each access switch
- More complex IP address management
Variation 2: MCLAG with LACP Trunks
This design uses Multi-Chassis Link Aggregation (MCLAG) at distribution, with LACP bonds down to access switches carrying tagged VLANs.
Vendor terminology: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behavior is similar across vendors.
@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 Routed Uplinks"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(MCLAG Member)"];
Dist_B [description = "Distribution B\n(MCLAG Member)"];
}
network MCLAG_Peer_Link {
address = "Peer-Link"
color = "#FFB6C1"
description = "MCLAG/vPC Peer-Link"
Dist_A;
Dist_B;
}
network LACP_To_Access {
address = "Po1 - LACP Trunk"
color = "#DDA0DD"
description = "VLANs 100,110,120 Trunked"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L2 Switch)"];
}
network Data_VLAN {
address = "VLAN 100 - 10.x.32.0/24"
color = "#98FB98"
description = "Data VLAN"
Access_1;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - 10.x.64.0/24"
color = "#FFE4B5"
description = "Voice VLAN"
Access_1;
Phones [description = "IP Phones"];
}
network Security_VLAN {
address = "VLAN 120 - 10.x.96.0/24"
color = "#FFDAB9"
description = "Security VLAN"
Access_1;
Cameras [description = "Cameras\nBadge Readers"];
}
}
@enduml
SVI placement (VRRP VIP on the distribution pair):
- VLAN 100: 10.x.32.1/24
- VLAN 110: 10.x.64.1/24
- VLAN 120: 10.x.96.1/24
VLAN trunk configuration:
| Port-Channel | Access Switch | Allowed VLANs | Native VLAN |
|---|---|---|---|
| Po1 (MCLAG) | Access-1 | 100,110,120 | |
| Po2 (MCLAG) | Access-2 | | |
| Po3 (MCLAG) | Access-3 | 100,110 | |
MCLAG benefits:
- Active-active forwarding (both uplinks in use)
- Sub-second failover
- A single logical switch from the access perspective
- No spanning tree blocking
Considerations:
- The MCLAG peer-link can become a bottleneck
- STP is still required as a loop-prevention backup
Variation 3: Border Leaf for Spine/Leaf Datacenter
In datacenter environments, the distribution layer becomes the Border Leaf, connecting the spine/leaf fabric to the rest of the enterprise network.
@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE
nwdiag {
network Enterprise_Core {
address = "L3 Routed (eBGP/OSPF)"
color = "#B0E0E6"
description = "From Enterprise Core"
Border_A [description = "Border Leaf A\nVXLAN Gateway"];
Border_B [description = "Border Leaf B\nVXLAN Gateway"];
}
network Border_EVPN {
address = "VXLAN EVPN"
color = "#DDA0DD"
description = "EVPN Type-5 Routes"
Border_A;
Border_B;
Spine_1 [description = "Spine 1"];
Spine_2 [description = "Spine 2"];
}
network Spine_Fabric {
address = "eBGP Underlay"
color = "#FFB6C1"
description = "Spine Layer"
Spine_1;
Spine_2;
}
network Leaf_Tier_1 {
address = "VTEP"
color = "#98FB98"
description = "Compute Rack 1"
Spine_1;
Spine_2;
Leaf_1 [description = "Leaf 1"];
Leaf_2 [description = "Leaf 2"];
}
network Leaf_Tier_2 {
address = "VTEP"
color = "#FFE4B5"
description = "Storage/Services"
Spine_1;
Spine_2;
Leaf_3 [description = "Leaf 3"];
Leaf_4 [description = "Leaf 4"];
}
network Server_Rack_1 {
address = "VNI 10001"
color = "#F0FFF0"
description = "Compute Servers"
Leaf_1;
Leaf_2;
Servers_1 [description = "Rack Servers\nVMs/Containers"];
}
network Storage_Network {
address = "VNI 10002"
color = "#FFDAB9"
description = "Storage Arrays"
Leaf_3;
Storage [description = "SAN/NAS\nStorage"];
}
network Voice_Services {
address = "VNI 10003"
color = "#E6E6FA"
description = "UC Systems"
Leaf_4;
PBX [description = "PBX/UC\nSystems"];
}
}
@enduml
Datacenter fabric details:
| Component | Description |
|---|---|
| Underlay | eBGP (routed spine/leaf underlay) |
| Overlay | VXLAN with EVPN control plane |
| Border Leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Leaf workloads | Compute, storage, voice/UC, infrastructure |
Benefits:
- Massive horizontal scale (add leaf pairs as needed)
- Non-blocking fabric architecture
- Multi-tenancy via VRF/VNI
- Optimal east-west traffic patterns
Considerations:
- Operational complexity of VXLAN/EVPN
- Specialized skills required
- Higher equipment costs
Module 5: Access Layer
The access layer is where end devices connect. Regardless of the distribution topology, access switches provide:
@startuml Access Layer Module
skinparam backgroundColor #FEFEFE
nwdiag {
network Distribution_Uplink {
address = "L3 or LACP Trunk"
color = "#B0E0E6"
description = "Uplinks to Distribution"
Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
}
network Data_VLAN {
address = "VLAN 100 - Ports 1-8, 25-32"
color = "#98FB98"
description = "Data VLAN"
Access_SW;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - Ports 9-16"
color = "#FFE4B5"
description = "Voice VLAN"
Access_SW;
Phones [description = "IP Phones"];
}
network Camera_VLAN {
address = "VLAN 120 - Ports 17-24"
color = "#FFDAB9"
description = "Security VLAN"
Access_SW;
Cameras [description = "IP Cameras"];
}
network Wireless_VLAN {
address = "VLAN 130 - Ports 33-40"
color = "#DDA0DD"
description = "Wireless AP VLAN"
Access_SW;
APs [description = "Wireless APs"];
}
network Mgmt_VLAN {
address = "VLAN 999 - Ports 41-44"
color = "#F0FFF0"
description = "Management VLAN"
Access_SW;
}
}
@enduml
Access layer security features:
- 802.1X / MAB authentication
- Dynamic VLAN assignment
- Port security
- DHCP snooping
- Dynamic ARP Inspection
- IP Source Guard
Complete Modular Topology
Here is how all the modules come together to form a complete enterprise network:
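As an added example (not code from the original article), the following Python model shows how three of the features listed above cooperate: DHCP snooping builds a binding table from leases seen on the switch, and Dynamic ARP Inspection and IP Source Guard both consult that same table to drop frames from untrusted ports whose addresses do not match a binding. The port names, MAC addresses, lease addresses and the message sequence are constructed for the demonstration; the only trusted port is the uplink toward distribution, as the article's design implies.

```python
# Added example, not from the original article: a model of how DHCP snooping,
# Dynamic ARP Inspection (DAI) and IP Source Guard share one binding table on an
# access switch. Port names, MAC addresses and packets are constructed for the demo.
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class AccessSwitch:
    # Trusted ports are the uplinks toward distribution, where the real DHCP server is reached.
    trusted_ports: set
    pending: dict = field(default_factory=dict)   # (vlan, mac) -> port awaiting a lease
    bindings: dict = field(default_factory=dict)  # (vlan, mac) -> Binding
    log: list = field(default_factory=list)

    def dhcp_snoop(self, port, vlan, msg):
        """DHCP snooping: server replies are accepted only from trusted ports, and
        each ACK creates a binding for the client port that requested the lease."""
        kind, mac = msg["type"], msg["client_mac"]
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, mac)] = port
            return True
        if port not in self.trusted_ports:
            self.log.append(f"DROP rogue DHCP {kind} on untrusted {port}")
            return False
        if kind == "ACK" and (vlan, mac) in self.pending:
            self.bindings[(vlan, mac)] = Binding(mac, msg["yiaddr"], vlan, self.pending.pop((vlan, mac)))
        return True

    def _matches_binding(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp_inspect(self, port, vlan, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a snooping binding."""
        if port in self.trusted_ports or self._matches_binding(port, vlan, sender_mac, sender_ip):
            return True
        self.log.append(f"DROP ARP {sender_ip} is-at {sender_mac} on {port}: no binding")
        return False

    def ip_source_guard(self, port, vlan, src_mac, src_ip):
        """IP Source Guard: IP traffic from an untrusted port must use its bound address."""
        if port in self.trusted_ports or self._matches_binding(port, vlan, src_mac, src_ip):
            return True
        self.log.append(f"DROP IP src {src_ip}/{src_mac} on {port}: no binding")
        return False


def scenario():
    """Walk one client through a lease, then feed spoofed and legitimate frames."""
    sw = AccessSwitch(trusted_ports={"Po1"})
    client, other = "aa:bb:cc:00:00:05", "aa:bb:cc:00:00:07"   # constructed MACs
    r = {}
    r["discover"] = sw.dhcp_snoop("Gi1/0/5", 100, {"type": "DISCOVER", "client_mac": client})
    # A DHCP server answering from an access port is dropped before it reaches the client.
    r["rogue_offer"] = sw.dhcp_snoop("Gi1/0/7", 100, {"type": "OFFER", "client_mac": client,
                                                       "yiaddr": "10.0.32.200"})
    # The real server's ACK arrives over the trusted uplink and creates the binding.
    r["ack"] = sw.dhcp_snoop("Po1", 100, {"type": "ACK", "client_mac": client, "yiaddr": "10.0.32.10"})
    # Another host on VLAN 100 answers ARP for the gateway's address: DAI drops it.
    r["gateway_spoof"] = sw.arp_inspect("Gi1/0/7", 100, other, "10.0.32.1")
    r["legit_arp"] = sw.arp_inspect("Gi1/0/5", 100, client, "10.0.32.10")
    # The client sends IP traffic with a source that is not its lease: IPSG drops it.
    r["spoofed_ip"] = sw.ip_source_guard("Gi1/0/5", 100, client, "10.0.32.99")
    r["legit_ip"] = sw.ip_source_guard("Gi1/0/5", 100, client, "10.0.32.10")
    r["bound_port"] = sw.bindings[(100, client)].port
    r["drops"] = len(sw.log)
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for line in scenario()["log"]:
        print(line)
```

The point the model makes is that the binding table is the single source of truth: if snooping is not enabled on a VLAN, DAI and IP Source Guard have nothing to check against, which is why the three features are deployed together.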
@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network
nwdiag {
internet [shape = cloud, description = "Internet/WAN"];
network Internet_Edge {
address = "Module 1"
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge Router"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
address = "Module 2"
color = "#E6E6FA"
description = "INTERNAL EDGE / DMZ MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS/DHCP"];
}
network Core {
address = "Module 3"
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Distribution_L3 {
address = "Variation 1"
color = "#98FB98"
description = "DIST - L3 Adjacent\n(Building A)"
Core_A;
Core_B;
Dist_1A [description = "Dist-1A"];
Dist_1B [description = "Dist-1B"];
Access_L3 [description = "Access\n(L3)"];
}
network Distribution_MCLAG {
address = "Variation 2"
color = "#DDA0DD"
description = "DIST - MCLAG\n(Building B)"
Core_A;
Core_B;
Dist_2A [description = "Dist-2A"];
Dist_2B [description = "Dist-2B"];
Access_L2 [description = "Access\n(L2)"];
}
network Datacenter {
address = "Variation 3"
color = "#FFE4B5"
description = "DATACENTER\n(Spine/Leaf)"
Core_A;
Core_B;
Border_Leaf [description = "Border\nLeaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers\nStorage\nPBX"];
}
network Campus_Users {
address = "End Devices"
color = "#F0FFF0"
description = "Campus Users"
Access_L3;
Access_L2;
Users [description = "Laptops\nPhones\nCameras"];
}
}
@enduml
IP Addressing Strategy with VRF Isolation
The Challenge in Multi-Segment, Multi-VRF Designs
When networks grow to include multiple security zones, business units, or compliance boundaries, VRF (Virtual Routing and Forwarding) provides routing-table isolation. But extending VRFs through multiple tiers adds complexity:
- Each L3 hop requires a transit subnet
- Sub-interfaces multiply configuration complexity
- Troubleshooting spans multiple routing tables
- Documentation must track VRF membership at every tier
Subnet Schema Strategy
A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors.
Example: Large Manufacturing Site (10.0.0.0/13)
Site allocation: 10.0.0.0/13 (Manufacturing Site Alpha) - 524,286 usable hosts
@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)
nwdiag {
network Corporate_VRF {
address = "VRF: CORPORATE\n10.0.0.0/17"
color = "#98FB98"
description = "Production Users"
Corp_Transit [description = "Transit\n10.0.0.0/23"];
Corp_Users [description = "Users\n10.0.32.0/19"];
Corp_Voice [description = "Voice\n10.0.64.0/19"];
Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
Corp_Server [description = "Servers\n10.0.112.0/20"];
}
network Guest_VRF {
address = "VRF: GUEST\n10.1.0.0/17"
color = "#FFE4B5"
description = "Visitor Network"
Guest_Transit [description = "Transit\n10.1.0.0/23"];
Guest_Users [description = "Users\n10.1.32.0/19"];
}
network Security_VRF {
address = "VRF: SECURITY\n10.2.0.0/17"
color = "#FFDAB9"
description = "Physical Security"
Sec_Transit [description = "Transit\n10.2.0.0/23"];
Sec_Camera [description = "Cameras\n10.2.32.0/19"];
Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
}
network IOT_VRF {
address = "VRF: IOT\n10.3.0.0/17"
color = "#E6E6FA"
description = "Manufacturing OT"
IOT_Transit [description = "Transit\n10.3.0.0/23"];
IOT_PLC [description = "PLCs\n10.3.32.0/19"];
IOT_HMI [description = "HMIs\n10.3.64.0/19"];
IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
}
}
@enduml
Transit segment detail (10.0.0.0/23 - 510 usable IPs):
| Subnet | Link |
|---|---|
| 10.0.0.0/30 | FW-Inside → Internal-Edge-A |
| 10.0.0.4/30 | FW-Inside → Internal-Edge-B |
| 10.0.0.8/30 | Internal-Edge-A → Core-A |
| 10.0.0.12/30 | Internal-Edge-A → Core-B |
| 10.0.0.16/30 | Internal-Edge-B → Core-A |
| 10.0.0.20/30 | Internal-Edge-B → Core-B |
| 10.0.0.24/30 | Core-A → Distribution-A |
| 10.0.0.28/30 | Core-A → Distribution-B |
| 10.0.0.32/30 | Core-B → Distribution-A |
| 10.0.0.36/30 | Core-B → Distribution-B |
| 10.0.0.40/30 | Distribution-A → Access-SW-1 |
| 10.0.0.44/30 | Distribution-B → Access-SW-1 |
| ... | (pattern continues) |
Note: /31 subnets (RFC 3021) can also be used for point-to-point links to conserve address space.
Pattern Recognition Benefits
When subnet patterns are consistent across VRFs:
| What you know | What you can infer |
|---|---|
| The CORPORATE transit link uses 10.0.0.40/30 | The same link in the SECURITY VRF uses 10.2.0.40/30 |
| Access-SW-1 users are on 10.0.32.0/24 | Access-SW-5 users are on 10.0.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta is probably 10.8.0.0/13 |
This allows engineers to:
- Predict IP addresses without consulting documentation
- Recognize misconfigured subnets immediately
- Build automation templates that work across VRFs
- Train new staff on the pattern rather than on memorization
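The schema above can be expressed as code, which is also the cheapest way to catch a plan that breaks its own pattern. The following Python block is an added example, not code from the original article: it derives the per-VRF blocks, transit /30s and per-switch user /24s for Site Alpha from the site /13 using the standard library's ipaddress module, translates a subnet to its counterpart in another VRF by offset, and checks each VRF's role subnets for overlaps and for addresses outside the VRF block. Assumptions made here: each VRF owns a /16 of the site block and lays out only its lower /17 (the article shows 10.0.0.0/17, 10.1.0.0/17, 10.2.0.0/17, 10.3.0.0/17), the transit links are numbered in the order of the transit table, and access switches take consecutive /24s from the Users /19. Run against the role subnets exactly as drawn in the schema diagram, the overlap check reports that the CORPORATE Wireless /19 (10.0.96.0/19) contains the Servers /20 (10.0.112.0/20), which is the kind of mistake a practitioner wants flagged before it reaches a template.

```python
# Added example, not from the original article: build the per-site VRF schema
# with Python's ipaddress module, derive addresses across VRFs from the shared
# offsets, and check the plan for overlaps.
import ipaddress
from itertools import combinations

# Site block from the article: Manufacturing Site Alpha = 10.0.0.0/13.
SITE = ipaddress.ip_network("10.0.0.0/13")

# VRFs in the article's order. Each VRF owns one /16 of the site block and the
# article lays out only its lower /17; treating the upper /17 as reserved for
# growth is an assumption made here.
VRF_ORDER = ["CORPORATE", "GUEST", "SECURITY", "IOT"]

# Role subnets exactly as drawn in the article's schema diagram.
ROLE_SUBNETS = {
    "CORPORATE": {"Transit": "10.0.0.0/23", "Users": "10.0.32.0/19", "Voice": "10.0.64.0/19",
                  "Wireless": "10.0.96.0/19", "Servers": "10.0.112.0/20"},
    "GUEST": {"Transit": "10.1.0.0/23", "Users": "10.1.32.0/19"},
    "SECURITY": {"Transit": "10.2.0.0/23", "Cameras": "10.2.32.0/19",
                 "Badge Readers": "10.2.64.0/19", "NVR/VMS": "10.2.96.0/20"},
    "IOT": {"Transit": "10.3.0.0/23", "PLCs": "10.3.32.0/19", "HMIs": "10.3.64.0/19",
            "SCADA": "10.3.96.0/20"},
}

# Tier-to-tier links in the order of the article's transit table; link i gets the
# i-th /30 of the VRF's transit /23, so every VRF uses the same offsets.
TRANSIT_LINKS = [
    "FW-Inside -> Internal-Edge-A", "FW-Inside -> Internal-Edge-B",
    "Internal-Edge-A -> Core-A", "Internal-Edge-A -> Core-B",
    "Internal-Edge-B -> Core-A", "Internal-Edge-B -> Core-B",
    "Core-A -> Distribution-A", "Core-A -> Distribution-B",
    "Core-B -> Distribution-A", "Core-B -> Distribution-B",
    "Distribution-A -> Access-SW-1", "Distribution-B -> Access-SW-1",
]


def vrf_block(vrf):
    """The /17 a VRF lays out inside the site block (lower half of its /16)."""
    sixteen = list(SITE.subnets(new_prefix=16))[VRF_ORDER.index(vrf)]
    return next(sixteen.subnets(new_prefix=17))


def transit_link(vrf, link):
    """The /30 for a named tier-to-tier link in the given VRF."""
    transit = next(vrf_block(vrf).subnets(new_prefix=23))
    return str(list(transit.subnets(new_prefix=30))[TRANSIT_LINKS.index(link)])


def access_switch_users(vrf, switch_number):
    """The /24 for access switch N, carved in order from the VRF's Users /19 (assumed)."""
    users = ipaddress.ip_network(ROLE_SUBNETS[vrf]["Users"])
    return str(list(users.subnets(new_prefix=24))[switch_number - 1])


def same_offset_in(subnet, target_vrf):
    """Translate a subnet to the VRF that uses the same offset (the pattern-recognition table)."""
    net = ipaddress.ip_network(subnet)
    source = next(v for v in VRF_ORDER if net.subnet_of(vrf_block(v)))
    offset = int(net.network_address) - int(vrf_block(source).network_address)
    base = int(vrf_block(target_vrf).network_address)
    return str(ipaddress.ip_network((base + offset, net.prefixlen)))


def find_overlaps(vrf):
    """Pairs of role subnets in a VRF that overlap; a correct plan returns []."""
    roles = {name: ipaddress.ip_network(s) for name, s in ROLE_SUBNETS[vrf].items()}
    return [(a, b) for a, b in combinations(roles, 2) if roles[a].overlaps(roles[b])]


def roles_outside_block(vrf):
    """Role subnets that fall outside the VRF's /17; a correct plan returns []."""
    block = vrf_block(vrf)
    return [name for name, s in ROLE_SUBNETS[vrf].items()
            if not ipaddress.ip_network(s).subnet_of(block)]


if __name__ == "__main__":
    for vrf in VRF_ORDER:
        print(vrf, vrf_block(vrf), "overlaps:", find_overlaps(vrf),
              "outside block:", roles_outside_block(vrf))
    print(transit_link("CORPORATE", "Distribution-A -> Access-SW-1"))  # 10.0.0.40/30
    print(same_offset_in("10.0.0.40/30", "SECURITY"))                   # 10.2.0.40/30
    print(access_switch_users("CORPORATE", 5))                          # 10.0.36.0/24
```

The same three functions are what an automation template needs: given a VRF name and a link or switch number, the address is computed rather than looked up, and the two check functions can run in CI against the plan before any device is configured.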
Site Size Templates
Small Site Template (Branch Office)
@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)
nwdiag {
internet [shape = cloud];
network WAN {
color = "#FFE4E1"
description = "ISP/MPLS Circuit"
internet;
UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
}
network LAN {
address = "10.100.x.0/24"
color = "#98FB98"
description = "Single Subnet"
UTM;
Access [description = "Access Switch\n(or UTM ports)"];
}
network Endpoints {
color = "#F0FFF0"
description = "End Devices"
Access;
AP [description = "WiFi AP"];
Users [description = "Users"];
Phones [description = "Phones"];
}
}
@enduml
Small site design notes:
- Collapsed design: All functions on minimal hardware
- Subnet: /24 or /23 per site
- Example: 10.100.1.0/24 (Site 001)
Medium Site Template (Regional Office)
@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)
nwdiag {
internet [shape = cloud];
network WAN_Edge {
color = "#FFE4E1"
description = "Internet Edge"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B/MPLS"];
Edge_RTR [description = "Edge Router"];
}
network Firewall_Tier {
color = "#FFDAB9"
description = "Firewall HA Pair"
Edge_RTR;
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Distribution {
address = "10.50.x.0/21"
color = "#DDA0DD"
description = "MCLAG Distribution\n(Dist/Core Combined)"
FW_A;
FW_B;
Dist_A [description = "Dist-A"];
Dist_B [description = "Dist-B"];
}
network Access_Tier {
color = "#98FB98"
description = "Access Switches (LACP)"
Dist_A;
Dist_B;
Acc1 [description = "Acc1"];
Acc2 [description = "Acc2"];
Acc3 [description = "Acc3"];
Acc4 [description = "Acc4"];
Acc5 [description = "Acc5"];
}
network Users {
color = "#F0FFF0"
description = "End Devices"
Acc1;
Acc2;
Acc3;
Acc4;
Acc5;
Endpoints [description = "Laptops/Phones\nCameras/APs"];
}
}
@enduml
Medium site design notes:
- Partial modularity: Distinct edge and access tiers
- Subnet: /21 per site (2,046 IPs)
- Example: 10.50.0.0/21 (Site 050)
Large Site Template (Headquarters / Campus)
@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)
nwdiag {
internet [shape = cloud];
network Internet_Edge {
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge-RTR"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
color = "#E6E6FA"
description = "INTERNAL EDGE MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS"];
}
network Core {
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Dist_Var1 {
color = "#98FB98"
description = "L3 Adjacent"
Core_A;
Core_B;
Dist_1 [description = "Dist-1"];
Access_1 [description = "Access"];
}
network Dist_Var2 {
color = "#DDA0DD"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_2 [description = "Dist-2"];
Access_2 [description = "Access"];
}
network Dist_Var3 {
color = "#FFE4B5"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_3 [description = "Dist-3"];
Access_3 [description = "Access"];
}
network Datacenter {
color = "#87CEEB"
description = "SPINE/LEAF DC"
Core_A;
Core_B;
Border [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers"];
}
}
@enduml
Large site design notes:
- Full modularity: All tiers physically separated
- Subnet: /13 to /15 per site (based on VRF count)
- Example: 10.0.0.0/13 (HQ) - 524,286 IPs
VRF and L3 Segmentation: Benefits and Complexity
Benefits of L3 Segmentation with Sub-Interfaces
- Security isolation: Traffic between VRFs must traverse a firewall or policy device
- Blast radius containment: A compromised segment cannot directly reach other VRFs
- Compliance boundaries: PCI, HIPAA, or OT networks in separate routing domains
- Traffic engineering: Different routing policies per VRF
Complexity Trade-off
When segments must extend through multiple tiers, each L3 boundary adds configuration overhead:
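The three templates differ in topology and in the size of the per-site prefix, so the selection and the address allocation can be driven by the same table. The Python block below is an added example, not code from the original article: it picks a template by user count using the thresholds in the diagram titles (under 50, 50 to 500, over 500) and allocates the n-th site block from a per-template pool. The pools 10.100.0.0/16 for small sites and 10.50.0.0/16 for medium sites are assumptions that match the article's examples (10.100.1.0/24 for Site 001, 10.50.0.0/21 for the first medium site); large sites draw /13s from 10.0.0.0/8, which reproduces 10.0.0.0/13 for HQ and 10.8.0.0/13 for the next site. Because the large pool contains the two smaller pools, the allocator skips the /13s that overlap them rather than handing out colliding space.

```python
# Added example, not from the original article: choose a site template by user
# count and allocate the site prefix. Pools for small and medium sites and the
# "n-th site gets the n-th block" rule are assumptions made here.
import ipaddress

TEMPLATES = {
    "small":  {"pool": "10.100.0.0/16", "site_prefix": 24,
               "design": "collapsed UTM/SD-WAN appliance + access switch"},
    "medium": {"pool": "10.50.0.0/16", "site_prefix": 21,
               "design": "edge router + firewall pair + MCLAG distribution + LACP access"},
    "large":  {"pool": "10.0.0.0/8", "site_prefix": 13,
               "design": "full modular: internet edge, internal edge, core, distribution variants, DC fabric"},
}


def choose_template(user_count):
    """Thresholds from the article's diagram titles: <50, 50-500, 500+."""
    if user_count < 50:
        return "small"
    if user_count <= 500:
        return "medium"
    return "large"


def site_blocks(template):
    """All candidate site blocks in the template's pool, skipping any block that
    contains a more specific pool (the /8 for large sites contains the two /16s)."""
    t = TEMPLATES[template]
    pool = ipaddress.ip_network(t["pool"])
    smaller_pools = [ipaddress.ip_network(o["pool"]) for name, o in TEMPLATES.items()
                     if name != template and ipaddress.ip_network(o["pool"]).prefixlen > pool.prefixlen]
    return [b for b in pool.subnets(new_prefix=t["site_prefix"])
            if not any(b.overlaps(p) for p in smaller_pools)]


def allocate_site(template, index):
    """The index-th site block of a template as a string (index 0 is the first block)."""
    return str(site_blocks(template)[index])


def capacity(template):
    """How many sites the assumed pool can hold at this template's prefix length."""
    return len(site_blocks(template))


def plan_site(name, user_count, index):
    """Template choice, prefix and usable host count for one site."""
    template = choose_template(user_count)
    prefix = ipaddress.ip_network(allocate_site(template, index))
    return {"site": name, "template": template, "prefix": str(prefix),
            "design": TEMPLATES[template]["design"], "hosts": prefix.num_addresses - 2}


if __name__ == "__main__":
    print(plan_site("Branch 001", 30, 1))      # 10.100.1.0/24
    print(plan_site("Regional 050", 300, 0))   # 10.50.0.0/21, 2046 hosts
    print(plan_site("HQ", 5000, 0))            # 10.0.0.0/13, 524286 hosts
    print({t: capacity(t) for t in TEMPLATES})
```

The capacity figures the script prints make the trade-off behind "/13 to /15 per site" visible: with the assumed pools, 10.0.0.0/8 holds only 30 non-colliding /13 large sites, so an estate with 100+ large sites needs smaller per-site blocks or additional private ranges.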
@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR
nwdiag {
network Camera_Segment {
address = "VLAN 120\n10.2.36.0/24"
color = "#FFDAB9"
description = "VRF: SECURITY"
Camera [description = "Camera"];
Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
}
network Access_to_Dist {
address = "10.2.0.40/30"
color = "#DDA0DD"
description = "VRF: SECURITY"
Access_SW;
Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
}
network Dist_to_Core {
address = "10.2.0.24/30"
color = "#B0E0E6"
description = "VRF: SECURITY"
Distribution;
Core [description = "Core\nSub-int: 10.2.0.8/30"];
}
network Core_to_IntEdge {
address = "10.2.0.8/30"
color = "#E6E6FA"
description = "VRF: SECURITY"
Core;
Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
}
network IntEdge_to_FW {
address = "10.2.0.0/30"
color = "#FFE4E1"
description = "VRF: SECURITY"
Internal_Edge;
Firewall [description = "Firewall\nInter-VRF Policy"];
}
network DC_Path {
address = "VXLAN/EVPN"
color = "#87CEEB"
description = "Datacenter Fabric"
Firewall;
Border_Leaf [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
NVR [description = "NVR"];
}
}
@enduml
Configuration overhead:
- 5 sub-interfaces per VRF per path
- 4 VRFs × 5 sub-interfaces = 20 sub-interfaces per switch
- Routing protocol adjacencies in every VRF
- Route leaking or firewall rules for inter-VRF traffic
Mitigation Strategies
- Limit the VRF count: Create VRFs only for genuine isolation requirements
- Centralize inter-VRF routing: A single firewall policy point rather than distributed enforcement
- Use VXLAN/EVPN: The overlay reduces physical sub-interface sprawl
- Automate provisioning: Templates ensure consistent configuration
- Document the pattern: Once learned, patterns are faster than lookups
Summary: Building a Scalable Network Pattern
The goal of modular network design is to create a repeatable pattern that enables:
| Site size | Count | Design | Addressing |
|---|---|---|---|
| Small | 10,000+ | Collapsed UTM + single switch | /24 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access | /21 per site |
| Large | 100+ | Full modular (Edge, Internal Edge, Core, Distribution variants, DC fabric) | /13 to /15 per site |
Key Takeaways
- Modules create boundaries: Each module has a defined purpose and interface
- Patterns enable scale: The same design at every site reduces training and errors
- VRFs provide isolation: But they add configuration complexity at every tier
- Subnet schemas: Predictable addressing reduces cognitive load
- Distribution varies by need: L3 adjacent, MCLAG/LACP, or spine/leaf
- Right-size for the site: Do not over-engineer small sites
By establishing these patterns and applying them consistently, organizations can build networks that scale from a single branch office to a global enterprise, all while maintaining operational simplicity and security posture.
Article version 2.0 | Published 2026-02-02 | Updated with PlantUML nwdiag diagrams