Modular Network Design: A Scalable Architecture Framework


Modular Network Design

Network modularity means designing networks as interconnected, purpose-built segments rather than as one monolithic structure. Each module has a specific function and defined boundaries, and connects to neighbouring modules through well-understood interfaces. This approach turns network design from an art into a repeatable engineering discipline.

The power of modularity lies in its ability to create predictable patterns that can be applied consistently across an organization's entire infrastructure footprint: tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.

Why Modularity Matters

Benefits Across Network Scales

| Benefit | Small Sites | Medium Sites | Large Sites |
|---|---|---|---|
| Simplified troubleshooting | A single engineer can understand the whole topology | Teams can specialize by module | Clear escalation paths between module owners |
| Predictable growth | Add modules as needed | Clone proven patterns | Expand without redesign |
| Consistent security | Same policies everywhere | Uniform compliance posture | Auditable boundaries |
| Operational efficiency | Template-based deployment | Automated provisioning | Standardized change management |
| Cost control | Right-size each module | Bulk purchasing per module type | Lifecycle management per tier |

The Challenge

Organizations are rarely static. A modular design must accommodate:

  • 10,000+ small sites: branch offices, retail locations, remote facilities
  • 1,000+ medium sites: regional offices, distribution centers, plants
  • 100+ large sites: headquarters, data centers, major campuses

Without modularity, every site becomes a unique snowflake with custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work at any site.


Core Network Modules

Module 1: Internet Edge Segment

The Internet Edge is where your organization meets the outside world. This module contains:

  • WAN/Internet circuits (MPLS, DIA, broadband, LTE/5G)
  • Edge routers (BGP peering, WAN termination)
  • Firewalls (stateful inspection, NAT, VPN termination)
  • VLAN segmentation for functional separation

@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false

nwdiag {
    internet [shape = cloud, description = "Internet"];

    network ISP_Transit {
        address = "VLAN 10-12"
        color = "#FFE4E1"
        description = "ISP/MPLS Transit"

        internet;
        ISP_A [description = "ISP-A\nCircuit"];
        ISP_B [description = "ISP-B\nCircuit"];
        MPLS [description = "MPLS\nCircuit"];
    }

    network Edge_Router_Segment {
        address = "VLAN 10,11,12"
        color = "#E6E6FA"
        description = "Edge Router Aggregation"

        ISP_A;
        ISP_B;
        MPLS;
        Edge_Router [description = "Edge Router\n(BGP Peering)"];
    }

    network FW_Outside {
        address = "VLAN 100"
        color = "#FFFACD"
        description = "Firewall Outside"

        Edge_Router;
        FW_Primary [description = "Firewall\nPrimary"];
        FW_Secondary [description = "Firewall\nSecondary"];
    }

    network FW_HA_Sync {
        address = "VLAN 101"
        color = "#F0FFF0"
        description = "HA Sync Link"

        FW_Primary;
        FW_Secondary;
    }

    network FW_Inside {
        address = "VLAN 102"
        color = "#E0FFFF"
        description = "To Internal Edge"

        FW_Primary;
        FW_Secondary;
    }
}
@enduml

Key design principles:

  • Redundant circuits from different providers
  • Firewall high-availability pairs
  • Clean VLAN boundaries between trust zones
  • L3 point-to-point links between router and firewall

Module 2: Internal Edge / DMZ Tier

At medium and large sites, the Internal Edge provides an aggregation tier for services that need controlled exposure or that act as transition points between security zones.

@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Internet_Edge {
        address = "VLAN 102"
        color = "#E0FFFF"
        description = "From Firewall Inside"

        IntEdge_A [description = "Internal Edge\nSwitch A"];
        IntEdge_B [description = "Internal Edge\nSwitch B"];
    }

    network MCLAG_Peer {
        address = "Peer-Link"
        color = "#DDA0DD"
        description = "MCLAG/vPC Peer"

        IntEdge_A;
        IntEdge_B;
    }

    network WLC_Mgmt {
        address = "VLAN 200 - 10.x.200.0/24"
        color = "#FFE4B5"
        description = "WLC Management"

        IntEdge_A;
        IntEdge_B;
        WLC [description = "Wireless LAN\nController"];
    }

    network Proxy_Farm {
        address = "VLAN 201 - 10.x.201.0/24"
        color = "#FFDAB9"
        description = "Proxy Services"

        IntEdge_A;
        IntEdge_B;
        Proxy [description = "Web Proxy\nServers"];
    }

    network VPN_Services {
        address = "VLAN 202 - 10.x.202.0/24"
        color = "#E6E6FA"
        description = "VPN Termination"

        IntEdge_A;
        IntEdge_B;
        VPN [description = "VPN\nConcentrator"];
    }

    network Infrastructure {
        address = "VLAN 204 - 10.x.204.0/24"
        color = "#F0FFF0"
        description = "Infrastructure Services"

        IntEdge_A;
        IntEdge_B;
        DNS_DHCP [description = "DNS/DHCP\nServers"];
    }

    network To_Core {
        address = "VLAN 205"
        color = "#B0E0E6"
        description = "Core Transit"

        IntEdge_A;
        IntEdge_B;
    }
}
@enduml

Services in the Internal Edge:

  • Wireless LAN controllers (WLC)
  • Web proxies and content filters
  • VPN concentrators
  • DNS/DHCP infrastructure
  • Load balancers
  • Jump hosts / bastion servers

Module 3: Core Layer

The core is the high-speed backbone that ties all other modules together. It should be optimized for:

  • Maximum throughput
  • Minimum latency
  • High availability
  • Simple, fast forwarding

@startuml Core Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Internal_Edge {
        address = "L3 Routed"
        color = "#B0E0E6"
        description = "From Internal Edge"

        Core_A [description = "Core Switch A\n100G Backbone"];
        Core_B [description = "Core Switch B\n100G Backbone"];
    }

    network Core_Interconnect {
        address = "100G+ ISL"
        color = "#FFB6C1"
        description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"

        Core_A;
        Core_B;
    }

    network To_Distribution_1 {
        address = "L3 P2P"
        color = "#98FB98"
        description = "Building A"

        Core_A;
        Core_B;
        Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
    }

    network To_Distribution_2 {
        address = "L3 P2P"
        color = "#DDA0DD"
        description = "Building B"

        Core_A;
        Core_B;
        Dist_2 [description = "Distribution 2\n(MCLAG)"];
    }

    network To_Distribution_3 {
        address = "L3 P2P"
        color = "#FFDAB9"
        description = "Building C"

        Core_A;
        Core_B;
        Dist_3 [description = "Distribution 3\n(MCLAG)"];
    }

    network To_DC_Border {
        address = "L3 Routed"
        color = "#87CEEB"
        description = "Datacenter"

        Core_A;
        Core_B;
        Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
    }
}
@enduml

Core design principles:

  • No directly attached user devices
  • L3 routing between core switches (no spanning tree)
  • Equal-cost multipath (ECMP) for load sharing
  • Fast-converging routing protocols

Module 4: Distribution Layer

The distribution layer aggregates access switches and enforces policy. This is where design choices vary the most, depending on site requirements.

Distribution Layer Variations

Variation 1: L3 Adjacent (Routed Access)

In this design, the distribution and access layers are L3 adjacent: each access switch has its own IP subnets and routes directly to the distribution layer.

@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Core {
        address = "L3 ECMP"
        color = "#B0E0E6"
        description = "From Core Layer"

        Dist_A [description = "Distribution A\n(L3 Router)"];
        Dist_B [description = "Distribution B\n(L3 Router)"];
    }

    network Dist_iBGP {
        address = "iBGP Peering"
        color = "#DDA0DD"
        description = "ECMP/iBGP"

        Dist_A;
        Dist_B;
    }

    network P2P_Access_1 {
        address = "10.x.2.0/30"
        color = "#98FB98"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_1 [description = "Access SW-1\n(L3 Gateway)"];
    }

    network P2P_Access_2 {
        address = "10.x.2.8/30"
        color = "#FFE4B5"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_2 [description = "Access SW-2\n(L3 Gateway)"];
    }

    network P2P_Access_3 {
        address = "10.x.2.16/30"
        color = "#FFDAB9"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_3 [description = "Access SW-3\n(L3 Gateway)"];
    }

    network User_VLAN_1 {
        address = "10.x.32.0/24"
        color = "#F0FFF0"
        description = "Users - SW1"

        Access_1;
        Laptop_1 [description = "Laptops"];
        Phone_1 [description = "Phones"];
    }

    network User_VLAN_2 {
        address = "10.x.33.0/24"
        color = "#FFF0F5"
        description = "Users - SW2"

        Access_2;
        Laptop_2 [description = "Laptops"];
        Camera_2 [description = "Cameras"];
    }

    network User_VLAN_3 {
        address = "10.x.34.0/24"
        color = "#F5FFFA"
        description = "Users - SW3"

        Access_3;
        Laptop_3 [description = "Workstations"];
        Camera_3 [description = "Cameras"];
    }
}
@enduml

Subnet Allocation Example:

| Link | Subnet |
|---|---|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-1 User VLAN | 10.x.32.0/24 |
| Access-2 User VLAN | 10.x.33.0/24 |

Benefits:

  • Broadcast-domain isolation per access switch
  • Simplified troubleshooting (faults are scoped to a subnet)
  • No spanning tree between distribution and access
  • Summarization possible at the distribution layer

Considerations:

  • Requires L3-capable access switches
  • DHCP relay configuration on every access switch
  • More complex IP address management

Variation 2: MCLAG with LACP Trunks

This design uses Multi-Chassis Link Aggregation (MCLAG) at the distribution layer, with LACP bundles to access switches carrying trunked VLANs.

Vendor terminology: Cisco calls it vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behaviour is similar across vendors.

@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Core {
        address = "L3 Routed Uplinks"
        color = "#B0E0E6"
        description = "From Core Layer"

        Dist_A [description = "Distribution A\n(MCLAG Member)"];
        Dist_B [description = "Distribution B\n(MCLAG Member)"];
    }

    network MCLAG_Peer_Link {
        address = "Peer-Link"
        color = "#FFB6C1"
        description = "MCLAG/vPC Peer-Link"

        Dist_A;
        Dist_B;
    }

    network LACP_To_Access {
        address = "Po1 - LACP Trunk"
        color = "#DDA0DD"
        description = "VLANs 100,110,120 Trunked"

        Dist_A;
        Dist_B;
        Access_1 [description = "Access SW-1\n(L2 Switch)"];
    }

    network Data_VLAN {
        address = "VLAN 100 - 10.x.32.0/24"
        color = "#98FB98"
        description = "Data VLAN"

        Access_1;
        Laptops [description = "Laptops\nWorkstations"];
    }

    network Voice_VLAN {
        address = "VLAN 110 - 10.x.64.0/24"
        color = "#FFE4B5"
        description = "Voice VLAN"

        Access_1;
        Phones [description = "IP Phones"];
    }

    network Security_VLAN {
        address = "VLAN 120 - 10.x.96.0/24"
        color = "#FFDAB9"
        description = "Security VLAN"

        Access_1;
        Cameras [description = "Cameras\nBadge Readers"];
    }
}
@enduml

SVI Placement (VRRP VIP on the distribution pair):

  • VLAN 100: 10.x.32.1/24
  • VLAN 110: 10.x.64.1/24
  • VLAN 120: 10.x.96.1/24

VLAN Trunk Configuration:

| Port-Channel | VLANs | Purpose |
|---|---|---|
| Po1 (MCLAG) | 100,110,120 | Access-1 |
| Po2 (MCLAG) | 100,110,120,130 | Access-2 |
| Po3 (MCLAG) | 100,110 | Access-3 |
| Native VLAN | 999 (unused) | |

MCLAG advantages:

  • Active-active forwarding (both links in use)
  • Sub-second failover
  • A single logical switch from the access-layer perspective
  • No spanning-tree blocked ports

Considerations:

  • VLANs span multiple access switches (larger broadcast domains)
  • The MCLAG peer-link can become a bottleneck
  • STP is still required as a loop-prevention backstop

Variation 3: Border Leaf for a Spine/Leaf Datacenter

In data centers, the distribution layer becomes the Border Leaf that connects the spine/leaf fabric to the rest of the enterprise network.

@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE

nwdiag {
    network Enterprise_Core {
        address = "L3 Routed (eBGP/OSPF)"
        color = "#B0E0E6"
        description = "From Enterprise Core"

        Border_A [description = "Border Leaf A\nVXLAN Gateway"];
        Border_B [description = "Border Leaf B\nVXLAN Gateway"];
    }

    network Border_EVPN {
        address = "VXLAN EVPN"
        color = "#DDA0DD"
        description = "EVPN Type-5 Routes"

        Border_A;
        Border_B;
        Spine_1 [description = "Spine 1"];
        Spine_2 [description = "Spine 2"];
    }

    network Spine_Fabric {
        address = "eBGP Underlay"
        color = "#FFB6C1"
        description = "Spine Layer"

        Spine_1;
        Spine_2;
    }

    network Leaf_Tier_1 {
        address = "VTEP"
        color = "#98FB98"
        description = "Compute Rack 1"

        Spine_1;
        Spine_2;
        Leaf_1 [description = "Leaf 1"];
        Leaf_2 [description = "Leaf 2"];
    }

    network Leaf_Tier_2 {
        address = "VTEP"
        color = "#FFE4B5"
        description = "Storage/Services"

        Spine_1;
        Spine_2;
        Leaf_3 [description = "Leaf 3"];
        Leaf_4 [description = "Leaf 4"];
    }

    network Server_Rack_1 {
        address = "VNI 10001"
        color = "#F0FFF0"
        description = "Compute Servers"

        Leaf_1;
        Leaf_2;
        Servers_1 [description = "Rack Servers\nVMs/Containers"];
    }

    network Storage_Network {
        address = "VNI 10002"
        color = "#FFDAB9"
        description = "Storage Arrays"

        Leaf_3;
        Storage [description = "SAN/NAS\nStorage"];
    }

    network Voice_Services {
        address = "VNI 10003"
        color = "#E6E6FA"
        description = "UC Systems"

        Leaf_4;
        PBX [description = "PBX/UC\nSystems"];
    }
}
@enduml

Datacenter fabric details:

| Component | Function |
|---|---|
| Underlay | eBGP (one ASN per switch) or OSPF |
| Overlay | VXLAN with an EVPN control plane |
| Border Leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Leaf Workloads | Compute, storage, voice/UC, infrastructure |

Benefits:

  • Massive horizontal scale (add leaf pairs as needed)
  • Non-blocking fabric architecture
  • Multi-tenancy via VRF/VNI
  • Optimal east-west traffic patterns

Considerations:

  • VXLAN/EVPN operational complexity
  • Specialized skills required
  • Equipment cost

Module 5: Access Layer

The access layer is where end devices connect. Whatever the distribution topology, access switches provide:

@startuml Access Layer Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network Distribution_Uplink {
        address = "L3 or LACP Trunk"
        color = "#B0E0E6"
        description = "Uplinks to Distribution"

        Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
    }

    network Data_VLAN {
        address = "VLAN 100 - Ports 1-8, 25-32"
        color = "#98FB98"
        description = "Data VLAN"

        Access_SW;
        Laptops [description = "Laptops\nWorkstations"];
    }

    network Voice_VLAN {
        address = "VLAN 110 - Ports 9-16"
        color = "#FFE4B5"
        description = "Voice VLAN"

        Access_SW;
        Phones [description = "IP Phones"];
    }

    network Camera_VLAN {
        address = "VLAN 120 - Ports 17-24"
        color = "#FFDAB9"
        description = "Security VLAN"

        Access_SW;
        Cameras [description = "IP Cameras"];
    }

    network Wireless_VLAN {
        address = "VLAN 130 - Ports 33-40"
        color = "#DDA0DD"
        description = "Wireless AP VLAN"

        Access_SW;
        APs [description = "Wireless APs"];
    }

    network Mgmt_VLAN {
        address = "VLAN 999 - Ports 41-44"
        color = "#F0FFF0"
        description = "Management VLAN"

        Access_SW;
    }
}
@enduml

Access layer security features:

  • 802.1X / MAB authentication
  • Dynamic VLAN assignment
  • Port security
  • DHCP snooping
  • Dynamic ARP inspection
  • IP Source Guard

Complete Modular Topology

Here is how all the modules connect to form the complete enterprise network:

@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network

nwdiag {
    internet [shape = cloud, description = "Internet/WAN"];

    network Internet_Edge {
        address = "Module 1"
        color = "#FFE4E1"
        description = "INTERNET EDGE MODULE"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B"];
        MPLS [description = "MPLS"];
        Edge_RTR [description = "Edge Router"];
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Internal_Edge {
        address = "Module 2"
        color = "#E6E6FA"
        description = "INTERNAL EDGE / DMZ MODULE"

        FW_A;
        FW_B;
        IntEdge_A [description = "IntEdge-A"];
        IntEdge_B [description = "IntEdge-B"];
        WLC [description = "WLC"];
        Proxy [description = "Proxy"];
        VPN [description = "VPN"];
        DNS [description = "DNS/DHCP"];
    }

    network Core {
        address = "Module 3"
        color = "#B0E0E6"
        description = "CORE MODULE"

        IntEdge_A;
        IntEdge_B;
        Core_A [description = "Core-A"];
        Core_B [description = "Core-B"];
    }

    network Distribution_L3 {
        address = "Variation 1"
        color = "#98FB98"
        description = "DIST - L3 Adjacent\n(Building A)"

        Core_A;
        Core_B;
        Dist_1A [description = "Dist-1A"];
        Dist_1B [description = "Dist-1B"];
        Access_L3 [description = "Access\n(L3)"];
    }

    network Distribution_MCLAG {
        address = "Variation 2"
        color = "#DDA0DD"
        description = "DIST - MCLAG\n(Building B)"

        Core_A;
        Core_B;
        Dist_2A [description = "Dist-2A"];
        Dist_2B [description = "Dist-2B"];
        Access_L2 [description = "Access\n(L2)"];
    }

    network Datacenter {
        address = "Variation 3"
        color = "#FFE4B5"
        description = "DATACENTER\n(Spine/Leaf)"

        Core_A;
        Core_B;
        Border_Leaf [description = "Border\nLeaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        Servers [description = "Servers\nStorage\nPBX"];
    }

    network Campus_Users {
        address = "End Devices"
        color = "#F0FFF0"
        description = "Campus Users"

        Access_L3;
        Access_L2;
        Users [description = "Laptops\nPhones\nCameras"];
    }
}
@enduml

IP Addressing Strategy with VRF Isolation

The Multi-Segment, Multi-VRF Design Challenge

When networks span multiple security zones, business units, or compliance boundaries, VRF (Virtual Routing and Forwarding) provides routing-table isolation. However, extending VRFs across multiple tiers adds complexity:

  • Every L3 hop needs a transit subnet
  • Sub-interfaces multiply the configuration
  • Troubleshooting spans multiple routing tables
  • Documentation must track VRF membership at every tier

Subnet Schema Strategy

A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors.

Example: Large Manufacturing Site (10.0.0.0/13)

Site allocation: 10.0.0.0/13 (Manufacturing Site Alpha) - 524,286 usable hosts

@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)

nwdiag {
    network Corporate_VRF {
        address = "VRF: CORPORATE\n10.0.0.0/17"
        color = "#98FB98"
        description = "Production Users"

        Corp_Transit [description = "Transit\n10.0.0.0/23"];
        Corp_Users [description = "Users\n10.0.32.0/19"];
        Corp_Voice [description = "Voice\n10.0.64.0/19"];
        Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
        Corp_Server [description = "Servers\n10.0.112.0/20"];
    }

    network Guest_VRF {
        address = "VRF: GUEST\n10.1.0.0/17"
        color = "#FFE4B5"
        description = "Visitor Network"

        Guest_Transit [description = "Transit\n10.1.0.0/23"];
        Guest_Users [description = "Users\n10.1.32.0/19"];
    }

    network Security_VRF {
        address = "VRF: SECURITY\n10.2.0.0/17"
        color = "#FFDAB9"
        description = "Physical Security"

        Sec_Transit [description = "Transit\n10.2.0.0/23"];
        Sec_Camera [description = "Cameras\n10.2.32.0/19"];
        Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
        Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
    }

    network IOT_VRF {
        address = "VRF: IOT\n10.3.0.0/17"
        color = "#E6E6FA"
        description = "Manufacturing OT"

        IOT_Transit [description = "Transit\n10.3.0.0/23"];
        IOT_PLC [description = "PLCs\n10.3.32.0/19"];
        IOT_HMI [description = "HMIs\n10.3.64.0/19"];
        IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
    }
}
@enduml

Transit segment detail (10.0.0.0/23 - 510 usable IPs):

| Subnet | Link Description |
|---|---|
| 10.0.0.0/30 | FW-Inside → Internal-Edge-A |
| 10.0.0.4/30 | FW-Inside → Internal-Edge-B |
| 10.0.0.8/30 | Internal-Edge-A → Core-A |
| 10.0.0.12/30 | Internal-Edge-A → Core-B |
| 10.0.0.16/30 | Internal-Edge-B → Core-A |
| 10.0.0.20/30 | Internal-Edge-B → Core-B |
| 10.0.0.24/30 | Core-A → Distribution-A |
| 10.0.0.28/30 | Core-A → Distribution-B |
| 10.0.0.32/30 | Core-B → Distribution-A |
| 10.0.0.36/30 | Core-B → Distribution-B |
| 10.0.0.40/30 | Distribution-A → Access-SW-1 |
| 10.0.0.44/30 | Distribution-B → Access-SW-1 |
| ... | (pattern continues) |

Note: /31 subnets (RFC 3021) can also be used for point-to-point links, conserving address space.

Pattern Recognition Benefits

When subnet patterns are consistent across VRFs:

| If you know | Then you know |
|---|---|
| The Corporate link uses 10.0.0.40/30 | The Guest equivalent is 10.1.0.40/30 |
| Access-SW-5 users are 10.0.36.0/24 | Security cameras on the same switch are 10.2.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta might be 10.8.0.0/13 |

This lets engineers:

  • Navigate IP addresses without consulting documentation
  • Spot misconfigured subnets immediately
  • Build automation templates that work across VRFs
  • Train new staff on the pattern, not on memorization
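The transit table and the pattern table above, turned into a small helper, as an added example that is not the article's own tooling: it generates the per-VRF transit /30s and per-switch user /24s for Site Alpha and does the reverse lookup an engineer would otherwise do by eye. The VRF numbering (CORPORATE=0, GUEST=1, SECURITY=2, IOT=3), the link order beyond the table's last row and the one-/24-per-access-switch rule are assumptions read from the figures; the /31 option reflects the RFC 3021 note.

```python
"""Subnet schema helper for the /13-per-site, /17-per-VRF layout above.

Added example, not the article's own tooling. Assumptions read from the
figures: VRF order CORPORATE=0, GUEST=1, SECURITY=2, IOT=3 (blocks one /16
apart, each using its lower /17); transit /30s allocated in table order from
10.n.0.0/23; one /24 per access switch from 10.n.32.0/24 inside the users /19.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

SITE = ip_network("10.0.0.0/13")                 # Site Alpha
VRF_INDEX = {"CORPORATE": 0, "GUEST": 1, "SECURITY": 2, "IOT": 3}
VRF_STRIDE = 1 << 16                             # 10.0.x.x, 10.1.x.x, 10.2.x.x, 10.3.x.x
VRF_PREFIX = 17                                  # each VRF block is 10.n.0.0/17
TRANSIT_PREFIX = 23                              # 10.n.0.0/23 holds the transit links
USERS_OFFSET, USERS_PREFIX = 32, 19              # 10.n.32.0/19, one /24 per access switch

# The ten fixed rows of the transit table; later rows follow the
# Distribution-A/B -> Access-SW-n pattern ("pattern continues" in the table).
FIXED_LINKS = (
    "FW-Inside -> Internal-Edge-A", "FW-Inside -> Internal-Edge-B",
    "Internal-Edge-A -> Core-A", "Internal-Edge-A -> Core-B",
    "Internal-Edge-B -> Core-A", "Internal-Edge-B -> Core-B",
    "Core-A -> Distribution-A", "Core-A -> Distribution-B",
    "Core-B -> Distribution-A", "Core-B -> Distribution-B",
)


@dataclass(frozen=True)
class Placement:
    vrf: str
    role: str            # "transit", "users", "other" or "unallocated"
    subnet: IPv4Network
    label: str


def vrf_block(vrf: str) -> IPv4Network:
    return ip_network((int(SITE.network_address) + VRF_INDEX[vrf] * VRF_STRIDE, VRF_PREFIX))


def _block(vrf: str, third_octet: int, prefix: int) -> IPv4Network:
    """10.n.<third_octet>.0/<prefix> inside the VRF's block."""
    return ip_network((int(vrf_block(vrf).network_address) + (third_octet << 8), prefix))


def link_name(index: int) -> str:
    """Endpoint pair of the index-th transit link (0 = FW-Inside -> Internal-Edge-A)."""
    if index < len(FIXED_LINKS):
        return FIXED_LINKS[index]
    switch, side = divmod(index - len(FIXED_LINKS), 2)
    return f"Distribution-{'AB'[side]} -> Access-SW-{switch + 1}"


def transit_link(vrf: str, index: int, prefix: int = 30) -> IPv4Network:
    """index-th point-to-point link in the VRF's transit /23.

    prefix=31 (RFC 3021) packs twice as many links into the same /23; the
    same index then maps to a different address, so pick one scheme per site.
    """
    transit = _block(vrf, 0, TRANSIT_PREFIX)
    link = ip_network((int(transit.network_address) + index * (1 << (32 - prefix)), prefix))
    if not link.subnet_of(transit):
        raise ValueError(f"link {index} does not fit in {transit} ({vrf})")
    return link


def user_subnet(vrf: str, switch: int) -> IPv4Network:
    """/24 for access switch `switch` (1-based) in the VRF's users /19."""
    users = _block(vrf, USERS_OFFSET, USERS_PREFIX)
    net = _block(vrf, USERS_OFFSET + switch - 1, 24)
    if not net.subnet_of(users):
        raise ValueError(f"switch {switch} does not fit in {users} ({vrf})")
    return net


def describe(addr: str) -> Placement:
    """Reverse lookup: which VRF, role and link/switch an address belongs to (/30 links assumed)."""
    ip = ip_address(addr)
    if ip not in SITE:
        return Placement("-", "unallocated", SITE, "outside the site block")
    vrf_idx, within = divmod(int(ip) - int(SITE.network_address), VRF_STRIDE)
    names = {i: name for name, i in VRF_INDEX.items()}
    if vrf_idx not in names or within >= (1 << (32 - VRF_PREFIX)):
        return Placement("-", "unallocated", SITE, "no VRF block defined here")
    vrf = names[vrf_idx]
    third = within >> 8
    if third < 2:                                 # transit /23: third octet 0-1
        idx = within // 4
        return Placement(vrf, "transit", transit_link(vrf, idx), link_name(idx))
    if USERS_OFFSET <= third < USERS_OFFSET + 32:  # users /19: third octet 32-63
        switch = third - USERS_OFFSET + 1
        return Placement(vrf, "users", user_subnet(vrf, switch), f"Access-SW-{switch}")
    return Placement(vrf, "other", vrf_block(vrf), "voice/wireless/server block, not modelled here")


if __name__ == "__main__":
    for a in ("10.0.0.42", "10.1.0.42", "10.2.36.77", "10.0.200.1", "10.9.1.1"):
        print(a, describe(a))
```

Run it directly to print where the addresses from the pattern table land; an address that lands in "unallocated" or on an unexpected link is exactly the misconfiguration the schema is meant to make visible.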

Site Size Templates

Small Site Template (Branch Office)

@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)

nwdiag {
    internet [shape = cloud];

    network WAN {
        color = "#FFE4E1"
        description = "ISP/MPLS Circuit"

        internet;
        UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
    }

    network LAN {
        address = "10.100.x.0/24"
        color = "#98FB98"
        description = "Single Subnet"

        UTM;
        Access [description = "Access Switch\n(or UTM ports)"];
    }

    network Endpoints {
        color = "#F0FFF0"
        description = "End Devices"

        Access;
        AP [description = "WiFi AP"];
        Users [description = "Users"];
        Phones [description = "Phones"];
    }
}
@enduml

Small site design notes:

  • Collapsed design: all functions on minimal hardware
  • Subnet: /24 or /23 per site
  • Example: 10.100.1.0/24 (Site 001)

Medium Site Template (Regional Office)

@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)

nwdiag {
    internet [shape = cloud];

    network WAN_Edge {
        color = "#FFE4E1"
        description = "Internet Edge"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B/MPLS"];
        Edge_RTR [description = "Edge Router"];
    }

    network Firewall_Tier {
        color = "#FFDAB9"
        description = "Firewall HA Pair"

        Edge_RTR;
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Distribution {
        address = "10.50.x.0/21"
        color = "#DDA0DD"
        description = "MCLAG Distribution\n(Dist/Core Combined)"

        FW_A;
        FW_B;
        Dist_A [description = "Dist-A"];
        Dist_B [description = "Dist-B"];
    }

    network Access_Tier {
        color = "#98FB98"
        description = "Access Switches (LACP)"

        Dist_A;
        Dist_B;
        Acc1 [description = "Acc1"];
        Acc2 [description = "Acc2"];
        Acc3 [description = "Acc3"];
        Acc4 [description = "Acc4"];
        Acc5 [description = "Acc5"];
    }

    network Users {
        color = "#F0FFF0"
        description = "End Devices"

        Acc1;
        Acc2;
        Acc3;
        Acc4;
        Acc5;
        Endpoints [description = "Laptops/Phones\nCameras/APs"];
    }
}
@enduml

Medium site design notes:

  • Partially modular: distinct Edge and Access tiers
  • Subnet: /21 per site (2,046 IPs)
  • Example: 10.50.0.0/21 (Site 050)

Large Site Template (Headquarters/Campus)

@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)

nwdiag {
    internet [shape = cloud];

    network Internet_Edge {
        color = "#FFE4E1"
        description = "INTERNET EDGE MODULE"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B"];
        MPLS [description = "MPLS"];
        Edge_RTR [description = "Edge-RTR"];
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Internal_Edge {
        color = "#E6E6FA"
        description = "INTERNAL EDGE MODULE"

        FW_A;
        FW_B;
        IntEdge_A [description = "IntEdge-A"];
        IntEdge_B [description = "IntEdge-B"];
        WLC [description = "WLC"];
        Proxy [description = "Proxy"];
        VPN [description = "VPN"];
        DNS [description = "DNS"];
    }

    network Core {
        color = "#B0E0E6"
        description = "CORE MODULE"

        IntEdge_A;
        IntEdge_B;
        Core_A [description = "Core-A"];
        Core_B [description = "Core-B"];
    }

    network Dist_Var1 {
        color = "#98FB98"
        description = "L3 Adjacent"

        Core_A;
        Core_B;
        Dist_1 [description = "Dist-1"];
        Access_1 [description = "Access"];
    }

    network Dist_Var2 {
        color = "#DDA0DD"
        description = "MCLAG Trunk"

        Core_A;
        Core_B;
        Dist_2 [description = "Dist-2"];
        Access_2 [description = "Access"];
    }

    network Dist_Var3 {
        color = "#FFE4B5"
        description = "MCLAG Trunk"

        Core_A;
        Core_B;
        Dist_3 [description = "Dist-3"];
        Access_3 [description = "Access"];
    }

    network Datacenter {
        color = "#87CEEB"
        description = "SPINE/LEAF DC"

        Core_A;
        Core_B;
        Border [description = "Border-Leaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        Servers [description = "Servers"];
    }
}
@enduml

Large site design notes:

  • Full modularity: all tiers physically separated
  • Subnet: /13 to /15 per site (depending on VRF count)
  • Example: 10.0.0.0/13 (HQ) - 524,286 IPs

VRFs and L3 Segments: Benefits and Complexity

Benefits of L3 Segmentation with Sub-Interfaces

  1. Security isolation: traffic between VRFs must pass through a firewall or policy enforcement device
  2. Blast radius: a compromised segment cannot reach other VRFs directly
  3. Compliance boundaries: PCI, HIPAA, or OT networks in separate routing domains
  4. Traffic engineering: different policies per VRF

The Complexity

When segments must extend across multiple tiers, every L3 boundary adds configuration:

@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR

nwdiag {
    network Camera_Segment {
        address = "VLAN 120\n10.2.36.0/24"
        color = "#FFDAB9"
        description = "VRF: SECURITY"

        Camera [description = "Camera"];
        Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
    }

    network Access_to_Dist {
        address = "10.2.0.40/30"
        color = "#DDA0DD"
        description = "VRF: SECURITY"

        Access_SW;
        Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
    }

    network Dist_to_Core {
        address = "10.2.0.24/30"
        color = "#B0E0E6"
        description = "VRF: SECURITY"

        Distribution;
        Core [description = "Core\nSub-int: 10.2.0.8/30"];
    }

    network Core_to_IntEdge {
        address = "10.2.0.8/30"
        color = "#E6E6FA"
        description = "VRF: SECURITY"

        Core;
        Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
    }

    network IntEdge_to_FW {
        address = "10.2.0.0/30"
        color = "#FFE4E1"
        description = "VRF: SECURITY"

        Internal_Edge;
        Firewall [description = "Firewall\nInter-VRF Policy"];
    }

    network DC_Path {
        address = "VXLAN/EVPN"
        color = "#87CEEB"
        description = "Datacenter Fabric"

        Firewall;
        Border_Leaf [description = "Border-Leaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        NVR [description = "NVR"];
    }
}
@enduml

Configuration overhead:

  • 5 sub-interfaces per VRF path
  • 4 VRFs × 5 sub-interfaces = 20 sub-interfaces per switch
  • Routing protocol adjacencies in every VRF
  • Route leaking or firewall rules for inter-VRF traffic

Mitigation Strategies

  1. Limit the VRF count: create VRFs only for genuine isolation requirements
  2. Centralize inter-VRF routing: a single firewall policy rather than distributed policy
  3. Use VXLAN/EVPN: the overlay reduces underlay sub-interface sprawl
  4. Automate deployment: templates guarantee consistent configuration
  5. Document the pattern: once learned, patterns are faster than lookups

Summary: Building the Scalable Network Pattern

The goal of modular network design is to create a repeatable pattern that enables:

| Scale | Sites | Pattern |
|---|---|---|
| Small | 10,000+ | UTM + switch, /24 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access, /21 per site |
| Large | 100+ | Full modular (Edge, Internal Edge, Core, Distribution variants, DC fabric), /13-/15 per site |

Key Takeaways

  1. Modules create boundaries: each module has a purpose and an interface
  2. Patterns enable scale: the same design at every site reduces training and errors
  3. VRFs provide isolation, but add configuration complexity at every tier
  4. Subnet schemas matter: predictability reduces cognitive load
  5. Distribution varies by need: L3 adjacent, MCLAG/LACP, or spine/leaf
  6. Right-size the site: don't over-engineer small locations

By establishing and consistently applying these patterns, organizations can build networks that scale from a single office to a global enterprise while maintaining operational simplicity and security.


Article version 2.0 | Published 2026-02 | Updated with PlantUML nwdiag diagrams