Modular Network Design: A Scalable Architecture Framework
Desain Jaringan Modular: Sebuah Framework Arsitektur Dapat dikalikan
Perkenalan ke Desain Jaringan Modular
Modularitas jaringan adalah praktek merancang jaringan sebagai segmen yang saling terhubung dan saling terhubung dan dibangun daripada struktur monolitik. Setiap modul memiliki fungsi tertentu, telah menentukan batas-batas, dan menghubungkan ke modul yang berdekatan melalui antarmuka yang dipahami dengan baik. Pendekatan ini mengubah desain jaringan dari seni menjadi disiplin rekayasa berulang.
Kekuatan modularitas terletak pada kemampuannya untuk menciptakanpola yang dapat diprediksiyang dapat diterapkan secara konsisten di seluruh organisasi jejak infrastruktur - apakah yang meludah puluhan ribu situs kecil, ribuan situs menengah, atau ratusan perusahaan besar perkemahan.
Mengapa Hal Modularitas
Benefit Across All Network Scales
124; Benefit 134; Small Sies 124; Medium Sits 124; Large Sites 124 124; --------- 14; ----------------- 124; ------------------ 12.4; --------------------- 124 124Ringkasan Masalah Yang DisederhanakanEngineer tunggal dapat memahami seluruh topologi = 124; Teams dapat mengkhususkan diri dengan modul = 124; Bersihkan jalur eskalasi antara pemilik modul = 124 124Skala Dapat DiprediksiTambahkan modul-modul yang diperlukan; Clone terbukti pola 124; Extend tanpa mendesain ulang Alaa124 124Konsistensi KeamananKebijakan yang sama ada di mana-mana, kebijakan yang sama di mana-mana, kebijakan seragam berada 124; batas yang dapat dilipatgandakan 124Efisiensi Operasional124; Template- berdasarkan penyebaran 124; Pengadaan otomatis 124; Standardisasi perubahan manajemen 126 124Kendali Biaya126; ukuran kanan setiap modul 134; pembelian Bulk berdasarkan tipe modul yaitu manajemen Lifecycle dengan tingkat 124
Tantangan Skala
Organisasi jarang tetap statis. Sebuah desain modular harus mengakomodasi:
- 10.000 + situs kecil: Kantor cabang, lokasi ritel, fasilitas remote
- 1.000 + situs medium: Kantor regional, pusat distribusi, pabrik
- 100 + situs besarMarkas, pusat data, kampus utama
Tanpa modularitas, setiap situs menjadi kepingan salju unik yang membutuhkan dokumentasi kustom, pelatihan khusus, dan satu - off. Dengan modularitas, seorang insinyur yang memahami pola dapat bekerja efektif di situs manapun.
Modul Jaringan Inti
Modul 1: Segmen Tepi Internet
The Internet Edge adalah tempat organisasi Anda bertemu dunia luar. Modul ini berisi:
- Sirkuit WAN / Internet(MPLS, DIA, broadband, LTE / 5G)
- Router tepi(BGP mengintip, WAN penghentian)
- Firewalls[Pemeriksaan status, NAT, penghentian VPN]
- Segmentasi VLANuntuk pemisahan fungsional
@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false
nwdiag {
internet [shape = cloud, description = "Internet"];
network ISP_Transit {
address = "VLAN 10-12"
color = "#FFE4E1"
description = "ISP/MPLS Transit"
internet;
ISP_A [description = "ISP-A\nCircuit"];
ISP_B [description = "ISP-B\nCircuit"];
MPLS [description = "MPLS\nCircuit"];
}
network Edge_Router_Segment {
address = "VLAN 10,11,12"
color = "#E6E6FA"
description = "Edge Router Aggregation"
ISP_A;
ISP_B;
MPLS;
Edge_Router [description = "Edge Router\n(BGP Peering)"];
}
network FW_Outside {
address = "VLAN 100"
color = "#FFFACD"
description = "Firewall Outside"
Edge_Router;
FW_Primary [description = "Firewall\nPrimary"];
FW_Secondary [description = "Firewall\nSecondary"];
}
network FW_HA_Sync {
address = "VLAN 101"
color = "#F0FFF0"
description = "HA Sync Link"
FW_Primary;
FW_Secondary;
}
network FW_Inside {
address = "VLAN 102"
color = "#E0FFFF"
description = "To Internal Edge"
FW_Primary;
FW_Secondary;
}
}
@enduml
Prinsip Desain Kunci:
- Redundant sirkuit dari berbagai penyedia
- Pasangan berkemampuan tinggi firewall
- Bersihkan batas VLAN antara zona kepercayaan
- Titik L3 untuk-titik link antara router dan firewall
Modul 2: Internal Edge / DMZ Tier
Untuk situs menengah dan besar, Internal Edge menyediakan lapisan agregasi untuk layanan yang memerlukan paparan terkendali atau berfungsi sebagai titik transisi antara zona keamanan.
@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internet_Edge {
address = "VLAN 102"
color = "#E0FFFF"
description = "From Firewall Inside"
IntEdge_A [description = "Internal Edge\nSwitch A"];
IntEdge_B [description = "Internal Edge\nSwitch B"];
}
network MCLAG_Peer {
address = "Peer-Link"
color = "#DDA0DD"
description = "MCLAG/vPC Peer"
IntEdge_A;
IntEdge_B;
}
network WLC_Mgmt {
address = "VLAN 200 - 10.x.200.0/24"
color = "#FFE4B5"
description = "WLC Management"
IntEdge_A;
IntEdge_B;
WLC [description = "Wireless LAN\nController"];
}
network Proxy_Farm {
address = "VLAN 201 - 10.x.201.0/24"
color = "#FFDAB9"
description = "Proxy Services"
IntEdge_A;
IntEdge_B;
Proxy [description = "Web Proxy\nServers"];
}
network VPN_Services {
address = "VLAN 202 - 10.x.202.0/24"
color = "#E6E6FA"
description = "VPN Termination"
IntEdge_A;
IntEdge_B;
VPN [description = "VPN\nConcentrator"];
}
network Infrastructure {
address = "VLAN 204 - 10.x.204.0/24"
color = "#F0FFF0"
description = "Infrastructure Services"
IntEdge_A;
IntEdge_B;
DNS_DHCP [description = "DNS/DHCP\nServers"];
}
network To_Core {
address = "VLAN 205"
color = "#B0E0E6"
description = "Core Transit"
IntEdge_A;
IntEdge_B;
}
}
@enduml
Services Typily in Internal Edge:
- Wireless LAN Controllers (WLC)
- Penyaring isi dan proksi web
- Konsentrator VPN
- Infrastruktur DNS / DHCP
- Muat penyeimbang
- Host / server Sebastian lompat
Modul 3: Lapisan Inti
Inti adalah tulang punggung kecepatan tinggi yang menghubungkan semua modul lain. Ini harus dioptimalkan untuk:
- Maksimum melalui put
- Latensi minimum
- Ketersediaan tinggi
- Sederhana, penerusan cepat
@startuml Core Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internal_Edge {
address = "L3 Routed"
color = "#B0E0E6"
description = "From Internal Edge"
Core_A [description = "Core Switch A\n100G Backbone"];
Core_B [description = "Core Switch B\n100G Backbone"];
}
network Core_Interconnect {
address = "100G+ ISL"
color = "#FFB6C1"
description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"
Core_A;
Core_B;
}
network To_Distribution_1 {
address = "L3 P2P"
color = "#98FB98"
description = "Building A"
Core_A;
Core_B;
Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
}
network To_Distribution_2 {
address = "L3 P2P"
color = "#DDA0DD"
description = "Building B"
Core_A;
Core_B;
Dist_2 [description = "Distribution 2\n(MCLAG)"];
}
network To_Distribution_3 {
address = "L3 P2P"
color = "#FFDAB9"
description = "Building C"
Core_A;
Core_B;
Dist_3 [description = "Distribution 3\n(MCLAG)"];
}
network To_DC_Border {
address = "L3 Routed"
color = "#87CEEB"
description = "Datacenter"
Core_A;
Core_B;
Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
}
}
@enduml
Prinsip Desain Inti:
- Tak ada perangkat-pengguna yang terpasang secara langsung
- L3 routing between core switches (no spanning tree)
- Sama - biaya multipath (ECMP) untuk distribusi load
- Protokol konvergensi cepat
Modul 4: Lapisan Distribusi
Lapisan Distribusi mengumpulkan switch akses dan memaksakan kebijakan. Ini adalah di mana pilihan desain jaringan memiliki paling variasi berdasarkan persyaratan situs.
Variabel Tier Distribusi
Variabel 1: L3 Addict (Routed Access)
Dalam desain ini, distribusi dan lapisan akses adalahL3 berdekatan- Setiap switch akses memiliki jaringan IP sendiri dan rute langsung ke distribusi.
@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 ECMP"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(L3 Router)"];
Dist_B [description = "Distribution B\n(L3 Router)"];
}
network Dist_iBGP {
address = "iBGP Peering"
color = "#DDA0DD"
description = "ECMP/iBGP"
Dist_A;
Dist_B;
}
network P2P_Access_1 {
address = "10.x.2.0/30"
color = "#98FB98"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L3 Gateway)"];
}
network P2P_Access_2 {
address = "10.x.2.8/30"
color = "#FFE4B5"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_2 [description = "Access SW-2\n(L3 Gateway)"];
}
network P2P_Access_3 {
address = "10.x.2.16/30"
color = "#FFDAB9"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_3 [description = "Access SW-3\n(L3 Gateway)"];
}
network User_VLAN_1 {
address = "10.x.32.0/24"
color = "#F0FFF0"
description = "Users - SW1"
Access_1;
Laptop_1 [description = "Laptops"];
Phone_1 [description = "Phones"];
}
network User_VLAN_2 {
address = "10.x.33.0/24"
color = "#FFF0F5"
description = "Users - SW2"
Access_2;
Laptop_2 [description = "Laptops"];
Camera_2 [description = "Cameras"];
}
network User_VLAN_3 {
address = "10.x.34.0/24"
color = "#F5FFFA"
description = "Users - SW3"
Access_3;
Laptop_3 [description = "Workstations"];
Camera_3 [description = "Cameras"];
}
}
@enduml
Contoh Alokasi Subnet:
Tautan 124; Link 124; Subnet 124 126; ------ 126; ------124 124; Distribusi ke Core 124; 10.x.1.0 / 30, 10,x.1.4 / 30 124 124; Dist--1 = 124; 10.x.2.0 / 30 124 124; Dist-B ke Access- 1 124; 10,x.2.4 / 30 124 124; Akse- 1 Pengguna VLAN 124; 10.x.32.0 / 24 124 124; Akses-2 Pengguna VLAN 124; 10,x33.0 / 24
Keuntungan:
- Isolasi domain broadcast pada setiap switch akses
- Sederhanakan penyerapan (isu-isu yang terkandung ke jaringan)
- Tidak ada pohon pencaran antara distribusi dan akses
- Ringkasan mungkin di lapisan distribusi
Konsistensi:
- Membutuhkan switch akses L3-mampu
- Konfigurasi relay DHCP pada setiap switch akses
- Manajemen alamat IP yang lebih kompleks
MCLAG dengan laCP Trunks
Desain ini menggunakanMulti- Chassis Link Aggregation (MCLAG)di distribusi denganObligasi LACPuntuk mengakses switch membawa VLANs terpotong.
Terminologi VendorCisco menyebut VPC ini (Virtual Port Channel), Arista menggunakan MLAG, Juniper menggunakan MC-LAG, dan HPE / Aruba menggunakan VSX. Perilaku fungsional mirip di seberang vendor.
@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 Routed Uplinks"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(MCLAG Member)"];
Dist_B [description = "Distribution B\n(MCLAG Member)"];
}
network MCLAG_Peer_Link {
address = "Peer-Link"
color = "#FFB6C1"
description = "MCLAG/vPC Peer-Link"
Dist_A;
Dist_B;
}
network LACP_To_Access {
address = "Po1 - LACP Trunk"
color = "#DDA0DD"
description = "VLANs 100,110,120 Trunked"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L2 Switch)"];
}
network Data_VLAN {
address = "VLAN 100 - 10.x.32.0/24"
color = "#98FB98"
description = "Data VLAN"
Access_1;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - 10.x.64.0/24"
color = "#FFE4B5"
description = "Voice VLAN"
Access_1;
Phones [description = "IP Phones"];
}
network Security_VLAN {
address = "VLAN 120 - 10.x.96.0/24"
color = "#FFDAB9"
description = "Security VLAN"
Access_1;
Cameras [description = "Cameras\nBadge Readers"];
}
}
@enduml
Penempatan SVI (VRRP VIP on Distribution Pair):
- VLAN 100: 10.x.32.1 / 24
- VLAN 110: 10,x.64.1 / 24
- VLAN 120: 10.x.96.1 / 24
Konfigurasi Trunk VLAN:
124; Port-Channel 124; VLANs 124; Tujuan 124 126; -------------- 124; ------- 124; --------------- 124 134; Po1 (MCLAG) 14; 100,11,120 124; Akse- 1 124 134; Po2 (MCLAG) = = = = = = = = = = = = = = = = = = = = = = = 134; Po3 (MCLAG) = = 124; 100,110 = = 124; = = Akses-3 = 124 126; penduduk asli VLAN 124; 999 (tak terpakai) 134; - 124
MCLAG Benefits:
- Aktif-aktif penerusan (kedua uplinks digunakan)
- Sub- second failover
- Switch logical tunggal dari perspektif akses
- Tidak ada pemblokiran pohon spanning
Konsistensi:
- VLANs span multiple access switch (domain siaran lebih besar)
- MCLAG peer- link dapat menjadi tutup botol
- STP masih dibutuhkan sebagai backup pencegahan loop
Variasi 3: Daun Batas untuk Data Spine / Leaf
Dalam lingkungan datacenter, lapisan distribusi menjadiDaun Batasmenghubungkan tulang belakang / daun kain ke seluruh jaringan perusahaan.
@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE
nwdiag {
network Enterprise_Core {
address = "L3 Routed (eBGP/OSPF)"
color = "#B0E0E6"
description = "From Enterprise Core"
Border_A [description = "Border Leaf A\nVXLAN Gateway"];
Border_B [description = "Border Leaf B\nVXLAN Gateway"];
}
network Border_EVPN {
address = "VXLAN EVPN"
color = "#DDA0DD"
description = "EVPN Type-5 Routes"
Border_A;
Border_B;
Spine_1 [description = "Spine 1"];
Spine_2 [description = "Spine 2"];
}
network Spine_Fabric {
address = "eBGP Underlay"
color = "#FFB6C1"
description = "Spine Layer"
Spine_1;
Spine_2;
}
network Leaf_Tier_1 {
address = "VTEP"
color = "#98FB98"
description = "Compute Rack 1"
Spine_1;
Spine_2;
Leaf_1 [description = "Leaf 1"];
Leaf_2 [description = "Leaf 2"];
}
network Leaf_Tier_2 {
address = "VTEP"
color = "#FFE4B5"
description = "Storage/Services"
Spine_1;
Spine_2;
Leaf_3 [description = "Leaf 3"];
Leaf_4 [description = "Leaf 4"];
}
network Server_Rack_1 {
address = "VNI 10001"
color = "#F0FFF0"
description = "Compute Servers"
Leaf_1;
Leaf_2;
Servers_1 [description = "Rack Servers\nVMs/Containers"];
}
network Storage_Network {
address = "VNI 10002"
color = "#FFDAB9"
description = "Storage Arrays"
Leaf_3;
Storage [description = "SAN/NAS\nStorage"];
}
network Voice_Services {
address = "VNI 10003"
color = "#E6E6FA"
description = "UC Systems"
Leaf_4;
PBX [description = "PBX/UC\nSystems"];
}
}
@enduml
Rincian Fabric Datacenter:
Komponen 124; Fungsi 124 126; ----------- 124; ---------- 124 124Underlay124; eBGP (ASN per switch) atau OSPF 124 124OverlayVXLAN dengan pesawat kendali EVPN: 124Daun Batas126; VXLAN-to -VLAN gateway, rute eksternal, Inter- VRF routing £124 124Area Kerja Daun126; Compute, Storage, Voice / UC, Infrastruktur 126
Keuntungan:
- Skala horisontal besar-besaran (tambahkan pasangan daun sesuai kebutuhan)
- Tidak-memblok arsitektur kain
- Multi- tenancy via VRF / VNI
- Pola lalu lintas timur-barat optimal
Konsistensi:
- Kompleks operasional VXLAN / EVPN
- Keterampilan khusus diperlukan
- Biaya peralatan yang lebih tinggi
Modul 5: Lapisan Akses
Lapisan Akses adalah dimana perangkat akhir terhubung. Terlepas dari topologi distribusi, tombol akses menyediakan:
@startuml Access Layer Module
skinparam backgroundColor #FEFEFE
nwdiag {
network Distribution_Uplink {
address = "L3 or LACP Trunk"
color = "#B0E0E6"
description = "Uplinks to Distribution"
Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
}
network Data_VLAN {
address = "VLAN 100 - Ports 1-8, 25-32"
color = "#98FB98"
description = "Data VLAN"
Access_SW;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - Ports 9-16"
color = "#FFE4B5"
description = "Voice VLAN"
Access_SW;
Phones [description = "IP Phones"];
}
network Camera_VLAN {
address = "VLAN 120 - Ports 17-24"
color = "#FFDAB9"
description = "Security VLAN"
Access_SW;
Cameras [description = "IP Cameras"];
}
network Wireless_VLAN {
address = "VLAN 130 - Ports 33-40"
color = "#DDA0DD"
description = "Wireless AP VLAN"
Access_SW;
APs [description = "Wireless APs"];
}
network Mgmt_VLAN {
address = "VLAN 999 - Ports 41-44"
color = "#F0FFF0"
description = "Management VLAN"
Access_SW;
}
}
@enduml
Lapisan Keamanan Akses:
- Otentikasi 802.1X / MAB
- Penugasan VLAN dinamis
- Port keamanan
- Pencarian DHCP
- Inspeksi ARP dinamis
- Pengawal Sumber IP
Topologi Modular Lengkap
Berikut adalah bagaimana semua modul terhubung untuk membentuk jaringan perusahaan lengkap:
@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network
nwdiag {
internet [shape = cloud, description = "Internet/WAN"];
network Internet_Edge {
address = "Module 1"
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge Router"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
address = "Module 2"
color = "#E6E6FA"
description = "INTERNAL EDGE / DMZ MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS/DHCP"];
}
network Core {
address = "Module 3"
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Distribution_L3 {
address = "Variation 1"
color = "#98FB98"
description = "DIST - L3 Adjacent\n(Building A)"
Core_A;
Core_B;
Dist_1A [description = "Dist-1A"];
Dist_1B [description = "Dist-1B"];
Access_L3 [description = "Access\n(L3)"];
}
network Distribution_MCLAG {
address = "Variation 2"
color = "#DDA0DD"
description = "DIST - MCLAG\n(Building B)"
Core_A;
Core_B;
Dist_2A [description = "Dist-2A"];
Dist_2B [description = "Dist-2B"];
Access_L2 [description = "Access\n(L2)"];
}
network Datacenter {
address = "Variation 3"
color = "#FFE4B5"
description = "DATACENTER\n(Spine/Leaf)"
Core_A;
Core_B;
Border_Leaf [description = "Border\nLeaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers\nStorage\nPBX"];
}
network Campus_Users {
address = "End Devices"
color = "#F0FFF0"
description = "Campus Users"
Access_L3;
Access_L2;
Users [description = "Laptops\nPhones\nCameras"];
}
}
@enduml
Strategi Alamat IP dengan Isolasi VRF
Tantangan Multi- Segmen, Perancang Multi- VRF
Ketika jaringan berkembang termasuk beberapa zona keamanan, unit bisnis, atau batas kepatuhan,VRF (Virtual Routing and Forwarding)menyediakan rute ruang isolasi. Namun, memperluas VRFs melalui multiple tiers menambahkan kompleksitas:
- Setiap L3 hop membutuhkan subnet transit
- Sub-antarmuka mengalikan kompleksitas konfigurasi
- Troublesshooting spans multiple routing tables
- Dokumentasi harus melacak keanggotaan VRF di setiap tingkat
Strategi Skema Subnet
Skema subnet yang dirancang baik membuat pola dikenali, mengurangi kesalahan kognitif load dan konfigurasi.
Contoh: Lokasi Manufaktur Besar (10,0.0.0 / 13)
Alokasi Situs:10,0.0 / 13 (Manufakturing Site Alpha) - 524.286 host yang dapat digunakan
@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)
nwdiag {
network Corporate_VRF {
address = "VRF: CORPORATE\n10.0.0.0/17"
color = "#98FB98"
description = "Production Users"
Corp_Transit [description = "Transit\n10.0.0.0/23"];
Corp_Users [description = "Users\n10.0.32.0/19"];
Corp_Voice [description = "Voice\n10.0.64.0/19"];
Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
Corp_Server [description = "Servers\n10.0.112.0/20"];
}
network Guest_VRF {
address = "VRF: GUEST\n10.1.0.0/17"
color = "#FFE4B5"
description = "Visitor Network"
Guest_Transit [description = "Transit\n10.1.0.0/23"];
Guest_Users [description = "Users\n10.1.32.0/19"];
}
network Security_VRF {
address = "VRF: SECURITY\n10.2.0.0/17"
color = "#FFDAB9"
description = "Physical Security"
Sec_Transit [description = "Transit\n10.2.0.0/23"];
Sec_Camera [description = "Cameras\n10.2.32.0/19"];
Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
}
network IOT_VRF {
address = "VRF: IOT\n10.3.0.0/17"
color = "#E6E6FA"
description = "Manufacturing OT"
IOT_Transit [description = "Transit\n10.3.0.0/23"];
IOT_PLC [description = "PLCs\n10.3.32.0/19"];
IOT_HMI [description = "HMIs\n10.3.64.0/19"];
IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
}
}
@enduml
Transit segment Detail (10,0.0.0 / 23 - 510 dapat digunakan IP):
124; Subnet = 124; Link Description 124 124; -------- 124; -------------------------- 124 10,0.0 / 30 10,0.4 / 30 10,0.8 / 30 10,0.12 / 30 10,0.16 / 30 10,0.20 / 30 124; 10,0.0.24 / 30 124; Core- Distribution- - - 10.0.0.24 / 30; Core- Distribution- - 124; 10.0.0.28 / 30 124; Core- Distribusi - B = 124 124; 10.0.0.32 / 30 = 124; Core- B = Distribusi - 124; 10,0.36 / 30 134; Core- B = Distribusi - B = 124 124; 10,0.40 / 30 134; Distribusi - - - Apa 124; 10,0.0.44 / 30 134; Distribusi - B tertawa-1-124 126... 128..
Catatan:/ 31 subnets (RFC 3021) juga dapat digunakan untuk titik -to-point link, menghemat ruang alamat.
Manfaat Pengenalan Pola
Ketika pola subnet konsisten di seluruh VRFs:
Apa yang Anda ketahui adalah 124; Apa yang Anda Bisa Infer £124 124; ------------------- ----124; ------------------- 124 Jaringan transit di Perusahaan menggunakan 10.0.40 / 30 124; setara dengan 10,0.40 / 30 124; Akses- SW-5 pengguna berada di 10.0.36.0 / 24 kamera keamanan pada saklar yang sama 10.2.36.0 / 24 124 134; Site Alpha 10,0.0 / 13 = 124; Site Beta bisa 10,8.0.0 / 13 = 124
Hal ini memungkinkan insinyur untuk:
- Prediksi alamat IP tanpa dokumentasi konsultasi
- Kenali subnets salah konfigurasi segera
- Buat templat otomatisasi yang bekerja di VRFs
- Melatih staf baru pada pola, tidak menghafal
Templat Ukuran Situs
Templat Site Kecil (Kantor Cabang)
@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)
nwdiag {
internet [shape = cloud];
network WAN {
color = "#FFE4E1"
description = "ISP/MPLS Circuit"
internet;
UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
}
network LAN {
address = "10.100.x.0/24"
color = "#98FB98"
description = "Single Subnet"
UTM;
Access [description = "Access Switch\n(or UTM ports)"];
}
network Endpoints {
color = "#F0FFF0"
description = "End Devices"
Access;
AP [description = "WiFi AP"];
Users [description = "Users"];
Phones [description = "Phones"];
}
}
@enduml
Catatan Desain Site Kecil:
- Rancangan Tergulung: Semua fungsi dalam perangkat keras minimal
- Subnet: / 24 atau / 23 per situs
- Contoh: 10.100.1,0 / 24 (Site 001)
Templat Medium Site (Kantor Regional)
@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)
nwdiag {
internet [shape = cloud];
network WAN_Edge {
color = "#FFE4E1"
description = "Internet Edge"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B/MPLS"];
Edge_RTR [description = "Edge Router"];
}
network Firewall_Tier {
color = "#FFDAB9"
description = "Firewall HA Pair"
Edge_RTR;
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Distribution {
address = "10.50.x.0/21"
color = "#DDA0DD"
description = "MCLAG Distribution\n(Dist/Core Combined)"
FW_A;
FW_B;
Dist_A [description = "Dist-A"];
Dist_B [description = "Dist-B"];
}
network Access_Tier {
color = "#98FB98"
description = "Access Switches (LACP)"
Dist_A;
Dist_B;
Acc1 [description = "Acc1"];
Acc2 [description = "Acc2"];
Acc3 [description = "Acc3"];
Acc4 [description = "Acc4"];
Acc5 [description = "Acc5"];
}
network Users {
color = "#F0FFF0"
description = "End Devices"
Acc1;
Acc2;
Acc3;
Acc4;
Acc5;
Endpoints [description = "Laptops/Phones\nCameras/APs"];
}
}
@enduml
Catatan Desain Tempat Sedang:
- Modularitas Parsial: Tepi dan Pengakses berbeda
- Subnet: / 21 per situs (2.046 IP)
- Contoh10.50.0.0 / 21 (Site 050)
Templat Situs Besar (Markas / Kampus)
@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)
nwdiag {
internet [shape = cloud];
network Internet_Edge {
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge-RTR"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
color = "#E6E6FA"
description = "INTERNAL EDGE MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS"];
}
network Core {
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Dist_Var1 {
color = "#98FB98"
description = "L3 Adjacent"
Core_A;
Core_B;
Dist_1 [description = "Dist-1"];
Access_1 [description = "Access"];
}
network Dist_Var2 {
color = "#DDA0DD"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_2 [description = "Dist-2"];
Access_2 [description = "Access"];
}
network Dist_Var3 {
color = "#FFE4B5"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_3 [description = "Dist-3"];
Access_3 [description = "Access"];
}
network Datacenter {
color = "#87CEEB"
description = "SPINE/LEAF DC"
Core_A;
Core_B;
Border [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers"];
}
}
@enduml
Catatan Desain Situs Besar:
- Modularitas Penuh: All tiers physically separate
- Subnet: / 13 sampai / 15 per situs (berdasarkan jumlah VRF)
- Contoh: 10,0.0 / 13 (HQ) - 524.286 IP
VRF dan L3 Segmentasi: Keuntungan dan Kompleksitas
Keuntungan L3 Segmentasi dengan Sub-Antarmuka
- Isolasi Keamanan: Lalu lintas antara VRFs harus melintasi firewall atau perangkat kebijakan
- Ledakan Kendali Radius: segmen yang telah dijanjikan tidak dapat secara langsung mencapai VRF lain
- Bundar BatasPCI, HIPAA, atau jaringan OT dalam domain routing terpisah
- Teknik Lalu Lintas: Kebijakan routing berbeda per VRF
Kompleksitas Tradeoff
Ketika segmen harus memperpanjang melalui beberapa tiers, setiap batas L3 menambahkan konfigurasi overhead:
@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR
nwdiag {
network Camera_Segment {
address = "VLAN 120\n10.2.36.0/24"
color = "#FFDAB9"
description = "VRF: SECURITY"
Camera [description = "Camera"];
Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
}
network Access_to_Dist {
address = "10.2.0.40/30"
color = "#DDA0DD"
description = "VRF: SECURITY"
Access_SW;
Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
}
network Dist_to_Core {
address = "10.2.0.24/30"
color = "#B0E0E6"
description = "VRF: SECURITY"
Distribution;
Core [description = "Core\nSub-int: 10.2.0.8/30"];
}
network Core_to_IntEdge {
address = "10.2.0.8/30"
color = "#E6E6FA"
description = "VRF: SECURITY"
Core;
Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
}
network IntEdge_to_FW {
address = "10.2.0.0/30"
color = "#FFE4E1"
description = "VRF: SECURITY"
Internal_Edge;
Firewall [description = "Firewall\nInter-VRF Policy"];
}
network DC_Path {
address = "VXLAN/EVPN"
color = "#87CEEB"
description = "Datacenter Fabric"
Firewall;
Border_Leaf [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
NVR [description = "NVR"];
}
}
@enduml
Konfigurasi Overhead:
- 5 sub- antarmuka per VRF per path
- 4 VRFs × 5 sub-ints = 20 sub-antarmuka per switch
- Mengacak akurasi protokol di setiap VRF
- Route- bocor atau aturan firewall untuk inter- VRF lalu lintas
Strategi Minigasi
- Batas jumlah VRF: Hanya membuat VRFs untuk persyaratan isolasi asli
- Centralize inter- VRF routing: Titik kebijakan firewall tunggal vs. didistribusikan
- Gunakan VXLAN / EVPN: Overlay mengurangi penyiraman antar muka fisik
- Menyediakan otomatis: Templat memastikan konfigurasi konsisten
- Dokumen pola: Setelah belajar, pola lebih cepat dari pencarian
Ringkasan: Membangun Pola Jaringan Scalable
Tujuan modular desain jaringan adalah untuk membuatpola yang dapat diulangyang memungkinkan:
126; Skala 124; Situs 124; Pola 124 124; ------- ------- 124; ------- 124; --------- 124 124; Kecil 12.4; 10.000 + 124; Terkerlip UTM + saklar tunggal, / 24 per situs £124 124; Medium 134; 1.000 + 124; Edge + MCLAG distribusi + akses, / 21 per situs 128 124; Large 14; 100 + 14; Full modular (Edge, Internal Edge, Core, Distribution variants, kain DC), / 13- / 15 per situs 124
Takeaways Kunci
- Modul membuat batas: Setiap modul memiliki tujuan dan antar muka yang didefinisikan
- Pola mengaktifkan skala: Desain yang sama di setiap situs mengurangi pelatihan dan kesalahan
- VRFs menyediakan isolasi: Tapi tambahkan kompleksitas konfigurasi di setiap tingkatan
- Skema subnet penting: Pengalamatan prediktable mengurangi beban kognitif
- Distribusi bervariasi dengan kebutuhan: L3 berdekatan, MCLAG / LACP, atau tulang belakang / daun
- Ukuran kanan untuk situs: Jangan over- insinyur situs kecil
Dengan membangun pola-pola ini dan menerapkannya secara konsisten, organisasi-organisasi dapat membangun jaringan yang skala dari kantor cabang tunggal ke perusahaan-perusahaan global - semua sambil mempertahankan operasional kesederhanaan dan postur keamanan.
Artikel versi 2.0 14; Diterbitkan 2026-02-02 124; Diperbarui dengan diagram PlantuML nwdiag