Modular Network Design: A Scalable Architecture Framework


Introduction to Modular Network Design

Network modularity is the practice of designing networks as interconnected, purpose-built segments rather than monolithic structures. Each module serves a specific function, has defined boundaries, and connects to adjacent modules through well-understood interfaces. This approach turns network design from an art into a repeatable engineering discipline.

The power of modularity lies in its ability to create predictable patterns that can be applied consistently across an organization's entire infrastructure footprint, whether that spans tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.

Why Modularity Matters

Benefits Across All Network Scales

| Benefit | Small Sites | Medium Sites | Large Sites |
|---|---|---|---|
| Simplified troubleshooting | A single engineer can understand the entire topology | | |
| Predictable scaling | Add modules as needed | Clone proven patterns | Extend without redesign |
| Consistent security | Same policy everywhere | | |
| Operational efficiency | Template-based deployment | Automated provisioning | Standardized change management |
| Cost control | Right-size each module | Bulk purchasing by module type | Lifecycle management by tier |

The Scale Challenge

Organizations rarely stay static. A modular design must accommodate:

  • 10,000+ small sites: branch offices, retail stores, remote facilities
  • 1,000+ medium sites: regional offices, distribution centers, factories
  • 100+ large sites: headquarters, datacenters, major campuses

Without modularity, every site becomes a unique snowflake that requires custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site.


Core Network Modules

Module 1: Internet Edge Segment

The internet edge is where your organization meets the outside world. This module contains:

  • WAN/internet circuits (MPLS, DIA, broadband, LTE/5G)
  • Edge routers (BGP peering, WAN termination)
  • Firewalls (stateful inspection, NAT, VPN termination)
  • VLAN segmentation for functional separation

@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false

nwdiag {
    internet [shape = cloud, description = "Internet"];

    network ISP_Transit {
        address = "VLAN 10-12"
        color = "#FFE4E1"
        description = "ISP/MPLS Transit"

        internet;
        ISP_A [description = "ISP-A\nCircuit"];
        ISP_B [description = "ISP-B\nCircuit"];
        MPLS [description = "MPLS\nCircuit"];
    }

    network Edge_Router_Segment {
        address = "VLAN 10,11,12"
        color = "#E6E6FA"
        description = "Edge Router Aggregation"

        ISP_A;
        ISP_B;
        MPLS;
        Edge_Router [description = "Edge Router\n(BGP Peering)"];
    }

    network FW_Outside {
        address = "VLAN 100"
        color = "#FFFACD"
        description = "Firewall Outside"

        Edge_Router;
        FW_Primary [description = "Firewall\nPrimary"];
        FW_Secondary [description = "Firewall\nSecondary"];
    }

    network FW_HA_Sync {
        address = "VLAN 101"
        color = "#F0FFF0"
        description = "HA Sync Link"

        FW_Primary;
        FW_Secondary;
    }

    network FW_Inside {
        address = "VLAN 102"
        color = "#E0FFFF"
        description = "To Internal Edge"

        FW_Primary;
        FW_Secondary;
    }
}
@enduml

Key design principles:

  • Redundant circuits from diverse providers
  • Firewall high-availability pairs
  • Clear VLAN boundaries between trust zones
  • L3 point-to-point links between router and firewall

Module 2: Internal Edge / DMZ Tier

For medium and large sites, the internal edge provides an aggregation layer for services that require controlled exposure or that serve as transition points between security zones.

@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Internet_Edge {
        address = "VLAN 102"
        color = "#E0FFFF"
        description = "From Firewall Inside"

        IntEdge_A [description = "Internal Edge\nSwitch A"];
        IntEdge_B [description = "Internal Edge\nSwitch B"];
    }

    network MCLAG_Peer {
        address = "Peer-Link"
        color = "#DDA0DD"
        description = "MCLAG/vPC Peer"

        IntEdge_A;
        IntEdge_B;
    }

    network WLC_Mgmt {
        address = "VLAN 200 - 10.x.200.0/24"
        color = "#FFE4B5"
        description = "WLC Management"

        IntEdge_A;
        IntEdge_B;
        WLC [description = "Wireless LAN\nController"];
    }

    network Proxy_Farm {
        address = "VLAN 201 - 10.x.201.0/24"
        color = "#FFDAB9"
        description = "Proxy Services"

        IntEdge_A;
        IntEdge_B;
        Proxy [description = "Web Proxy\nServers"];
    }

    network VPN_Services {
        address = "VLAN 202 - 10.x.202.0/24"
        color = "#E6E6FA"
        description = "VPN Termination"

        IntEdge_A;
        IntEdge_B;
        VPN [description = "VPN\nConcentrator"];
    }

    network Infrastructure {
        address = "VLAN 204 - 10.x.204.0/24"
        color = "#F0FFF0"
        description = "Infrastructure Services"

        IntEdge_A;
        IntEdge_B;
        DNS_DHCP [description = "DNS/DHCP\nServers"];
    }

    network To_Core {
        address = "VLAN 205"
        color = "#B0E0E6"
        description = "Core Transit"

        IntEdge_A;
        IntEdge_B;
    }
}
@enduml

Services typically found in the internal edge:

  • Wireless LAN controllers (WLC)
  • Web proxies and content filters
  • VPN concentrators
  • DNS/DHCP infrastructure
  • Load balancers
  • Jump hosts / bastion servers

Module 3: Core Layer

The core is the high-speed backbone that connects all other modules. It must be optimized for:

  • Maximum throughput
  • Minimum latency
  • High availability
  • Simple, fast forwarding

@startuml Core Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Internal_Edge {
        address = "L3 Routed"
        color = "#B0E0E6"
        description = "From Internal Edge"

        Core_A [description = "Core Switch A\n100G Backbone"];
        Core_B [description = "Core Switch B\n100G Backbone"];
    }

    network Core_Interconnect {
        address = "100G+ ISL"
        color = "#FFB6C1"
        description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"

        Core_A;
        Core_B;
    }

    network To_Distribution_1 {
        address = "L3 P2P"
        color = "#98FB98"
        description = "Building A"

        Core_A;
        Core_B;
        Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
    }

    network To_Distribution_2 {
        address = "L3 P2P"
        color = "#DDA0DD"
        description = "Building B"

        Core_A;
        Core_B;
        Dist_2 [description = "Distribution 2\n(MCLAG)"];
    }

    network To_Distribution_3 {
        address = "L3 P2P"
        color = "#FFDAB9"
        description = "Building C"

        Core_A;
        Core_B;
        Dist_3 [description = "Distribution 3\n(MCLAG)"];
    }

    network To_DC_Border {
        address = "L3 Routed"
        color = "#87CEEB"
        description = "Datacenter"

        Core_A;
        Core_B;
        Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
    }
}
@enduml

Core design principles:

  • No directly connected end users
  • L3 routing between core switches (no spanning tree)
  • Equal-cost multipath (ECMP) for load distribution
  • Fast-convergence protocols

Module 4: Distribution Layer

The distribution layer aggregates access switches and enforces policy. This is where network design choices vary the most, driven by site requirements.


Distribution Tier Variations

Variation 1: L3 Adjacent (Routed Access)

In this design, the distribution and access layers are L3 adjacent: each access switch has its own IP subnet and routes directly to distribution.

@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Core {
        address = "L3 ECMP"
        color = "#B0E0E6"
        description = "From Core Layer"

        Dist_A [description = "Distribution A\n(L3 Router)"];
        Dist_B [description = "Distribution B\n(L3 Router)"];
    }

    network Dist_iBGP {
        address = "iBGP Peering"
        color = "#DDA0DD"
        description = "ECMP/iBGP"

        Dist_A;
        Dist_B;
    }

    network P2P_Access_1 {
        address = "10.x.2.0/30"
        color = "#98FB98"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_1 [description = "Access SW-1\n(L3 Gateway)"];
    }

    network P2P_Access_2 {
        address = "10.x.2.8/30"
        color = "#FFE4B5"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_2 [description = "Access SW-2\n(L3 Gateway)"];
    }

    network P2P_Access_3 {
        address = "10.x.2.16/30"
        color = "#FFDAB9"
        description = "L3 Point-to-Point"

        Dist_A;
        Dist_B;
        Access_3 [description = "Access SW-3\n(L3 Gateway)"];
    }

    network User_VLAN_1 {
        address = "10.x.32.0/24"
        color = "#F0FFF0"
        description = "Users - SW1"

        Access_1;
        Laptop_1 [description = "Laptops"];
        Phone_1 [description = "Phones"];
    }

    network User_VLAN_2 {
        address = "10.x.33.0/24"
        color = "#FFF0F5"
        description = "Users - SW2"

        Access_2;
        Laptop_2 [description = "Laptops"];
        Camera_2 [description = "Cameras"];
    }

    network User_VLAN_3 {
        address = "10.x.34.0/24"
        color = "#F5FFFA"
        description = "Users - SW3"

        Access_3;
        Laptop_3 [description = "Workstations"];
        Camera_3 [description = "Cameras"];
    }
}
@enduml

Example subnet assignment:

| Link | Subnet |
|---|---|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-1 User VLAN | 10.x.32.0/24 |
| Access-2 User VLAN | 10.x.33.0/24 |

Advantages:

  • Broadcast domain isolation at each access switch
  • Simplified troubleshooting (problems contained to one subnet)
  • No spanning tree between distribution and access
  • Summarization possible at the distribution layer

Considerations:

  • Requires L3-capable access switches
  • DHCP relay configuration on each access switch
  • More complex IP address management

Variation 2: MCLAG with LACP Trunks

This design uses Multi-Chassis Link Aggregation (MCLAG) at distribution with LACP bundles to access switches carrying trunked VLANs.

Vendor terminology: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behavior is similar across vendors.

@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE

nwdiag {
    network From_Core {
        address = "L3 Routed Uplinks"
        color = "#B0E0E6"
        description = "From Core Layer"

        Dist_A [description = "Distribution A\n(MCLAG Member)"];
        Dist_B [description = "Distribution B\n(MCLAG Member)"];
    }

    network MCLAG_Peer_Link {
        address = "Peer-Link"
        color = "#FFB6C1"
        description = "MCLAG/vPC Peer-Link"

        Dist_A;
        Dist_B;
    }

    network LACP_To_Access {
        address = "Po1 - LACP Trunk"
        color = "#DDA0DD"
        description = "VLANs 100,110,120 Trunked"

        Dist_A;
        Dist_B;
        Access_1 [description = "Access SW-1\n(L2 Switch)"];
    }

    network Data_VLAN {
        address = "VLAN 100 - 10.x.32.0/24"
        color = "#98FB98"
        description = "Data VLAN"

        Access_1;
        Laptops [description = "Laptops\nWorkstations"];
    }

    network Voice_VLAN {
        address = "VLAN 110 - 10.x.64.0/24"
        color = "#FFE4B5"
        description = "Voice VLAN"

        Access_1;
        Phones [description = "IP Phones"];
    }

    network Security_VLAN {
        address = "VLAN 120 - 10.x.96.0/24"
        color = "#FFDAB9"
        description = "Security VLAN"

        Access_1;
        Cameras [description = "Cameras\nBadge Readers"];
    }
}
@enduml

SVI Placement (VRRP VIP on Distribution Pair):

  • VLAN 100: 10.x.32.1/24
  • VLAN 110: 10.x.64.1/24
  • VLAN 120: 10.x.96.1/24

VLAN trunk configuration:

| Port-Channel | VLANs | Destination |
|---|---|---|
| Po1 (MCLAG) | 100,110,120 | Access-1 |
| Po2 (MCLAG) | 100,110,120,130 | Access-2 |
| Po3 (MCLAG) | 100,110 | Access-3 |

Native VLAN: unused.

MCLAG advantages:

  • Active-active forwarding (both uplinks in use)
  • Sub-second failover
  • Single logical switch from the access switch's perspective
  • No spanning-tree blocking

Considerations:

  • VLANs span multiple access switches (larger broadcast domains)
  • The MCLAG peer-link can become a bottleneck
  • STP is still needed as a loop-prevention backup

Variation 3: Border Leaf for Spine/Leaf Datacenter

In datacenter environments, the distribution layer becomes the border leaf, connecting the spine/leaf fabric to the rest of the enterprise network.

@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE

nwdiag {
    network Enterprise_Core {
        address = "L3 Routed (eBGP/OSPF)"
        color = "#B0E0E6"
        description = "From Enterprise Core"

        Border_A [description = "Border Leaf A\nVXLAN Gateway"];
        Border_B [description = "Border Leaf B\nVXLAN Gateway"];
    }

    network Border_EVPN {
        address = "VXLAN EVPN"
        color = "#DDA0DD"
        description = "EVPN Type-5 Routes"

        Border_A;
        Border_B;
        Spine_1 [description = "Spine 1"];
        Spine_2 [description = "Spine 2"];
    }

    network Spine_Fabric {
        address = "eBGP Underlay"
        color = "#FFB6C1"
        description = "Spine Layer"

        Spine_1;
        Spine_2;
    }

    network Leaf_Tier_1 {
        address = "VTEP"
        color = "#98FB98"
        description = "Compute Rack 1"

        Spine_1;
        Spine_2;
        Leaf_1 [description = "Leaf 1"];
        Leaf_2 [description = "Leaf 2"];
    }

    network Leaf_Tier_2 {
        address = "VTEP"
        color = "#FFE4B5"
        description = "Storage/Services"

        Spine_1;
        Spine_2;
        Leaf_3 [description = "Leaf 3"];
        Leaf_4 [description = "Leaf 4"];
    }

    network Server_Rack_1 {
        address = "VNI 10001"
        color = "#F0FFF0"
        description = "Compute Servers"

        Leaf_1;
        Leaf_2;
        Servers_1 [description = "Rack Servers\nVMs/Containers"];
    }

    network Storage_Network {
        address = "VNI 10002"
        color = "#FFDAB9"
        description = "Storage Arrays"

        Leaf_3;
        Storage [description = "SAN/NAS\nStorage"];
    }

    network Voice_Services {
        address = "VNI 10003"
        color = "#E6E6FA"
        description = "UC Systems"

        Leaf_4;
        PBX [description = "PBX/UC\nSystems"];
    }
}
@enduml

Datacenter fabric details:

| Function | Description |
|---|---|
| Underlay | eBGP (ASN per switch) or OSPF |
| Overlay | VXLAN with EVPN control plane |
| Border leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Leaf workloads | Compute, storage, voice/UC, infrastructure |

Advantages:

  • Massive horizontal scale (add leaf pairs as needed)
  • Non-blocking fabric architecture
  • Multi-tenancy via VRF/VNI
  • Optimal east-west traffic patterns

Considerations:

  • Operational complexity of VXLAN/EVPN
  • Specialized skills required
  • Higher equipment cost

Module 5: Access Layer

The access layer is where end devices connect. Regardless of the distribution topology, access switches provide:

@startuml Access Layer Module
skinparam backgroundColor #FEFEFE

nwdiag {
    network Distribution_Uplink {
        address = "L3 or LACP Trunk"
        color = "#B0E0E6"
        description = "Uplinks to Distribution"

        Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
    }

    network Data_VLAN {
        address = "VLAN 100 - Ports 1-8, 25-32"
        color = "#98FB98"
        description = "Data VLAN"

        Access_SW;
        Laptops [description = "Laptops\nWorkstations"];
    }

    network Voice_VLAN {
        address = "VLAN 110 - Ports 9-16"
        color = "#FFE4B5"
        description = "Voice VLAN"

        Access_SW;
        Phones [description = "IP Phones"];
    }

    network Camera_VLAN {
        address = "VLAN 120 - Ports 17-24"
        color = "#FFDAB9"
        description = "Security VLAN"

        Access_SW;
        Cameras [description = "IP Cameras"];
    }

    network Wireless_VLAN {
        address = "VLAN 130 - Ports 33-40"
        color = "#DDA0DD"
        description = "Wireless AP VLAN"

        Access_SW;
        APs [description = "Wireless APs"];
    }

    network Mgmt_VLAN {
        address = "VLAN 999 - Ports 41-44"
        color = "#F0FFF0"
        description = "Management VLAN"

        Access_SW;
    }
}
@enduml

Access layer security:

  • 802.1X / MAB authentication
  • Dynamic VLAN assignment
  • Port security
  • DHCP snooping
  • Dynamic ARP inspection
  • IP Source Guard

Complete Modular Topology

Here is how all modules connect to form a complete enterprise network:

@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network

nwdiag {
    internet [shape = cloud, description = "Internet/WAN"];

    network Internet_Edge {
        address = "Module 1"
        color = "#FFE4E1"
        description = "INTERNET EDGE MODULE"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B"];
        MPLS [description = "MPLS"];
        Edge_RTR [description = "Edge Router"];
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Internal_Edge {
        address = "Module 2"
        color = "#E6E6FA"
        description = "INTERNAL EDGE / DMZ MODULE"

        FW_A;
        FW_B;
        IntEdge_A [description = "IntEdge-A"];
        IntEdge_B [description = "IntEdge-B"];
        WLC [description = "WLC"];
        Proxy [description = "Proxy"];
        VPN [description = "VPN"];
        DNS [description = "DNS/DHCP"];
    }

    network Core {
        address = "Module 3"
        color = "#B0E0E6"
        description = "CORE MODULE"

        IntEdge_A;
        IntEdge_B;
        Core_A [description = "Core-A"];
        Core_B [description = "Core-B"];
    }

    network Distribution_L3 {
        address = "Variation 1"
        color = "#98FB98"
        description = "DIST - L3 Adjacent\n(Building A)"

        Core_A;
        Core_B;
        Dist_1A [description = "Dist-1A"];
        Dist_1B [description = "Dist-1B"];
        Access_L3 [description = "Access\n(L3)"];
    }

    network Distribution_MCLAG {
        address = "Variation 2"
        color = "#DDA0DD"
        description = "DIST - MCLAG\n(Building B)"

        Core_A;
        Core_B;
        Dist_2A [description = "Dist-2A"];
        Dist_2B [description = "Dist-2B"];
        Access_L2 [description = "Access\n(L2)"];
    }

    network Datacenter {
        address = "Variation 3"
        color = "#FFE4B5"
        description = "DATACENTER\n(Spine/Leaf)"

        Core_A;
        Core_B;
        Border_Leaf [description = "Border\nLeaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        Servers [description = "Servers\nStorage\nPBX"];
    }

    network Campus_Users {
        address = "End Devices"
        color = "#F0FFF0"
        description = "Campus Users"

        Access_L3;
        Access_L2;
        Users [description = "Laptops\nPhones\nCameras"];
    }
}
@enduml

IP Addressing Strategy with VRF Isolation

The Challenge of Multi-Segment, Multi-VRF Design

When networks grow into multiple security zones, business units, or compliance boundaries, VRF (Virtual Routing and Forwarding) provides routing-table isolation. Extending VRFs across multiple tiers, however, adds complexity:

  • Each L3 hop requires a transit subnet
  • Subinterfaces multiply configuration complexity
  • Troubleshooting spans multiple routing tables
  • Documentation must track VRF membership at every tier

Subnet Schema Strategy

A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors.

Example: Large Manufacturing Site (10.0.0.0/13)

Site allocation: 10.0.0.0/13 (Corporate Site Alpha) - 524,286 usable hosts

@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)

nwdiag {
    network Corporate_VRF {
        address = "VRF: CORPORATE\n10.0.0.0/17"
        color = "#98FB98"
        description = "Production Users"

        Corp_Transit [description = "Transit\n10.0.0.0/23"];
        Corp_Users [description = "Users\n10.0.32.0/19"];
        Corp_Voice [description = "Voice\n10.0.64.0/19"];
        Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
        Corp_Server [description = "Servers\n10.0.112.0/20"];
    }

    network Guest_VRF {
        address = "VRF: GUEST\n10.1.0.0/17"
        color = "#FFE4B5"
        description = "Visitor Network"

        Guest_Transit [description = "Transit\n10.1.0.0/23"];
        Guest_Users [description = "Users\n10.1.32.0/19"];
    }

    network Security_VRF {
        address = "VRF: SECURITY\n10.2.0.0/17"
        color = "#FFDAB9"
        description = "Physical Security"

        Sec_Transit [description = "Transit\n10.2.0.0/23"];
        Sec_Camera [description = "Cameras\n10.2.32.0/19"];
        Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
        Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
    }

    network IOT_VRF {
        address = "VRF: IOT\n10.3.0.0/17"
        color = "#E6E6FA"
        description = "Manufacturing OT"

        IOT_Transit [description = "Transit\n10.3.0.0/23"];
        IOT_PLC [description = "PLCs\n10.3.32.0/19"];
        IOT_HMI [description = "HMIs\n10.3.64.0/19"];
        IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
    }
}
@enduml

Transit segment detail (10.0.0.0/23 - 510 usable IPs):

| Subnet | Link |
|---|---|
| | FW-Inside → Internal-Edge-A |
| | FW-Inside → Internal-Edge-B |
| | Internal-Edge-A → Core-A |
| | Internal-Edge-A → Core-B |
| | Internal-Edge-B → Core-A |
| | Internal-Edge-B → Core-B |
| 10.0.0.24/30 | Distribution-B |
| 10.0.0.32/30 | Distribution-B |
| | Distribution-A → Access-SW-1 |
| | Distribution-B → Access-SW-1 |
| ... | (pattern continues) |

Note: /31 subnets (RFC 3021) can also be used for point-to-point links, conserving address space.

Pattern Recognition Benefits

When subnet patterns are consistent across VRFs:

| What you know | What you can infer |
|---|---|
| The transit link in Corporate uses 10.0.0.40/30 | Access-SW-5 users are on 10.0.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta is probably 10.8.0.0/13 |

This lets engineers:

  • Predict IP addresses without consulting documentation
  • Immediately recognize misconfigured subnets
  • Build automation templates that work across VRFs
  • Train new staff on the pattern rather than on memorization
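The schema above, expressed as code so that addresses can be derived and checked mechanically. This is an added example, not code from the article; it assumes the /30 transit links are carved sequentially from each VRF's transit /23 and that every device role belongs to exactly one VRF (the ROLE_VRF map is an assumption).

```python
from ipaddress import ip_address, ip_network

# Site Alpha allocation from the article: 10.0.0.0/13, where VRF n owns 10.n.0.0/17.
SITE = ip_network("10.0.0.0/13")
VRF_NAMES = ["CORPORATE", "GUEST", "SECURITY", "IOT"]

# Segment layout inside every VRF /17, as third-octet ranges taken from the
# article's VRF schema diagram: transit /23 at .0, the per-access-switch /19 at
# .32 (users, guest users, cameras, PLCs), a second /19 at .64 and a /20 at .96.
SEGMENTS = [
    (0, 1, "transit"),
    (32, 63, "access"),
    (64, 95, "secondary"),
    (96, 111, "services"),
]

# Which VRF a device role must live in (assumption for the audit below).
ROLE_VRF = {"laptop": "CORPORATE", "camera": "SECURITY", "plc": "IOT"}


def vrf_block(vrf_index):
    """The VRF's /17: the site base with the VRF index in the second octet."""
    if not 0 <= vrf_index < len(VRF_NAMES):
        raise ValueError("unknown VRF index")
    base = int(SITE.network_address) + (vrf_index << 16)
    return ip_network((base, 17))


def transit_link(vrf_index, link_index):
    """The link_index-th /30 carved sequentially from the VRF's transit /23 (128 links)."""
    transit = ip_network((int(vrf_block(vrf_index).network_address), 23))
    links = list(transit.subnets(new_prefix=30))
    return links[link_index]


def access_switch_subnet(vrf_index, switch_number):
    """Access-SW-k's /24 inside the VRF's /19 at offset 32: 10.n.(32+k-1).0/24."""
    if not 1 <= switch_number <= 32:
        raise ValueError("the /19 access block holds 32 switches")
    base = int(vrf_block(vrf_index).network_address)
    return ip_network((base + ((32 + switch_number - 1) << 8), 24))


def locate(address):
    """Reverse the schema: (vrf name, segment, access switch number or None),
    or None when the address falls outside the schema."""
    ip = ip_address(address)
    if ip.version != 4 or ip not in SITE:
        return None
    rel = int(ip) - int(SITE.network_address)
    vrf_index, in_vrf = rel >> 16, rel & 0xFFFF
    if vrf_index >= len(VRF_NAMES) or in_vrf & 0x8000:
        return None  # the upper /17 of each /16 is not assigned
    third = in_vrf >> 8
    for lo, hi, name in SEGMENTS:
        if lo <= third <= hi:
            switch = third - 32 + 1 if name == "access" else None
            return (VRF_NAMES[vrf_index], name, switch)
    return (VRF_NAMES[vrf_index], "unallocated", None)


def audit(inventory):
    """Return (device, expected VRF, actual VRF) for every device whose address
    lands in a VRF other than the one its role requires."""
    findings = []
    for name, role, address in inventory:
        loc = locate(address)
        actual = loc[0] if loc else None
        if actual != ROLE_VRF[role]:
            findings.append((name, ROLE_VRF[role], actual))
    return findings


# Constructed sample inventory (not from the article).
INVENTORY = [
    ("cam-lobby-01", "camera", "10.2.36.14"),  # SECURITY, Access-SW-5 camera VLAN
    ("cam-dock-07", "camera", "10.0.36.77"),   # CORPORATE user VLAN: wrong VRF
    ("plc-line-3", "plc", "10.3.32.9"),        # IOT, Access-SW-1 PLC VLAN
    ("lt-jdoe", "laptop", "10.0.33.120"),      # CORPORATE, Access-SW-2 users
]

if __name__ == "__main__":
    print(transit_link(0, 10), access_switch_subnet(0, 5))
    for finding in audit(INVENTORY):
        print("misplaced device:", finding)
```

Running the audit against a real inventory export (CMDB, DHCP leases, NAC session table) turns the "immediately recognize misconfigured subnets" bullet into a repeatable check rather than an eyeball test.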

Site Size Templates

Small Site Template (Branch Office)

@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)

nwdiag {
    internet [shape = cloud];

    network WAN {
        color = "#FFE4E1"
        description = "ISP/MPLS Circuit"

        internet;
        UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
    }

    network LAN {
        address = "10.100.x.0/24"
        color = "#98FB98"
        description = "Single Subnet"

        UTM;
        Access [description = "Access Switch\n(or UTM ports)"];
    }

    network Endpoints {
        color = "#F0FFF0"
        description = "End Devices"

        Access;
        AP [description = "WiFi AP"];
        Users [description = "Users"];
        Phones [description = "Phones"];
    }
}
@enduml

Small site design notes:

  • Collapsed design: all functions in minimal hardware
  • Subnet: /24 or /23 per site
  • Example: 10.100.1.0/24 (Site 001)

Medium Site Template (Regional Office)

@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)

nwdiag {
    internet [shape = cloud];

    network WAN_Edge {
        color = "#FFE4E1"
        description = "Internet Edge"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B/MPLS"];
        Edge_RTR [description = "Edge Router"];
    }

    network Firewall_Tier {
        color = "#FFDAB9"
        description = "Firewall HA Pair"

        Edge_RTR;
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Distribution {
        address = "10.50.x.0/21"
        color = "#DDA0DD"
        description = "MCLAG Distribution\n(Dist/Core Combined)"

        FW_A;
        FW_B;
        Dist_A [description = "Dist-A"];
        Dist_B [description = "Dist-B"];
    }

    network Access_Tier {
        color = "#98FB98"
        description = "Access Switches (LACP)"

        Dist_A;
        Dist_B;
        Acc1 [description = "Acc1"];
        Acc2 [description = "Acc2"];
        Acc3 [description = "Acc3"];
        Acc4 [description = "Acc4"];
        Acc5 [description = "Acc5"];
    }

    network Users {
        color = "#F0FFF0"
        description = "End Devices"

        Acc1;
        Acc2;
        Acc3;
        Acc4;
        Acc5;
        Endpoints [description = "Laptops/Phones\nCameras/APs"];
    }
}
@enduml

Medium site design notes:

  • Partial modularity: separate edge and access tiers
  • Subnet: /21 per site (2,046 IPs)
  • Example: 10.50.0.0/21 (Site 050)

Large Site Template (Headquarters/Campus)

@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)

nwdiag {
    internet [shape = cloud];

    network Internet_Edge {
        color = "#FFE4E1"
        description = "INTERNET EDGE MODULE"

        internet;
        ISP_A [description = "ISP-A"];
        ISP_B [description = "ISP-B"];
        MPLS [description = "MPLS"];
        Edge_RTR [description = "Edge-RTR"];
        FW_A [description = "FW-A"];
        FW_B [description = "FW-B"];
    }

    network Internal_Edge {
        color = "#E6E6FA"
        description = "INTERNAL EDGE MODULE"

        FW_A;
        FW_B;
        IntEdge_A [description = "IntEdge-A"];
        IntEdge_B [description = "IntEdge-B"];
        WLC [description = "WLC"];
        Proxy [description = "Proxy"];
        VPN [description = "VPN"];
        DNS [description = "DNS"];
    }

    network Core {
        color = "#B0E0E6"
        description = "CORE MODULE"

        IntEdge_A;
        IntEdge_B;
        Core_A [description = "Core-A"];
        Core_B [description = "Core-B"];
    }

    network Dist_Var1 {
        color = "#98FB98"
        description = "L3 Adjacent"

        Core_A;
        Core_B;
        Dist_1 [description = "Dist-1"];
        Access_1 [description = "Access"];
    }

    network Dist_Var2 {
        color = "#DDA0DD"
        description = "MCLAG Trunk"

        Core_A;
        Core_B;
        Dist_2 [description = "Dist-2"];
        Access_2 [description = "Access"];
    }

    network Dist_Var3 {
        color = "#FFE4B5"
        description = "MCLAG Trunk"

        Core_A;
        Core_B;
        Dist_3 [description = "Dist-3"];
        Access_3 [description = "Access"];
    }

    network Datacenter {
        color = "#87CEEB"
        description = "SPINE/LEAF DC"

        Core_A;
        Core_B;
        Border [description = "Border-Leaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        Servers [description = "Servers"];
    }
}
@enduml

Large site design notes:

  • Full modularity: all tiers physically separated
  • Subnet: /13 to /15 per site (based on VRF count)
  • Example: 10.0.0.0/13 (HQ) - 524,286 IPs

VRF and L3 Segmentation: Benefits and Complexity

Benefits of L3 Segmentation with Subinterfaces

  1. Security isolation: traffic between VRFs must traverse a firewall or policy device
  2. Blast radius containment: a compromised segment cannot directly reach other VRFs
  3. Compliance boundaries: PCI, HIPAA, or OT networks in separate routing domains
  4. Traffic engineering: different routing policies per VRF

The Complexity Tradeoff

When segments must extend across multiple tiers, every L3 boundary adds configuration overhead:

@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR

nwdiag {
    network Camera_Segment {
        address = "VLAN 120\n10.2.36.0/24"
        color = "#FFDAB9"
        description = "VRF: SECURITY"

        Camera [description = "Camera"];
        Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
    }

    network Access_to_Dist {
        address = "10.2.0.40/30"
        color = "#DDA0DD"
        description = "VRF: SECURITY"

        Access_SW;
        Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
    }

    network Dist_to_Core {
        address = "10.2.0.24/30"
        color = "#B0E0E6"
        description = "VRF: SECURITY"

        Distribution;
        Core [description = "Core\nSub-int: 10.2.0.8/30"];
    }

    network Core_to_IntEdge {
        address = "10.2.0.8/30"
        color = "#E6E6FA"
        description = "VRF: SECURITY"

        Core;
        Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
    }

    network IntEdge_to_FW {
        address = "10.2.0.0/30"
        color = "#FFE4E1"
        description = "VRF: SECURITY"

        Internal_Edge;
        Firewall [description = "Firewall\nInter-VRF Policy"];
    }

    network DC_Path {
        address = "VXLAN/EVPN"
        color = "#87CEEB"
        description = "Datacenter Fabric"

        Firewall;
        Border_Leaf [description = "Border-Leaf"];
        Spine [description = "Spine"];
        Leaf [description = "Leaf"];
        NVR [description = "NVR"];
    }
}
@enduml

Configuration overhead:

  • 5 subinterfaces per VRF per path
  • 4 VRFs × 5 subinterfaces = 20 subinterfaces per switch
  • Routing protocol adjacencies in every VRF
  • Route leaking or firewall rules for inter-VRF traffic

Mitigation Strategies

  1. Limit the VRF count: create VRFs only for genuine isolation requirements
  2. Centralize inter-VRF routing: a single firewall policy point rather than a distributed one
  3. Use VXLAN/EVPN: the overlay reduces physical subinterface sprawl
  4. Automate provisioning: templates ensure consistent configuration
  5. Document the pattern: once learned, patterns are faster than lookup

Summary: Building a Scalable Network Pattern

The goal of modular network design is to create a repeatable pattern that enables:

| Scale | Site count | Design |
|---|---|---|
| Small | 10,000+ | Collapsed (UTM/SD-WAN appliance + access), /24 or /23 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access, /21 per site |
| Large | 100+ | Full modular (Edge, Internal Edge, Core, Distribution variants, DC fabric), /13-/15 per site |

Key Takeaways

  1. Modules create boundaries: each module has a defined purpose and interface
  2. Patterns enable scale: the same design at every site reduces training and errors
  3. VRFs provide isolation: but add configuration complexity at every tier
  4. Subnet schemas: a predictable approach reduces cognitive load
  5. Distribution varies by need: L3 adjacent, MCLAG/LACP, or spine/leaf
  6. Right-size for the site: don't over-engineer small sites

By establishing these patterns and applying them consistently, organizations can build networks that scale from a single branch to a global enterprise.


Article version 2.0