Modular Network Design: A Scalable Architecture Framework
Introduction to Modular Network Design
Network modularity is the practice of designing networks as interconnected, purpose-built segments rather than monolithic structures. Each module serves a specific function, has defined boundaries, and connects to adjacent modules through well-understood interfaces. This approach turns network design from an art into a repeatable engineering discipline.
The power of modularity lies in its ability to create **predictable patterns** that can be applied consistently across an organization's entire infrastructure footprint, whether that footprint spans tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.
Why Modularity Matters
Benefits Across Network Scales
| Benefit | Small Sites | Medium Sites | Large Sites |
|---------|-------------|--------------|-------------|
| Simplified troubleshooting | Single engineer can understand entire topology | Teams can specialize by module | Clear escalation paths between module owners |
| Predictable scaling | Add modules as needed | Clone proven patterns | Extend without redesign |
| Consistent security | Same policies everywhere | Uniform compliance posture | Auditable boundaries |
| Operational efficiency | Template-based deployment | Automated provisioning | Standardized change management |
| Cost control | Right-size each module | Bulk purchasing by module type | Lifecycle management by tier |
The Scaling Challenge
Organizations rarely stay static. A modular design must accommodate:
- 10,000+ small sites: branch offices, retail locations, remote facilities
- 1,000+ medium sites: regional offices, distribution centers, manufacturing plants
- 100+ large sites: headquarters, datacenters, major campuses
Without modularity, every site becomes a unique snowflake that requires custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site.
Core Network Modules
Module 1: Internet Edge Segment
The Internet Edge is where your organization meets the outside world. This module contains:
- WAN/Internet circuits (MPLS, DIA, broadband, LTE/5G)
- Edge routers (BGP peering, WAN termination)
- Firewalls (stateful inspection, NAT, VPN termination)
- VLAN segmentation for functional separation
@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false
nwdiag {
internet [shape = cloud, description = "Internet"];
network ISP_Transit {
address = "VLAN 10-12"
color = "#FFE4E1"
description = "ISP/MPLS Transit"
internet;
ISP_A [description = "ISP-A\nCircuit"];
ISP_B [description = "ISP-B\nCircuit"];
MPLS [description = "MPLS\nCircuit"];
}
network Edge_Router_Segment {
address = "VLAN 10,11,12"
color = "#E6E6FA"
description = "Edge Router Aggregation"
ISP_A;
ISP_B;
MPLS;
Edge_Router [description = "Edge Router\n(BGP Peering)"];
}
network FW_Outside {
address = "VLAN 100"
color = "#FFFACD"
description = "Firewall Outside"
Edge_Router;
FW_Primary [description = "Firewall\nPrimary"];
FW_Secondary [description = "Firewall\nSecondary"];
}
network FW_HA_Sync {
address = "VLAN 101"
color = "#F0FFF0"
description = "HA Sync Link"
FW_Primary;
FW_Secondary;
}
network FW_Inside {
address = "VLAN 102"
color = "#E0FFFF"
description = "To Internal Edge"
FW_Primary;
FW_Secondary;
}
}
@enduml
Key design principles:
- Redundant circuits from different providers
- Firewall high-availability pair
- Clean VLAN boundaries between trust zones
- L3 point-to-point link between router and firewall
Module 2: Internal Edge / DMZ Tier
For medium and large sites, the Internal Edge provides an aggregation layer for services that require controlled exposure or that act as transition points between security zones.
@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internet_Edge {
address = "VLAN 102"
color = "#E0FFFF"
description = "From Firewall Inside"
IntEdge_A [description = "Internal Edge\nSwitch A"];
IntEdge_B [description = "Internal Edge\nSwitch B"];
}
network MCLAG_Peer {
address = "Peer-Link"
color = "#DDA0DD"
description = "MCLAG/vPC Peer"
IntEdge_A;
IntEdge_B;
}
network WLC_Mgmt {
address = "VLAN 200 - 10.x.200.0/24"
color = "#FFE4B5"
description = "WLC Management"
IntEdge_A;
IntEdge_B;
WLC [description = "Wireless LAN\nController"];
}
network Proxy_Farm {
address = "VLAN 201 - 10.x.201.0/24"
color = "#FFDAB9"
description = "Proxy Services"
IntEdge_A;
IntEdge_B;
Proxy [description = "Web Proxy\nServers"];
}
network VPN_Services {
address = "VLAN 202 - 10.x.202.0/24"
color = "#E6E6FA"
description = "VPN Termination"
IntEdge_A;
IntEdge_B;
VPN [description = "VPN\nConcentrator"];
}
network Infrastructure {
address = "VLAN 204 - 10.x.204.0/24"
color = "#F0FFF0"
description = "Infrastructure Services"
IntEdge_A;
IntEdge_B;
DNS_DHCP [description = "DNS/DHCP\nServers"];
}
network To_Core {
address = "VLAN 205"
color = "#B0E0E6"
description = "Core Transit"
IntEdge_A;
IntEdge_B;
}
}
@enduml
Services typically hosted on the Internal Edge:
- Wireless LAN controllers (WLC)
- Web proxies and content filters
- VPN concentrators
- DNS/DHCP infrastructure
- Load balancers
- Jump hosts / bastion servers
Module 3: Core Layer
The core is the high-speed backbone that connects all other modules. It must be optimized for:
- Maximum throughput
- Minimum latency
- High availability
- Simple, fast forwarding
@startuml Core Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internal_Edge {
address = "L3 Routed"
color = "#B0E0E6"
description = "From Internal Edge"
Core_A [description = "Core Switch A\n100G Backbone"];
Core_B [description = "Core Switch B\n100G Backbone"];
}
network Core_Interconnect {
address = "100G+ ISL"
color = "#FFB6C1"
description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"
Core_A;
Core_B;
}
network To_Distribution_1 {
address = "L3 P2P"
color = "#98FB98"
description = "Building A"
Core_A;
Core_B;
Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
}
network To_Distribution_2 {
address = "L3 P2P"
color = "#DDA0DD"
description = "Building B"
Core_A;
Core_B;
Dist_2 [description = "Distribution 2\n(MCLAG)"];
}
network To_Distribution_3 {
address = "L3 P2P"
color = "#FFDAB9"
description = "Building C"
Core_A;
Core_B;
Dist_3 [description = "Distribution 3\n(MCLAG)"];
}
network To_DC_Border {
address = "L3 Routed"
color = "#87CEEB"
description = "Datacenter"
Core_A;
Core_B;
Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
}
}
@enduml
Core design principles:
- No directly attached end-user devices
- L3 routing between core switches (no spanning tree)
- Equal-cost multipath (ECMP) for load distribution
- Fast-converging routing protocols
Module 4: Distribution Layer
The distribution layer aggregates access switches and enforces policy. This is where network design choices vary the most, driven by each site's requirements.
Distribution Tier Variations
Variation 1: L3 Adjacent (Routed Access)
In this design, the distribution and access layers are **L3 adjacent**: each access switch has its own IP subnet and routes directly to the distribution layer.
@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 ECMP"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(L3 Router)"];
Dist_B [description = "Distribution B\n(L3 Router)"];
}
network Dist_iBGP {
address = "iBGP Peering"
color = "#DDA0DD"
description = "ECMP/iBGP"
Dist_A;
Dist_B;
}
network P2P_Access_1 {
address = "10.x.2.0/30"
color = "#98FB98"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L3 Gateway)"];
}
network P2P_Access_2 {
address = "10.x.2.8/30"
color = "#FFE4B5"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_2 [description = "Access SW-2\n(L3 Gateway)"];
}
network P2P_Access_3 {
address = "10.x.2.16/30"
color = "#FFDAB9"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_3 [description = "Access SW-3\n(L3 Gateway)"];
}
network User_VLAN_1 {
address = "10.x.32.0/24"
color = "#F0FFF0"
description = "Users - SW1"
Access_1;
Laptop_1 [description = "Laptops"];
Phone_1 [description = "Phones"];
}
network User_VLAN_2 {
address = "10.x.33.0/24"
color = "#FFF0F5"
description = "Users - SW2"
Access_2;
Laptop_2 [description = "Laptops"];
Camera_2 [description = "Cameras"];
}
network User_VLAN_3 {
address = "10.x.34.0/24"
color = "#F5FFFA"
description = "Users - SW3"
Access_3;
Laptop_3 [description = "Workstations"];
Camera_3 [description = "Cameras"];
}
}
@enduml
Example subnet allocation:
| Link | Subnet |
|------|--------|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-1 User VLAN | 10.x.32.0/24 |
| Access-2 User VLAN | 10.x.33.0/24 |
Benefits:
- Broadcast domain contained to each access switch
- Simplified troubleshooting (issues contained within a subnet)
- No spanning tree between distribution and access
- Summarization possible at the distribution layer
Considerations:
- L3-capable access switches required
- DHCP relay configuration on every access switch
- More complex IP address management
Variation 2: MCLAG with LACP Trunks
This design uses **Multi-Chassis Link Aggregation (MCLAG)** at the distribution layer with **LACP bundles** to the access switches, carrying VLAN trunks.
Vendor terminology: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behavior is similar across vendors.
@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 Routed Uplinks"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(MCLAG Member)"];
Dist_B [description = "Distribution B\n(MCLAG Member)"];
}
network MCLAG_Peer_Link {
address = "Peer-Link"
color = "#FFB6C1"
description = "MCLAG/vPC Peer-Link"
Dist_A;
Dist_B;
}
network LACP_To_Access {
address = "Po1 - LACP Trunk"
color = "#DDA0DD"
description = "VLANs 100,110,120 Trunked"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L2 Switch)"];
}
network Data_VLAN {
address = "VLAN 100 - 10.x.32.0/24"
color = "#98FB98"
description = "Data VLAN"
Access_1;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - 10.x.64.0/24"
color = "#FFE4B5"
description = "Voice VLAN"
Access_1;
Phones [description = "IP Phones"];
}
network Security_VLAN {
address = "VLAN 120 - 10.x.96.0/24"
color = "#FFDAB9"
description = "Security VLAN"
Access_1;
Cameras [description = "Cameras\nBadge Readers"];
}
}
@enduml
SVI placement (VRRP VIP on the distribution pair):
- VLAN 100: 10.x.32.1/24
- VLAN 110: 10.x.64.1/24
- VLAN 120: 10.x.96.1/24
Trunk VLAN assignments:
| Port-Channel | VLANs | Destination |
|--------------|-------|-------------|
| Po1 (MCLAG) | 100,110,120 | Access-1 |
| Po2 (MCLAG) | 100,110,120,130 | Access-2 |
| Po3 (MCLAG) | 100,110 | Access-3 |
| Native VLAN | 999 (unused) | — |
MCLAG benefits:
- Active-active forwarding (both uplinks in use)
- Sub-second failover
- Single logical switch from the access layer's perspective
- No spanning-tree blocking
Considerations:
- VLANs span multiple access switches (larger broadcast domains)
- The MCLAG peer link can become a bottleneck
- STP is still required as loop protection
Variation 3: Border Leaf for a Spine/Leaf Datacenter
In a datacenter environment, the distribution layer becomes **border leaves** that connect the spine/leaf fabric to the rest of the enterprise network.
@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE
nwdiag {
network Enterprise_Core {
address = "L3 Routed (eBGP/OSPF)"
color = "#B0E0E6"
description = "From Enterprise Core"
Border_A [description = "Border Leaf A\nVXLAN Gateway"];
Border_B [description = "Border Leaf B\nVXLAN Gateway"];
}
network Border_EVPN {
address = "VXLAN EVPN"
color = "#DDA0DD"
description = "EVPN Type-5 Routes"
Border_A;
Border_B;
Spine_1 [description = "Spine 1"];
Spine_2 [description = "Spine 2"];
}
network Spine_Fabric {
address = "eBGP Underlay"
color = "#FFB6C1"
description = "Spine Layer"
Spine_1;
Spine_2;
}
network Leaf_Tier_1 {
address = "VTEP"
color = "#98FB98"
description = "Compute Rack 1"
Spine_1;
Spine_2;
Leaf_1 [description = "Leaf 1"];
Leaf_2 [description = "Leaf 2"];
}
network Leaf_Tier_2 {
address = "VTEP"
color = "#FFE4B5"
description = "Storage/Services"
Spine_1;
Spine_2;
Leaf_3 [description = "Leaf 3"];
Leaf_4 [description = "Leaf 4"];
}
network Server_Rack_1 {
address = "VNI 10001"
color = "#F0FFF0"
description = "Compute Servers"
Leaf_1;
Leaf_2;
Servers_1 [description = "Rack Servers\nVMs/Containers"];
}
network Storage_Network {
address = "VNI 10002"
color = "#FFDAB9"
description = "Storage Arrays"
Leaf_3;
Storage [description = "SAN/NAS\nStorage"];
}
network Voice_Services {
address = "VNI 10003"
color = "#E6E6FA"
description = "UC Systems"
Leaf_4;
PBX [description = "PBX/UC\nSystems"];
}
}
@enduml
Datacenter fabric details:
| Component | Function |
|-----------|----------|
| Underlay | eBGP (ASN per switch) or OSPF |
| Overlay | VXLAN with EVPN control plane |
| Border Leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Leaf workloads | Compute, Storage, Voice/UC, Infrastructure |
Benefits:
- Massive horizontal scale (add leaf pairs as needed)
- Non-blocking fabric architecture
- Multi-tenancy via VRF/VNI
- Optimal east-west traffic patterns
Considerations:
- VXLAN/EVPN operational complexity
- Specialized expertise required
- Higher equipment cost
Module 5: Access Layer
The access layer is where end devices connect. Regardless of the distribution topology, access switches provide:
@startuml Access Layer Module
skinparam backgroundColor #FEFEFE
nwdiag {
network Distribution_Uplink {
address = "L3 or LACP Trunk"
color = "#B0E0E6"
description = "Uplinks to Distribution"
Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
}
network Data_VLAN {
address = "VLAN 100 - Ports 1-8, 25-32"
color = "#98FB98"
description = "Data VLAN"
Access_SW;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - Ports 9-16"
color = "#FFE4B5"
description = "Voice VLAN"
Access_SW;
Phones [description = "IP Phones"];
}
network Camera_VLAN {
address = "VLAN 120 - Ports 17-24"
color = "#FFDAB9"
description = "Security VLAN"
Access_SW;
Cameras [description = "IP Cameras"];
}
network Wireless_VLAN {
address = "VLAN 130 - Ports 33-40"
color = "#DDA0DD"
description = "Wireless AP VLAN"
Access_SW;
APs [description = "Wireless APs"];
}
network Mgmt_VLAN {
address = "VLAN 999 - Ports 41-44"
color = "#F0FFF0"
description = "Management VLAN"
Access_SW;
}
}
@enduml
Access layer security features:
- 802.1X / MAB authentication
- Dynamic VLAN assignment
- Port security
- DHCP snooping
- Dynamic ARP inspection
- IP Source Guard
Complete Modular Topology
This is how all the modules connect into a complete enterprise network:
@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network
nwdiag {
internet [shape = cloud, description = "Internet/WAN"];
network Internet_Edge {
address = "Module 1"
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge Router"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
address = "Module 2"
color = "#E6E6FA"
description = "INTERNAL EDGE / DMZ MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS/DHCP"];
}
network Core {
address = "Module 3"
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Distribution_L3 {
address = "Variation 1"
color = "#98FB98"
description = "DIST - L3 Adjacent\n(Building A)"
Core_A;
Core_B;
Dist_1A [description = "Dist-1A"];
Dist_1B [description = "Dist-1B"];
Access_L3 [description = "Access\n(L3)"];
}
network Distribution_MCLAG {
address = "Variation 2"
color = "#DDA0DD"
description = "DIST - MCLAG\n(Building B)"
Core_A;
Core_B;
Dist_2A [description = "Dist-2A"];
Dist_2B [description = "Dist-2B"];
Access_L2 [description = "Access\n(L2)"];
}
network Datacenter {
address = "Variation 3"
color = "#FFE4B5"
description = "DATACENTER\n(Spine/Leaf)"
Core_A;
Core_B;
Border_Leaf [description = "Border\nLeaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers\nStorage\nPBX"];
}
network Campus_Users {
address = "End Devices"
color = "#F0FFF0"
description = "Campus Users"
Access_L3;
Access_L2;
Users [description = "Laptops\nPhones\nCameras"];
}
}
@enduml
IP Addressing Strategy with VRF Isolation
The Multi-Segment, Multi-VRF Design Challenge
As networks grow to include multiple security zones, business units, or compliance boundaries, **VRF (Virtual Routing and Forwarding)** provides routing-table isolation. However, extending VRFs across multiple tiers increases complexity:
- Every L3 hop requires a transit subnet
- Sub-interfaces multiply configuration complexity
- Troubleshooting spans multiple routing tables
- Documentation must track VRF membership at every tier
Subnet Schema Strategy
A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors.
Example: Large Manufacturing Site (10.0.0.0/13)
Site allocation: 10.0.0.0/13 (Manufacturing Alpha) - 524,286 usable hosts
@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)
nwdiag {
network Corporate_VRF {
address = "VRF: CORPORATE\n10.0.0.0/17"
color = "#98FB98"
description = "Production Users"
Corp_Transit [description = "Transit\n10.0.0.0/23"];
Corp_Users [description = "Users\n10.0.32.0/19"];
Corp_Voice [description = "Voice\n10.0.64.0/19"];
Corp_Wireless [description = "Wireless\n10.0.96.0/20"];
Corp_Server [description = "Servers\n10.0.112.0/20"];
}
network Guest_VRF {
address = "VRF: GUEST\n10.1.0.0/17"
color = "#FFE4B5"
description = "Visitor Network"
Guest_Transit [description = "Transit\n10.1.0.0/23"];
Guest_Users [description = "Users\n10.1.32.0/19"];
}
network Security_VRF {
address = "VRF: SECURITY\n10.2.0.0/17"
color = "#FFDAB9"
description = "Physical Security"
Sec_Transit [description = "Transit\n10.2.0.0/23"];
Sec_Camera [description = "Cameras\n10.2.32.0/19"];
Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
}
network IOT_VRF {
address = "VRF: IOT\n10.3.0.0/17"
color = "#E6E6FA"
description = "Manufacturing OT"
IOT_Transit [description = "Transit\n10.3.0.0/23"];
IOT_PLC [description = "PLCs\n10.3.32.0/19"];
IOT_HMI [description = "HMIs\n10.3.64.0/19"];
IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
}
}
@enduml
Transit segment details (10.0.0.0/23, 510 usable IPs):
| Subnet | Link Description |
|--------|------------------|
| 10.0.0.0/30 | FW-Inside → Internal-Edge-A |
| 10.0.0.4/30 | FW-Inside → Internal-Edge-B |
| 10.0.0.8/30 | Internal-Edge-A → Core-A |
| 10.0.0.12/30 | Internal-Edge-A → Core-B |
| 10.0.0.16/30 | Internal-Edge-B → Core-A |
| 10.0.0.20/30 | Internal-Edge-B → Core-B |
| 10.0.0.24/30 | Core-A → Distribution-A |
| 10.0.0.28/30 | Core-A → Distribution-B |
| 10.0.0.32/30 | Core-B → Distribution-A |
| 10.0.0.36/30 | Core-B → Distribution-B |
| 10.0.0.40/30 | Distribution-A → Access-SW-1 |
| 10.0.0.44/30 | Distribution-B → Access-SW-1 |
| ... | (Pattern continues) |
Note: /31 subnets (RFC 3021) can also be used for point-to-point links, conserving address space.
Pattern Recognition Benefits
When subnet patterns are consistent across VRFs:
| What You Know | What You Can Infer |
|---------------|-------------------|
| Transit link in Corporate uses 10.0.0.40/30 | Guest equivalent is 10.1.0.40/30 |
| Access-SW-5 users are on 10.0.36.0/24 | Security cameras on same switch are 10.2.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta could be 10.8.0.0/13 |
This allows engineers to:
- Predict IP addresses without consulting documentation
- Instantly recognize misconfigured subnets
- Build automation templates that work across VRFs
- Train new staff on the pattern rather than on memorization
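The transit allocation table and the pattern table above can be expressed as code. The following Python is an added example, not code from the article: it encodes the 10.0.0.0/13 schema (VRF /17 blocks, role offsets, transit link order) and derives link /30s, cross-VRF equivalents and per-address classification, plus an overlap check over a VRF's role blocks. Function and constant names are this example's own, and the corporate wireless block is assumed to be a /20 so it does not collide with the /20 server block.

```python
"""Helpers for the VRF-aligned subnet schema of the 10.0.0.0/13 site above.
Added example, not the article's code: site /13, VRF /17 blocks, role offsets
and transit link order follow the article's schema; names are this example's.
"""
import ipaddress

SITE = ipaddress.ip_network("10.0.0.0/13")
VRFS = {"CORPORATE": 0, "GUEST": 1, "SECURITY": 2, "IOT": 3}  # n -> 10.n.0.0/17

# Role blocks per VRF as (name, third-octet offset, prefix length). Transit is
# always offset 0 so link /30s line up across VRFs; wireless is a /20 here so
# it does not overlap the /20 server block that follows it (assumption).
ROLES = {
    "CORPORATE": [("transit", 0, 23), ("users", 32, 19), ("voice", 64, 19),
                  ("wireless", 96, 20), ("servers", 112, 20)],
    "GUEST": [("transit", 0, 23), ("users", 32, 19)],
    "SECURITY": [("transit", 0, 23), ("cameras", 32, 19),
                 ("badge", 64, 19), ("nvr", 96, 20)],
    "IOT": [("transit", 0, 23), ("plc", 32, 19), ("hmi", 64, 19),
            ("scada", 96, 20)],
}

# Point-to-point links in allocation order: link i gets the i-th /30.
TRANSIT_LINKS = [
    ("FW-Inside", "Internal-Edge-A"), ("FW-Inside", "Internal-Edge-B"),
    ("Internal-Edge-A", "Core-A"), ("Internal-Edge-A", "Core-B"),
    ("Internal-Edge-B", "Core-A"), ("Internal-Edge-B", "Core-B"),
    ("Core-A", "Distribution-A"), ("Core-A", "Distribution-B"),
    ("Core-B", "Distribution-A"), ("Core-B", "Distribution-B"),
    ("Distribution-A", "Access-SW-1"), ("Distribution-B", "Access-SW-1"),
]

def site_block(index):
    """Return the index-th /13 of 10.0.0.0/8: Alpha is 0, Beta (1) is 10.8.0.0/13."""
    return list(ipaddress.ip_network("10.0.0.0/8").subnets(new_prefix=13))[index]

def vrf_block(vrf, site=SITE):
    """Return the /17 block a VRF occupies within a site."""
    return ipaddress.ip_network((int(site.network_address) + (VRFS[vrf] << 16), 17))

def role_block(vrf, role, site=SITE, roles=ROLES):
    """Return the subnet of one role inside a VRF, e.g. SECURITY/cameras."""
    for name, offset, plen in roles[vrf]:
        if name == role:
            base = int(vrf_block(vrf, site).network_address) + (offset << 8)
            return ipaddress.ip_network((base, plen))
    raise KeyError(f"{vrf} has no role {role!r}")

def transit_subnet(vrf, a, b, site=SITE):
    """Return the /30 for link a-b in a VRF, following TRANSIT_LINKS order."""
    transit = role_block(vrf, "transit", site)
    base = int(transit.network_address) + 4 * TRANSIT_LINKS.index((a, b))
    net = ipaddress.ip_network((base, 30))
    if not net.subnet_of(transit):  # a /23 holds at most 128 /30 links
        raise ValueError("transit block exhausted")
    return net

def equivalent_in_vrf(subnet, target_vrf, site=SITE):
    """Shift a subnet to the same position inside another VRF's /17 block."""
    subnet = ipaddress.ip_network(subnet)
    src = next((v for v in VRFS if subnet.subnet_of(vrf_block(v, site))), None)
    if src is None:
        raise ValueError(f"{subnet} lies outside every VRF block of {site}")
    shift = (VRFS[target_vrf] - VRFS[src]) << 16
    return ipaddress.ip_network((int(subnet.network_address) + shift, subnet.prefixlen))

def classify(ip, site=SITE):
    """Map an address to (vrf, role), or None when it fits no schema block."""
    addr = ipaddress.ip_address(ip)
    hits = [(v, n) for v in VRFS for n, _, _ in ROLES[v]
            if addr in role_block(v, n, site)]
    return hits[0] if hits else None

def overlap_errors(roles=ROLES, site=SITE):
    """Return (vrf, role_a, role_b) for role subnets that overlap within one VRF."""
    errors = []
    for vrf, entries in roles.items():
        nets = [(n, role_block(vrf, n, site, roles)) for n, _, _ in entries]
        for i, (a, net_a) in enumerate(nets):
            for b, net_b in nets[i + 1:]:
                if net_a.overlaps(net_b):
                    errors.append((vrf, a, b))
    return errors
```

Running `overlap_errors()` against a schema in which the corporate wireless block is a /19 reports the wireless/servers collision, which is the kind of misconfigured subnet the pattern makes easy to spot.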
Site Size Templates
Small Site Template (Branch Office)
@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)
nwdiag {
internet [shape = cloud];
network WAN {
color = "#FFE4E1"
description = "ISP/MPLS Circuit"
internet;
UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
}
network LAN {
address = "10.100.x.0/24"
color = "#98FB98"
description = "Single Subnet"
UTM;
Access [description = "Access Switch\n(or UTM ports)"];
}
network Endpoints {
color = "#F0FFF0"
description = "End Devices"
Access;
AP [description = "WiFi AP"];
Users [description = "Users"];
Phones [description = "Phones"];
}
}
@enduml
Small site design notes:
- Collapsed design: all functions in minimal hardware
- Subnet: /24 or /23 per site
- Example: 10.100.1.0/24 (Site 001)
Medium Site Template (Regional Office)
@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)
nwdiag {
internet [shape = cloud];
network WAN_Edge {
color = "#FFE4E1"
description = "Internet Edge"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B/MPLS"];
Edge_RTR [description = "Edge Router"];
}
network Firewall_Tier {
color = "#FFDAB9"
description = "Firewall HA Pair"
Edge_RTR;
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Distribution {
address = "10.50.x.0/21"
color = "#DDA0DD"
description = "MCLAG Distribution\n(Dist/Core Combined)"
FW_A;
FW_B;
Dist_A [description = "Dist-A"];
Dist_B [description = "Dist-B"];
}
network Access_Tier {
color = "#98FB98"
description = "Access Switches (LACP)"
Dist_A;
Dist_B;
Acc1 [description = "Acc1"];
Acc2 [description = "Acc2"];
Acc3 [description = "Acc3"];
Acc4 [description = "Acc4"];
Acc5 [description = "Acc5"];
}
network Users {
color = "#F0FFF0"
description = "End Devices"
Acc1;
Acc2;
Acc3;
Acc4;
Acc5;
Endpoints [description = "Laptops/Phones\nCameras/APs"];
}
}
@enduml
Medium site design notes:
- Partial modularity: distinct edge and access tiers
- Subnet: /21 per site (2,046 IPs)
- Example: 10.50.0.0/21 (Site 050)
Large Site Template (Headquarters/Campus)
@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)
nwdiag {
internet [shape = cloud];
network Internet_Edge {
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge-RTR"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
color = "#E6E6FA"
description = "INTERNAL EDGE MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS"];
}
network Core {
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Dist_Var1 {
color = "#98FB98"
description = "L3 Adjacent"
Core_A;
Core_B;
Dist_1 [description = "Dist-1"];
Access_1 [description = "Access"];
}
network Dist_Var2 {
color = "#DDA0DD"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_2 [description = "Dist-2"];
Access_2 [description = "Access"];
}
network Dist_Var3 {
color = "#FFE4B5"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_3 [description = "Dist-3"];
Access_3 [description = "Access"];
}
network Datacenter {
color = "#87CEEB"
description = "SPINE/LEAF DC"
Core_A;
Core_B;
Border [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers"];
}
}
@enduml
Large site design notes:
- Full modularity: all tiers physically separated
- Subnet: /13 to /15 per site (based on VRF count)
- Example: 10.0.0.0/13 (HQ) - 524,286 IPs
VRF and L3 Segmentation: Benefits and Complexity
Benefits of L3 Segmentation with Sub-interfaces
- Security isolation: inter-VRF traffic must traverse a firewall or policy device
- Blast radius containment: a compromised segment cannot directly reach other VRFs
- Compliance boundaries: PCI, HIPAA, or OT networks in separate domains
- Traffic engineering: different routing policies per VRF
The Complexity Tradeoff
When segments span multiple tiers, every L3 boundary adds configuration overhead:
@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR
nwdiag {
network Camera_Segment {
address = "VLAN 120\n10.2.36.0/24"
color = "#FFDAB9"
description = "VRF: SECURITY"
Camera [description = "Camera"];
Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
}
network Access_to_Dist {
address = "10.2.0.40/30"
color = "#DDA0DD"
description = "VRF: SECURITY"
Access_SW;
Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
}
network Dist_to_Core {
address = "10.2.0.24/30"
color = "#B0E0E6"
description = "VRF: SECURITY"
Distribution;
Core [description = "Core\nSub-int: 10.2.0.8/30"];
}
network Core_to_IntEdge {
address = "10.2.0.8/30"
color = "#E6E6FA"
description = "VRF: SECURITY"
Core;
Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
}
network IntEdge_to_FW {
address = "10.2.0.0/30"
color = "#FFE4E1"
description = "VRF: SECURITY"
Internal_Edge;
Firewall [description = "Firewall\nInter-VRF Policy"];
}
network DC_Path {
address = "VXLAN/EVPN"
color = "#87CEEB"
description = "Datacenter Fabric"
Firewall;
Border_Leaf [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
NVR [description = "NVR"];
}
}
@enduml
Configuration overhead:
- 5 sub-interfaces per VRF per path
- 4 VRFs × 5 = 20 sub-interfaces per switch
- Routing protocols in every VRF
- Route leaking or firewall rules for inter-VRF traffic
Mitigation Strategies
- Limit the VRF count: create VRFs only for genuine isolation requirements
- Centralize inter-VRF routing: a single firewall policy point rather than distributed enforcement
- Use VXLAN/EVPN: the overlay reduces physical sub-interface sprawl
- Automate provisioning: templates guarantee consistent configuration
- Document the pattern: once learned, patterns are faster than lookups
Summary: Building the Scalable Network Pattern
The goal of modular network design is to create a **repeatable pattern** that enables:
| Scale | Sites | Pattern |
|-------|-------|---------|
| Small | 10,000+ | Collapsed UTM + single switch, /24 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access, /21 per site |
| Large | 100+ | Full modular (Edge, Internal Edge, Core, Distribution variants, DC fabric), /13-/15 per site |
Key Takeaways
- Modules create boundaries: each module has a defined purpose and interface
- Patterns enable scale: the same design at every site reduces training and errors
- VRFs provide isolation: but they add configuration complexity at every tier
- Subnet schema: predictable addressing reduces cognitive load
- Distribution varies by need: L3 adjacent, MCLAG/LACP, or spine/leaf
- Right-size for the site: don't over-engineer small sites
By establishing these patterns and applying them consistently, organizations can build networks that scale from a single branch to a global enterprise, all while maintaining operational simplicity and security posture.
Article version 2.0