Modular Network Design: A Scalable Architecture Framework
Introduction to Modular Network Design
Network modularity is the practice of designing a network as a set of interconnected, purpose-built segments rather than as a monolith. Each module serves a specific function, has defined boundaries, and connects to neighbouring modules through well-known interfaces. This approach turns network design from an art into a repeatable engineering discipline.
The power of modularity lies in creating predictable patterns that apply consistently across an organization's entire infrastructure footprint, whether that footprint is tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.
Why Patterns Matter
Benefits at Every Network Scale
- Simplified troubleshooting: a single engineer can understand the whole topology; teams can specialize by module; there are clear escalation paths between module owners
- Predictable scaling: add modules as needed; clone proven patterns; expand without redesign
- Consistent security: the same policies everywhere; a uniform compliance posture
- Operational efficiency: template-based deployment
- Cost control: right-size each module; purchase by module type; manage lifecycle by tier
Scaling Challenges
Organizations rarely stand still. A modular design must accommodate:
- 10,000+ small sites: branch offices, retail locations, remote facilities
- 1,000+ medium sites: regional offices, distribution centres, manufacturing plants
- 100+ large sites: headquarters, data centres, major campuses
Without modularity, every site becomes a unique snowflake that needs custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site.
Core Network Modules
Module 1: Internet Edge
The Internet edge is where your organization meets the outside world. This module includes:
- WAN/Internet circuits (MPLS, DIA, broadband, LTE/5G)
- Edge routers (BGP peering, WAN termination)
- Firewalls (stateful inspection, NAT, VPN termination)
- VLAN segmentation for functional separation
@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false
nwdiag {
internet [shape = cloud, description = "Internet"];
network ISP_Transit {
address = "VLAN 10-12"
color = "#FFE4E1"
description = "ISP/MPLS Transit"
internet;
ISP_A [description = "ISP-A\nCircuit"];
ISP_B [description = "ISP-B\nCircuit"];
MPLS [description = "MPLS\nCircuit"];
}
network Edge_Router_Segment {
address = "VLAN 10,11,12"
color = "#E6E6FA"
description = "Edge Router Aggregation"
ISP_A;
ISP_B;
MPLS;
Edge_Router [description = "Edge Router\n(BGP Peering)"];
}
network FW_Outside {
address = "VLAN 100"
color = "#FFFACD"
description = "Firewall Outside"
Edge_Router;
FW_Primary [description = "Firewall\nPrimary"];
FW_Secondary [description = "Firewall\nSecondary"];
}
network FW_HA_Sync {
address = "VLAN 101"
color = "#F0FFF0"
description = "HA Sync Link"
FW_Primary;
FW_Secondary;
}
network FW_Inside {
address = "VLAN 102"
color = "#E0FFFF"
description = "To Internal Edge"
FW_Primary;
FW_Secondary;
}
}
@enduml
Key design principles:
- Redundant circuits from different providers
- Firewall high-availability pair
- Clear VLAN boundaries between trust zones
- L3 point-to-point links between routers and firewalls
Module 2: Internal Edge / DMZ Tier
For medium and large sites, the internal edge provides an aggregation tier for services that require controlled exposure or that act as transition points between security zones.
@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internet_Edge {
address = "VLAN 102"
color = "#E0FFFF"
description = "From Firewall Inside"
IntEdge_A [description = "Internal Edge\nSwitch A"];
IntEdge_B [description = "Internal Edge\nSwitch B"];
}
network MCLAG_Peer {
address = "Peer-Link"
color = "#DDA0DD"
description = "MCLAG/vPC Peer"
IntEdge_A;
IntEdge_B;
}
network WLC_Mgmt {
address = "VLAN 200 - 10.x.200.0/24"
color = "#FFE4B5"
description = "WLC Management"
IntEdge_A;
IntEdge_B;
WLC [description = "Wireless LAN\nController"];
}
network Proxy_Farm {
address = "VLAN 201 - 10.x.201.0/24"
color = "#FFDAB9"
description = "Proxy Services"
IntEdge_A;
IntEdge_B;
Proxy [description = "Web Proxy\nServers"];
}
network VPN_Services {
address = "VLAN 202 - 10.x.202.0/24"
color = "#E6E6FA"
description = "VPN Termination"
IntEdge_A;
IntEdge_B;
VPN [description = "VPN\nConcentrator"];
}
network Infrastructure {
address = "VLAN 204 - 10.x.204.0/24"
color = "#F0FFF0"
description = "Infrastructure Services"
IntEdge_A;
IntEdge_B;
DNS_DHCP [description = "DNS/DHCP\nServers"];
}
network To_Core {
address = "VLAN 205"
color = "#B0E0E6"
description = "Core Transit"
IntEdge_A;
IntEdge_B;
}
}
@enduml
Services at the internal edge:
- Wireless LAN controllers (WLC)
- Web proxies and content filters
- VPN concentrators
- DNS/DHCP infrastructure
- Load balancers
- Jump hosts / bastion servers
Module 3: Core Layer
The core is the high-speed backbone that connects all other modules. It should be optimized for:
- Maximum throughput
- Minimum latency
- High availability
- Simple, fast forwarding
@startuml Core Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internal_Edge {
address = "L3 Routed"
color = "#B0E0E6"
description = "From Internal Edge"
Core_A [description = "Core Switch A\n100G Backbone"];
Core_B [description = "Core Switch B\n100G Backbone"];
}
network Core_Interconnect {
address = "100G+ ISL"
color = "#FFB6C1"
description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"
Core_A;
Core_B;
}
network To_Distribution_1 {
address = "L3 P2P"
color = "#98FB98"
description = "Building A"
Core_A;
Core_B;
Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
}
network To_Distribution_2 {
address = "L3 P2P"
color = "#DDA0DD"
description = "Building B"
Core_A;
Core_B;
Dist_2 [description = "Distribution 2\n(MCLAG)"];
}
network To_Distribution_3 {
address = "L3 P2P"
color = "#FFDAB9"
description = "Building C"
Core_A;
Core_B;
Dist_3 [description = "Distribution 3\n(MCLAG)"];
}
network To_DC_Border {
address = "L3 Routed"
color = "#87CEEB"
description = "Datacenter"
Core_A;
Core_B;
Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
}
}
@enduml
Core design principles:
- No directly attached end-user devices
- L3 routing between core switches (no spanning tree)
- Equal-cost multipath (ECMP) load sharing
- Fast-converging routing protocols
Module 4: Distribution Layer
The distribution layer aggregates access switches and enforces policy. This is where network design choices vary the most, depending on site requirements.
Distribution Layer Variations
Variation 1: L3 Adjacent (Routed Access)
In this design, the distribution and access layers are L3 adjacent: each access switch owns its own IP subnets and routes directly to the distribution layer.
@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 ECMP"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(L3 Router)"];
Dist_B [description = "Distribution B\n(L3 Router)"];
}
network Dist_iBGP {
address = "iBGP Peering"
color = "#DDA0DD"
description = "ECMP/iBGP"
Dist_A;
Dist_B;
}
network P2P_Access_1 {
address = "10.x.2.0/30"
color = "#98FB98"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L3 Gateway)"];
}
network P2P_Access_2 {
address = "10.x.2.8/30"
color = "#FFE4B5"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_2 [description = "Access SW-2\n(L3 Gateway)"];
}
network P2P_Access_3 {
address = "10.x.2.16/30"
color = "#FFDAB9"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_3 [description = "Access SW-3\n(L3 Gateway)"];
}
network User_VLAN_1 {
address = "10.x.32.0/24"
color = "#F0FFF0"
description = "Users - SW1"
Access_1;
Laptop_1 [description = "Laptops"];
Phone_1 [description = "Phones"];
}
network User_VLAN_2 {
address = "10.x.33.0/24"
color = "#FFF0F5"
description = "Users - SW2"
Access_2;
Laptop_2 [description = "Laptops"];
Camera_2 [description = "Cameras"];
}
network User_VLAN_3 {
address = "10.x.34.0/24"
color = "#F5FFFA"
description = "Users - SW3"
Access_3;
Laptop_3 [description = "Workstations"];
Camera_3 [description = "Cameras"];
}
}
@enduml
Subnet allocation example:

| Link | Subnet |
|---|---|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-2 user VLAN | 10.x.33.0/24 |

Benefits:
- Broadcast domain isolation per access switch
- Simplified troubleshooting (faults are contained within a subnet)
- No spanning tree between distribution and access
- Route summarization is possible at the distribution layer
Considerations:
- Requires L3-capable access switches
- DHCP relay configuration on every access switch
- More complex IP address management
Variation 2: MCLAG with LACP Trunks
This design uses Multi-Chassis Link Aggregation (MCLAG) at the distribution layer, with LACP-bonded links carrying trunked VLANs down to the access switches.
Vendor terminology: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behaviour is similar across vendors.
@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 Routed Uplinks"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(MCLAG Member)"];
Dist_B [description = "Distribution B\n(MCLAG Member)"];
}
network MCLAG_Peer_Link {
address = "Peer-Link"
color = "#FFB6C1"
description = "MCLAG/vPC Peer-Link"
Dist_A;
Dist_B;
}
network LACP_To_Access {
address = "Po1 - LACP Trunk"
color = "#DDA0DD"
description = "VLANs 100,110,120 Trunked"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L2 Switch)"];
}
network Data_VLAN {
address = "VLAN 100 - 10.x.32.0/24"
color = "#98FB98"
description = "Data VLAN"
Access_1;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - 10.x.64.0/24"
color = "#FFE4B5"
description = "Voice VLAN"
Access_1;
Phones [description = "IP Phones"];
}
network Security_VLAN {
address = "VLAN 120 - 10.x.96.0/24"
color = "#FFDAB9"
description = "Security VLAN"
Access_1;
Cameras [description = "Cameras\nBadge Readers"];
}
}
@enduml
SVI placement (VRRP VIPs on the distribution pair):
- VLAN 100: 10.x.32.1/24
- VLAN 110: 10.x.64.1/24
- VLAN 120: 10.x.96.1/24
VLAN trunk configuration:

| Port-Channel | VLANs | Destination |
|---|---|---|
| Po1 (MCLAG) | 100,110,120 | Access-1 |
| Po2 (MCLAG) | 100,110,120,130 | Access-2 |
| Po3 (MCLAG) | 100,110 | Access-3 |
| Native VLAN | 999 (unused) | all trunks |

MCLAG benefits:
- Active-active forwarding (all uplinks are used)
- Sub-second failover
- A single logical switch from the access perspective
- No spanning-tree blocked ports
Considerations:
- VLANs span multiple access switches (larger broadcast domains)
- The MCLAG peer link can become a bottleneck
- STP is still required as a loop-prevention backstop
Variation 3: Border Leaf for a Spine/Leaf Datacenter
In a datacenter environment, the distribution layer becomes the border leaf, which connects the spine/leaf fabric to the rest of the enterprise network.
@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE
nwdiag {
network Enterprise_Core {
address = "L3 Routed (eBGP/OSPF)"
color = "#B0E0E6"
description = "From Enterprise Core"
Border_A [description = "Border Leaf A\nVXLAN Gateway"];
Border_B [description = "Border Leaf B\nVXLAN Gateway"];
}
network Border_EVPN {
address = "VXLAN EVPN"
color = "#DDA0DD"
description = "EVPN Type-5 Routes"
Border_A;
Border_B;
Spine_1 [description = "Spine 1"];
Spine_2 [description = "Spine 2"];
}
network Spine_Fabric {
address = "eBGP Underlay"
color = "#FFB6C1"
description = "Spine Layer"
Spine_1;
Spine_2;
}
network Leaf_Tier_1 {
address = "VTEP"
color = "#98FB98"
description = "Compute Rack 1"
Spine_1;
Spine_2;
Leaf_1 [description = "Leaf 1"];
Leaf_2 [description = "Leaf 2"];
}
network Leaf_Tier_2 {
address = "VTEP"
color = "#FFE4B5"
description = "Storage/Services"
Spine_1;
Spine_2;
Leaf_3 [description = "Leaf 3"];
Leaf_4 [description = "Leaf 4"];
}
network Server_Rack_1 {
address = "VNI 10001"
color = "#F0FFF0"
description = "Compute Servers"
Leaf_1;
Leaf_2;
Servers_1 [description = "Rack Servers\nVMs/Containers"];
}
network Storage_Network {
address = "VNI 10002"
color = "#FFDAB9"
description = "Storage Arrays"
Leaf_3;
Storage [description = "SAN/NAS\nStorage"];
}
network Voice_Services {
address = "VNI 10003"
color = "#E6E6FA"
description = "UC Systems"
Leaf_4;
PBX [description = "PBX/UC\nSystems"];
}
}
@enduml
Datacenter details:

| Component | Function |
|---|---|
| Underlay | eBGP (one ASN per switch) or OSPF |
| Overlay | VXLAN with EVPN control plane |
| Border Leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Workloads | Compute, storage, voice/UC, infrastructure |

Benefits:
- Massive horizontal scale (add leaf pairs as needed)
- Non-blocking fabric architecture
- Multi-tenancy through VRFs/VNIs
- Optimized for east-west traffic patterns
Considerations:
- Operational complexity of VXLAN/EVPN
- Specialized skills required
- Higher equipment cost
Module 5: Access Layer
The access layer is where end devices connect. Regardless of the distribution topology, access switches provide:
@startuml Access Layer Module
skinparam backgroundColor #FEFEFE
nwdiag {
network Distribution_Uplink {
address = "L3 or LACP Trunk"
color = "#B0E0E6"
description = "Uplinks to Distribution"
Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
}
network Data_VLAN {
address = "VLAN 100 - Ports 1-8, 25-32"
color = "#98FB98"
description = "Data VLAN"
Access_SW;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - Ports 9-16"
color = "#FFE4B5"
description = "Voice VLAN"
Access_SW;
Phones [description = "IP Phones"];
}
network Camera_VLAN {
address = "VLAN 120 - Ports 17-24"
color = "#FFDAB9"
description = "Security VLAN"
Access_SW;
Cameras [description = "IP Cameras"];
}
network Wireless_VLAN {
address = "VLAN 130 - Ports 33-40"
color = "#DDA0DD"
description = "Wireless AP VLAN"
Access_SW;
APs [description = "Wireless APs"];
}
network Mgmt_VLAN {
address = "VLAN 999 - Ports 41-44"
color = "#F0FFF0"
description = "Management VLAN"
Access_SW;
}
}
@enduml
Access layer security features:
- 802.1X / MAB authentication
- Dynamic VLAN assignment
- Port security
- DHCP snooping
- Dynamic ARP Inspection
- IP Source Guard
Complete Modular Topology
Here is how all the modules connect to form a complete enterprise network:
@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network
nwdiag {
internet [shape = cloud, description = "Internet/WAN"];
network Internet_Edge {
address = "Module 1"
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge Router"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
address = "Module 2"
color = "#E6E6FA"
description = "INTERNAL EDGE / DMZ MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS/DHCP"];
}
network Core {
address = "Module 3"
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Distribution_L3 {
address = "Variation 1"
color = "#98FB98"
description = "DIST - L3 Adjacent\n(Building A)"
Core_A;
Core_B;
Dist_1A [description = "Dist-1A"];
Dist_1B [description = "Dist-1B"];
Access_L3 [description = "Access\n(L3)"];
}
network Distribution_MCLAG {
address = "Variation 2"
color = "#DDA0DD"
description = "DIST - MCLAG\n(Building B)"
Core_A;
Core_B;
Dist_2A [description = "Dist-2A"];
Dist_2B [description = "Dist-2B"];
Access_L2 [description = "Access\n(L2)"];
}
network Datacenter {
address = "Variation 3"
color = "#FFE4B5"
description = "DATACENTER\n(Spine/Leaf)"
Core_A;
Core_B;
Border_Leaf [description = "Border\nLeaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers\nStorage\nPBX"];
}
network Campus_Users {
address = "End Devices"
color = "#F0FFF0"
description = "Campus Users"
Access_L3;
Access_L2;
Users [description = "Laptops\nPhones\nCameras"];
}
}
@enduml
IP Addressing Strategy with VRF Isolation
The Multi-Tier, Multi-VRF Challenge
When a network grows to include multiple security zones, business units, or compliance boundaries, VRFs (Virtual Routing and Forwarding instances) provide routing-table isolation. However, extending VRFs across multiple tiers adds complexity:
- Every L3 hop needs a transit subnet per VRF
- Sub-interfaces multiply configuration complexity
- Troubleshooting spans multiple routing tables
- Documentation must track VRF membership tier by tier
Subnet Schema Strategy
A well-designed subnet plan makes the pattern recognizable, which reduces cognitive load and configuration errors.
Example: Large Manufacturing Site (10.0.0.0/13)
Site allocation: 10.0.0.0/13 (Alpha manufacturing site) - 524,286 usable hosts
@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)
nwdiag {
network Corporate_VRF {
address = "VRF: CORPORATE\n10.0.0.0/17"
color = "#98FB98"
description = "Production Users"
Corp_Transit [description = "Transit\n10.0.0.0/23"];
Corp_Users [description = "Users\n10.0.32.0/19"];
Corp_Voice [description = "Voice\n10.0.64.0/19"];
Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
Corp_Server [description = "Servers\n10.0.112.0/20"];
}
network Guest_VRF {
address = "VRF: GUEST\n10.1.0.0/17"
color = "#FFE4B5"
description = "Visitor Network"
Guest_Transit [description = "Transit\n10.1.0.0/23"];
Guest_Users [description = "Users\n10.1.32.0/19"];
}
network Security_VRF {
address = "VRF: SECURITY\n10.2.0.0/17"
color = "#FFDAB9"
description = "Physical Security"
Sec_Transit [description = "Transit\n10.2.0.0/23"];
Sec_Camera [description = "Cameras\n10.2.32.0/19"];
Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
}
network IOT_VRF {
address = "VRF: IOT\n10.3.0.0/17"
color = "#E6E6FA"
description = "Manufacturing OT"
IOT_Transit [description = "Transit\n10.3.0.0/23"];
IOT_PLC [description = "PLCs\n10.3.32.0/19"];
IOT_HMI [description = "HMIs\n10.3.64.0/19"];
IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
}
}
@enduml
Transit segment details (10.0.0.0/23 - 510 usable IPs):

| Subnet | Link |
|---|---|
| 10.0.0.0/30 | FW-Inside → Internal-Edge-A |
| 10.0.0.4/30 | FW-Inside → Internal-Edge-B |
| 10.0.0.8/30 | Internal-Edge-A → Core-A |
| 10.0.0.12/30 | Internal-Edge-A → Core-B |
| 10.0.0.16/30 | Internal-Edge-B → Core-A |
| 10.0.0.20/30 | Internal-Edge-B → Core-B |
| 10.0.0.24/30 | Core-A → Dist-A |
| 10.0.0.28/30 | Core-A → Dist-B |
| 10.0.0.32/30 | Core-B → Dist-A |
| 10.0.0.36/30 | Core-B → Dist-B |
| 10.0.0.40/30 | Dist-A → Access-SW-1 |
| 10.0.0.44/30 | Dist-B → Access-SW-1 |

Note: /31 subnets (RFC 3021) can also be used for point-to-point links to conserve address space.
Pattern Recognition Benefits
When the subnet pattern is consistent across VRFs:

| What you know | What you can infer |
|---|---|
| The corporate transit link is 10.0.0.40/30 | The guest equivalent is 10.1.0.40/30 |
| Access-SW-5 users are on 10.0.36.0/24 | Security cameras on the same switch are on 10.2.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta is probably 10.8.0.0/13 |

This lets engineers:
- Predict IP addresses without consulting documentation
- Spot misconfigured subnets immediately
- Build automation templates that work across VRFs
- Train new staff on the pattern rather than on memorization
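As an added worked example (not part of the original article), the following Python script encodes the VRF schema from the diagram above and the transit table, and exercises the three inferences in the pattern-recognition table: it derives any site/VRF/segment prefix, translates a prefix into its parallel in another VRF, classifies a prefix so that a subnet outside the plan stands out, and checks the plan itself for overlapping allocations. The site-index convention (site n is the nth /13 above 10.0.0.0) and all function names are this example's own assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed from the schema on this page: a site is a /13, each VRF takes the
# first /17 of the nth /16 inside it, and segments sit at fixed /24 offsets
# inside that /17. VRF_INDEX and SEGMENTS mirror the diagram.
VRF_INDEX = {"CORPORATE": 0, "GUEST": 1, "SECURITY": 2, "IOT": 3}
# (segment, offset from the VRF base in /24 units, prefix length)
SEGMENTS = {
    "CORPORATE": [("transit", 0, 23), ("users", 32, 19), ("voice", 64, 19),
                  ("wireless", 96, 19), ("servers", 112, 20)],
    "GUEST": [("transit", 0, 23), ("users", 32, 19)],
    "SECURITY": [("transit", 0, 23), ("cameras", 32, 19),
                 ("badge", 64, 19), ("nvr", 96, 20)],
    "IOT": [("transit", 0, 23), ("plc", 32, 19), ("hmi", 64, 19),
            ("scada", 96, 20)],
}
SITE_BASE = int(ipaddress.ip_address("10.0.0.0"))


def site_block(site_index):
    """Site n is the nth /13 above 10.0.0.0 (Alpha = 0, Beta = 1 -> 10.8.0.0/13); an assumption."""
    return ipaddress.ip_network((SITE_BASE + site_index * 2**19, 13))

def vrf_block(site, vrf):
    """The VRF's /17: the first half of the nth /16 inside the site block."""
    return ipaddress.ip_network((int(site.network_address) + VRF_INDEX[vrf] * 2**16, 17))

def segment(site, vrf, name):
    """A named segment (transit, users, ...) of one VRF at this site."""
    base = int(vrf_block(site, vrf).network_address)
    for seg, offset, plen in SEGMENTS[vrf]:
        if seg == name:
            return ipaddress.ip_network((base + offset * 256, plen))
    raise KeyError(f"{vrf} has no segment {name!r}")

def transit_link(site, vrf, link_index):
    """The nth /30 of the VRF's transit /23 (index 10 -> 10.v.0.40/30, Dist-A to Access-SW-1)."""
    base = int(segment(site, vrf, "transit").network_address)
    return ipaddress.ip_network((base + link_index * 4, 30))

def translate(prefix, src_vrf, dst_vrf):
    """Infer the parallel prefix in another VRF: same offset and length, shifted by whole /16s."""
    net = ipaddress.ip_network(prefix)
    delta = (VRF_INDEX[dst_vrf] - VRF_INDEX[src_vrf]) * 2**16
    return ipaddress.ip_network((int(net.network_address) + delta, net.prefixlen))

def classify(site, prefix):
    """Return (vrf, segment) for a prefix that fits the plan; None flags a misconfigured subnet."""
    net = ipaddress.ip_network(prefix)
    for vrf, segs in SEGMENTS.items():
        for seg, _, _ in segs:
            if net.subnet_of(segment(site, vrf, seg)):
                return (vrf, seg)
    return None

def find_overlaps(site):
    """Pairs of segments in the same VRF whose ranges collide; empty for a valid plan."""
    bad = []
    for vrf, segs in SEGMENTS.items():
        nets = [(seg, segment(site, vrf, seg)) for seg, _, _ in segs]
        for (a, na), (b, nb) in combinations(nets, 2):
            if na.overlaps(nb):
                bad.append((vrf, a, b))
    return bad
```

Run against the schema exactly as drawn, `find_overlaps` reports that the CORPORATE wireless block 10.0.96.0/19 and the server block 10.0.112.0/20 collide, which is precisely the kind of plan error a schema check exists to catch before it reaches a template.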
Site Size Templates
Small Site Template (Branch Office)
@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)
nwdiag {
internet [shape = cloud];
network WAN {
color = "#FFE4E1"
description = "ISP/MPLS Circuit"
internet;
UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
}
network LAN {
address = "10.100.x.0/24"
color = "#98FB98"
description = "Single Subnet"
UTM;
Access [description = "Access Switch\n(or UTM ports)"];
}
network Endpoints {
color = "#F0FFF0"
description = "End Devices"
Access;
AP [description = "WiFi AP"];
Users [description = "Users"];
Phones [description = "Phones"];
}
}
@enduml
Small site design notes:
- Collapsed design: all functions in minimal hardware
- Subnet: a /24 or /23 per site
- Example: 10.100.1.0/24 (site 001)
Medium Site Template (Regional Office)
@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)
nwdiag {
internet [shape = cloud];
network WAN_Edge {
color = "#FFE4E1"
description = "Internet Edge"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B/MPLS"];
Edge_RTR [description = "Edge Router"];
}
network Firewall_Tier {
color = "#FFDAB9"
description = "Firewall HA Pair"
Edge_RTR;
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Distribution {
address = "10.50.x.0/21"
color = "#DDA0DD"
description = "MCLAG Distribution\n(Dist/Core Combined)"
FW_A;
FW_B;
Dist_A [description = "Dist-A"];
Dist_B [description = "Dist-B"];
}
network Access_Tier {
color = "#98FB98"
description = "Access Switches (LACP)"
Dist_A;
Dist_B;
Acc1 [description = "Acc1"];
Acc2 [description = "Acc2"];
Acc3 [description = "Acc3"];
Acc4 [description = "Acc4"];
Acc5 [description = "Acc5"];
}
network Users {
color = "#F0FFF0"
description = "End Devices"
Acc1;
Acc2;
Acc3;
Acc4;
Acc5;
Endpoints [description = "Laptops/Phones\nCameras/APs"];
}
}
@enduml
Medium site design notes:
- Partial pattern: separate edge and access tiers
- Subnet: a /21 per site (2,046 usable IPs)
- Example: 10.50.0.0/21 (site 05)
Large Site Template (Headquarters / Campus)
@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)
nwdiag {
internet [shape = cloud];
network Internet_Edge {
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge-RTR"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
color = "#E6E6FA"
description = "INTERNAL EDGE MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS"];
}
network Core {
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Dist_Var1 {
color = "#98FB98"
description = "L3 Adjacent"
Core_A;
Core_B;
Dist_1 [description = "Dist-1"];
Access_1 [description = "Access"];
}
network Dist_Var2 {
color = "#DDA0DD"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_2 [description = "Dist-2"];
Access_2 [description = "Access"];
}
network Dist_Var3 {
color = "#FFE4B5"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_3 [description = "Dist-3"];
Access_3 [description = "Access"];
}
network Datacenter {
color = "#87CEEB"
description = "SPINE/LEAF DC"
Core_A;
Core_B;
Border [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers"];
}
}
@enduml
Large site design notes:
- Full pattern: all tiers physically separated
- Subnet: a /13 to /15 per site (depending on VRF count)
- Example: 10.0.0.0/13 (headquarters) - 524,286 usable IPs
VRF and L3 Segmentation: Benefits and Complexity
Benefits of L3 Segmentation with Sub-interfaces
- Security isolation: traffic between VRFs must traverse a firewall or policy device
- Blast radius: a compromised segment cannot reach other VRFs directly
- Compliance boundaries: PCI, HIPAA, or OT networks live in separate routing domains
- Traffic engineering: different routing policies per VRF
The Complexity Trade-off
When segments must extend across multiple tiers, every L3 boundary adds configuration overhead:
@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR
nwdiag {
network Camera_Segment {
address = "VLAN 120\n10.2.36.0/24"
color = "#FFDAB9"
description = "VRF: SECURITY"
Camera [description = "Camera"];
Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
}
network Access_to_Dist {
address = "10.2.0.40/30"
color = "#DDA0DD"
description = "VRF: SECURITY"
Access_SW;
Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
}
network Dist_to_Core {
address = "10.2.0.24/30"
color = "#B0E0E6"
description = "VRF: SECURITY"
Distribution;
Core [description = "Core\nSub-int: 10.2.0.8/30"];
}
network Core_to_IntEdge {
address = "10.2.0.8/30"
color = "#E6E6FA"
description = "VRF: SECURITY"
Core;
Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
}
network IntEdge_to_FW {
address = "10.2.0.0/30"
color = "#FFE4E1"
description = "VRF: SECURITY"
Internal_Edge;
Firewall [description = "Firewall\nInter-VRF Policy"];
}
network DC_Path {
address = "VXLAN/EVPN"
color = "#87CEEB"
description = "Datacenter Fabric"
Firewall;
Border_Leaf [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
NVR [description = "NVR"];
}
}
@enduml
Configuration overhead:
- 5 sub-interfaces per VRF per path
- 4 VRFs × 5 sub-interfaces = 20 sub-interfaces per switch
- A routing protocol instance per VRF
- Route leaking or firewall rules for inter-VRF traffic
Mitigation Strategies
- Limit the VRF count: create VRFs only for genuine isolation requirements
- Centralize inter-VRF routing: a single firewall policy point rather than distributed enforcement
- Use VXLAN/EVPN: overlays reduce physical sub-interface sprawl
- Automate provisioning: templates ensure consistent configuration
- Document the pattern: once learned, the pattern is faster than lookups
Summary: Building Scalable Network Patterns
The goal of modular network design is to build repeatable patterns that can:

| Scale | Sites | Pattern | Subnet |
|---|---|---|---|
| Small | 10,000+ | Collapsed UTM + single switch | /24 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access | /21 per site |
| Large | 100+ | Full pattern, all tiers separate, spine/leaf datacenter | /13 to /15 per site |

Key Takeaways
- Modules create boundaries: each module has a defined purpose and interfaces
- Patterns enable scale: an identical design per site reduces training and errors
- VRFs provide isolation, but add configuration complexity at every tier
- The subnet plan matters: predictable addressing reduces cognitive load
- Distribution varies with need: L3 adjacent, MCLAG/LACP, or spine/leaf
- Right-size each site: do not over-engineer small sites
By establishing these patterns and applying them consistently, organizations can build networks that scale from a single branch office to a global enterprise while keeping operations simple and the security posture intact.
Article version 2.0 | Published 2026-02-02 | Updated with PlantUML nwdiag diagrams