企业网络解决方案

1八：企业网络解决方案中小型企业网络解决方案3适合24用户采用24口交换机构建一个一级的小型局域网。主服务器与交换机，之间的链路数据流量较大，因此它采用2个100M高速交换端口连接服务器，以免形成传输瓶颈。24个10M交换端口最多可连接24个桌面用户。此外，它还通过10M接口连接共享网络打印机，普通打印机也可以通过打印服务器的方式共享。该方案的安全措施可采用路由器内置的软件防火墙，它使路由器在承担远程连接的同时实施数据包检验和过滤，防止非法用户侵入到内部局域网中。4中型企业网络解决方案5方案引入了二级联网的方式，骨干层交换机采用了1000M高速交换端口与服务器连接，以满足大容量数据的传输需求。接入层交换机以10/100M自适应交换端口连接桌面用户。这样便很容易扩充桌面用户数。骨干交换机和接入交换机的连接则采用了快速以太网通道（FEC）技术，有效地扩展了网络的带宽。这项技术能够把2-4个物理链路聚合在一起，在全双工工作模式下达到400M-800M的带宽。安全措施：可采用路由器内置的软件防火墙，也可以采用功能更强大的专用防火墙，根据企业对安全性的要求级别来决定。6RedundantUplinksRedundantUplinks大型企业网络解决方案7采用三级模式：接入层、汇接层、核心层。接入层交换机是面向桌面用户。汇接层交换机是多台接入层交换机的集合点，汇接层交换机一般能够通过路由处理器进行三层交换。如Catalyst5000系列交换机。接入层交换机到汇接层交换机采用双冗余连接。核心层交换机完成整个网络数据快速交换。核心层可采用双核心的冗余连接。8VLAN介绍9EthernetBroadcastDomainInaflatnetwork,everydeviceseeseverytransmittedpacket10VLANsAVLANisabroadcastdomain11VLANsEngineeringVLANMarketingVLANSalesVLANFloor#1Floor#2Floor#3PhysicalLayerLANSwitchHumanLayerNetworkLayer192.20.24.0RoutingFunctionInterconnectsVLANs192.20.21.0192.30.20.0Data-LinkLayerBroadcastDomains12VLANsEstablishBroadcastDomainsBroadcastDomain1BroadcastDomain213ScalingtheSwitchBlockwithVLANs34125678910DecisionsincludehowmanyVLANsexistinaswitchblockandwherethesedevicesareplaced.ServerBlockCore14Layer2End-to-EndVLANDistributionLayerCoreLayerFastorGigabitEthernetWiringClosetFastEthernetFastEthernetWorkgroupServersSwitchedEthernetEnterpriseServersInter-VLANRouting15LocalVLANsSTPBlockedLinksSTPBlockedLinksRedundantUplinksRedundantUplinksRedundantUplinksHSRPPeersHSRPPeers16EstablishingVLANMembershipPort-BasedVLAN1VLAN2VLAN3MACAddressesMACAddressesVLAN2MAC-BasedVLAN1MACAddress-Driven(Layer2)Port-DrivenStaticDynamic17MembershipbyPortMaximizesForwardingPerformanceVLAN2VLAN1VLAN318VLAN的特征一个vlan中的所有设备处于同一个广播域一个VLAN是一个逻辑的子网或由定义的成员所组成的一个网络段,VLAN之间通信必须要进行路由VLAN的成员通常是基于交换机的端口号,但也可基于设备的MAC地址而动态设置.19VLAN解决的问题有效的带宽利用增强了安全性,VLAN间通信,可利用路由器的安全和过虑功能负载均衡多条路径,可利用路由协议进行负载均衡.20LinkTypes接入链路AccessLinksAnaccesslinkisalinkthatisamemberofonlyoneVLAN21LinkTypes(Cont.)干道链路TrunkLinksAtrunklinkiscapableofcarryingmultipleVLANs22VLANFrameIdentificationSpecificallydevelopedformulti-VLAN,inter-switchcommunicationsPlacesauniqueidentifierintheheaderofeachframe,functionsatLayer2VLANidentificationoptions:CiscoISLIEEE802.1QVLAN1VLAN1VLAN2VLAN2VLAN3VLAN3BackboneVLAN1VLAN2VLAN323VLANIdentificationUsingISLTrunkLinkVLAN100VLAN200(PortC)VLAN200(PortA)TrunkLinksVLAN200(AccessLink)XZYWTrunkLinkTrunkLinkFrame12Frame3VLAN200(PortB)ISLmaintainsVLANinformationasframestravelbetweenswitchesontrunklinksYFrameISL24VLANIdentificationUsingIEEE802.1Q2-bytetagprotocolidentifier(TPID)Afixedvalueof0x8100.ThisTPIDvalueindicatesthattheframecarriesthe802.1Q/802.1ptaginformation.2-bytetagcontrolinformation(TCI)InitialMACAddressInitialType/DataNewCRC2-ByteTPID2-ByteTCI25ConfiguringTrunkingSwitch(config-if)#trunk[on|off|desirable|auto|nonegotiate]Catalyst1900Catalyst2900Switch(config-if)#switchportmodetrunkSwitch(config-if)#switchporttrunkencapsulation{isl|dot1q}Catalyst5500Switch(enable)settrunkmod/port[on|off|desirable|auto|nonegotiate][range][isl|dot1q|dot10|lane|negotiate]26AddingaVLANSwitch(config)#vlanvlan#[namevlan-name]Catalyst1900Catalyst2900Switch#vlandatabaseSwitch(vlan)#vlanvlan#[namevlan-name]Catalyst5500Switch(enable)setvlanvlan#[namevlan-name]27AssigningSwitchPortstoaVLANSwitch(config-if)#vlan-membership{staticvlan#|dynamic}Catalyst1900Catalyst2900Switch(config-if)#switchportaccessvlanvlan#Catalyst5500Switch(enable)setvlanvlan#mod/port_list28VerifyingaTrunkCatalyst2900Switch#showinterfaceinterfaceswitchportSwitch#showtrunk[A|B]Catalyst1900Switch(enable)showtrunk[mod/port]Catalyst550029VerifyingaVLAN/VLANMembershipCatalyst2900Switch#showvlan[vlan#]Switch#showvlanbriefSwitch#showvlan[vlan#]Swotch#showvlan-membershipCatalyst1900Switch(enable)showvlanCatalyst550030VLAN的路由31Problem:IsolatedBroadcastDomainsVLAN10VLAN20172.16.20.4VLAN30Becauseoftheirnature,VLANsinhibitcommunicationbetweenVLANs.32Solution:RoutingBetweenVLANsVLAN10VLAN20172.16.20.4VLAN30CommunicationsbetweenVLANsrequirearoutingprocessor33Problem:FindingtheRouteVLAN10Network172.16.10.0172.16.10.3VLAN20Network172.16.20.0172.16.20.4Ineedtosendthispacketto172.16.20.4.Thataddressisnotonmylocalsegment.Wherecanend-userstationssendnonlocalpackets?34Solution:DefiningaDefaultGatewayVLAN10Network172.16.10.0172.16.10.3VLAN20Network172.16.20.0172.16.20.4Iknowwherenetwork172.16.20.0is!End-userstationssendnonlocalpacketstoadefaultrouterIwillsendthepackettomydefaultrouter.35VLAN20VLAN10Problem:SupportingMultipleVLANTrafficVLAN30Ihavethreedistinctstreamsoftrafficdestinedforthesameplace!??FileServerA172.16.3.127IneedinformationfromFileServerA.IneedinformationfromFileServerA.IneedinformationfromFileServerA.MultipleVLANsinterfacingwithasinglerouteprocessorrequiremultipleconnectionsorVLANtrunking??36VLAN60VLAN10VLAN30VLAN20Solution:MultipleLinksTheroutercansupportaseparateinterfaceforeachVLAN37Solution:Inter-SwitchLinkTheroutercansupportasingleISLlinkformultipleVLANsVLAN10VLAN30VLAN20Eth3/