Table of contents
Physical network connection diagram
The network is built on the premise that high availability (HA) is not required, so the proposed equipment for each module is as follows:
- Core/Distribution Block: 1 x switch with ports of at least 1 Gbps, operating at Layer 3.
- Access Layer Block: n x switches with downlink ports of at least 100 Mbps and 1 Gbps uplinks, operating at Layer 2.
- Server Farm Block:
Routing diagram
For a simple network that does not require high availability (HA), choosing static routing is perfectly acceptable.
- The Core Switch is responsible for routing between the user VLANs and the other modules. For routing details, refer to the diagram above.
- External Firewall: besides routing traffic to and from the Internet, this device is also configured for:
o Firewall: filtering packets passing between the zones: TRUSTED (also called INSIDE
Router(config-if)# encapsulation ppp
Router(config-if)# no cdp enable
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Disable unused and unnecessary services:
service tcp-small-servers
service udp-small-servers
ip bootp server
ip finger
service finger
service config
boot host
boot network
boot system
service pad
ip domain-lookup
ASA5510(config)# ip local pool VPN_IPPOOL_IT 192.168.50.21-192.168.50.254 mask 255.255.255.0
ASA5510(config)# group-policy VPN_IT internal
ASA5510(config)# group-policy VPN_IT attributes
ASA5510(config-vpn-att)# dns-server value 192.168.11.11 192.168.11.12
ASA5510(config-vpn-att)# vpn-filter value ACL_VPN_IT
ASA5510(config-vpn-att)# ip-comp enable
ASA5510(config-vpn-att)# split-tunnel-policy tunnelspecified
ASA5510(config-vpn-att)# split-tunnel-network-list value ACL_SPLIT_TUNNEL
ASA5510(config-vpn-att)# address-pools value VPN_IPPOOL_IT
!Configure the VPN tunnel-group
ASA5510(config)# tunnel-group TG_IT type remote-access
ASA5510(config)# tunnel-group TG_IT general-attributes
ASA5510(config-vpn-tunnel-ge)# address-pool VPN_IPPOOL_IT
ASA5510(config-vpn-tunnel-ge)# default-group-policy VPN_IT
ASA5510(config)# tunnel-group TG_IT ipsec-attributes
ASA5510(config-vpn-tunnel-att)# pre-shared-key <pre-shared-key>
!Create VPN user (the user is bound to the group-policy VPN_IT, not to the tunnel-group)
ASA5510(config)# username vpn-user1 password <password>
ASA5510(config)# username vpn-user1 attributes
ASA5510(config-user-att)# vpn-group-policy VPN_IT
ASA5510(config-user-att)# service-type remote-access
!Configure NAT to publish Web (TCP:80) and Mail (POP3) to the Internet
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 80 192.168.20.20 80 netmask 255.255.255.255
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 110 192.168.20.20 110 netmask 255.255.255.255
!Configure n-to-1 NAT (PAT) so that users can access the Internet
ASA5510(config)# global (UNTRUSTED) 1 interface
!Configure NAT exemption for traffic DMZ->TRUSTED, DMZ->VPN, TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list DMZ_nat0 remark NO NAT Traffic DMZ->VPN, DMZ->TRUSTED
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
!
ASA5510(config)# access-list TRUSTED_nat0 remark NO NAT Traffic TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
Power Supply: supplies power to the whole switch. Typically a chassis supports 2 to 3 power supplies, set up redundantly in case one power supply fails or one power grid has an outage. In practice the power supplies are usually connected to a UPS (Uninterruptible Power Supply) to provide temporary power to the switch when the main supply fails.
Example: Cisco Catalyst 6500 Series Chassis
Fan Tray: cools the whole switch. Typically a chassis has 1 or several fan trays with many fans, providing redundancy in case one fan fails.
Example: WS-C6509-E-FAN Catalyst 6500 Fan tray
http://www.cisco.com/image/jpg/en/us...186a0080843375
For details, see the following link:
http://www.cisco.com/en/US/products/...801af2c6.shtml
The IOS Universal Image concept
In the past, whenever one wanted to upgrade the feature set of a switch/router to support new features, the only way was to upgrade the IOS (for example from IP Base to Advanced IP Services). That meant copying the new IOS into the router's or switch's flash:, sometimes deleting the old IOS because there was not enough room to hold both, and then rebooting the router/switch on the new IOS. This seems very simple when done on a few devices, but imagine what happens when the number of devices to upgrade reaches hundreds or even thousands... clearly it demands a great deal of time and manpower. Therefore, in later versions (from IOS version 15.0 onward), Cisco packages all features into a single IOS image called the Universal IOS Image, with the IP Base features activated by default; when the customer needs additional features (for example IPSEC VPN), they only need to install the Advanced Security license to activate the features of the Advanced Security feature set.
http://www.cisco.com/en/US/i/200001-...000/202464.jpg
Example of Universal Image Components
See also the following link:
http://www.cisco.com/en/US/docs/ios/..._overview.html
Today I would like to introduce a method for designing a fully redundant LAN for an SMB based on STP.
However, the STP-based design has been around for a very long time and, with its inherent limitations, no longer meets today's stringent requirements; it will be replaced by newer technologies (to be covered in the article "Full redundancy using Virtualized Switches, eliminating STP").
In principle, the overall design of a fully redundant LAN includes the same modules as the non-redundant LAN design. The difference is that the modules themselves are designed redundantly, and the links between modules are also redundant, to ensure High Availability (HA) of the network. The main features used in this design are Spanning Tree Protocol (STP) at Layer 2 and dynamic routing at Layer 3. Details are given below:
The network is designed on the principle of modularizing its components. Modular design has the following notable characteristics:
- STP at Layer 2 and dynamic routing at Layer 3 provide HA.
- Simple and clear.
- The network can be expanded easily.
- The function of each module is clearly separated, which gives enough information to choose the right network device for each module:
- Core/Distribution Block: the central module of the network, responsible for interconnecting all the other modules. It follows that the priority when choosing devices for this layer is the fastest ports possible.
- Access Layer Block: the module that provides connectivity to end users. The priority when choosing devices for this module is many downlink ports for users, high-speed uplinks to the Core/Distribution module, and the best price per downlink port. Typically, devices in this module need only support Layer 2 features.
- Server Farm Block: the module that provides connectivity for the servers delivering internal services, e.g. AD, DNS, DHCP, File, Application, Database. Devices chosen for this layer need downlink ports of at least 1 Gbps and operate at Layer 2.
- WAN Block: the module that provides connectivity to other branches. Typically, devices in this module need to support:
o WAN interfaces: Serial, FTTH, ADSL, ...
o Features: dynamic routing, hardware VPN encryption (VPN supported in hardware).
- Internet Access Block: the outermost module of the network, providing Internet connectivity for internal users. Typically, devices chosen for this module need to support:
o Routing.
o NAT/PAT.
o Firewall.
o Remote Access VPN.
- DMZ Block: the module connected directly to the Internet Access Block. Its functions:
o Providing services to the Internet: Mail, Web.
Physical network connection diagram
Internal FW.
- 2 x switches with 1 Gbps downlink/uplink ports, operating at Layer 2. Servers with 2 NIC ports are physically connected to the 2 Server Switches as in the diagram and configured with NIC Teaming, so that if one Server Switch fails, traffic is automatically moved to the remaining Server Switch.
WAN Block:
- 2 x routers with the corresponding LAN/WAN ports. To ensure HA, the 2 routers should be connected to 2 different ISPs, and, importantly, the 2 ISPs should be asked to use 2 physically separate paths (e.g. not sharing the same pole or the same ODF; in practice this is very hard to obtain).
- 2 x WAN switches of at least 100 Mbps, operating at Layer 2. These 2 WAN switches provide pure Layer 2 connectivity and are connected as in the diagram (they can be shared with the DMZ switches by carving out a separate VLAN on the DMZ switches dedicated to the WAN routers).
DMZ Block, Internet Access Block:
- 2 x switches of at least 100 Mbps, operating at Layer 2.
- 2 x firewalls supporting IPSEC VPN or SSL VPN (if required). As with the Internal FW, the 2 External FWs are also configured in cluster mode. To keep the design simple, and because the Internet connection bandwidth is usually modest, the 2 External FWs are designed as Firewall on a Stick. One port connecting the 2 FWs is used for heartbeat traffic, and the 2 remaining ports are connected to each Core/Dist switch as in the diagram above; if Cisco ASA5500s are used, these 2 ports are configured as a Redundant Interface (one port Active, the other Standby within the Redundant Interface). On this Redundant Interface, 3 subinterfaces are configured: TRUSTED (facing the LAN), UNTRUSTED (facing the Internet) and DMZ.
- 2 x routers with the corresponding LAN/WAN ports. Details are given in the logical connection diagram below.
Logical network connection diagram
Routing diagram
Hello everyone.
It is the end of the year and things are very busy, but I am taking the chance to write the "configuration template" for the "Fully redundant LAN infrastructure design using STP" part.
Basically, this configuration differs from the configuration template for the "Non-redundant LAN infrastructure design" part in the following points:
- OSPF is used for routing.
- HSRP is configured on the Core/Dist switches to provide HA for users on the Access Layer switches.
- Failover is configured for the Internal Firewall (ASA5550) and the External Firewall (ASA5510).
- Redundant Interfaces are configured for the Internal and External FWs.
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Configure LAN interface
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Configure VTI IPSEC VPN Site-to-Site
!Configure VPN Policy Phase 1 (ISAKMP)
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Router(config)# crypto isakmp key <secret-key> address <IP-Address> <SubnetMask>
Router(config)# crypto isakmp keepalive 10
!Configure VPN Policy Phase 2 (IPSEC)
Router(config)# crypto ipsec transform-set TRAN_TEST esp-3des esp-sha-hmac
Router(config)# crypto ipsec profile VTI
Router(config-vti)# set transform-set TRAN_TEST
!Configure the VTI interface and apply the IPSEC profile
!(tunnel source/destination take an interface or address only, no mask; VTI needs tunnel mode ipsec ipv4)
Router(config)# interface tunnel 0
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# tunnel source <WAN-Interface>
Router(config-if)# tunnel destination <Peer-WAN-IP>
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VTI
!Configure OSPF Routing
Router(config)# router ospf 1
Router(config-router)# router-id <x.x.x.x>
Router(config-router)# network <x.x.x.x> <y.y.y.y> area 0
Router(config-router)# network <x.x.x.x> <y.y.y.y> area <n>
Router(config-router)# area <n> stub no-summary
Router(config-router)# area <n> range <ip-subnet> <subnet-mask>
Router(config-router)# auto-cost reference-bandwidth 10000
!
Router(config)# interface Fa x/y
Router(config-if)# description connect to peer WAN Router
Router(config-if)# ip ospf authentication message-digest
!Disable unused and unnecessary services:
service tcp-small-servers
service udp-small-servers
ip bootp server
ip finger
service finger
service config
boot host
boot network
boot system
service pad
ip domain-lookup
!Configure n-to-1 NAT (PAT) so that users can access the Internet
ASA5510(config)# global (UNTRUSTED) 1 interface
!Configure NAT exemption for traffic DMZ->TRUSTED, DMZ->VPN, TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list DMZ_nat0 remark NO NAT Traffic DMZ->VPN, DMZ->TRUSTED
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
!
ASA5510(config)# access-list TRUSTED_nat0 remark NO NAT Traffic TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
ASA5510(config)# nat (DMZ) 0 access-list DMZ_nat0
ASA5510(config)# nat (TRUSTED) 0 access-list TRUSTED_nat0
!Configure Firewall Policy
!Configure ACLs
ASA5510(config)# access-list TRUSTED_IN remark Permit traffic from Internal Network access Internet
ASA5510(config)# access-list TRUSTED_IN extended permit ip any any
!
ASA5510(config)# access-list DMZ_IN remark Permit Servers from DMZ zone to access Internet and Internal IP Address 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended permit ip any host 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0 log
ASA5510(config)# access-list DMZ_IN extended permit ip any any
!
ASA5510(config)# access-list UNTRUSTED_IN remark Permit Some traffic (mail,web) access to DMZ Zone from Internet
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 80
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 110
!Apply ACLs to interfaces (the direction keyword is required)
ASA5510(config)# access-group TRUSTED_IN in interface TRUSTED
ASA5510(config)# access-group DMZ_IN in interface DMZ
ASA5510(config)# access-group UNTRUSTED_IN in interface UNTRUSTED
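As an added example (not part of the original template or of any Cisco tool), a small Python cross-reference check of the kind a reviewer would run over an ASA configuration of this shape before pushing it: it reports names that are referenced but never defined (ACLs, address pools, group-policies), ACLs that are defined but never applied, and access-group lines without the in/out direction. The configuration embedded in it is constructed to mirror the template above, with three defects left in on purpose so the output is not empty.

```python
import re
from collections import defaultdict

# Constructed ASA (pre-8.3 syntax) excerpt modelled on the template above. Three defects are
# left in on purpose: vpn-filter names an ACL that is never defined, the user is bound to the
# tunnel-group name instead of a group-policy, and one access-group lacks its direction.
SAMPLE_CONFIG = """\
ip local pool VPN_IPPOOL_IT 192.168.50.21-192.168.50.254 mask 255.255.255.0
group-policy VPN_IT internal
group-policy VPN_IT attributes
 vpn-filter value ACL_VPN_IT
 address-pools value VPN_IPPOOL_IT
username vpn-user1 attributes
 vpn-group-policy TG_IT
access-list TRUSTED_IN extended permit ip any any
access-list DMZ_IN extended permit ip any host 192.168.11.11
access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 80
access-group TRUSTED_IN in interface TRUSTED
access-group DMZ_IN interface DMZ
access-group UNTRUSTED_IN in interface UNTRUSTED
"""

# Where each kind of object is defined, and the commands that reference one by name.
DEFINITIONS = {
    "acl": re.compile(r"^access-list (\S+) "),
    "pool": re.compile(r"^ip local pool (\S+) "),
    "group-policy": re.compile(r"^group-policy (\S+) internal"),
}
REFERENCES = {
    "acl": re.compile(r"^\s*(?:access-group|vpn-filter value|split-tunnel-network-list value"
                      r"|nat \(\S+\) 0 access-list) (\S+)"),
    "pool": re.compile(r"^\s*(?:address-pools? value|address-pool) (\S+)"),
    "group-policy": re.compile(r"^\s*(?:default-group-policy|vpn-group-policy) (\S+)"),
}
ACCESS_GROUP = re.compile(r"^access-group \S+ (?:in|out) interface \S+$")

def check_references(config):
    """Return ({kind: [names referenced but never defined]}, [ACLs defined but never used])."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        for kind, rx in DEFINITIONS.items():
            if m := rx.match(line):
                defined[kind].add(m.group(1))
        for kind, rx in REFERENCES.items():
            if m := rx.match(line):
                referenced[kind].add(m.group(1))
    dangling = {k: sorted(referenced[k] - defined[k])
                for k in REFERENCES if referenced[k] - defined[k]}
    return dangling, sorted(defined["acl"] - referenced["acl"])

def malformed_access_groups(config):
    """access-group lines missing the in/out direction that the ASA syntax requires."""
    return [l.strip() for l in config.splitlines()
            if l.startswith("access-group ") and not ACCESS_GROUP.match(l.strip())]
```

Run `check_references(SAMPLE_CONFIG)` and `malformed_access_groups(SAMPLE_CONFIG)` against a `show running-config` dump saved to a file; the same regexes apply to the `TRUSTED_nat0`/`DMZ_nat0` exemption ACLs above through the `nat (...) 0 access-list` reference.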
Physical network connection diagram
Logical network connection diagram
There is no loop in the Stack-based design; however, one still needs to configure
The traffic flow when a user accesses the Internet is exactly the same as in the fully redundant STP-based design. The difference here is that the bandwidth of the link between the FW and the Core/Dist is doubled and the network recovers faster (on the order of ms).
With Cisco ASA5500 firewalls, when the 2 FWs are configured as a cluster they operate logically as one FW, and the 2 physical ports from each FW to the 2 Core/Dist switches are configured in channel mode using LACP (both ports in Active mode). Since we need to separate 3 zones (TRUSTED, DMZ and UNTRUSTED), 3 subinterfaces are configured on the channel interface, with VLANs belonging to TRUSTED, DMZ and UNTRUSTED respectively, as in the diagram above.
The diagram shows an example of the traffic flow when users want to access the Internet:
Example: Traffic flow from USERS to INTERNET:
Users ==(user vlan)==> Access Switch ==(trunking)==> Core Switch ====(trusted vlan)====> External Firewall ==(untrusted vlan)==> Core Switch ==(untrusted vlan)==> External Switch ==(untrusted vlan)==> Router ====> INTERNET.
Routing diagram
Regarding routing in this design, the only difference from the previous design is that OSPF is no longer needed on the 2 Core/Dist switches; instead, OSPF is configured on a single switch stack, which greatly simplifies configuration, optimization and troubleshooting.
Suppose this is the company headquarters. OSPF is used and designed as in the diagram above:
2. Comment from dante04:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188186#post188186
Let me ask a small question: for the Internal Firewall, why choose a higher ASA model than for the internet firewall? I think the internet firewall carries more traffic than the internal firewall, since it has both VPN and internet traffic.
Response:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188210#post188210
Hello,
The main reason is that the Internal FW has to protect the application servers in the internal network; normally, access from internal users to these servers goes over high-speed LAN links (1 Gbps or more). Therefore, if the FW is not strong enough it becomes a bottleneck when users access these applications.
With the Internet FW, since Internet link speeds are usually not high (a few Mbps to a few tens of Mbps), the FW does not need to be as powerful as the Internal FW. However, other parameters need attention when choosing the Internet FW, such as max concurrent connections, connections per second, VPN throughput, and additional Anti-x support (anti-virus, spyware, ...).
3. Comment from homeless (personally I find it very good)
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=192864#post192864
Is it really as good as everyone says? The articles take a practical direction, but I find some things not quite satisfactory. Take the last article, HA + No STP, for example:
1/ Looking at the physical topology there are 2 WAN switches + 2 External Switches and 2 switches in the server farm. Are 2 WAN switches really needed in practice? How many branch offices does an SMB have? Say 5 remote offices; then we need 2x5 (to WAN router links) + 2 uplinks to cores = 12 ports. If 2 x 24-port switches are used as WAN switches, we have 36 spare ports. A bit wasteful. Why not connect into the core switches or the external ones?
2/ For an SMB, is using 4 firewalls overkill? Would using virtual contexts be better?
3/ After using stacking (virtual switch), all links between the "Blocks" are single links (EtherChannel) with no alternative link, so is running OSPF really the best choice?
4/ For an SMB, the likelihood of using VoIP is high. Should the access switches support PoE?
5/ Looking at the physical diagram, we need (e.g. 5 remote offices for the SMB) 12 ports for remote offices + 8 ports for 2 ASAs (using virtual contexts) + 10 ports for 5 access switches + 4 ports for internet routers = 34 ports, leaving 14 ports for servers. With VM technology, you can have 100+ servers on these 14 ports. So is using just 2 x 3750s adequate? (With stacking you can always add a 3rd switch and stack it into the core, so scalability is still assured.)
Is the 3-layer Core/Dist/Access model still appropriate when VM/cloud is growing so strongly? HP has a 2-layer model and some other vendors have a 1-layer model. Worth reading for reference.
Just a few thoughts; everyone, feel free to weigh in.
Taolao
Response: no response from Mr.Binhhd seen yet.