Network Design
Objectives
Upon completion of this section, you will be able to:
- Understand common network types
- Understand each layer of the network design
- Understand common products and technologies
- Be familiar with advantages and disadvantages of common protocols

Contents
1. Overview
2. Physical Network Design
3. Logical Network Design
4. Other Network Technologies
5. Overall Technological Solution
Copyright © 2017 Huawei Technologies Co., Ltd. All rights reserved. Page 2
Network Design Overview
Physical network design:
Manageability: SNMP, NETCONF, SDN, GUI, and NMS

Network Design Content
Typical Architecture of a Small-Scale Network
Characteristics:
- Not hierarchical
- Simple requirements
(Figure: Marketing Dept, R&D Dept, Service Dept)

Typical Architecture of a Medium-Scale Network
Characteristics:
- Multiple functional areas
- Preliminary hierarchical architecture
(Figure: Server area)
Common Network Topologies

Hierarchical Network - Two-Layer Architecture
(Figure: Access layer)
Network Device Classification

Architectures of Switches
(Figure: CPU, memory, switch fabric)
Switch Selection
- Port density: number of ports provided by the switch
- Port rate: 100 Mbit/s, 1 Gbit/s, and 10 Gbit/s
- Switching capacity: maximum throughput of the switching matrix or data bus
- Packet forwarding rate: actual packet forwarding capability of the switch

S3700: Layer 3 FE switch
This switch series provides 24 or 48 10M/100M self-adaptive access ports, as well as two GE uplink ports.
S5700: Layer 3 GE switch
This switch series provides 24 or 48 10M/100M/1000M self-adaptive access ports, as well as four GE/10GE uplink ports.
S6700: Layer 3 10GE switch
This switch series provides 24 or 48 10GE SFP+ optical ports.
Huawei Modular Switches
S7700:
Three models of this series provide 3, 6, or 12 slots for 100M/1G/10G/40G interface cards.
MPUs, power supplies, and fans use redundancy design, and all modules are hot swappable.
A single chassis supports a maximum of 480 10GE ports.
Provides rich features such as MPLS VPN, traffic analysis, QoS, and multicast.
Provides modules such as the firewall, intrusion detection, and wireless control.
Supports cluster switch system (CSS) technology.
A single chassis provides a maximum of 576 10GE ports and 96 40GE ports, which support line rate forwarding.

Key Points for Router Selection
Type: fixed/modular/cluster-based
Port density: Number of ports supported by a single router
AR2200:
Multi-core CPU, non-blocking switching architecture
Four SIC slots, two WSIC slots, and two XSIC slots
Integration of services such as the routing, switching, 3G/LTE, WLAN, and security
Well-designed QoS mechanism, hot swappable LPUs
AR3200:
Separated forwarding and control planes, 1:1 redundancy for MPUs
Four SIC slots, two WSIC slots, and four XSIC slots
Integration of services such as the routing, switching, 3G/LTE, WLAN, and security
Well-designed QoS mechanism, hot swappable LPUs

NE20E-S:
• NP architecture
• Dual-engine
• 2/4/8 service card slots
• Multi-service support
• Five-level HQoS
• ISSU, NSR, and FRR support
NE40E:
• NP/CLOS architecture
• Dual-engine
• 3/8/16 service card slots
• Multi-service support
• HQoS and MPLS-TS
• ISSU, NSR, and FRR support
NE5000E:
• Non-blocking CLOS architecture
• Multiple cluster modes: Back-to-back, 2+8, and 16+64
• 1GE to 100GE Ethernet
• 155 Mbit/s to 40 Gbit/s POS
• Bandwidth per slot: 480 Gbit/s
Product Documentation
Huawei Enterprise Network Products
http://e.huawei.com/en/allproduct
Huawei Routers
http://e.huawei.com/en/products/enterprise-networking/routers
Huawei Switches
http://e.huawei.com/en/products/enterprise-networking/switches
Huawei Security Products
http://e.huawei.com/en/products/enterprise-networking/security

Case: Campus Network Device Selection
A university plans to deploy a network for dormitories. There are eight dormitory buildings, each of which has six floors. One floor has four units, and each unit has five dormitory rooms with six students in each.
How to select access devices for the dormitories
How to select aggregation devices for the dormitories
Structural Cabling in a Building
Cabling subsystem in a building:
Horizontal subsystem: from information panels to equipment rooms in the floor (using twisted pairs)

Data Center Cabling Structure

(Figure: Twisted pair test, Optical fiber test, Coaxial cable connection, Coaxial cable loop test)
Contents
2. Physical Network Design
Typical Topology
Device Selection
Media Selection

Device Identifier
Unique identifier of a device on a network
Physical label and logical device name
Unified rule and naming
Content:
Network ID
Device installation position
Device role
Device model
Logical number

<Huawei>system-view
Enter system view, return user view with Ctrl+Z.
[Huawei]sysname HQ-CS-HW-S7706-1
LAN Selection
LAN: Ethernet switch + twisted pair + optical fiber
STP Protocol
STP/RSTP/MSTP:
- STP: basic version.
- RSTP: convergence speed improved.
- MSTP: concepts of region and instance introduced.
Compatibility:
- Downward compatible.
- RSTP: enables STP for ports that receive STP BPDUs.
- MSTP: Switches running RSTP work in different regions.

STP Settings
Default Configuration:
- Huawei switches use the MSTP protocol.
- One switch belongs to one region.
- All VLANs are mapped to instance 0.
- Port blocking is not applicable.
MSTP Design:
- Region definition.
- Revision version definition.
- Instance definition.
- VLAN mapping definition.
- Port blocking is applicable.
Key points:
- Positions of the root bridge and blocked port
- The core switch can serve as the root bridge.
- Switches at the same position cannot be blocked.
Adjustment methods: BID priority, cost ...
Layer 2 Network Security Design
Layer 2 Attack Type | Layer 2 Protection Mechanism
DoS attacks on devices | Switch CPU defense
Traffic overload | Traffic suppression and storm control
MAC address spoofing | Port security
DHCP attack | DHCP snooping
ARP attack | Rate limit, solidification, isolation, and DAI

Case Study
On a campus network, access switches and aggregation switches are connected at Layer 2. User gateways are deployed on aggregation switches. The aggregation and core switches are connected at Layer 3. To isolate broadcast domains, design a VLAN assignment solution for the Layer 2 network.
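To make the table concrete, the following is an added example (not Huawei's code) that models how three of the listed mechanisms decide per frame on an access switch: port security limits MACs per untrusted port, DHCP snooping accepts server replies only on trusted ports and builds a binding table from ACKs, and DAI drops ARP on untrusted ports whose sender does not match a binding. Port names, MAC addresses and the replayed frames are constructed; the gateway address 10.11.11.1 is taken from the IP allocation table later in this deck.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    """A simplified frame as seen by an access switch (constructed sample)."""
    port: str            # ingress port; the GE0/0/x names are an assumption
    kind: str            # "dhcp_discover", "dhcp_ack" or "arp"
    src_mac: str
    vlan: int = 10
    src_ip: str = ""     # ARP sender IP
    chaddr: str = ""     # DHCP ACK: client MAC the lease is for
    yiaddr: str = ""     # DHCP ACK: IP address assigned to that client


@dataclass
class AccessSwitch:
    """Models three protections from the table: port security (MAC limit per
    untrusted port), DHCP snooping (server replies only from trusted ports,
    binding table built from ACKs) and DAI (ARP sender must match a binding)."""
    trusted: set                                   # uplink ports toward the real DHCP server
    max_macs: int = 1
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, port)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port that sent DISCOVER
    learned: dict = field(default_factory=dict)    # port -> set of MACs
    log: list = field(default_factory=list)

    def _drop(self, frame, reason):
        self.log.append(f"drop {frame.kind} on {frame.port}: {reason}")
        return "drop"

    def ingress(self, frame):
        untrusted = frame.port not in self.trusted
        macs = self.learned.setdefault(frame.port, set())
        if untrusted and frame.src_mac not in macs and len(macs) >= self.max_macs:
            return self._drop(frame, "port security: MAC limit reached")
        macs.add(frame.src_mac)
        if frame.kind == "dhcp_discover":
            self.pending[(frame.vlan, frame.src_mac)] = frame.port
            return "forward"
        if frame.kind == "dhcp_ack":
            if untrusted:
                return self._drop(frame, "DHCP snooping: server reply on untrusted port")
            client_port = self.pending.pop((frame.vlan, frame.chaddr), None)
            if client_port is None:
                return self._drop(frame, "DHCP snooping: ACK without a matching request")
            self.bindings[(frame.vlan, frame.chaddr)] = (frame.yiaddr, client_port)
            return "forward"
        if frame.kind == "arp" and untrusted:
            if self.bindings.get((frame.vlan, frame.src_mac)) != (frame.src_ip, frame.port):
                return self._drop(frame, "DAI: ARP sender IP/MAC/port not in binding table")
        return "forward"


def run_sample():
    """Replay a constructed sequence; 10.11.11.1 is the gateway from the page's table."""
    sw = AccessSwitch(trusted={"GE0/0/24"})
    frames = [
        Frame("GE0/0/1", "dhcp_discover", "aa:aa:aa:aa:aa:01"),
        Frame("GE0/0/24", "dhcp_ack", "00:11:22:33:44:55", chaddr="aa:aa:aa:aa:aa:01", yiaddr="10.11.11.2"),
        Frame("GE0/0/1", "arp", "aa:aa:aa:aa:aa:01", src_ip="10.11.11.2"),   # matches binding
        Frame("GE0/0/2", "arp", "bb:bb:bb:bb:bb:02", src_ip="10.11.11.1"),   # claims gateway IP, no lease
        Frame("GE0/0/2", "dhcp_ack", "bb:bb:bb:bb:bb:02", chaddr="aa:aa:aa:aa:aa:01", yiaddr="10.11.11.9"),  # rogue server
        Frame("GE0/0/1", "arp", "cc:cc:cc:cc:cc:03", src_ip="10.11.11.3"),   # second MAC on a one-MAC port
    ]
    return [sw.ingress(f) for f in frames], sw


if __name__ == "__main__":
    decisions, switch = run_sample()
    print(decisions)
    print("\n".join(switch.log))
```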
WAN Technology Selection

Layer 2 Protocol for WAN
Case Study
A campus network needs to connect to an education network on which access points are deployed in the same city. The straight-line distance between the two networks is about 10 km. It is estimated that the bandwidth requires about 1 Gbit/s. Then, what link technologies can be used?

Contents
3. Logical Network Design
LAN Design
WAN Design
Route Architecture Design
Network Egress Design
High Availability Design
Routing Boundary Identification
Focus:
- Device cost
- Bandwidth cost
- Security
- Maintainability
When client gateways are deployed at the aggregation layer, access switches work in switching mode, and devices above the aggregation layer work in routing mode.

Routing Protocol Selection
Classification | Protocol | Algorithm | Description
IGP | RIP | DV | Simple, cost of hop count, V1 and V2
IGP | OSPF | LS | Hierarchical, bandwidth cost, fast, and loop-free
IGP | IS-IS | LS | Similar to OSPF
EGP | BGP | DP | Inter-domain routing, strong bearing and manipulation capabilities, and loop-free
(Figure: Separated area; VLAN scale; Sub-optimal route)
Case Study - IP Address Allocation
IP address allocation solution
The network segment 10.0.0.0/8 is recommended due to the scale of the campus network. (If education network segments are specified, use the corresponding ones.) In this case, network segments are divided based on the principle of one room per VLAN.

Building No. | Floor | Unit | Room No. | Network Segment | Gateway IP Address
Building 1 | 1st floor | Unit 1 | 1 | 10.11.11.0/29 | 10.11.11.1/29
Building 1 | 1st floor | Unit 1 | 2 | 10.11.12.8/29 | 10.11.12.9/29
Building 1 | 1st floor | Unit 2 | 1 | 10.11.21.0/29 | 10.11.21.9/29
Building 1 | 1st floor | Unit 2 | 2 | 10.11.22.0/29 | 10.11.22.9/29
Building 1 | 2nd floor | Unit 1 | 1 | 10.12.11.0/29 | 10.12.11.1/29
Building 1 | 2nd floor | Unit 1 | 2 | 10.12.12.8/29 | 10.12.12.9/29
Building 2 | 1st floor | Unit 1 | 1 | 10.21.11.0/29 | 10.21.11.1/29
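As an added design check (example code written for this page, not Huawei's material), the Python below validates an allocation table like the one above against the one-room-per-VLAN scheme: each segment must sit inside the recommended 10.0.0.0/8 block, each gateway must be a usable host inside its own segment with the same mask, and no two rooms may overlap; it also reports how many host addresses a /29 leaves for student devices once the gateway takes one. The rows are constructed from the table above, and the room keys (B1-F1-U1-R1) are a naming assumption.

```python
from ipaddress import IPv4Interface, IPv4Network

# Rows constructed from the allocation table above:
# (building, floor, unit, room, network segment, gateway address/mask).
PLAN = [
    (1, 1, 1, 1, "10.11.11.0/29", "10.11.11.1/29"),
    (1, 1, 1, 2, "10.11.12.8/29", "10.11.12.9/29"),
    (1, 1, 2, 1, "10.11.21.0/29", "10.11.21.9/29"),
    (1, 1, 2, 2, "10.11.22.0/29", "10.11.22.9/29"),
    (1, 2, 1, 1, "10.12.11.0/29", "10.12.11.1/29"),
    (1, 2, 1, 2, "10.12.12.8/29", "10.12.12.9/29"),
    (2, 1, 1, 1, "10.21.11.0/29", "10.21.11.1/29"),
]

CAMPUS = IPv4Network("10.0.0.0/8")   # block recommended on the page


def check_plan(rows, campus=CAMPUS):
    """Return (room, problem) pairs for rows that break the one-room-per-VLAN
    scheme: malformed prefix, segment outside the campus block, gateway not a
    usable host of its own segment, mask mismatch, or overlap with another room."""
    problems, seen = [], []
    for bldg, floor, unit, room, segment, gateway in rows:
        key = f"B{bldg}-F{floor}-U{unit}-R{room}"   # hypothetical room naming
        try:
            net = IPv4Network(segment)          # strict: host bits must be zero
            gw = IPv4Interface(gateway)
        except ValueError as exc:
            problems.append((key, f"malformed entry: {exc}"))
            continue
        if not net.subnet_of(campus):
            problems.append((key, f"{net} lies outside {campus}"))
        if gw.ip not in net:
            problems.append((key, f"gateway {gw.ip} is not inside {net}"))
        elif gw.ip in (net.network_address, net.broadcast_address):
            problems.append((key, f"gateway {gw.ip} is not a usable host address"))
        if gw.network.prefixlen != net.prefixlen:
            problems.append((key, f"gateway mask /{gw.network.prefixlen} differs from /{net.prefixlen}"))
        for other_key, other in seen:
            if net.overlaps(other):
                problems.append((key, f"{net} overlaps {other} ({other_key})"))
        seen.append((key, net))
    return problems


def hosts_per_room(segment):
    """Host addresses left for student devices once the gateway takes one."""
    net = IPv4Network(segment)
    return net.num_addresses - 3   # minus network, broadcast and gateway addresses


if __name__ == "__main__":
    for key, problem in check_plan(PLAN):
        print(f"{key}: {problem}")
    print("hosts left per /29 room:", hosts_per_room("10.11.11.0/29"))
```

Run against the page's rows, the check flags the two Unit 2 gateways, whose .9 addresses fall outside their .0/29 segments.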
Focus:
- Traffic type: Internal PCs access external servers; internal servers provide external services.
- Link connection: Various links including E1, POS, and DSL links can be used. PON and Ethernet are commonly used. Specific adapters are needed for different link types.
- Device connection: Routers or firewalls are required to translate network addresses.

Public IP address requirements
- Connection address
- Address pool
- Intranet address
Generally, enterprises do not have sufficient public IP addresses. Private IP addresses need to be translated into public ones before being used to access the Internet.
(Figure: Enterprise intranet, Firewall, NAT, WWW)
Single-Carrier and Multi-Egress Network Architecture
- Providing redundancy
- Two connection addresses, and one address pool
- Outbound path selection
- Lack of controllability
(Figure: Firewall, NAT, Enterprise intranet, WWW)

Multi-Carrier and Multi-Egress Network Architecture - Outgoing Traffic
Connection condition:
- Two connection addresses
- Two address pools
Outbound path selection:
- Optimal selection of path
- Route direction
- NAT address pool selection
Inbound path selection: Corresponding to path selection
(Figure: ISP1, ISP2, Firewall, NAT, Enterprise intranet, WWW)
NAT mapping
The server IP address is statically mapped to addresses of two address pools.
The link through which users access a server depends on the address used for the connection.
Outbound path selection: Static route selection
(Figure: ISP1, ISP2, Firewall, NAT, Enterprise intranet, WWW)

ICP/DC
This mode is commonly used in ICP and DC scenarios.
Public IP addresses and AS numbers are required.
NAT is not performed.
BGP route selection is required.
(Figure: ISP1, ISP2, ICP/DC)
Project Case
A campus network connects to an education network using a single link, and internal servers provide services for the education network. Design network egress architecture for the campus network.
Link Redundancy
Multilink PPP:
- Bandwidth increase
- Data fragmentation and reassembly
- Multi-link load balancing and backup
Eth-Trunk:
- Link bundling

Project Case
After the assessment by both parties, the engineering personnel and school campus network project group reach a consensus that requirements for network reliability are different on different components. For example, access in dormitories requires low reliability, while high reliability is required at the aggregation and core layers. Design a network as required.
Network Security
Limitations of TCP/IP protocols:
- No data source verification
- No confidentiality protection
- No integrity check
Typical threats (figure: Internet, Extranet, Intranet):
- Web vulnerabilities, buffer overflow, viruses, Trojan horses, etc.
- TCP spoofing, TCP DoS attacks, port scanning, etc.
- IP spoofing, Smurf attacks, ICMP attacks, etc.
- MAC spoofing, MAC flood, ARP spoofing, etc.

Network Security System
Network boundary security: A network boundary is located at the intersection point of the controlled network and uncontrolled network, and is the position where inbound and outbound traffic are checked.
Internal network security: Verify, check, and filter passing traffic, and take necessary protection measures on network devices.
Intranet access security: Authenticate and check devices accessing the intranet to ensure that access is authorized and complies with security requirements.
Evolution of Firewalls
Packet filtering -> Application proxy -> Status detection -> UTM -> Next-generation firewall (NGFW)
Firewall technology has been developed and innovated multiple times.
Stateful inspection firewalls are mainstream ones.

Intranet Access Security
- Specify enterprise security policies
- Block unauthorized users
- Monitor, audit, and collect evidence
- Isolate and repair unauthorized users
- Authorize user access scope
(Figure: Onsite employees, Guests, Core information resources)
Other Huawei Boundary Security Products
NIP6000:
Is the next-generation intrusion prevention system that is targeted for enterprise, campus, and carrier networks.
Effectively defends against common attacks including worms, Trojan horses, and SQL injection.
Identifies multiple applications including mainstream P2P, IM, online games, and social networks.
Extracts files from transmission protocols and analyzes them.
Supports flow model self-learning.
USG2000BSR:
Is targeted for small-sized enterprises, and integrates security, routing, switching, and wireless functions.
Supports FE, GE, E1/CE1, serial, ADSL2+, and 3G access modes.
USG6000V:
Is an NFV- and cloud-based multi-service gateway.
Supports 1 to 8 CPUs.
Supports 1+1 or N+1 redundant deployment.
Supports a maximum of 500 tenants.

Project Case
Select devices to connect the school campus and education networks.
On a school campus network, servers deployed in equipment
VPN Application Scenario
(Figure: Headquarters, Internet)

IPSec VPN Features and Applications
SSL VPN Features and Applications
(Figure: Remote users, Enterprise headquarters; protocol stack HTTP / SSL / TCP / IP)
• Use standard browsers, and do not require client software.
• Run at the application layer, requiring no NAT and providing more fine-granular control.
• Provide simplified O&M.
• By default, SSL VPN supports limited applications.
• More devices at the application and network layers can be connected to the SSL VPN after plug-ins are installed.
Engineering applications: It applies to the access VPN. Currently, no site-to-site VPN applications are provided.

MPLS VPN Features and Applications
(Figure: CE1, PE1, P, PE2, CE2; inner labels determine the VPN where data belongs.)
• VPNs are implemented based on MPLS, BGP, or LDP, and are classified into Layer 2 and Layer 3 VPNs.
• VPN implementation is based on carrier networks, and VPNs are transparent to customer networks.
• MPLS VPN does not provide encryption and authentication functions.
• Carriers divide VPNs based on access ports.
Engineering applications: MPLS VPN can be the replacement of leased lines and applies to the site-to-site VPN. Contact local carriers for corresponding services.
Huawei VPN Product Line
IPSec VPN:
IPSec VPN does not require dedicated devices, and is supported by common routers and firewalls. Note the number of connections, and purchase the required license.
You need to configure IPSec VPN client software that runs on a PC when deploying the access VPN.
SSL VPN: SVN5600 or SVN5800
The SVN5600 or SVN5800 supports a maximum of 100,000 concurrent users, and mainstream operating systems including Android, Windows, iOS, MacOS, Linux, Symbian, and Blackberry.
It supports SSL VPN, IPSec VPN, GRE VPN, and L2TP VPN.
It supports web proxy, network extension, file sharing, and port forwarding.
Other VPNs:
MPLS VPN: There are no special requirements for client devices, and common network devices such as routers and switches can use MPLS VPN.
L2TP and GRE VPNs: Common routers and advanced switches support the functions.
……

Project Case
A university has the headquarters and branch networks located in different cities. Design a cost-effective network solution for data exchange between the headquarters and the branch networks.
Some college teachers want to log in to the school campus network when they are at home or on a business trip. What solution do you adopt?
Fat AP Wireless Network
A Fat AP provides complete IP protocol stack and runs independently.
A Fat AP provides complete and abundant functions: DHCP, FW-NAT.
Each Fat AP is separately managed.
Inter-AP roaming is not supported.
A Fat AP applies to a small-sized network.
(Figure: Core network, Access switches, AP … AP, STA)

Fit AP+AC Wireless Network
A Fit AP provides an incomplete protocol stack, and needs to be used with an AC.
A Fit AP can be easily deployed and managed.
Fit APs are managed in a centralized manner.
Inter-AP roaming is supported.
A Fit AP applies to a large-sized network.
(Figure: Core network, CAPWAP tunnel, IP network, AC, AP1 … AP n, STA)
Indoor settled APs: AP5010SN, AP3010DN, AP5010DN, AP6010SN, AP6010DN, AP7110DN, AP7110SN
Indoor distributed APs: AP6310SN
AC: AC6005, AC6605, ACU
Significance of Technological Solution
Project Baseline, Work Summary, Milestone:
- Summary of the early planning stage and design
- Objectives of the later implementation stage of a project
- Boundary between the early planning stage and design stage and the later implementation stage of a project

Technological Solution Content
1. Project background: Survey results in the planning stage
2. Project requirement
3. Detailed technological solution: Topology, Physical network design, Logical network design, Engineering interface
4. Relevant engineering problems: Schedule, Organization
D. NSF
C. Access subsystem
2. Authorization profile: Authorization from project design partners
4. Other related documents
Thank You
www.huawei.com