GRADUATION PROJECT
Topic:
BUILDING ENTERPRISE NETWORK INFRASTRUCTURE
Ho Chi Minh City, 2015
PREFACE
The Internet keeps expanding across the whole world, and beyond that, exploiting this inexhaustible resource brings enormous benefits. Exchanging information and communicating is extremely important, especially for organizations, companies and enterprises whose headquarters or branches are spread across different geographic regions. Many solutions have been proposed, but which one meets both the need to exchange information and the need to keep that information secure while it travels across the Internet, an insecure environment? One such solution is to rent leased lines. That gives both security and plenty of bandwidth, but it is not feasible when the sites to be connected are far apart. Another solution is to use ATM or Frame Relay technology from a service provider; however, the cost of this solution is also quite high. VPN is the most feasible solution, because it provides the required security while costing a reasonable amount. VPN is now used very widely, and the technology keeps developing. Even so, a conventional VPN has its drawbacks: the connecting sites must rent static IP addresses, and the router acting as the hub must carry a large and complex configuration. In addition, when sites want to connect to each other they must go through this central router and cannot connect directly. Out of these limitations came DMVPN. This technology is a further development of VPN that aims to remove those limitations. With DMVPN, configuration becomes simple, connections are set up automatically, and the cost is lower than for a conventional VPN. To understand what DMVPN is and why it is used, let us begin and explore this topic together.
With the topic Building a Network Infrastructure System for Enterprises, I hope that what I have written will help you understand DMVPN and its advantages better, so that you can build a good project from it in the future.
Sincere thanks!
ACKNOWLEDGEMENTS
First of all, I would like to sincerely thank all the teachers of the Faculty of Information Technology at iSPACE Vocational College of Information Technology, who directly taught me and passed on useful knowledge throughout the past years of study. They gave me a great deal of fundamental knowledge, knowledge that is extremely valuable and serves as the foundation for my current work as well as my work later on.
Most especially, I express my gratitude to Mr. Nguyen Phi Thi, who directly and wholeheartedly guided and helped me during the research carried out to complete this project.
Respectfully, thank you!
Ho Chi Minh City, 28 March 2015
Author
Le Van Thuan
SUPERVISOR'S COMMENTS
TABLE OF CONTENTS
LIST OF ABBREVIATIONS .... 11
LIST OF FIGURES .... 15
LIST OF TABLES .... 20
CHAPTER 1. PROJECT OVERVIEW .... 21
1.1 Introduction to the topic .... 21
1.2 Technology trends .... 21
1.3 Practical applications .... 21
CHAPTER 2. BACKGROUND KNOWLEDGE .... 23
I. OVERVIEW OF LAN SYSTEMS .... 23
1. The concept of a LAN .... 23
1.1 Some devices that make up a network .... 23
1.1.1 Switch .... 23
1.1.2 Router .... 30
1.1.3 Cable .... 31
1.1.4 Network interface card (NIC) .... 32
1.1.5 Gateway .... 32
1.1.6 Modems .... 33
1.2 Cisco's three-layer network model .... 33
1.2.1 Core layer .... 34
1.2.2 Distribution layer .... 35
1.2.3 Access layer .... 35
2. The concept of routing .... 35
2.1 Routing overview .... 35
2.2 Routing principles .... 36
2.3 Types of routing .... 38
2.3.1 Static routing .... 38
2.3.2 Dynamic routing .... 38
4.5.5 Virtual Router Redundancy Protocol and Gateway Load Balancing Protocol .... 81
5. Introduction to Access Control Lists .... 83
5.1 Why use ACLs? .... 84
5.2 Meaning of the IP address and wildcard in an ACL .... 85
5.3 Types of Access Control List .... 85
5.4 Placement of Access Control Lists .... 88
5.4.1 Inbound ACLs .... 88
5.4.2 Outbound ACLs .... 88
5.5 How ACLs work .... 88
5.6 Points to note .... 89
6. Dynamic Host Configuration Protocol (DHCP) .... 89
6.1 Purpose and function .... 89
6.2 Introduction to NAT and PAT .... 90
6.2.1 NAT terminology .... 91
6.3 Advantages of NAT .... 92
6.4 PAT (Port Address Translation) .... 93
II. WAN FUNDAMENTALS .... 93
1. Common WAN technologies .... 93
1.1 Leased-line technology .... 93
1.2 Frame Relay technology .... 94
1.3 DSL technology .... 96
1.4 MPLS (Multi Protocol Label Switching) technology .... 98
1.4.1 Advantages and applications of MPLS .... 99
2. Virtual Private Network (VPN) technology .... 100
2.1 Definition of VPN .... 101
2.2 History and development .... 102
2.3 Benefits of VPN .... 103
2.4 Requirements for a VPN .... 105
LIST OF ABBREVIATIONS
No. | Abbreviation | Full term | Meaning
1 | 3DES | Triple Data Encryption Standard | The 3DES cipher algorithm
2 | ADSL | Asymmetric Digital Subscriber Line | Asymmetric digital subscriber line access technology
3 | AES | Advanced Encryption Standard | Advanced encryption standard
4 | AH | Authentication Header | Authentication header protocol
5 | BGP | Border Gateway Protocol | Inter-domain routing protocol
6 | B-ISDN | Broadband Integrated Service Digital Network | Broadband integrated services digital network
7 | CA | Certificate Authority | Issuer of digital certificates
8 | CHAP | Challenge Handshake Authentication Protocol | Challenge-handshake authentication protocol
9 | CR | Cell Relay | Cell relay technology
10 | DCE | Data Communication Equipment | Data communication equipment
11 | DES | Data Encryption Standard | The DES cipher algorithm
12 | DHCP | Dynamic Host Configuration Protocol | Dynamic host configuration protocol
13 | DNS | Domain Name System | Domain name system
14 | ESP | Encapsulating Security Payload | Encapsulating security payload protocol
15 | FCS | Frame Check Sequence | Frame check sequence
16 | FR | Frame Relay | Frame relay
17 | GVPNS | Global VPN Service | Global VPN service
18 | ICMP | Internet Control Message Protocol | Internet control message protocol
19 | IKE | Internet Key Exchange | Internet key exchange protocol
20 | IGP | Interior Gateway Protocol | Intra-domain routing protocol
21 | IN | Intelligent Network | Intelligent network
22 | IP | Internet Protocol | Internet protocol
23 | IPsec | Internet Protocol Security | Internet security protocol
24 | ISAKMP | Internet Security Association and Key Management Protocol | Internet security association and key management protocol
25 | ISDN | Integrated Service Digital Network | Integrated services digital network
26 | ISO | International Standard Organization | International standards organization
27 | ISP | Internet Service Provider | Internet service provider
28 | L2F | Layer 2 Forwarding | Layer 2 forwarding protocol
29 | L2TP | Layer 2 Tunneling Protocol | Layer 2 tunneling protocol
30 | LAC | L2TP Access Concentrator | L2TP access concentrator
31 | LAN | Local Area Network | Local area network
32 | LCP | Link Control Protocol | Link control protocol
33 | LNS | L2TP Network Server | L2TP network server
34 | MAC | Message Authentication Code | Message authentication code
35 | MD5 | Message Digest 5 | The MD5 algorithm
36 | MG | Media Gateway | Media gateway
37 | MGC | Media Gateway Controller | Access control device
38 | MPLS | Multi Protocol Label Switching | Label-switching router
39 | MPPE | Microsoft Point-to-Point Encryption | Microsoft point-to-point encryption
40 | MTU | Maximum Transfer Unit | Maximum transfer unit
41 | NAS | Network Access Server | Network access server
42 | NCP | Network Control Protocol | Network control protocol
43 | PAP | Password Authentication Protocol | Password authentication protocol
44 | PKI | Public Key Infrastructure | Public key infrastructure
45 | POP | Point of Presence | Communications point of presence
46 | PPP | Point to Point Protocol | Point-to-point protocol
47 | PPTP | Point to Point Tunneling Protocol | Point-to-point tunneling protocol
48 | PVC | Permanent Virtual Circuit | Permanent virtual circuit
49 | QoS | Quality of Service | Quality of service
50 | RAS | Remote Access Service | Remote access service
51 | RADIUS | Remote Authentication Dial-In User Service | Authentication of remote dial-in users
52 | RRAS | Routing and Remote Access Server | Routing and remote access server
53 | SA | Security Association | Security association
54 | SG | Signaling Gateway | Signaling gateway
55 | RTP | Real Time Protocol | Real-time protocol
56 | SVC | Switched Virtual Circuit | Switched virtual circuit
57 | TCP | Transmission Control Protocol | Transmission control protocol
58 | TE | Terminal Equipment | Terminal equipment
59 | UDP | User Datagram Protocol | The UDP protocol
60 | VC | Virtual Circuit | Virtual channel
61 | VCI | Virtual Circuit Identifier | Virtual channel identifier
62 | VNS | Virtual Network Service | Virtual network service
63 | VPI | Virtual Path Identifier | Virtual path identifier
64 | VPN | Virtual Private Network | Virtual private network
65 | VLAN | Virtual Local Area Network | Virtual LAN
66 | WAN | Wide Area Network | Wide area network
LIST OF FIGURES
Figure 1 Scope of operation of a switch .... 24
Figure 2 Layer 3 switching .... 27
Figure 3 Some Cisco router series .... 30
Figure 4 Some common cable types .... 31
Figure 5 Network interface card .... 32
Figure 6 Gateway .... 33
Figure 7 Modems .... 33
Figure 8 Three-layer network .... 33
Figure 9 Hierarchical network .... 34
Figure 10 Distance-vector routing .... 39
Figure 11 VLAN model .... 45
Figure 12 How VLANs work .... 47
Figure 13 VLAN Trunking Protocol model 1 .... 48
Figure 14 VLAN Trunking Protocol model 2 .... 49
Figure 15 VTP modes .... 52
Figure 16 VTP pruning .... 55
Figure 17 High availability model .... 57
Figure 18 EtherChannel model .... 59
Figure 19 PAgP and LACP model .... 62
Figure 20 STP operation .... 65
Figure 21 Default gateway model .... 70
Figure 22 Proxy ARP model .... 72
Figure 23 Router redundancy model 1 .... 73
Figure 24 Router redundancy model 2 .... 74
Figure 25 HSRP operation process .... 75
Figure 26 How IP and MAC addresses work in HSRP .... 76
Figure 27 How HSRP packets work .... 78
LIST OF TABLES
local network system, so that using the system and transmitting data take place safely and efficiently.
DMVPN (Dynamic Multipoint Virtual Network) is the combination of the technologies IPsec, mGRE and NHRP. Combined, these technologies allow IPsec to be deployed in a virtual private network that can be built on the existing infrastructure of the Internet, connecting the branches of a network system to one another across a wide geographic area while keeping the properties of a local network, as when leased lines are used. At a reasonable cost, DMVPN can help an enterprise reach the world quickly and efficiently.
The main characteristics of a switch:
- It isolates traffic on each network segment.
- It gives each user much more bandwidth by creating smaller collision domains.
First characteristic: isolating traffic on each segment. A switch divides the network into very small units called microsegments. Such segments let users on different segments send data at the same time without slowing down the network.
By dividing the network into smaller parts, the number of users and devices sharing the same bandwidth is reduced. Each segment is a separate collision domain; the switch limits bandwidth usage by forwarding a frame only to the port it needs to go to, based on the Layer 2 MAC address.
Second characteristic: a switch guarantees more bandwidth for users by creating smaller collision domains. The switch splits the LAN into many small segments. Each segment is a separate connection, like a private 100 Mb/s lane, and each server can be placed on its own 100 Mb/s connection. In today's networks, Fast Ethernet switches are used as the main backbone of the LAN, while Ethernet switches or Fast Ethernet hubs are used to connect down to the computers.
Latency is the time from when the switch receives a frame until it has sent the whole frame out of the destination port. This latency depends on the switching configuration and on the amount of traffic through the switch.
Latency is measured in units smaller than a second. For network devices operating at high speed, every extra nanosecond (ns) of delay has a large effect on network operation.
Layer 2 and Layer 3 switching
Switching is the process of receiving a frame on one port and sending it out on another port. Routers use Layer 3 switching to forward packets that have already been routed. Switches use Layer 2 switching to forward frames.
The difference between Layer 2 and Layer 3 switching is the kind of information in the frame that is used to choose the outgoing port. Layer 2 switching is based on the MAC address, while Layer 3 switching is based on the network-layer address (for example, the IP address).
Layer 2 switching looks at the destination MAC address in the frame header and sends the frame out of the correct port according to the MAC address information in the switching table. The switching table is stored in content-addressable memory (CAM). If a Layer 2 switch does not know which port to send a frame to, it simply floods the frame out of all of its ports. When the reply comes back, the switch records the new address in the CAM.
Layer 3 switching is a function of the network layer. Layer 3 switching examines the information in the Layer 3 header and forwards the packet based on the IP address.
Traffic flow in a flat switched network is completely different from traffic flow in a routed or hierarchical network. In a hierarchical network the traffic flow is more flexible than in a flat network.
[Figure: OSI layers 7 Application, 6 Presentation, 5 Session]
Topic: Building enterprise network infrastructure, page 26
137C Nguyen Chi Thanh, Ward 9, District 5, Ho Chi Minh City
Buffer memory
In port-based buffering, frames are stored in queues corresponding to each incoming port. A frame is then moved to the queue of the destination port once all the frames ahead of it in the queue have been sent. Thus one frame can hold up all the remaining frames in the queue because its destination port is busy. Even if the destination port is free, they still have to wait for the time it takes to send that frame completely.
Shared buffering puts all frames into one common memory. All ports of the switch share the same buffer, and buffer capacity is allocated according to each port's demand at each moment. Frames are automatically delivered to the transmitting port. Thanks to this sharing, a frame received on one port does not have to change queues to be sent out of another port.
The switch keeps a map of which frame belongs to which port, and this map entry is cleared after the frame is transmitted successfully. The buffer is used in a shared manner, so the number of frames in the buffer is limited by the total buffer capacity rather than by the buffer area of each port, as in port-based buffering. Large frames can therefore be forwarded and fewer packets are dropped. This is very important for asynchronous switching, where frames are forwarded between two ports of different speeds.
- Port-based buffering stores frames in queues corresponding to each incoming port.
- Shared buffering stores all frames in one common memory. All ports on the switch share this memory area.
Switching methods
- Cut-through: the frame is forwarded before the whole frame has been received. As soon as the destination address can be read, the frame can be sent out. This method reduces latency but also reduces the ability to detect frame errors.
The two specific switching modes that follow the cut-through method are:
o Fast forward: fast-forward switching has the lowest latency. It forwards the frame as soon as it has read the frame's destination address, without waiting to receive the whole frame. This mechanism therefore cannot check whether the received frame is corrupted, although this does not happen often and the destination host will discard a corrupted packet. In fast-forward switching, latency is measured from when the switch receives the first bit until it sends out the first bit.
o Fragment free: this mode filters out the fragments produced by collisions before it begins forwarding. Most corrupted frames on the network are fragments of frames damaged by collisions. In a normally operating network, a fragment produced by a collision must be smaller than 64 bytes. Any frame larger than 64 bytes is considered valid and is usually error-free. Fragment-free switching therefore waits to receive the first 64 bytes of the frame, to make sure it is not a collision fragment, before it begins forwarding. In this mode, latency is likewise measured from when the switch receives the first bit until it sends out the first bit.
1.1.2 Router
1.1.3 Cable
Cable is the transmission medium that connects the components of the network to one another. In the OSI model, cable is considered a Layer 1 device.
Property | Thin coaxial (10Base2) | Thick coaxial (10Base5) | Twisted pair (10BaseT) | Fiber optic
Cost | More expensive than twisted pair | More expensive than thin coaxial | Cheapest | Most expensive
Maximum segment length | 185 m | 500 m | 100 m | Up to several km
Noise immunity | Good | Good | Not good | Very good
Transmission speed | 10 Mbps | 10 Mbps | 10 Mbps | Up to 2 Gbps
Figure 6 Gateway
1.1.6 Modems
A modem (modulator-demodulator) converts digital signals into analog signals, and vice versa, on the network.
The digital signal goes from the computer to the modem, which converts it into an analog signal so that it can pass over the network. This signal reaches the modem at point B, where it is converted back into a digital signal and fed into computer B.
Figure 7 Modems
1.2 Cisco's three-layer network model
Figure 8 Three-layer network
Cisco introduced a network design model that lets the designer build a logical network by defining and using layers of devices, which brings efficiency, intelligence, scalability and easy management.
Hierarchical Network Model
1.2.1 Core layer
The core layer of a campus network provides the connections between all the distribution-layer devices. The core layer usually forms the backbone of the network and must be able to switch traffic efficiently. Core-layer devices are often called backbone switches and have the following attributes:
High cost
1.2.2 Distribution layer
High port density.
Routing on the Internet is performed using routing tables stored on hosts or on routing devices (routers). The information in routing tables is updated automatically or by the user.
The categories used in routing are:
In routing, two kinds are distinguished: direct routing and indirect routing. Direct routing is routing between two computers connected to the same physical network. Indirect routing is routing between two computers on different physical networks, so it has to go through gateways.
To check whether the destination host is on the same physical network as the source, the sender extracts the network part of the destination address in the packet header and compares it with the network part of its own IP address. If they match, the packet is sent directly; if not, a gateway must be chosen through which the packets are sent on to the appropriate outside network.
Routing consists of the following two basic activities:
Destination network | Next hop | Port
10.0.0.0 | Direct | 2
11.0.0.0 | Direct | 1
12.0.0.0 | 11.0.0.2 | 1
13.0.0.0 | Direct | 3
13.0.0.0 | 13.0.0.2 | 3
15.0.0.0 | 10.0.0.2 | 5
Thus each forwarding port does not know the complete path to the destination.
The routing table also holds information about ports that can reach destinations which are not on the same physical network. This information is hidden and is called the default. When no information is found for the destination address being looked up, the packets are sent to the default forwarding port.
The routing algorithm is described as follows:
+ If the destination address is one of the IP addresses of the system's own network connections, process the IP packet locally.
+ Determine the destination network address by ANDing the network mask with the destination IP address.
+ If the destination address is not found in the routing table, look it up in the default route; if even the default route has no information about the destination address, discard the packet and send an ICMP error message to the sender saying that the destination network is unreachable.
+ If the destination network address equals the system's own network address, meaning the destination device is connected to the same network as the system, look up the corresponding link-layer address in the IP-to-MAC mapping table, encapsulate the IP packet in a link-layer frame and forward it on the network.
+ In the case where the destination network address differs from the system's network address,
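The forwarding decision these steps describe, written out as an added example (this is not code from the thesis). The routing table, the IP-to-MAC table and every address in it are constructed for illustration; the lookup is generalized slightly by preferring the longest matching prefix when several entries match.

```python
"""IP forwarding decision following the steps above (added example; tables constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Route:
    network: ipaddress.IPv4Network              # destination network and its mask
    next_hop: Optional[ipaddress.IPv4Address]   # None = directly connected ("Direct")
    port: int                                   # outgoing interface


@dataclass
class Decision:
    action: str                 # "local", "direct", "via_gateway", "drop_icmp_net_unreachable"
    port: Optional[int] = None
    next_hop: Optional[ipaddress.IPv4Address] = None
    mac: Optional[str] = None   # link-layer address that goes into the frame


class Router:
    def __init__(self, own_addrs: List[str], routes: List[Route],
                 default: Optional[Route], arp: Dict[str, str]):
        self.own_addrs = {ipaddress.IPv4Address(a) for a in own_addrs}
        self.routes = routes
        self.default = default                  # the "default" entry, if configured
        # IP-to-MAC mapping table (the IP-MAC correspondence table of the text)
        self.arp = {ipaddress.IPv4Address(k): v for k, v in arp.items()}

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Route]:
        """Step 2: AND each entry's mask with the destination and compare the result
        with the entry's network address; the longest matching prefix wins."""
        best = None
        for r in self.routes:
            masked = int(dst) & int(r.network.netmask)
            if masked == int(r.network.network_address):
                if best is None or r.network.prefixlen > best.network.prefixlen:
                    best = r
        return best

    def forward(self, dst_str: str) -> Decision:
        dst = ipaddress.IPv4Address(dst_str)
        # Step 1: addressed to one of our own interfaces -> process locally
        if dst in self.own_addrs:
            return Decision("local")
        route = self.lookup(dst)
        # Step 3: no entry -> fall back to the default route; none -> drop + ICMP
        if route is None:
            if self.default is None:
                return Decision("drop_icmp_net_unreachable")
            route = self.default
        # Step 4: destination on a connected network -> frame it to the host's own MAC
        if route.next_hop is None:
            # mac is None when the IP-MAC table has no entry (ARP would resolve it first)
            return Decision("direct", port=route.port, mac=self.arp.get(dst))
        # Step 5: otherwise hand the packet to the gateway; the frame carries its MAC
        return Decision("via_gateway", port=route.port, next_hop=route.next_hop,
                        mac=self.arp.get(route.next_hop))


# Constructed sample in the shape of the table shown earlier ("Direct" entries,
# one gateway entry, one default entry); it describes no real network.
ROUTES = [
    Route(ipaddress.IPv4Network("10.0.0.0/8"), None, 2),
    Route(ipaddress.IPv4Network("11.0.0.0/8"), None, 1),
    Route(ipaddress.IPv4Network("12.0.0.0/8"), ipaddress.IPv4Address("11.0.0.2"), 1),
]
DEFAULT = Route(ipaddress.IPv4Network("0.0.0.0/0"), ipaddress.IPv4Address("10.0.0.2"), 5)
ARP = {"10.0.0.2": "aa:bb:cc:00:00:02", "11.0.0.2": "aa:bb:cc:00:00:12",
       "10.0.0.7": "aa:bb:cc:00:00:07"}

ROUTER = Router(["10.0.0.1", "11.0.0.1"], ROUTES, DEFAULT, ARP)
ROUTER_NO_DEFAULT = Router(["10.0.0.1", "11.0.0.1"], ROUTES, None, ARP)

if __name__ == "__main__":
    for dst in ("10.0.0.1", "10.0.0.7", "12.5.6.7", "15.1.1.1"):
        print(dst, ROUTER.forward(dst))
    print("15.1.1.1 without a default route:", ROUTER_NO_DEFAULT.forward("15.1.1.1"))
```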
In this method, routing information is supplied by the network administrator through manual entries in the router's configuration. The administrator must update these static route entries by hand whenever the internetwork topology changes.
2.3.2 Dynamic routing
In this method, routing information is updated automatically. This work is done by routing protocols installed on the router. The function of a routing protocol is to determine the path a packet takes through a network from source to destination. Examples are the routing protocols RIP and OSPF.
2.3.3 Dynamic routing algorithms
Distance-vector routing, based on the Bellman-Ford routing algorithm, is a simple and effective routing method used in many routing protocols such as RIP and OSPF.
Distance vector is designed to minimize communication between routers as well as the amount of data in the routing table. The essence of distance-vector routing is that a router does not need to know every path to every network segment; it only needs to know in which direction to send a datagram addressed to a given segment. The distance between segments is measured by the number of routers the datagram must pass through when travelling from one segment to another. A router uses the distance-vector algorithm to optimize the path by minimizing the number of routers the datagram passes through. This distance parameter is the hop count.
Distance-vector routing is based on the idea that a router announces to its neighbouring routers all the networks it knows and the distance to each of them. A router running a distance-vector routing protocol announces one or more distance vectors to the neighbouring routers directly connected to it. A distance vector consists of a pair (network, cost), where network is the destination network and cost is a value representing the number of routers or links on the path between the announcing router and the destination network. The routing database therefore consists of a number of distance vectors, or costs, to all networks from that router.
When a router receives a distance-vector update message from a neighbouring router, it adds its own cost (usually 1) to the cost received in the update. It then compares this computed cost with the information received in the previous update. If the cost is smaller, the router updates its routing database with the new costs and computes a new routing table, in which the neighbouring router that just announced the new distance vector is the next hop.
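The update rule of the last paragraph in runnable form, as an added example (not the thesis's own code). The routers, networks and link costs are constructed; a cost of 1 for directly connected networks is the RIP convention, and the example goes one step beyond the paragraph by also accepting a worse cost from the neighbour that is already the next hop, the standard rule that keeps stale routes from lingering.

```python
"""Distance-vector update and convergence on a constructed three-router chain
(added example; topology and names are made up for illustration)."""
from dataclasses import dataclass
from typing import Dict, List

INFINITY = 16          # RIP's "unreachable" hop count (assumption for this example)


@dataclass
class Entry:
    cost: int          # hop count to the network
    next_hop: str      # neighbour router name, or "direct" for connected networks


class DVRouter:
    def __init__(self, name: str, connected: List[str]):
        self.name = name
        # Connected networks start at 1 hop, the RIP convention.
        self.table: Dict[str, Entry] = {net: Entry(1, "direct") for net in connected}

    def advertise(self) -> Dict[str, int]:
        """The distance vector sent to neighbours: (network, cost) pairs."""
        return {net: e.cost for net, e in self.table.items()}

    def receive(self, neighbour: str, vector: Dict[str, int], link_cost: int = 1) -> bool:
        """Apply a neighbour's vector: add our own cost (1), keep the entry if it is
        cheaper than what we have, and make that neighbour the next hop."""
        changed = False
        for net, adv_cost in vector.items():
            cost = min(adv_cost + link_cost, INFINITY)
            cur = self.table.get(net)
            if cur is None or cost < cur.cost:
                self.table[net] = Entry(cost, neighbour)
                changed = True
            elif cur.next_hop == neighbour and cost != cur.cost:
                # Our current route runs through this neighbour, so its new (worse)
                # cost must be accepted; otherwise a stale, cheaper entry would linger.
                self.table[net] = Entry(cost, neighbour)
                changed = True
        return changed


def build_chain():
    """R1 -- link12 -- R2 -- link23 -- R3, with net1, net2, net3 attached respectively."""
    routers = {
        "R1": DVRouter("R1", ["net1", "link12"]),
        "R2": DVRouter("R2", ["link12", "net2", "link23"]),
        "R3": DVRouter("R3", ["link23", "net3"]),
    }
    neighbours = {"R1": ["R2"], "R2": ["R1", "R3"], "R3": ["R2"]}
    return routers, neighbours


def converge(routers: Dict[str, DVRouter], neighbours: Dict[str, List[str]],
             max_rounds: int = 20) -> int:
    """Synchronous rounds: everyone advertises, then everyone applies what it got.
    Returns the round in which no table changed any more."""
    for rnd in range(1, max_rounds + 1):
        vectors = {name: r.advertise() for name, r in routers.items()}
        changed = False
        for name, r in routers.items():
            for nb in neighbours[name]:
                changed = r.receive(nb, vectors[nb]) or changed
        if not changed:
            return rnd
    return max_rounds


def hops(routers: Dict[str, DVRouter], src: str, net: str):
    """(cost, next_hop) that router src holds for network net."""
    e = routers[src].table.get(net)
    return (e.cost, e.next_hop) if e else (INFINITY, None)


if __name__ == "__main__":
    rs, nbs = build_chain()
    print("stable after round", converge(rs, nbs))
    for name in rs:
        print(name, {net: (e.cost, e.next_hop) for net, e in rs[name].table.items()})
```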
[Figure: (net1, 1 hop) advertised onward as (net1, 2 hop)]
LSPs (Link State Packets) throughout the network. An LSP generally contains an identifier of the source, an identifier of the neighbour and the cost of the link between them. The LSPs received by all routers are used to build a database of the topology of the entire network. The routing table is then computed from the contents of this topology database. Every router in the network holds a map of the network topology and from it computes the least-cost path from any source to any destination. The value attached to a link between routers is that link's cost.
Routers flood their LSPs to all other routers in the network, which use them to build the link-state database. Next, each router in the network computes a tree rooted at itself and branching out to all other routers, based on the shortest-path or least-cost criterion.
The IETF issued two versions of RIP-2 to overcome the limitations of RIP-1. RIP-
The OSPF protocol is an interior gateway protocol. It was developed to overcome the limitations of the RIP protocol. Work on it began in 1988 and was completed in 1991, and updated versions of the protocol are still being released. The most recent document for the OSPF standard is RFC 2328. OSPF has many features that distance-vector protocols lack, and support for these features has made OSPF a widely used routing protocol in large network environments. In fact, RFC 1812 (which sets out the requirements for IPv4 routers) identifies OSPF as the only dynamic routing protocol that is required. The features that make this protocol successful are listed below:
Load balancing over equal-cost routes: using several routes at once allows network resources to be used efficiently.
Logical partitioning of the network: this reduces the information sent out under adverse conditions. It also helps aggregate routing announcements, limiting the transmission of unnecessary information about the network.
Authentication support: OSPF supports authentication for all nodes that send routing advertisements. This limits the risk of the routing table being altered with malicious intent.
Faster convergence: OSPF allows route changes to be propagated immediately, which shortens the convergence time needed to update the network topology information.
CIDR and VLSM support: this lets the network administrator allocate IP address space more efficiently.
OSPF is a link-state protocol. Like other link-state protocols, every OSPF router runs the SPF algorithm to process the information held in the link-state database. The algorithm produces a shortest-path tree that describes precisely which routes should be chosen to reach the destination network.
- Maximum security between VLANs.
- Data packets do not leak into other domains.
- Easy control across the network.
3.2 How VLANs work
- Each port on a switch can be assigned to a different VLAN. Ports in the same VLAN share broadcast packets with one another, which makes the LAN operate more efficiently.
- The benefit of VLANs is that they let the network administrator organize the network logically rather than physically, which makes the following tasks easier:
single VLAN and are not sent to other VLANs, so broadcast traffic is reduced and link bandwidth is saved.
a. Server mode
- Create VLANs
- Modify VLANs
- Delete VLANs
- Send or forward advertisements
- Synchronize VLAN information
- Save the configuration to NVRAM
b. Client mode
- Create VLANs
- Modify VLANs
- Delete VLANs
- Forward advertisements
- Do not synchronize VLAN information
- Save the configuration to NVRAM
The trunking protocol was developed to improve the management of frames from different VLANs travelling over one physical link. The trunking protocol is set up at the ends of the trunk.
There are currently two trunking techniques, frame filtering and frame tagging. In the
The frame-tagging trunking protocol distinguishes frames and is used to manage and
belongs to goes to that VLAN.
- Every switch taking part in VTP must advertise the VLAN numbers (only VLANs 1 to 1005) and the VLAN parameters on its trunk ports to inform the other switches in the management domain. VTP advertisements are sent as information packets to a set of addresses on the network. Switches intercept the objects sent to the VTP address and process them. VTP objects are forwarded out of trunk links as a special case.
3.4.4 VTP pruning
3.4.5 Benefits of VTP
VTP can be misconfigured when changes are made. Such misconfigurations can add up to violations of security principles, because VLAN connections become cross-connected when VLANs are given duplicate names. These misconfigurations can also break connectivity when they are mapped from one LAN type to another.
VTP provides the following benefits:
Consistent VLAN configuration across the network.
- Mt h thng mng vi tnh sn sng cao cung cp phng tin thay th m theo
tt c cc c s h tng v cc my ch quan trng c th truy cp mi lc v thi gian
gin on nu c l thp nht
KHUYT IM:
U IM:
Vic sm thm ti nguyn ng truyn, gip chng ta c thm c hi thc hin vic
gim ti & phn b ti hp l bng cc k thut load balancing & load sharing trn cc
ng truyn
- Etherchannel
- Spanning-tree
4.3 Etherchannel
- PAgP (Port Aggregation Protocol) is a Cisco proprietary protocol; PAgP packets are exchanged between switches over EtherChannel ports.
- PAgP forms an EtherChannel only on ports configured with the same static VLAN or the same trunking type (at most 8 ports).
- DTP (Dynamic Trunking Protocol) and CDP (Cisco Discovery Protocol) can send and receive packets on the physical ports of an EtherChannel. Ports configured as trunks can send and receive PAgP protocol data units (PDUs) on the VLAN with the lowest ID.
- PAgP sends and receives PAgP PDUs only on physical ports that are up and on which PAgP is running in one of two modes: auto or desirable.
- LACP also sends packets over the switch's EtherChannel ports; in addition, LACP assigns port roles to the ends of the EtherChannel.
- Many switches do not forward BPDU frames, but switches still use them to build a loop-free topology. BPDUs carry information about the sending switch and its ports, including the MAC address, switch priority, port priority and path cost.
- The spanning-tree algorithm uses this information to elect the root switch and root port for the switched network, and the root port and designated port for each switched segment (collision domain = segment).
- When two ports on one switch are part of a loop, the spanning-tree port priority and path cost determine which port goes to the forwarding state (passing traffic) and which goes to the blocking state.
State      Purpose
Disabled   Port shut down
           Discards received frames
           No MAC address table
           Receives BPDUs
Cost of the path to the root.
- When a switch receives a BPDU carrying superior information (such as a lower bridge ID or a lower path cost), it stores that information on the receiving port. If the BPDU was received on the switch's root port, the switch forwards it to all the designated switches.
information inferior to what the switch already holds on that port, the switch substitutes its own better information into the BPDU and sends it on. In this way inferior information is discarded and superior information is propagated throughout the system.
One root port is chosen on each switch (except the root switch). This port offers the lowest cost when the switch forwards data to the root switch. The shortest distance to the root switch is computed for each switch from the path cost.
- IEEE 802.1D requires each switch to have a unique bridge ID, used during root-switch election. Because each VLAN is a separate logical bridge under PVST+ and rapid PVST+, the same switch must have a different bridge ID for each VLAN. Each VLAN on each switch has a unique 8-byte bridge ID: 2 bytes hold the switch priority and the remaining 6 bytes hold the switch MAC address.
- The Catalyst 2960 supports the IEEE 802.1t spanning-tree extension, in which bits formerly used for the switch priority now carry the VLAN ID. Of the 2 bytes formerly used for the switch priority, 4 bits hold the priority value and the remaining 12 bits form the extended system ID, which equals the VLAN ID.
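The following Python is an added example (not part of the thesis) that builds the 802.1t bridge ID exactly as described above (4-bit priority, 12-bit system-ID extension carrying the VLAN, 48-bit MAC) and models the BPDU comparison a switch performs: a received BPDU is kept only if it is superior to what the port already holds, and the root port is the port with the cheapest path to the lowest root ID. The switch names, MAC addresses and port costs are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """64-bit IEEE 802.1t bridge ID: 4-bit priority | 12-bit system-ID extension (VLAN) | 48-bit MAC."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID out of range")
    mac_int = int(mac.replace(".", "").replace(":", ""), 16)
    return ((priority | vlan) << 48) | mac_int


def bridge_id_str(bid: int) -> str:
    """Render as IOS does: <priority + sysid-ext>.<mac>, e.g. 32778.0000.0c00.0001 for VLAN 10."""
    mac = f"{bid & ((1 << 48) - 1):012x}"
    return f"{bid >> 48}.{mac[:4]}.{mac[4:8]}.{mac[8:]}"


@dataclass(order=True, frozen=True)
class Bpdu:
    """Fields compared by 802.1D, in order; a lexicographically smaller BPDU is superior."""
    root_id: int
    root_path_cost: int
    sender_id: int
    sender_port: int


class Switch:
    def __init__(self, own_id: int, port_costs: Dict[str, int]):
        self.own_id = own_id
        self.port_costs = port_costs
        # Best BPDU heard on each port, as seen from this switch (ingress port cost already added).
        self.best: Dict[str, Bpdu] = {}

    def receive(self, port: str, bpdu: Bpdu) -> bool:
        """Keep the BPDU if it beats what the port already holds; return True if it was kept."""
        seen = Bpdu(bpdu.root_id, bpdu.root_path_cost + self.port_costs[port],
                    bpdu.sender_id, bpdu.sender_port)
        if port not in self.best or seen < self.best[port]:
            self.best[port] = seen
            return True
        return False   # inferior BPDU: discarded, our own better information is sent instead

    def root_port(self) -> Optional[str]:
        """Port with the cheapest path to the lowest root ID, or None if this switch is the root."""
        candidates = {p: b for p, b in self.best.items() if b.root_id < self.own_id}
        if not candidates:
            return None
        return min(candidates, key=lambda p: candidates[p])

    def root_id(self) -> int:
        rp = self.root_port()
        return self.own_id if rp is None else self.best[rp].root_id
```

Because the VLAN is folded into the top 16 bits, two switches with the same configured priority still get distinct per-VLAN IDs, and lowering the configured priority in steps of 4096 is the only way to influence the election short of changing MAC addresses.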
- Hot Standby Router Protocol (HSRP) is one of the features that provide layer-3 redundancy for hosts on a network. HSRP optimizes the provision of alternate paths when a failed link is detected, and provides recovery mechanisms after a network failure.
- First we need to understand a few concepts related to the routing process:
b. Proxy ARP
- Cisco IOS uses proxy ARP to let hosts that have no routing capability obtain the gateway's MAC address so they can forward packets off the local subnet. In the diagram above, for example, the proxy-ARP router receives an ARP request from a host for an IP address that is not on the same segment as the requesting host. The router sends back an ARP reply carrying its own MAC address for the IP address the host wants to reach. The host then sends every packet for that IP address to the router's MAC address, and the router forwards them on to the destination.
If the proxy-ARP router fails, the end stations keep sending packets to the IP address that was resolved to the failed router's MAC address, and those packets are discarded.
- In practice the proxy MAC address has a finite lifetime in the host's ARP cache. Once it expires, the workstation asks for the address of another router, but it cannot send traffic during that interval.
c. Router Redundancy
continues to be handled by the active or standby router belonging to the virtual router group being configured.
- Active router: in an HSRP group one router is elected active. The active router is the physical device that actually forwards packets, and it is also the device that answers with the virtual MAC address to the end devices.
- The figure above shows the ARP table of a router that is a member of HSRP group 1 in VLAN 10. In it the virtual router has the address 172.16.10.110 and the well-known MAC 0000.0c07.ac01, where 01 is the group number: HSRP group 1 is shown in decimal, 01 in hexadecimal.
- The HSRP standby router continuously monitors the state of the HSRP group and quickly takes over packet forwarding if the active router stops working. Both the active and the standby router send hello messages to tell all the other routers in the HSRP group what their current role is. The routers use the destination multicast address 224.0.0.2 and UDP port 1985, with the source IP address being that of the sending router.
Hello interval: the time between two successive HSRP hello packets from a router. The default is 3 seconds.
Hold interval: the time after the last received hello after which the sending router is assumed to have failed. The default is 10 seconds.
- When the active router fails, the other routers in the HSRP group stop receiving its messages, and the standby router then takes over as the active router. If there is another router in the HSRP group, it is promoted to standby. If both the active and the standby router fail, all routers in the group elect a new active and standby router.
4.5.3 Characteristics of HSRP
- The IP address is virtual, and so is the MAC address on the active router.
- The standby routers listen for hello packets from the active router, by default every 3 seconds, with a dead interval of 10 seconds.
- The highest priority (default 100, range 1-255) determines the active router, with preemption disabled.
- Tracking is supported, whereby a router's priority is decremented when a tracked interface goes down.
- There can be up to 255 HSRP groups per interface, which allows a form of load balancing.
- The virtual MAC address has the form 0000.0C07.ACxx, where xx is the HSRP group number.
- The virtual IP address must be in the same subnet as the router's LAN interface.
- The virtual IP address must differ from every real address of the interfaces taking part in HSRP.
- A router in an HSRP group is in one of the following states: initial, learn, listen, speak, standby or active.
- In each of these states a router performs certain actions. Not every HSRP router in a group passes through every state; for example, with three routers in a group, the one that is neither standby nor active stays in the listen state.
- HSRP uses three timers: active, standby and hello. If no hello packet is received from the active HSRP router within the active timer, the router moves to a new HSRP state.
- Hello timer: the hello packet interval. Every HSRP router, whatever its state, generates a hello packet when the hello timer expires.
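As an added illustration of the HSRP rules listed above (not code from the thesis), the Python below derives the well-known virtual MAC from the group number and simulates the election: a peer whose hellos have stopped for longer than the hold time is treated as failed, the highest priority wins (highest IP breaks ties), and without preemption an incumbent active router keeps the role even when a higher-priority peer comes back. Router addresses, priorities and hello timestamps are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HELLO_INTERVAL = 3.0   # seconds, HSRP default
HOLD_TIME = 10.0       # seconds, HSRP default


def hsrp_virtual_mac(group: int) -> str:
    """Well-known HSRPv1 virtual MAC 0000.0c07.acXX, XX = group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Peer:
    ip: str
    priority: int
    last_hello: float   # time (seconds) at which this peer's last hello was heard


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def is_alive(peer: Peer, now: float, hold: float = HOLD_TIME) -> bool:
    """A peer is presumed failed once no hello has arrived within the hold time."""
    return now - peer.last_hello < hold


def elect(peers: List[Peer], now: float, current_active: Optional[str] = None,
          preempt: bool = False, hold: float = HOLD_TIME) -> Tuple[Optional[str], Optional[str]]:
    """Return (active_ip, standby_ip) for the group at time `now`.

    Highest priority wins and the highest IP breaks ties. With preemption off, a router
    that is already active keeps the role even if a higher-priority peer is alive.
    """
    live = [p for p in peers if is_alive(p, now, hold)]
    if not live:
        return None, None
    ranked = sorted(live, key=lambda p: (p.priority, _ip_key(p.ip)), reverse=True)
    incumbent = next((p for p in live if p.ip == current_active), None)
    active = incumbent if (incumbent is not None and not preempt) else ranked[0]
    standby = next((p for p in ranked if p is not active), None)
    return active.ip, (standby.ip if standby else None)


if __name__ == "__main__":
    group = [Peer("172.16.10.1", 110, 0.0), Peer("172.16.10.2", 100, 0.0), Peer("172.16.10.3", 90, 0.0)]
    print(hsrp_virtual_mac(1), elect(group, now=2.0))
    group[1].last_hello = group[2].last_hello = 9.0   # .1 falls silent
    print(elect(group, now=12.0, current_active="172.16.10.1"))
```

The interesting case for operations is the last one: with the defaults, a failed active router is not noticed until a full hold time (10 s) has passed, which bounds the outage hosts see before the standby starts answering for the virtual MAC.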
- VRRP uses the multicast address 224.0.0.18 and IP protocol 112. VRRP is available in Cisco IOS Software Release 12.0(18)ST.
- Manage IP traffic
Functions:
* Special ACLs
a. Dynamic ACLs
Characteristics: used only to filter IP traffic; dynamic ACLs depend on a Telnet connection, authentication (local or remote) and extended ACLs.
- A user opens a connection to the border router configured for lock-and-key. The user connects through a virtual terminal port on the router.
- On receiving the Telnet packet, the router opens a Telnet session and asks for a password or a username and password. The user must pass authentication before being allowed through the router. Authentication is performed by the router itself or by an authentication server using RADIUS or TACACS.
- Once the user has authenticated, the Telnet session is closed and an entry appears in the dynamic ACL.
- The user can then exchange data through the firewall.
- When the configured timeout is reached, the router removes the entry it created in the dynamic ACL, or the administrator can remove it by hand. There are two kinds of timeout: idle and absolute. With an idle timeout, the entry is removed if the user does not use the session for a period of time. With an absolute timeout, the user is allowed a fixed period of use, after which the entry is removed.
Uses:
- When you want to let a specific user or group of users reach a particular host on your network, or connect to remote hosts across the Internet. Lock-and-key ACLs authenticate the user and then permit limited access through the firewall router to a host or subnet for a limited period.
- When you want a subnet of the local network to reach a host on a remote network that is protected by a firewall. With lock-and-key ACLs, only a designated group of hosts can reach the remote host. Lock-and-key ACLs require users to authenticate through an AAA or TACACS+ server, or another security server, before their hosts are allowed to reach the remote hosts.
b. Reflexive ACLs
Characteristics: these ACLs can only be created with extended named ACLs, not with numbered or standard named ACLs.
Uses: to permit IP traffic from outside for sessions initiated from inside the network, and to block sessions initiated from the outside network. The ACL inspects outgoing packets and, for a packet that initiates a session, automatically adds an entry permitting the return traffic. Reflexive ACLs filter sessions better than the permit ... established statement, which checks only the ACK and RST bits: reflexive ACLs filter on source and destination address, port, and the ACK and RST bits of the packet. In addition, session filtering uses temporary filters that are removed when the session ends.
c. Time-based ACLs
Characteristics: they work like extended ACLs but allow access control based on time.
Uses: filter packets on the same information as extended ACLs plus time information.
- An ACL is evaluated in the order of the statements entered when the access list was created. If a condition in the list matches, its action is carried out and the remaining statements are not checked. If no statement in the list matches, an implicit deny any is applied: the end of every access list is an implicit deny all. An access list must therefore contain at least one permit statement.
When a packet enters an interface, the router checks whether an ACL is applied inbound on that interface; if so, the packet is checked against the conditions in the list.
If the packet is allowed, it is looked up in the routing table to choose the interface towards its destination.
Next, the router checks whether the outbound interface has an ACL. If not, the packet can be sent towards the destination network; if there is an outbound ACL, the packet is checked against the conditions in that list.
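To show the first-match rule and the implicit deny in runnable form, here is an added Python example (not from the thesis) that evaluates a small extended ACL against constructed packets. It also carries a time-range on one entry to cover the time-based ACL described earlier; the entry's ordering matters, which is why the port-80 permit comes before the subnet-wide deny. The ACL contents and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    clock: Optional[time] = None    # wall-clock arrival time, used by time-based entries


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: Net
    dst: Net
    dport: Optional[int] = None     # None = any port; a value behaves like "eq <port>"
    active: Optional[Tuple[time, time]] = None   # time-range (start, end); None = always

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.active is not None:
            start, end = self.active
            if pkt.clock is None or not (start <= pkt.clock <= end):
                return False
        return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First-match evaluation: (action, index of the matching entry, or None for the implicit deny)."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, i      # later entries are never consulted
    return "deny", None                 # the implicit deny all at the end of every access list


ANY = Net("0.0.0.0/0")
# Constructed ACL, equivalent in spirit to:
#   permit tcp 10.0.0.0 0.0.0.255 any eq 80
#   permit tcp 10.0.0.0 0.0.0.255 any eq 22 time-range WORKHOURS   (09:00-17:00)
#   deny   ip  10.0.0.0 0.0.0.255 any
#   permit ip  any any
OFFICE_ACL = [
    Entry("permit", "tcp", Net("10.0.0.0/24"), ANY, 80),
    Entry("permit", "tcp", Net("10.0.0.0/24"), ANY, 22, (time(9, 0), time(17, 0))),
    Entry("deny", "ip", Net("10.0.0.0/24"), ANY),
    Entry("permit", "ip", ANY, ANY),
]

if __name__ == "__main__":
    print(evaluate(OFFICE_ACL, Packet("tcp", "10.0.0.5", "203.0.113.1", 443)))   # ('deny', 2)
    print(evaluate([], Packet("tcp", "10.0.0.5", "203.0.113.1", 443)))           # ('deny', None)
```

Note the second call: an empty list, or a list made only of deny statements, blocks everything, which is the reason the text insists on at least one permit.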
5.6 Points to note
- DHCP works in client-server mode: a DHCP server lets the DHCP clients on an IP network obtain their IP configuration from it.
- DHCP makes the network easier to manage and more scalable.
- NAT (Network Address Translation)
Static NAT
- Static NAT entries are entered directly in the configuration and sit in the translation table; they are typically used for web servers.
Dynamic NAT
6.3 Advantages of NAT
- There is no need to assign new IP addresses to every host when changing to a new ISP, which saves time and money.
Figure 35 Advantages of NAT
- PAT uses the source port number together with the inside private IP address to distinguish translations.
- With leased lines, the user needs router interfaces such that there is one WAN interface per leased-line connection at each node. That is, a node with leased lines to 10 other sites must have 10 WAN interfaces to serve those connections. This is a limitation in terms of initial equipment investment and inflexibility in expansion,
LAPB: a layer-2 communication protocol similar to X.25, with full procedures for transmission control, error detection and correction. LAPB is rarely used.
- A standard of the International Telecommunication Union (ITU-T) and the American National Standards Institute (ANSI)
- A connection-oriented packet-switching technology at the data-link layer. It uses a subset of HDLC as the LAPF protocol (Link Access Procedure for Frame Relay)
- Frames are transferred between DTE and DCE at the demarcation point. The LAN's edge routers are the DTEs; they connect over E1/T1 lines to the Frame Relay switch, which is the DCE.
- It is regarded as the interface between the user and the network equipment, provided by the ISP or by a privately managed network; public Frame Relay service is deployed by placing Frame Relay switches in the ISP's central office.
- Frame Relay saves on connections compared with leased lines, but adds the cost of the Frame Relay switches
* Cisco:
- Cisco's proprietary Frame Relay encapsulation
- The default encapsulation on Cisco routers for Frame Relay
- This encapsulation uses a 2-byte header, in which:
- 1 byte identifies the DLCI
- 1 byte identifies the packet type
- Use the Cisco encapsulation when the routers at both ends are Cisco; some routers from other vendors also support it.
* IETF:
- DSL (Digital Subscriber Line): a technology that uses the unused frequencies on copper cable to carry high-speed data, up to megabits per second.
- DSL uses broadband transmission to multiplex several frequency bands over the same physical line for data transmission.
a. Characteristics of DSL
- DSL allows voice and data to be carried simultaneously over the same cable.
- Because DSL service is always available, the user does not have to dial up or wait for a call to be established.
- DSL types
Figure 37 DSL speeds
Advantages and limitations of DSL:
Advantages of ADSL:
- High access speed
- Integrated data, voice and video
- Always on: supports services such as personal web hosting
- Low maintenance cost
Limitations of DSL:
- DSL speed is inversely proportional to the distance between the CPE and the DSLAM.
- Because it is a public network, security costs money.
- MPLS (Multiprotocol Label Switching) is a switching technology that forwards packets using labels, and works with non-IP protocols as well.
- Packets are forwarded using labels from the LFIB; configuring MPLS involves enabling IP CEF and tag switching and setting the MTU size.
- MPLS VPN combines the best features of core switching and edge routing. The PE router forwards packets along the MPLS VPN path using a label stack
Advantages:
Applications:
- MPLS VPN
- MPLS traffic engineering
- MPLS QoS
- MPLS multicast/unicast routing.
2. Virtual Private Network (VPN) technology
A virtual private network, or VPN, is a way of making a public network (such as the Internet) behave like a local network, with the security and priority characteristics users value.
Simply put, a VPN extends an intranet across a public network (such as the Internet) while guaranteeing security and connection efficiency between the two communicating endpoints. The private intranet is extended with the help of "tunnels", which let the end entities exchange data much as in point-to-point communication.
VPNs have truly won a place in everyday use. Connecting business networks has long been done over leased lines, or over Frame Relay or ATM connections, but the biggest barrier for organizations has been cost: service-provider charges and the cost of maintaining and operating the network infrastructure and the organization's own equipment are all very high. It is therefore understandable that for a long time we saw few useful applications and solutions on wide-area networks.
Clearly, the advent of VPN technology gives organizations a new option. It is not without reason that telecommunications experts say: "The virtual private network is the next-generation WAN technology".
A VPN lets hosts at different branches communicate through a virtual tunnel, so the branches appear to be connected directly within one private network.
- Lower implementation cost: a VPN costs far less than traditional leased-line solutions such as Frame Relay, ATM or ISDN, because it eliminates the need for long-distance connections by replacing them with local connections to the ISP or its point of presence.
- Lower staffing and administration costs: by cutting long-distance communication costs, a VPN also significantly reduces the operating cost of a WAN-based network. Moreover, an organization's total network cost falls if the VPN equipment is managed by the ISP, since it then no longer needs to employ many senior network staff.
- Better scalability: because a VPN is Internet-based, a company's intranet can grow as the business changes, with minimal spending on additional facilities and equipment. This makes a VPN-based intranet highly scalable and easy to adapt to future growth.
- Intranet VPNs are set up for companies with many remote branches, each with its own LAN. They link headquarters and branches into the intranet over shared infrastructure using dedicated connections.
- Advantages:
+ Because the Internet acts as the connecting medium, new peer links are easy to provide.
+ Because connections are made to local ISPs, access is faster and better; together with eliminating long-distance services, this cuts the organization's intranet operating costs.
- Disadvantages:
+ Because data is tunnelled over a shared public network, network attacks such as denial of service remain a serious threat to network security.
+ The chance of packet loss in transit is still high.
+ For demanding data streams such as multimedia, transmission delay is still very high and throughput can fall very low across the Internet.
The method and keys for the authentication algorithms used by the IPsec Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols.
The encryption and decryption algorithm and its keys.
Key-related information such as the key change or refresh interval.
Information about the SA itself, including the SA source address and its refresh interval.
An IPsec SA consists of three fields:
Figure 43 The three fields of an SA
SPI (Security Parameter Index): a 32-bit field identifying the security protocol, as defined by the Security protocol field, of the IPsec suite in use. The SPI is carried as part of the security protocol header and is usually chosen by the destination system during SA negotiation.
Destination IP address: the IP address of the destination node. Although it could be a broadcast, unicast or multicast address, current SA management mechanisms are defined only for unicast.
Security protocol: identifies the IPsec security protocol, either AH or ESP.
Notes:
- Broadcasts are addressed to all systems on the same network or subnet; multicasts are sent to many (but not all) nodes of a given network or subnet; a unicast is addressed to a single destination node.
- Because an SA is unidirectional by nature, two SAs must be defined between the two communicating endpoints, one for each direction. In addition, an SA can provide
4. The authentication algorithm and key identified in the SA are used to compute an ICV over the whole datagram, and the result is compared with the original value in the AH header. If the values differ, the datagram is discarded; if they match, the packet is authenticated as intact.
5. The AH header is removed from the datagram and the original IP header fields are restored. The datagram is placed in the input queue for normal IP processing.
- Encapsulating Security Payload (ESP)
ESP provides authentication, integrity and confidentiality for packets. ESP can also be configured for use in situations that need only encryption or only authentication.
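As an added example (not from the thesis), the Python below models the receive-side AH processing described in steps 4 and 5 together with the three-field SA lookup: the inbound SA is found by (SPI, destination address, protocol), the ICV is recomputed over the datagram with mutable fields (here just the TTL) and the ICV field zeroed, and the packet is discarded on mismatch. A simplified anti-replay check on the sequence number is included because an ICV alone does not stop replay. The 9-byte IP header, the HMAC-SHA-256-128 choice, the addresses and the key are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

ICV_LEN = 16        # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits
IP_HDR_LEN = 9      # toy IP header for the example: 4-byte src, 4-byte dst, 1-byte TTL
AH_FIXED_LEN = 12   # next header, payload length, reserved, SPI, sequence number


@dataclass
class SA:
    spi: int
    dst: str
    proto: str          # "AH" or "ESP"
    auth_key: bytes
    last_seq: int = 0   # highest sequence number accepted (simplified anti-replay, no window)


# Inbound SA database keyed by the three SA fields the text describes.
SADB: Dict[Tuple[int, str, str], SA] = {}


def install_sa(sa: SA) -> None:
    SADB[(sa.spi, sa.dst, sa.proto)] = sa


def _ip_header(src: str, dst: str, ttl: int) -> bytes:
    return ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed + bytes([ttl])


def _icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah_packet(sa: SA, src: str, ttl: int, seq: int, payload: bytes) -> bytes:
    """Sender side: the ICV covers the IP header with mutable fields (TTL) zeroed,
    the AH header with a zeroed ICV field, and the payload."""
    ah_fixed = struct.pack("!BBHII", 6, (AH_FIXED_LEN + ICV_LEN) // 4 - 2, 0, sa.spi, seq)
    authed = _ip_header(src, sa.dst, 0) + ah_fixed + b"\x00" * ICV_LEN + payload
    return _ip_header(src, sa.dst, ttl) + ah_fixed + _icv(sa.auth_key, authed) + payload


def verify_ah_packet(packet: bytes) -> Tuple[bool, str]:
    """Receiver side: look up the SA, reject replays, recompute and compare the ICV."""
    ip_hdr, rest = packet[:IP_HDR_LEN], packet[IP_HDR_LEN:]
    src = str(ipaddress.IPv4Address(ip_hdr[:4]))
    dst = str(ipaddress.IPv4Address(ip_hdr[4:8]))
    _next, _plen, _rsv, spi, seq = struct.unpack("!BBHII", rest[:AH_FIXED_LEN])
    sa = SADB.get((spi, dst, "AH"))
    if sa is None:
        return False, "no SA for (SPI, destination, AH)"
    if seq <= sa.last_seq:
        return False, "replayed sequence number"
    received_icv = rest[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    payload = rest[AH_FIXED_LEN + ICV_LEN:]
    authed = _ip_header(src, dst, 0) + rest[:AH_FIXED_LEN] + b"\x00" * ICV_LEN + payload
    if not hmac.compare_digest(received_icv, _icv(sa.auth_key, authed)):
        return False, "ICV mismatch: datagram discarded"
    sa.last_seq = seq
    return True, "authenticated; AH stripped, payload queued for normal IP processing"
```

Two details worth noticing: the comparison uses a constant-time compare, and a TTL decremented in transit does not break verification because the TTL is zeroed on both sides before the HMAC is computed, which is exactly why AH distinguishes mutable from immutable header fields.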
Aggressive mode is essentially like main mode, except that only 3 messages are exchanged instead of main mode's 6, so aggressive mode is faster than main mode. The messages are:
The first message proposes the security policy, passes data for the master key, and exchanges nonces for the subsequent signing and verification.
The next message replies to the first. It authenticates the recipient and completes the security policy with the keys.
The final message confirms the sender (the initiator of the session).
If decryption fails at the receiver or the signature cannot be verified, informational mode is used to notify the other parties.
2.7.7 How IPsec operates
The main purpose of IPsec is to protect the desired traffic with the required security services; its operation can be divided into five main steps:
Step 1: Interesting traffic triggers the process.
Deciding which traffic needs protection is part of the security policy of a VPN. The policy is used to decide which traffic needs protection and which does not (clear-text traffic needs no protection).
The policy is then enforced at the interface of each IPsec peer. For every inbound and outbound packet there are three options: apply IPsec, bypass IPsec, or drop the packet. For each packet protected by IPsec, the system administrator must specify the security services applied to it. The security policy database specifies the IPsec protocols, nodes and algorithms used for the traffic flow.
For example, the access control lists (ACLs) of the routers are used to identify which traffic needs encryption. ACLs are defined by command lines, for instance:
- permit: identifies traffic that must be encrypted.
- deny: identifies traffic that is sent unencrypted.
When traffic that needs protection is detected, an IPsec peer triggers the next step: negotiating an IKE Phase 1 exchange.
Step 2: IKE Phase 1
The basic purpose of IKE Phase 1 is to negotiate IKE policy sets, authenticate the peers, and establish a secure channel between them. IKE Phase 1 has two modes: main mode and aggressive mode.
the encryption, authentication and other protocols are negotiated. Rather than negotiating each protocol separately, the protocols are grouped into sets, the IKE policy sets. IKE policy sets are exchanged in IKE Phase 1 main mode, in the first exchange. If a matching policy is found on both sides, main mode continues; if no matching policy is found, the tunnel is rejected.
Figure 61 Authenticating the peers
Three methods of data-origin authentication:
- Pre-shared keys: a secret key value entered manually to identify the peer.
- RSA signatures: the exchange of digital certificates is used to authenticate the peer.
- RSA encrypted nonces: random numbers (nonces, one generated by each peer) are encrypted and then exchanged between the peers; the two nonces are used throughout peer authentication.
Step 3: IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPsec security parameters used to protect the IPsec tunnel.
Figure 64 Security associations
Step 4: The IPsec encrypted tunnel
After IKE Phase 2 completes and quick mode has established the IPsec security associations (IPsec SAs), traffic between Host A and Host B passes through a secure tunnel. The traffic is encrypted and decrypted with the algorithms specified in the IPsec SA.
The IPsec tunnel is established.
Step 5: Tunnel termination
Figure 65 Tunnel termination
IPsec SAs terminate when they are deleted or expire. An SA expires when its specified lifetime has elapsed or a given number of bytes has passed through the tunnel. When SAs terminate, their keys are destroyed as well. When new IPsec SAs are needed, a new IKE Phase 2 is performed and, if necessary, a new IKE Phase 1 is negotiated. A successful negotiation creates new SAs and keys. The new SAs are established before the old ones expire, so that the flow of traffic is not interrupted.
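The Python below is an added example (not code from the thesis) covering two of the steps above: the IKE Phase 1 policy-set match, where the responder walks its own policies in priority order and accepts the first one an initiator proposal matches on encryption, hash, authentication and DH group (with the shorter lifetime winning), and the Step 5 lifetime logic, where an SA expires on time or on bytes and a rekey is scheduled ahead of expiry so traffic continues. The policy contents, lifetimes and rekey margins are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int         # lower number = higher priority, like "crypto isakmp policy N"
    encryption: str
    hash_alg: str
    authentication: str   # "pre-share", "rsa-sig" or "rsa-encr" (the three methods above)
    group: int            # Diffie-Hellman group
    lifetime: int         # seconds


def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Responder checks its own policies in priority order against every initiator proposal.
    Encryption, hash, authentication and DH group must all match; lifetime need not,
    the shorter of the two is used. None means no match: the tunnel is refused."""
    for local in sorted(responder, key=lambda p: p.priority):
        for remote in sorted(initiator, key=lambda p: p.priority):
            same = (local.encryption, local.hash_alg, local.authentication, local.group) == \
                   (remote.encryption, remote.hash_alg, remote.authentication, remote.group)
            if same:
                return IkePolicy(local.priority, local.encryption, local.hash_alg,
                                 local.authentication, local.group,
                                 min(local.lifetime, remote.lifetime))
    return None


@dataclass
class IpsecSa:
    established_at: float     # seconds
    lifetime_seconds: int
    lifetime_kbytes: int
    kbytes_sent: int = 0


def sa_expired(sa: IpsecSa, now: float) -> bool:
    """An SA expires when either its time lifetime or its byte lifetime is used up."""
    return (now - sa.established_at >= sa.lifetime_seconds
            or sa.kbytes_sent >= sa.lifetime_kbytes)


def rekey_due(sa: IpsecSa, now: float, margin_seconds: int = 120, margin_kbytes: int = 256) -> bool:
    """True when a replacement SA should be negotiated now, before the old one expires."""
    return (now - sa.established_at >= sa.lifetime_seconds - margin_seconds
            or sa.kbytes_sent >= sa.lifetime_kbytes - margin_kbytes)


if __name__ == "__main__":
    init = [IkePolicy(10, "aes-256", "sha256", "rsa-sig", 14, 86400),
            IkePolicy(20, "aes-128", "sha", "pre-share", 2, 86400)]
    resp = [IkePolicy(5, "aes-256", "sha256", "pre-share", 14, 28800),
            IkePolicy(10, "aes-128", "sha", "pre-share", 2, 3600)]
    print(negotiate(init, resp))
    sa = IpsecSa(established_at=0.0, lifetime_seconds=3600, lifetime_kbytes=4608000)
    print(rekey_due(sa, 3500.0), sa_expired(sa, 3500.0))
```

In the sample run the responder's strongest policy is skipped because the authentication methods differ, so the weaker aes-128/pre-share set is what ends up protecting the tunnel; ordering policies so that the sets you actually want are the only ones both sides share is the practical lesson.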
time spent on each individual activity is also recorded. Detailed user information helps the network administrator track user activity and take appropriate action to keep the network secure. Although accounting is regarded as the logical step after authentication and authorization, it need not be carried out in that order; in practice accounting can be performed even when authentication and authorization are not. In the distributed client/server security database model, the communication clients and servers authenticate a dial-up user's identity against a single central database or authentication server. The authentication server stores all user information, passwords and access privileges. Centralizing security in this way, with a single store of authentication data, is safer than scattering user information across devices on the network. A single authentication server can support hundreds of communication servers and thousands of users. Communication servers can reach an authentication server locally or remotely over a wide-area network (WAN).
Several remote-access vendors and the IETF have led efforts to secure remote access, and the security mechanisms have been standardized. Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access Control System (TACACS) are the two projects that opened the Internet-standard framework for remote-access vendors.
a new version of the client source code and a separate set of configuration policies on the firewall. The server, however, need not change; indeed, it need not know that the session is being relayed by the SOCKS server. Both the client and the SOCKS server need the SOCKS code. The SOCKS server acts as an application-level router between the client and the real application server.
SOCKSv4 handles only outbound TCP sessions. It is simple for a user's private network but has no secure password distribution, so it is not used for sessions between public-network users and private-network applications. SOCKSv5 adds several authentication methods and can therefore be used for inbound connections; SOCKS also supports UDP-based protocols and applications.
Most web browsers are SOCKSified, and SOCKSified TCP/IP stacks are available for most platforms.
2.8.5 The SSL and TLS protocols:
SSL is a security protocol developed by Netscape Communications together with RSA Data Security. Its main purpose is to provide a private channel between communicating applications that guarantees data privacy, integrity and peer authentication. SSL offers an alternative to the standard TCP/IP socket API with security implemented inside it, so in theory it can run any TCP/IP application securely without changing the application. In practice SSL was implemented only for HTTP connections, but Netscape declared its intention to apply it to other application types such as NNTP and Telnet, and some free implementations are available on the Internet. For example, IBM uses SSL to secure TN3270 sessions in its host, personal communications and server products, provided the security configuration can reach the firewalls.
SSL has two layers:
At the lower layer there is a data transfer protocol that uses a predetermined cipher combined with authentication, called the SSL record protocol; figure 35 illustrates it and contrasts it with a standard HTTP socket connection.
+ Authentication: during the handshake, the client authenticates the server using a public key; it can also be certificate-based.
TLS was developed as a successor to SSL; like SSL, it lets end servers and clients communicate securely over insecure public networks. In addition to the security capabilities SSL provides, TLS also guards against eavesdropping, tampering and packet interception.
TLS also has two layers: the TLS record protocol and the TLS handshake protocol. The TLS record protocol provides security using encryption mechanisms such as DES. The TLS handshake protocol provides mutual authentication, letting the server and the client authenticate each other, and lets the two entities negotiate the encryption algorithms and keys used for their subsequent data exchange.
In VPN scenarios, SSL and TLS can be implemented on the VPN server as well as on the end client.
Comparing IPsec with SSL:
As described in the sections above, IPsec provides strong encryption and authentication for IP traffic, and also certificate-based key exchange and refresh through IKE.
Drawing a careful conclusion, we must note that these capabilities are needed just as much as those provided by SSL and TLS. This section notes the basic similarities and differences between IPsec and SSL and explains where each protocol is used.
Similarities:
o IPsec (via IKE) and SSL both provide client and server authentication.
o IPsec and SSL both provide confidentiality and authentication for data, albeit at different levels of the protocol stack.
o IPsec and SSL can both use strong cryptographic algorithms for encryption and hashing, and can use certificate-based authentication (IPsec via IKE).
o IPsec (via IKE) and SSL both provide key generation and key refresh without transmitting any key in the clear or out of band.
Differences:
o SSL is implemented as an API between the application and transport layers; IPsec is implemented as a framework at the internetwork layer.
o SSL provides application-to-application security (for example between a web browser and a web server); IPsec provides device-to-device security.
o SSL does not protect UDP traffic; IPsec does.
o SSL works end to end and has no notion of a tunnel. This can be a problem when traffic must be inspected, for content checking and virus scanning, before it is delivered to its destination; IPsec can work either end to end or as a tunnel.
o SSL can pass through NAT or SOCKS, which are used to hide the internal address structure or to avoid private-address conflicts; IPsec in transport (end-to-end) mode cannot use NAT, but an IPsec tunnel can achieve the same goal, and more securely than NAT because the tunnel can also be encrypted.
o Applications must be modified to use SSL, which can be a problem when the application's source code is unavailable or there is no time or expertise to change it; IPsec is completely transparent to applications.
Typically SSL is a good fit when only one application needs protecting and it is available in an SSL-aware version. This is the case for a variety of standard applications, not only web browsers and web servers. Also, if there is the option of implementing a 3-tier concept using web application gateways at the network perimeter, SSL is a good choice. If a large number of applications must be secured, a better network-level solution may be needed; in that case IPsec is the better choice.
When deploying a DMVPN network there are two deployment models: hub-and-spoke and spoke-and-spoke. To understand these two concepts you first need to understand what a hub and a spoke are. The hub is the central site, that is, the WAN system at the company's headquarters; a spoke is a branch or office. Figure 72 illustrates this: the hub is the Central Site and the spokes are the Branches.
When we say hub and spoke we mean the routers performing the DMVPN function at the central site and the branches. When we say central site and branch site (or just central and branch) we mean the many devices located there; the hub and the spokes sit at the central site and the branches.
IPsec: encrypts data and provides authentication and data-integrity features.
GRE: establishes tunnels that can encapsulate any network-layer packet; routing can also run over the tunnel.
NHRP: a protocol that maps a tunnel address to the address on the router's physical interface. It solves the problem of spokes using IP addresses dynamically assigned by the ISP.
Together these technologies let IPsec be deployed in a DMVPN easily, flexibly and securely.
First, and needing no calculation, is the hub and spoke equipment. Both sides must have devices with good support for creating DMVPN connections. There are many options to choose from, but the most common is Cisco routers.
Looking at the diagram in figure 72, we see that the connection between hub and spoke must pass through a cloud. The cloud here refers to the Internet service provider (ISP). There are many ISP services to choose from; the cloud can be Frame Relay, ATM or leased lines
In the dual-hub dual-DMVPN-cloud model, figure 73, Hub 1 is the primary hub; it connects to the branches over DMVPN cloud 1, and of course they share a subnet. It carries the connections most of the time. Hub 2 is recommended as a backup in case Hub 1 runs into a problem. Hub 1 and Hub 2 are recommended to connect to each other on the campus network and not in the same subnet (the same network, but subnetted). Naturally both Hub 1 and Hub 2 must be able to reach the internal network. This solution is known for its failover capability: it limits outages and keeps the connection up.
In the second model, dual hub single DMVPN cloud, figure 74, there is only one network path connecting all the hubs and branches. From the DMVPN cloud you see two connections and two hubs. This solution is known for its load-balancing capability.
3.4.1 Hub-and-Spoke:
With dual DMVPN clouds in the hub-and-spoke model there are two headends (hub1 and hub2), each with one or more mGRE tunnels connecting to all the branches, as figure 75 shows.
Each DMVPN cloud is represented by a unique IP subnet. One DMVPN cloud is designated primary and carries all the branch traffic. Each branch has two point-to-point GRE interfaces, one to each hub. In this deployment model there are no tunnels between branches; branch-to-branch communication is provided through the hub. The metric of the routing protocol the network uses determines which hub is primary.
3.4.2 Spoke-and-Spoke:
As in hub-and-spoke, this model also has two central hubs, each with one or more tunnels to all the branches. Branch-to-branch communication goes through the hub unless a direct connection is created between two spokes, which is what distinguishes this case. A spoke-to-spoke tunnel is called dynamic; it must lie within a single DMVPN cloud, that is, the same subnet. Spoke-to-spoke tunnels do not span two DMVPN clouds.
In the single-tier architecture, the mGRE and crypto functions coexist on one router CPU.
In this deployment the branches connect to each other through their own tunnels, which cross the DMVPN cloud; the protocol normally seen on these tunnels is IPsec. For communication with the central site we have the single-tier design, in which the mGRE and crypto functions are packaged in one router.
In this model two headends are used, but they share one subnet. The branch offices connect to the central site over mGRE interfaces, and they too must share the subnet for branch-to-branch communication. This model is not recommended because it offers neither availability nor resilience. With spoke-and-spoke deployment, this single-DMVPN design needs careful consideration.
The two headends must have identical DMVPN configurations, with IP addresses in the same subnet; they then provide load balancing between the two headends.
To summarize the deployment topologies for the DMVPN solution:
In both architectures the headend can be deployed in two ways:
o Single tier: the mGRE and crypto functions on the same router.
o Dual tier: the mGRE and crypto functions on two different routers.
Figure 81 IP model
Looking at this illustration we also see the issue mentioned earlier, namely IP addressing. The data packet sent from A carries its own IP address and the address of the destination it must reach. When it is tunneled, it gains an additional source and destination IP address, those of the tunnel. These are called the tunnel IPs, and the communication between these two tunnel IPs is called the tunnel.
A GRE tunnel also lets routing protocols operate as it forwards traffic from the private network to other routers across the internet. GRE also encapsulates multicast data for transport across the internet.
Figure 82 GRE example
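The two address pairs described above can be seen directly in the bytes. The following Python block is an added example written for this section, not code from the thesis: it builds an inner IPv4 packet from a host in the HN branch, wraps it in an outer IPv4 header (protocol 47) plus the four-byte GRE header, and then parses the result back to show the inner (private) and outer (tunnel endpoint) addresses side by side. The outer source 113.190.49.2 is R-HN's S1/3 address from the design; the hub's public address 203.0.113.1 and the host addresses are constructed assumptions.

```python
import struct
import ipaddress

GRE_PROTO = 47            # IP protocol number that marks the outer header as GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when a valid checksum is included)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 header (tunnel endpoints, protocol 47) + 4-byte GRE header + inner packet."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> dict:
    """Validate the outer header, strip it and the GRE header, and report both address pairs."""
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ip_checksum(outer) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if outer[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % outer[9])
    _flags, gre_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if gre_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % gre_type)
    inner = packet[ihl + 4:]
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "tunnel_src": str(ipaddress.IPv4Address(outer[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(outer[16:20])),
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_ihl:],
    }


def demo() -> dict:
    """Constructed sample: a host in the HN branch (192.168.2.5) sends a UDP packet to a host
    in the DN branch (192.168.3.5). The outer source 113.190.49.2 is R-HN's S1/3 address from
    the design; the hub's public address 203.0.113.1 is an assumption."""
    payload = b"constructed sample payload"
    inner = ipv4_header("192.168.2.5", "192.168.3.5", 17, len(payload)) + payload
    tunneled = gre_encapsulate(inner, "113.190.49.2", "203.0.113.1")
    info = gre_decapsulate(tunneled)
    info["overhead_bytes"] = len(tunneled) - len(inner)   # 20 (outer IP) + 4 (GRE) = 24
    return info


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The 24 bytes of added overhead per packet are why the tunnel MTU on a GRE interface is lower than on the physical link, and why the outer checksum is verified before anything inside is trusted.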
NHRP is a protocol similar to ARP (the Address Resolution Protocol) that reduces the problems of NBMA (Non-Broadcast Multiple Access) networks. With NHRP, systems dynamically learn the addresses of the other systems attached to the NBMA network, which lets them communicate directly with each other without traffic passing through an intermediate hop.
NHRP was designed to help IP find a path for transferring blocks of data across an NBMA network. NHRP is not a routing protocol; it is only an addressing technique that maps IP addresses to NBMA network addresses while data is being transferred, in contrast to broadcast networks. On a broadcast network, many computers and devices share one network cable or other transmission medium. When a computer transmits frames, every node on the network hears the frames, but only the node whose address is named in the frame actually accepts it; that is why the frames are said to be broadcast. An NBMA network uses connection-oriented circuits to deliver frames or cells from one end of the circuit to the other, and no station other than the two end nodes is involved in the circuit. IP's connectionless delivery service is not always well suited to the connection-oriented links of ATM.
3.7.4 Tunnel Protection Mode
The protection is typically still IPSec; crypto can be configured either dynamically or statically at both the headend and the branch routers. IOS release 13 (or later) supports most IPSec configurations, and from release 13 the concept of the IPSec profile was introduced. An IPSec profile is applied to most connections, so we no longer need many ACLs per interface. However, only subnets that are configured for, and permitted to, communicate over IPSec can use this profile.
3.7.5 Using routing protocols
The DMVPN design recommends using dynamic routing protocols to route from the headend to the branches. Dynamic routing protocols have many advantages over IPSec Direct Encapsulation. In a VPN, the routing protocol must provide the same benefits as in a traditional network, including:
IKE CAC depends heavily on the specific platform and crypto technology, the network topology, and the settings that are deployed.
3.8 Comparison of VPN and DMVPN
3.8.1 The conventional VPN model
Restricts multicast packets.
There are many approaches and scenarios that can address the factors above, but few resolve them completely while also meeting a requirement that many enterprises want, namely low construction and operating cost for the system. That is why I chose DMVPN as the solution.
[Figure residue: the head-office and branch topology diagram could not be extracted. Recoverable labels: SW-ACCESS2 with PortChannel 2 and PortChannel 3 uplinks and access ports for VLAN 10 GIAMDOC, VLAN 20 IT, VLAN 30 KINHDOANH, VLAN 40 NHANSU and VLAN 50 KETOAN; R-HN with F0/0.10 192.168.2.1/28 (VLAN 10 QUANLY), F0/0.20 192.168.2.17/28 (VLAN 20 TUVAN), Tunnel 100 100.100.100.2/29, Tunnel 200 200.200.200.2/29 and S1/3 113.190.49.2/30; SW-HN with VLAN 10 QUANLY and VLAN 20 TUVAN; R-DN with S1/2 113.190.48.2/30; all in OSPF area 1.]
SW-DN(config)#interface f1/0
SW-DN(config-if)#switchport trunk encapsulation dot1q
SW-DN(config-if)#switchport mode trunk
Configure Etherchannel:
SW-CORE1(config)#interface range f1/0 - 1
SW-CORE1(config-if-range)#channel-group 1 mode on
SW-CORE1(config)#interface range f1/2 - 3
SW-CORE1(config-if-range)#channel-group 2 mode on
SW-CORE1(config)#vtp pruning
SW-DN#vlan database
SW-DN(vlan)#vlan 10 name kinhdoanh
SW-DN(vlan)#vlan 20 name tuvan
SW-DN(vlan)#vlan 30 name quanly
SW-CORE1(config-if)#standby 40 preempt
SW-CORE1(config-if)#standby 40 track port-channel 2
SW-CORE1(config-if)#standby 40 authentication 40
SW-CORE2(config-if)#standby 40 ip 192.168.1.66
SW-CORE2(config-if)#standby 40 priority 150
SW-CORE2(config-if)#standby 40 preempt
SW-CORE2(config-if)#standby 40 track port-channel 2 65
SW-CORE2(config-if)#standby 40 authentication 40
SW-CORE2(config)#interface vlan 50
SW-CORE2(config-if)#ip address 192.168.1.35 255.255.255.240
SW-CORE2(config-if)#standby 50 ip 192.168.1.34
SW-CORE2(config-if)#standby 50 preempt
SW-CORE2(config-if)#standby 50 track port-channel 2
SW-CORE2(config-if)#standby 50 authentication 50
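The HSRP lines above only make sense together: SW-CORE2 is preferred (priority 150 against SW-CORE1's default 100), both preempt, and SW-CORE2 lowers its priority by 65 when port-channel 2 goes down. The following Python block is an added example written for this section, not configuration or code from the thesis; it models the HSRP election rules and walks group 40 through an uplink failure, including what would happen with the IOS default decrement of 10 instead of 65. The interface addresses 192.168.1.65 and 192.168.1.67 in the VLAN 40 subnet are assumptions used only as tie-breakers.

```python
from dataclasses import dataclass
import ipaddress

HSRP_DEFAULT_PRIORITY = 100    # IOS default when "standby <group> priority" is not configured
HSRP_DEFAULT_DECREMENT = 10    # IOS default when "standby <group> track" has no decrement value


@dataclass
class HsrpRouter:
    name: str
    ip: str                    # interface address on the VLAN, used as the tie-breaker
    priority: int = HSRP_DEFAULT_PRIORITY
    preempt: bool = False
    track_decrement: int = HSRP_DEFAULT_DECREMENT
    tracked_up: bool = True    # state of the tracked object (here port-channel 2)

    def effective_priority(self) -> int:
        return self.priority - (0 if self.tracked_up else self.track_decrement)


def elect_active(routers, current_active=None):
    """Return the router holding the Active role after the next hello exchange.
    Highest effective priority wins, ties broken by the highest interface IP; a router that is
    already Active keeps the role unless a challenger is configured to preempt and has a
    strictly higher effective priority."""
    best = max(routers, key=lambda r: (r.effective_priority(), int(ipaddress.IPv4Address(r.ip))))
    if current_active is None or current_active not in routers:
        return best
    if best is current_active:
        return current_active
    if best.preempt and best.effective_priority() > current_active.effective_priority():
        return best
    return current_active


def scenario() -> list:
    """Walk HSRP group 40 from this section through a port-channel 2 failure on SW-CORE2.
    Priorities, preempt and the decrement of 65 are from the configuration; the interface
    addresses are assumptions."""
    core1 = HsrpRouter("SW-CORE1", "192.168.1.65", preempt=True)      # priority 100, decrement 10
    core2 = HsrpRouter("SW-CORE2", "192.168.1.67", priority=150, preempt=True, track_decrement=65)
    routers = [core1, core2]
    history = []

    active = elect_active(routers)                      # both uplinks up
    history.append(active.name)

    core2.tracked_up = False                            # port-channel 2 fails on SW-CORE2
    active = elect_active(routers, active)              # 150 - 65 = 85 < 100, CORE1 preempts
    history.append(active.name)

    core2.tracked_up = True                             # uplink returns
    active = elect_active(routers, active)              # CORE2 preempts again at 150
    history.append(active.name)

    core2.track_decrement = HSRP_DEFAULT_DECREMENT      # same failure with the default decrement
    core2.tracked_up = False
    active = elect_active(routers, active)              # 150 - 10 = 140 > 100, no failover
    history.append(active.name)
    return history


if __name__ == "__main__":
    print(scenario())
```

The last step is the check worth keeping in mind when reviewing HSRP: a tracking decrement smaller than the priority gap between the two switches never triggers a failover, so the gateway keeps pointing at a switch that has lost its uplink.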
SW-CORE1(config)#router ospf 1
SW-CORE1(config-router)#network 172.16.1.0 0.0.0.3 area 1
SW-CORE1(config-router)#network 172.16.3.0 0.0.0.3 area 1
SW-CORE1(config-router)#network 192.168.1.48 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.80 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.0 0.0.0.31 area 1
SW-CORE1(config-router)#network 192.168.1.64 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.32 0.0.0.15 area 1
SW-CORE2(config)#router ospf 1
SW-CORE2(config-router)#network 172.16.2.0 0.0.0.3 area 1
SW-CORE2(config-router)#network 172.16.4.0 0.0.0.3 area 1
SW-CORE2(config-router)#network 192.168.1.48 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.80 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.0 0.0.0.31 area 1
SW-CORE2(config-router)#network 192.168.1.64 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.32 0.0.0.15 area 1
9. Configure an ACL so that only the IT department may telnet
NAT-HN(config)#access-list 10 permit 192.168.1.80 0.0.0.15
R-HN(config)#interface f0/0.20
R-HN(config-subif)#encapsulation dot1Q 20
R-HN(config-subif)#ip address 192.168.2.17 255.255.255.240
R-DN(config)#interface f0/0
R-DN(config-if)#no shutdown
R-DN(config)#interface f0/0.10
R-DN(config-subif)#encapsulation dot1Q 10
R-DN(config-subif)#ip address 192.168.3.1 255.255.255.240
R-DN(config)#interface f0/0.20
R-DN(config-subif)#encapsulation dot1Q 20
R-DN(config-subif)#ip address 192.168.3.17 255.255.255.240
R-DN(config)#interface f0/0.30
R-DN(config-subif)#encapsulation dot1Q 30
R-DN(config-subif)#ip address 192.168.3.33 255.255.255.248
12. Configure DHCP for the HN and DN branches
R-HN(config)#ip dhcp pool quanly
R-HN(dhcp-config)#network 192.168.2.0 255.255.255.240
R-HN(dhcp-config)#default-router 192.168.2.1
R-HN(dhcp-config)#dns-server 8.8.8.8
R-HN(config)#ip dhcp pool tuvan
R-HN(dhcp-config)#network 192.168.2.16 255.255.255.240
R-HN(dhcp-config)#default-router 192.168.2.17
R-HN(dhcp-config)#dns-server 8.8.8.8
R-HN(config)#router ospf 1
R-HN(config-router)#network 100.100.100.0 0.0.0.7 area 1
R-HN(config-router)#network 200.200.200.0 0.0.0.7 area 1
R-HN(config-router)#network 192.168.2.0 0.0.0.15 area 1
R-HN(config-router)#network 192.168.2.16 0.0.0.15 area 1
R-DN(config)#router ospf 1
R-DN(config-router)#network 100.100.100.0 0.0.0.7 area 1
R-DN(config-router)#network 200.200.200.0 0.0.0.7 area 1
R-DN(config-router)#network 192.168.3.0 0.0.0.15 area 1
R-DN(config-router)#network 192.168.3.16 0.0.0.15 area 1
R-DN(config-router)#network 192.168.3.32 0.0.0.7 area 1
R-DN(config)#ip route 0.0.0.0 0.0.0.0 serial 1/2
13.6 Configure IPSec for the tunnel links
NAT-HN(config)#crypto isakmp policy 1
NAT-HN(config-isakmp)#authentication pre-share
NAT-HN(config)#crypto isakmp key 6 vietbank address 0.0.0.0 0.0.0.0
NAT-HN(config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
NAT-HN(config)#crypto ipsec profile dmvpn
NAT-HN(ipsec-profile)#set security-association lifetime seconds 120
NAT-HN(ipsec-profile)#set transform-set myset
NAT-HN(ipsec-profile)#set pfs group2
NAT-HN(config)#interface tunnel 100
NAT-HN(config-if)#tunnel protection ipsec profile dmvpn
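The tunnel protection configuration above (and the IPSec profile concept of section 3.7.4) is easy to misjudge because IOS silently fills in defaults for anything the ISAKMP policy leaves out. The following Python block is an added review aid written for this section, not code from the thesis or from Cisco: it reads the crypto lines exactly as shown, in running-config form, and reports what a reviewer would flag: the missing encryption and DH group (which fall back to the classic IOS defaults of DES and group 1), the pre-shared key bound to any peer address, the 120-second SA lifetime, and PFS with group2. The sample configuration is constructed from the lines above; nothing beyond them is assumed.

```python
import re

# Constructed sample: the NAT-HN crypto lines from this section, in running-config form.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 6 vietbank address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec profile dmvpn
 set security-association lifetime seconds 120
 set transform-set myset
 set pfs group2
interface tunnel 100
 tunnel protection ipsec profile dmvpn
"""

WEAK_DH = {"group1", "group2", "group5"}          # 768-, 1024- and 1536-bit MODP
WEAK_CIPHERS = {"des", "3des", "esp-des", "esp-3des"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}


def parse_blocks(text: str):
    """Minimal IOS reader: each top-level line paired with its indented sub-commands."""
    blocks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] == " ":
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit_crypto(text: str) -> list:
    """Return readable findings about the ISAKMP policy, PSK, transform set and IPSec profile."""
    findings = []
    transform_sets = {}
    for head, subs in parse_blocks(text):
        words = head.split()
        if head.startswith("crypto isakmp policy"):
            settings = {s.split()[0]: s.split()[1:] for s in subs}
            if "encryption" not in settings:
                findings.append(f"{head}: no encryption configured (classic IOS default is DES)")
            elif settings["encryption"][0] in WEAK_CIPHERS:
                findings.append(f"{head}: weak encryption {settings['encryption'][0]}")
            if settings.get("hash", [""])[0] in WEAK_HASHES:
                findings.append(f"{head}: weak hash {settings['hash'][0]}")
            if "group" not in settings:
                findings.append(f"{head}: no DH group configured (classic IOS default is group 1, 768-bit)")
            elif "group" + settings["group"][0] in WEAK_DH:
                findings.append(f"{head}: weak DH group {settings['group'][0]}")
        elif head.startswith("crypto isakmp key"):
            m = re.search(r"address (\S+) (\S+)$", head)
            if m and m.groups() == ("0.0.0.0", "0.0.0.0"):
                findings.append("crypto isakmp key: one pre-shared key bound to 0.0.0.0 0.0.0.0, so any "
                                "peer holding the key can negotiate; rotate it whenever a spoke is lost")
        elif head.startswith("crypto ipsec transform-set"):
            name, algs = words[3], words[4:]
            transform_sets[name] = algs
            for alg in algs:
                if alg in WEAK_CIPHERS or alg in WEAK_HASHES:
                    findings.append(f"{head}: weak algorithm {alg}")
        elif head.startswith("crypto ipsec profile"):
            for s in subs:
                sw = s.split()
                if s.startswith("set security-association lifetime seconds"):
                    secs = int(sw[-1])
                    if secs < 600:
                        findings.append(f"{head}: SA lifetime {secs}s forces a rekey every {secs // 60} min; "
                                        "fine in a lab, expensive on a loaded hub")
                elif s.startswith("set pfs") and sw[-1] in WEAK_DH:
                    findings.append(f"{head}: PFS {sw[-1]} is a weak DH group")
                elif s.startswith("set transform-set") and sw[-1] not in transform_sets:
                    findings.append(f"{head}: references undefined transform-set {sw[-1]}")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto(SAMPLE_CONFIG):
        print("-", finding)
```

Adding explicit `encryption`, `hash` and `group` lines to the ISAKMP policy and choosing a stronger PFS group clears every finding except the wildcard pre-shared key, which is inherent to a DMVPN design where every spoke authenticates with one shared secret; that one stays as an accepted risk to be managed by key rotation.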
CHAPTER 5. CONCLUSION
1. Results achieved
After the period of research and implementation of the project BUILDING AN ENTERPRISE NETWORK INFRASTRUCTURE, the author has kept to the schedule and met the requirements of the project.
Regarding the project:
Successfully designed and configured the network infrastructure according to the enterprise's requirements.
Implemented the policies the enterprise requires, on Cisco equipment.
Used Etherchannel technology to provide HA and redundancy for the network and to meet the bandwidth demands of the whole system.
Used VLAN and VTP to manage and optimize the network.
Minimized the cost of purchasing static IP addresses by using DMVPN.
Regarding the author:
Solid knowledge of basic networking, the OSI model and the TCP/IP model.
Solid knowledge of configuring network devices and of their features.
Solid knowledge of network design and network architecture.
Proficient use of network configuration simulation software.
Proficient troubleshooting when network incidents occur.
2. Limitations
Because the project was carried out on the GNS3 simulator, which supports Layer 3 devices well but Layer 2 devices poorly, configuring the Distribution layer on switches was difficult.
GNS3 does not support wireless devices, so no configuration could be carried out on wireless devices.
A monitoring system for the enterprise's network devices has not yet been built.