137C Nguyn Ch Thanh, Ward 9, District 5, Ho Chi Minh City

FACULTY OF INFORMATION TECHNOLOGY

GRADUATION PROJECT

Project title:
BUILDING AN ENTERPRISE NETWORK INFRASTRUCTURE

Supervisor: M.Sc. Nguyn Phi Thi

Student

1. L Vn Thun, student ID: 93510030067

Level: College diploma; Major: Computer Network Administration

Class: 23CCHT02; Academic years: 2013 to 2015

Ho Chi Minh City, 2015

Project: Building an enterprise network infrastructure 1


PREFACE

The Internet keeps expanding across the whole world, and making use of this inexhaustible resource brings enormous benefits. Exchanging information is extremely important, especially for organisations, companies and enterprises whose headquarters or branches are spread across different geographical regions. Many solutions have been proposed, but the question is which one meets both the need to exchange information and the need to keep that information secure while it travels across the Internet, an insecure environment. One option is to rent leased lines, which are both secure and offer plenty of bandwidth; however, this is not practical when the sites to be connected are far apart. Another option is to use ATM or Frame Relay technology from a service provider, but the cost of that solution is also quite high. VPN is the most practical solution, since it both guarantees the security requirements and comes at a reasonable cost. VPNs are now very widely used and the technology keeps developing. Nevertheless, a conventional VPN has its drawbacks: every connection point must rent a static IP address, the router acting as the hub requires a large amount of complex configuration, and when sites want to communicate with each other they must go through this central router rather than connecting directly. These limitations gave rise to DMVPN, a further development of VPN intended to overcome them. With DMVPN, configuration becomes simple, connections are established automatically, and the cost is lower than for a conventional VPN. To understand what DMVPN is and why it is used, let us begin by exploring this project together. With the project "Building a Network Infrastructure System for the Enterprise", I hope that what I have written will help readers understand DMVPN and its advantages better, so that they can build good projects in the future.
Sincere thanks!


ACKNOWLEDGEMENTS

First of all, I would like to sincerely thank all the lecturers of the Faculty of Information Technology at the Ispace Vocational College of Information Technology, who taught me directly and passed on useful knowledge throughout the past years of study, giving me a great deal of fundamental knowledge that is extremely valuable and forms the foundation for my current work as well as my future work.
Most especially, I wish to express my gratitude to Mr. Nguyn Phi Thi, who directly and patiently supervised and helped me throughout the research and completion of this project.
With respectful thanks!
Ho Chi Minh City, 28 March 2015
Author

L Vn Thun


COMMENTS FROM THE HOST ENTERPRISE

COMMENTS FROM THE SUPERVISOR



TABLE OF CONTENTS
LIST OF ABBREVIATIONS ..... 11
LIST OF FIGURES ..... 15
LIST OF TABLES ..... 20
CHAPTER 1. PROJECT OVERVIEW ..... 21
1.1 Introduction to the project ..... 21
1.2 Technology trends ..... 21
1.3 Practical applications ..... 21
CHAPTER 2. BACKGROUND KNOWLEDGE ..... 23
I. OVERVIEW OF LAN SYSTEMS ..... 23
1. The LAN concept ..... 23
1.1 Some devices that make up a network ..... 23
1.1.1 Switches ..... 23
1.1.2 Routers ..... 30
1.1.3 Cables ..... 31
1.1.4 Network interface cards (NICs) ..... 32
1.1.5 Gateways ..... 32
1.1.6 Modems ..... 33
1.2 Cisco's three-layer network model ..... 33
1.2.1 Core layer ..... 34
1.2.2 Distribution layer ..... 35
1.2.3 Access layer ..... 35
2. The routing concept ..... 35
2.1 Routing overview ..... 35
2.2 Routing principles ..... 36
2.3 Routing classification ..... 38
2.3.1 Static routing ..... 38
2.3.2 Dynamic routing ..... 38
2.3.3 Dynamic routing algorithms ..... 38


3. The VLAN concept ..... 44
3.1 VLAN types ..... 45
3.2 How VLANs work ..... 46
3.3 Advantages and applications of VLANs ..... 47
3.4 VLAN Trunking Protocol (VTP) ..... 48
3.4.1 The VTP concept and VTP modes ..... 50
3.4.2 VTP operation ..... 52
3.4.3 VTP advertisements ..... 53
3.4.4 VTP pruning ..... 55
3.4.5 Benefits of VTP ..... 56
4. Overview of HIGH AVAILABILITY (HA) ..... 56
4.1 The High Availability concept ..... 56
4.2 Common HA techniques in network infrastructure ..... 58
4.3 EtherChannel ..... 59
4.3.1 Introduction to EtherChannel ..... 59
4.3.2 The PAgP and LACP protocols ..... 60
4.4 Spanning Tree Protocol (STP) ..... 62
4.4.1 Concept ..... 62
4.4.2 STP operating mechanism ..... 64
4.4.3 STP states ..... 65
4.4.4 The Spanning-Tree model and BPDUs ..... 66
4.4.5 Bridge ID, Switch Priority, and Extended System ID ..... 68
4.5 Hot Standby Router Protocol (HSRP) ..... 69
4.5.1 HSRP operating mechanisms ..... 70
4.5.2 The HSRP operating process ..... 75
4.5.3 HSRP characteristics ..... 78
4.5.4 States in the HSRP protocol ..... 79
4.5.5 Virtual Router Redundancy Protocol and Gateway Load Balancing Protocol ..... 81
5. Introduction to Access Control Lists ..... 83
5.1 Why use ACLs? ..... 84
5.2 Meaning of IP addresses and wildcard masks in ACLs ..... 85
5.3 Types of Access Control Lists ..... 85
5.4 Access Control List placement ..... 88
5.4.1 Inbound ACLs ..... 88
5.4.2 Outbound ACLs ..... 88
5.5 How ACLs work ..... 88
5.6 Points to note ..... 89
6. Dynamic Host Configuration Protocol (DHCP) ..... 89
6.1 Purpose and functions ..... 89
6.2 Introduction to NAT and PAT ..... 90
6.2.1 NAT terminology ..... 91
6.3 Advantages of NAT ..... 92
6.4 PAT (Port Address Translation) ..... 93
II. WAN FUNDAMENTALS ..... 93
1. Common WAN technologies ..... 93
1.1 Leased-line technology ..... 93
1.2 Frame Relay technology ..... 94
1.3 DSL technology ..... 96
1.4 MPLS (Multi Protocol Label Switching) technology ..... 98
1.4.1 Advantages and applications of MPLS ..... 99
2. Virtual Private Network (VPN) technology ..... 100
2.1 Definition of VPN ..... 101
2.2 History and development ..... 102
2.3 Benefits of VPN ..... 103
2.4 Requirements for a VPN ..... 105
2.5 Common VPN connection models ..... 106


2.5.1 Remote-access VPN ..... 106
2.5.2 Intranet VPN ..... 106
2.5.3 Extranet VPN ..... 108
2.6 Layer 2 tunneling protocols in VPN ..... 109
2.6.1 PPTP (Point-to-Point Tunneling Protocol) ..... 109
2.6.2 L2F (Layer 2 Forwarding) ..... 109
2.6.3 L2TP (Layer 2 Tunneling Protocol) ..... 109
2.7 Layer 3 tunneling protocol in VPN (IPsec) ..... 109
2.7.1 Understanding IPsec ..... 109
2.7.2 IPsec Security Associations (IPsec SA) ..... 110
2.7.3 IPsec Security Protocols ..... 112
2.7.4 IPsec protocols ..... 114
2.7.5 IPsec modes ..... 123
2.7.6 The Internet Key Exchange protocol ..... 126
2.7.7 IPsec operation ..... 131
2.8 Some supplementary security protocols for VPN ..... 138
2.8.1 Authentication of remote dial-in users ..... 139
2.8.2 Remote Authentication Dial-In User Service (RADIUS) ..... 141
2.8.3 Terminal Access Controller Access-Control System (TACACS) ..... 142
2.8.4 The SOCKS protocol ..... 146
2.8.5 SSL and TLS ..... 148
3. Dynamic Multipoint VPN (DMVPN) ..... 153
3.1 Introduction to DMVPN ..... 153
3.2 DMVPN components ..... 154
3.3 Design techniques ..... 155
3.4 Dual DMVPN Cloud Topology ..... 157
3.4.1 Hub-and-Spoke ..... 158
3.4.2 Spoke-and-Spoke ..... 159


3.5 Headend system architecture ..... 159
3.5.1 Single Tier ..... 160
3.5.2 Dual Tier ..... 161
3.6 Single DMVPN Cloud Topology ..... 162
3.7 DMVPN deployment considerations ..... 163
3.7.1 Tunnel mechanism and IP addressing ..... 163
3.7.2 The GRE protocol ..... 165
3.7.3 The NHRP protocol ..... 166
3.7.4 Tunnel Protection Mode ..... 167
3.7.5 Use of routing protocols ..... 167
3.7.6 Crypto considerations ..... 168
3.7.7 IKE Call Admission Control ..... 168
3.8 Comparison between VPN and DMVPN ..... 170
3.8.1 Conventional VPN model ..... 170
3.8.2 DMVPN model ..... 171
3.8.3 Advantages of using DMVPN ..... 172
CHAPTER 3. PROJECT ANALYSIS AND DESIGN ..... 173
1. Detailed analysis of the model's advantages and disadvantages ..... 173
1.1 DMVPN and High Availability deployment model for the Vietbank banking system ..... 173
1.1.1 Model ..... 173
1.1.2 Analysis of the services and of the model's advantages and disadvantages ..... 173
2. Requirements analysis and selection of the model to implement for Vietbank ..... 174
2.1 Model design ..... 175
4. Model and deployed services ..... 182
4.1 Model ..... 182
4.2 Deployed services ..... 182
CHAPTER 4. IMPLEMENTATION ..... 183
1. Configuring hostnames, passwords and IP addresses (enable, console and vty passwords) ..... 183
2. Configuring trunking and EtherChannel ..... 183
3. Configuring VTP ..... 185
4. Configuring VLANs and assigning ports to each VLAN ..... 187
5. Configuring Spanning Tree ..... 189
6. Configuring HSRP ..... 190
7. Configuring DHCP for the Ho Chi Minh City headquarters ..... 196
8. Configuring OSPF for the Ho Chi Minh City headquarters ..... 198
9. Configuring an ACL that allows only the IT department to telnet ..... 198
10. Configuring NAT to allow only the IT department and the Director to reach the Internet ..... 200
11. Configuring inter-VLAN routing for the HN and DN routers ..... 200
12. Configuring DHCP for the HN and DN branches ..... 201
13. Configuring DMVPN with a Dual-Hub, Dual-Cloud layout ..... 203
13.1 On NAT-HN, create tunnel 100 ..... 203
13.2 On NAT-DN, create tunnel 200 ..... 203
13.3 On R-HN, create tunnel 100 and tunnel 200 ..... 204
13.4 On R-DN, create tunnel 100 and tunnel 200 ..... 206
13.5 OSPF routing between the tunnels and the internal networks ..... 207
13.6 Configuring IPsec for the tunnels ..... 208
CHAPTER 5. CONCLUSION ..... 210
1. Results achieved ..... 210
2. Remaining limitations ..... 210
3. Directions for further development ..... 211
REFERENCES ..... 212
I. ENGLISH-LANGUAGE REFERENCES ..... 212
II. VIETNAMESE-LANGUAGE REFERENCES ..... 212


LIST OF ABBREVIATIONS

No. | Abbr. | Full term | Meaning
1 | 3DES | Triple Data Encryption Standard | The 3DES cipher
2 | ADSL | Asymmetric Digital Subscriber Line | Asymmetric digital subscriber line access technology
3 | AES | Advanced Encryption Standard | Advanced encryption standard
4 | AH | Authentication Header | Authentication header protocol
5 | BGP | Border Gateway Protocol | Inter-domain gateway routing protocol
6 | B-ISDN | Broadband Integrated Service Digital Network | Broadband integrated services digital network
7 | CA | Certificate Authority | Issuer of digital certificates
8 | CHAP | Challenge Handshake Authentication Protocol | Challenge-handshake authentication protocol
9 | CR | Cell Relay | Cell relay technology
10 | DCE | Data Communication Equipment | Data communication equipment
11 | DES | Data Encryption Standard | The DES cipher
12 | DHCP | Dynamic Host Configuration Protocol | Dynamic host configuration protocol
13 | DNS | Domain Name System | Domain name system
14 | ESP | Encapsulating Security Payload | Encapsulating security payload protocol
15 | FCS | Frame Check Sequence | Frame check sequence
16 | FR | Frame Relay | Frame relay
17 | GVPNS | Global VPN Service | Global VPN service
18 | ICMP | Internet Control Message Protocol | Internet control message protocol
19 | IKE | Internet Key Exchange | Internet key exchange protocol
20 | IGP | Interior Gateway Protocol | Intra-domain routing protocol
21 | IN | Intelligent Network | Intelligent network
22 | IP | Internet Protocol | Internet protocol
23 | IP-Sec | Internet Protocol Security | Internet security protocol
24 | ISAKMP | Internet Security Association and Key Management Protocol | Internet security association and key management protocol
25 | ISDN | Integrated Service Digital Network | Integrated services digital network
26 | ISO | International Standard Organization | International standards organisation
27 | ISP | Internet Service Provider | Internet service provider
28 | L2F | Layer 2 Forwarding | Layer 2 forwarding protocol
29 | L2TP | Layer 2 Tunneling Protocol | Layer 2 tunneling protocol
30 | LAC | L2TP Access Concentrator | L2TP access concentrator
31 | LAN | Local Area Network | Local area network
32 | LCP | Link Control Protocol | Link control protocol
33 | LNS | L2TP Network Server | L2TP network server
34 | MAC | Message Authentication Code | Message authentication code
35 | MD5 | Message Digest 5 | The MD5 algorithm
36 | MG | Media Gateway | Media gateway
37 | MGC | Media Gateway Controller | Access control device
38 | MPLS | Multi Protocol Label Switching | Label-switching router
39 | MPPE | Microsoft Point-to-Point Encryption | Microsoft point-to-point encryption
40 | MTU | Maximum Transfer Unit | Maximum transfer unit
41 | NAS | Network Access Server | Network access server
42 | NCP | Network Control Protocol | Network control protocol
43 | PAP | Password Authentication Protocol | Password authentication protocol
44 | PKI | Public Key Infrastructure | Public key infrastructure
45 | POP | Point of Presence | Communications point of presence
46 | PPP | Point to Point Protocol | Point-to-point protocol
47 | PPTP | Point to Point Tunneling Protocol | Point-to-point tunneling protocol
48 | PVC | Permanent Virtual Circuit | Permanent virtual circuit
49 | QoS | Quality of Service | Quality of service
50 | RAS | Remote Access Service | Remote access service
51 | RADIUS | Remote Authentication Dial-In User Service | Remote dial-in user authentication
52 | RRAS | Routing and Remote Access Server | Routing and remote access server
53 | SA | Security Association | Security association
54 | SG | Signaling Gateway | Signaling gateway
55 | RTP | Real Time Protocol | Real-time protocol
56 | SVC | Switched Virtual Circuit | Switched virtual circuit
57 | TCP | Transmission Control Protocol | Transmission control protocol
58 | TE | Terminal Equipment | Terminal equipment
59 | UDP | User Datagram Protocol | The UDP protocol
60 | VC | Virtual Circuit | Virtual circuit
61 | VCI | Virtual Circuit Identifier | Virtual circuit identifier
62 | VNS | Virtual Network Service | Virtual network service
63 | VPI | Virtual Path Identifier | Virtual path identifier
64 | VPN | Virtual Private Network | Virtual private network
65 | VLAN | Virtual Local Area Network | Virtual LAN
66 | WAN | Wide Area Network | Wide area network


DANH MC CC HNH V
Hnh 1 Phm vi hot ng ca b chuyn mch ....................................................24
Hnh 2 Chuyn mch Lp 3 ...................................................................................27
Hnh 3 Mt s dng router ca cisco ......................................................................30
Hnh 4 Mt s loi cp thng dng ........................................................................31
Hnh 5 Card mng ...................................................................................................32
Hnh 6 Gateway ......................................................................................................33
Hnh 7 Modems ......................................................................................................33
Hnh 8 Mng 3 lp ..................................................................................................33
Hnh 9 Mng phn cp ...........................................................................................34
Hnh 10 nh tuyn vc t khong cch.................................................................39
Hnh 11 M hnh Vlan ...........................................................................................45
Hnh 12 Cch thc hot ng ca Vlan .................................................................47
Hnh 13 M hnh VLAN TRUNKING PROTOCOL 1 ........................................48
Hnh 14 M hnh VLAN TRUNKING PROTOCOL 2 .........................................49
Hnh 15 Cc mode trong VTP ................................................................................52
Hnh 16. S lt bt trong VTP ............................................................................55
Hnh 17 M hnh High Availability.......................................................................57
Hnh 18 M hnh Etherchannel ..............................................................................59
Hnh 19 M hnh PAgP v LACP .........................................................................62
Hnh 20 C ch hot ng STP .............................................................................65
Hnh 21 M hnh Default Gateway ........................................................................70
Hnh 22 M hnh Proxy ARP .................................................................................72
Hnh 23 M hnh Router Redundancy 1 .................................................................73
Hnh 24 M hnh Router Redundancy 2 ................................................................ 74
Hnh 25 Quy trnh hot ng HSRP .......................................................................75
Hnh 26 Cch thc hot ng a ch IP v a ch Mac trong HSRP ....................76
Hnh 27 Cch thc hot ng ca cc gi tin trong HSRP ....................................78

ti: Xy dng h tng mng doanh nghip 15


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

Hnh 28 Cc trng thi trong giao thc HSRP ......................................................79


Figure 29 Virtual Router Redundancy Protocol model ............................................. 81
Figure 30 Gateway Load Balancing Protocol model ................................................ 82
Figure 31 Comparison table of HSRP, VRRP and GLBP .............................................. 83
Figure 32 Advantages of Access Control Lists ................................................... 84
Figure 33 DHCP operation ....................................................................... 90
Figure 34 Dynamic NAT model .................................................................... 91
Figure 35 Advantages of NAT .................................................................... 92
Figure 36 Frame-Relay model .................................................................... 95
Figure 37 DSL speeds ........................................................................... 97
Figure 38 MPLS topology model .................................................................. 99
Figure 39 VPN model ........................................................................... 102
Figure 40 Remote-access VPN setup ............................................................. 106
Figure 41 Intranet VPN setup .................................................................. 107
Figure 42 Extranet VPN setup .................................................................. 108
Figure 43 The three fields of an SA ........................................................... 111
Figure 44 Protocols in IPSec .................................................................. 114
Figure 45 AH packet structure ................................................................. 115
Figure 46 Authenticated portions of an AH packet .............................................. 117
Figure 47 AH packet creation process .......................................................... 117
Figure 48 ESP packet structure ................................................................ 119
Figure 49 ESP packet creation process ......................................................... 121
Figure 50 Comparison of AH and ESP ............................................................ 123
Figure 51 Tunnel Mode and Transport Mode ...................................................... 124
Figure 52 IPSec datagram in Tunnel Mode ....................................................... 124
Figure 53 IPSec datagram in Transport Mode .................................................... 125
Figure 54 The IKE phases ...................................................................... 127
Figure 55 Main mode exchanges ................................................................. 128


Figure 56 Both Main mode and Aggressive mode belong to Phase I ................................ 129


Figure 57 Quick mode exchanges ................................................................ 130
Figure 58 New group mode exchanges ............................................................ 130
Figure 59 IKE Phase 1 ......................................................................... 132
Figure 60 IKE policy set ...................................................................... 133
Figure 61 Peer authentication ................................................................. 134
Figure 62 Negotiating IPSec security parameters ............................................... 135
Figure 63 IPSec transform set ................................................................. 136
Figure 64 Security associations ............................................................... 137
Figure 65 Tunnel termination .................................................................. 138
Figure 66 Remote Authentication Dial-In User Service (RADIUS) ................................. 142
Figure 67 TACACS-based remote authentication .................................................. 142
Figure 68 Information flow in RADIUS .......................................................... 144
Figure 69 Using RADIUS with Layer 2 tunnels ................................................... 146
Figure 70 Circuit-level gateway ............................................................... 147
Figure 71 SSL: comparison between the standard and an SSL session ............................. 149
Figure 72 DMVPN deployment model .............................................................. 153
Figure 73 Dual DMVPN Cloud Topology ........................................................... 156
Figure 74 Single DMVPN Cloud Topology ......................................................... 157
Figure 75 Hub-and-Spoke Deployment Model ...................................................... 158
Figure 76 Spoke-to-Spoke Deployment Model ..................................................... 159
Figure 77 Single Tier Headend Architecture .................................................... 160
Figure 78 Dual Tier Headend Architecture ...................................................... 161
Figure 79 Single DMVPN Cloud Topology ......................................................... 162
Figure 80 VPN model with a tunnel mechanism ................................................... 164
Figure 81 IP model ............................................................................ 164
Figure 82 GRE example ......................................................................... 166
Figure 83 Conventional VPN model .............................................................. 170


Figure 84 DMVPN model ......................................................................... 171


Figure 85 Model using DMVPN and HA ............................................................ 173
Figure 86 Overview diagram of headquarters-to-branch connectivity ............................. 175
Figure 87 Overview diagram of the HCMC headquarters ........................................... 176
Figure 88 Overview diagram of the Hanoi branch ................................................ 177
Figure 89 Overview diagram of the Da Nang branch .............................................. 178
Figure 90 Lab diagram used for the project .................................................... 182
Figure 91 Etherchannel on SW-CORE1 ............................................................ 185
Figure 92 Etherchannel on SW-ACCESS2 .......................................................... 185
Figure 93 VTP on SW-CORE1 ..................................................................... 186
Figure 94 VTP on SW-ACCESS1 ................................................................... 186
Figure 95 VLANs on SW-CORE1 ................................................................... 187
Figure 96 Assigning ports to VLANs on SW-ACCESS1 .............................................. 188
Figure 97 HSRP for VLAN 10 on SW-CORE1 ........................................................ 190
Figure 98 HSRP for VLAN 20 on SW-CORE1 ........................................................ 191
Figure 99 HSRP for VLAN 30 on SW-CORE1 ........................................................ 191
Figure 100 HSRP for VLAN 40 on SW-CORE1 ....................................................... 192
Figure 101 HSRP for VLAN 50 on SW-CORE1 ....................................................... 193
Figure 102 HSRP for VLAN 10 on SW-CORE2 ....................................................... 193
Figure 103 HSRP for VLAN 20 on SW-CORE2 ....................................................... 194
Figure 104 HSRP for VLAN 30 on SW-CORE2 ....................................................... 194
Figure 105 HSRP for VLAN 40 on SW-CORE2 ....................................................... 195
Figure 106 HSRP for VLAN 50 on SW-CORE2 ....................................................... 196
Figure 107 IP addresses assigned by the DHCP server ........................................... 196
Figure 108 DHCP assignment for VLAN 10 (Director) ............................................. 197
Figure 109 Accounting telnet attempt fails .................................................... 199
Figure 110 IT telnet attempt succeeds ......................................................... 200
Figure 111 Checking NAT on NAT-HN ............................................................. 200


Figure 112 DHCP assignment for R-HN ........................................................... 202


Figure 113 Tunnel on NAT-HN ................................................................... 203
Figure 114 Tunnel on NAT-DN ................................................................... 204
Figure 115 Tunnel on R-HN ..................................................................... 205
Figure 116 Tunnel on R-DN ..................................................................... 206
Figure 117 Checking IPSec on NAT-HN ........................................................... 208


LIST OF TABLES

2.2 IP address allocation table ............................................................... 179

3. Equipment cost summary table ............................................................... 181


CHAPTER 1. PROJECT OVERVIEW

1.1 Project introduction

Vietbank has established WAN connectivity to many provinces and major cities across the country (HCMC, Hanoi, Da Nang). Vietbank is gradually building a backbone network that connects three centers in the three major cities of HCMC, Hanoi and Da Nang down to lower-level branches in a hierarchical model. Because new banking services require it, this WAN must connect to and exchange information with the global Internet and with the networks of other organizations in Vietnam. Vietbank has therefore decided to build two gateways connecting to the Internet and to external organizations. Among them, the headquarters installed in HCMC is the focal point for developing the foundation technology for all of Vietbank's future WAN development.

1.2 Technology trends

Along with the development of society, users' demands for their work keep growing, which in turn drives the development of the information technology industry. In a company or organization, the need to exchange information and documents between employees is very important, so designing a network for the company is indispensable. Network technologies have been created to help enterprises and agencies save on system costs while still ensuring that the system keeps running, improving work efficiency and increasing security.

1.3 Practical applications


VLAN (Virtual Local Area Network), also called a virtual LAN, is an optimal choice for agencies and enterprises that apply IT systems: at a reasonable cost it makes use of the existing infrastructure, reduces operating and maintenance costs, and its high flexibility helps agencies and enterprises make the most of system resources on top of the local network, so that the use of the system and the transmission of data take place safely and efficiently.
DMVPN (Dynamic Multipoint Virtual Network) is the combination of the technologies IPSec, mGRE and NHRP. Combined, these technologies allow IPSec to be deployed in a virtual private network that can be built on the existing infrastructure of the Internet, helping to connect the branches of a network together across a wide geographic area while retaining the properties of a local network, as when using leased lines. At a reasonable cost, DMVPN can help an enterprise reach the whole world quickly and efficiently.


CHAPTER 2. BACKGROUND KNOWLEDGE

I. OVERVIEW OF LAN SYSTEMS


1. The LAN concept
A LAN (short for Local Area Network, "local computer network") is a network system used to connect computers within a small area such as a home, an office or a school. Computers in a LAN can share resources with each other, typically files, printers, scanners and some other devices.
At a minimum, a LAN needs a server, interconnecting devices (Repeater, Hub, Switch, Bridge), client computers, network cards (Network Interface Card, NIC) and cabling to connect the computers together. In the era of the MS-DOS operating system, LAN servers usually ran Novell NetWare software, but this became obsolete after Windows NT and Windows for Workgroups appeared. Today most servers run the Windows operating system, and LAN speeds can reach 10 Mbps, 100 Mbps or even 1 Gbps.

1.1 Some network components


1.1.1 Switches
There are two kinds: Layer 2 switches, which work at the Data Link layer, and Layer 3 switches, which work at the Network layer of the OSI model.
Switching is the process of setting up connections and transferring information for users through the telecommunications network infrastructure. In other words, switching in telecommunications includes both routing the information and forwarding it. Thus, in the usual sense, the concept of switching is tied to the network layer and the data link layer of the OSI model of the International Organization for Standardization (ISO).
A switch is the evolution of the bridge, but it has many ports and uses fast integrated circuits to reduce the delay of forwarding data frames.


Figure 1 Operating scope of a switch


The task of a switch is to forward frames selectively from one network segment to another based on the MAC addresses of the computers. To do this, the switch must maintain in its memory a local address table holding the location of every computer in the network. Each computer occupies one entry in the address table. Every switch is designed with a limited amount of memory, and that limit determines the maximum number of stations a switch can serve. We cannot use a switch to connect too many networks together.
A switch is a device that selects the path on which to send a frame to its destination; the switch operates at Layer 2 of the OSI model.
The switch decides where to forward a frame based on the MAC address, so it is classified as a Layer 2 device. Because the switch selects the path on which to forward a frame, the LAN can operate more efficiently. The switch learns which machine is connected to each of its ports by reading the source MAC address in the frames it receives. When two machines communicate with each other, the switch sets up a virtual circuit only between the two corresponding ports, without affecting traffic on the other ports. For this reason, high-performance LANs usually use full switching.


The switch concentrates connections and decides on the path that transmits data most efficiently.


A frame is switched from the port on which it is received to the port on which it is sent out. Each port is a connection that provides the full bandwidth to the attached machine.
To forward frames efficiently between ports, the switch keeps an address table. When the switch receives a frame, it records the sender's MAC address against the port on which the frame arrived.

The main characteristics of a switch:
- It isolates traffic on each network segment.
- It provides more bandwidth per user by creating smaller collision domains.

First characteristic: by isolating traffic on each segment, the switch divides the network into very small units called microsegments. Such segments allow users on different segments to send data at the same time without slowing down the network.
By dividing the network, the number of users and devices sharing one bandwidth is reduced. Each segment is a separate collision domain, and the switch limits bandwidth usage by forwarding a packet only to the port it needs to go to, based on the Layer 2 MAC address.
Second characteristic: the switch guarantees more bandwidth to users by creating smaller collision domains. The switch divides the LAN into many small segments. Each segment is a dedicated connection, like a dedicated 100 Mb/s lane. Each server can be placed on its own dedicated 100 Mb/s connection. In today's networks, Fast Ethernet switches are used as the main backbone of the LAN, while Ethernet switches or Fast Ethernet hubs are used for the connections down to the computers.

Ethernet switch latency


Latency is the time from the moment the switch receives a frame until it has finished sending the frame out of the destination port. This latency depends on the switching configuration and on the amount of traffic passing through the switch.
Latency is measured in units smaller than a second. For network devices operating at high speed, every extra nanosecond (ns) of delay has a large effect on network performance.

Layer 2 and Layer 3 switching

Switching is the process of receiving a frame on one port and sending it out on another port. Routers use Layer 3 switching to forward packets that have already been routed. Switches use Layer 2 switching to forward frames.
The difference between Layer 2 and Layer 3 switching is the kind of information in the frame that is used to choose the outgoing port. Layer 2 switching is based on the MAC address, while Layer 3 switching is based on the network-layer address (for example the IP address).
Layer 2 switching looks at the destination MAC address in the frame header and sends the frame out of the right port according to the MAC address information in the switching table. The switching table is stored in Content Addressable Memory (CAM). If a Layer 2 switch does not know which port to send a frame to, it simply floods the frame out of all of its ports. When the reply comes back, the switch adds the new address to the CAM.
Layer 3 switching is a function of the Network layer. Layer 3 switching examines the information in the Layer 3 header and forwards the packet based on the IP address.
Traffic flow in a flat switched network is completely different from traffic flow in a routed or hierarchical network. In a hierarchical network, traffic flow is more flexible than in a flat network.

Figure 2 Layer 3 switching (OSI layer diagram: 7 Application, 6 Presentation, 5 Session, ...)

The collision domain concept:

A collision domain is defined as the region of a network in which transmitted frames can collide with each other. The more stations there are in the same collision domain, the more collisions occur and the lower the transmission rate; for this reason a collision domain is also called a bandwidth domain (the stations in the domain share its bandwidth), and it is one of the main causes of inefficient network operation.

Whenever a collision occurs on a network, all transmission activity stops for a period of time. The length of this pause varies and is determined by a backoff algorithm in each network device.

Buffer memory

Ethernet switches use buffers to hold and forward frames. The buffer is also used when the destination port is busy. Two kinds of buffer can be used to forward frames: port-based buffers and shared buffers.


In port-based buffering, frames are stored in queues corresponding to each ingress port. A frame is moved to the queue of the destination port only after all the frames ahead of it in the queue have been forwarded. Thus one frame can hold up all the remaining frames in the queue because its destination port is busy. Even when the destination port is free, it still has to wait for the whole of that frame to be sent.
Shared buffering places all frames in one common memory. All the ports of the switch share the same buffer, and buffer capacity is allocated according to the needs of each port at each moment. Frames are automatically delivered to the output port. Thanks to this sharing mechanism, a frame received on one port does not have to change queues to be sent out of another port.
The switch keeps a map indicating which frame belongs to which port, and this map entry is cleared once the frame has been transmitted successfully. The buffer is used in a shared fashion, so the number of frames in the buffer is limited by the total capacity of the buffer rather than by the buffer area of each port, as in port-based buffering. Large frames can therefore be forwarded and fewer packets are dropped. This is very important for asynchronous switching, where frames are forwarded between two ports running at different speeds.

- Port-based buffering stores frames in queues corresponding to each ingress port.
- Shared buffering stores all frames in one common memory. All the ports of the switch share this same memory area.
Switching methods

There are two switching methods:

- Store and forward: the whole frame is received before forwarding begins. The switch reads the source and destination addresses and filters the frame if necessary before deciding to send it out. Because the switch must receive the whole frame before starting the switching process, the larger the frame, the larger the latency. In return, the switch can check the whole frame for errors, which gives better error detection.


- Cut through: the frame is forwarded before it has been received in full. As soon as the destination address can be read, the frame can be sent out. This method reduces latency but at the same time reduces the ability to detect frame errors. The two switching modes that follow the cut-through method are:

o Fast forward: fast-forward switching has the lowest latency. It forwards the frame as soon as it has read the frame's destination address, without waiting to receive the rest of the frame. Consequently this mechanism cannot check whether the received frame is corrupt, although this does not happen often, and the receiving host will discard the packet if it is corrupt. In fast-forward switching, latency is measured from the moment the switch receives the first bit until it sends out the first bit.
o Fragment free: this switching mechanism filters out fragments produced by collisions before it starts forwarding. Most corrupt frames on a network are frame fragments caused by collisions. In a normally operating network, a frame fragment caused by a collision must be smaller than 64 bytes. Any frame larger than 64 bytes is considered valid and usually error-free. Fragment-free switching therefore waits to receive the first 64 bytes of the frame, to ensure that the received frame is not a collision fragment, before it starts forwarding the frame. In this mode, latency is likewise measured from the moment the switch receives the first bit until it sends out the first bit.

The latency of each switching mode depends on how the switch forwards frames. To forward frames faster, the switch spends less time checking the frame for errors, but doing so increases the amount of data that has to be retransmitted.


1.1.2 Routers

Figure 3 Some Cisco router models


A router is built much like a computer and consists of the main components CPU, ROM, RAM, NVRAM, flash memory and interfaces.

A router is a device that operates at Layer 3; it can find the best path for packets across multiple links, from the sending station on the first network to the receiving station on the last network. Routers can be used to connect many networks together and allow packets to take different paths to reach their destination.
When processing a packet, the router must find the packet's path through the network. To do this the router must find the best path in the network based on the information it has about the network; normally each router holds a routing table. Based on the data it has about nearby routers and the networks in the internetwork, the router computes an optimal routing table using a predetermined algorithm.


1.1.3 Cable
Cable is the transmission medium that connects the components of the network to each other. In the OSI model, cable is considered a Layer 1 device.

                      Thin coaxial 10Base2   Thick coaxial 10Base5   Twisted pair 10BaseT   Fiber optic
Cost                  More expensive than    More expensive than     Cheapest               Most expensive
                      twisted pair           thin coaxial
Maximum run length    185 m                  500 m                   100 m                  Up to several km
Noise immunity        Good                   Good                    Poor                   Very good
Transmission speed    10 Mbps                10 Mbps                 10 Mbps                Up to 2 Gbps

Figure 4 Some common cable types


1.1.4 Network interface card (NIC)


The network card (also called a NIC or adapter card) is the device that connects the computer to the network cable. NICs usually interface with the computer through expansion slots. The main functions of a network card are:

- Preparing data to be put on the network: before data is sent onto the network, it must be converted from bytes and bits into electrical signals that can travel over the cable.
- Sending data to other computers.
- Controlling the flow of data between the computer and the cabling system.

Figure 5 Network card


1.1.5 Gateways
A gateway is used to connect heterogeneous networks, for example local area networks and mainframe computers; because the networks are entirely dissimilar, the conversion is carried out across all 7 layers of the OSI open systems model. Gateways are commonly used to connect LANs to mainframes. A gateway has predefined protocols, usually several of them; a multi-protocol gateway is often built as a card with its own processors, installed in a computer or a dedicated device.
The operation of a gateway is usually more complex than that of a router, so its throughput is usually lower, and it is generally not used to connect LAN to LAN.


Figure 6 Gateway
1.1.6 Modems
A modem (modulator/demodulator) converts digital signals into analog signals and vice versa on the network.
The digital signal from the computer goes to the modem, which converts it into an analog signal that can travel over the network. This signal reaches the modem at point B, where it is converted back into a digital signal and passed to computer B.

Figure 7 Modems
1.2 Cisco's three-layer network model

Figure 8 Three-layer network


Cisco proposed a network design model that lets the designer create a logical network by defining and using layers of devices, bringing efficiency, intelligence, scalability and easy management.
Hierarchical Network Model

Figure 9 Hierarchical network


This model consists of three layers: Access, Distribution and Core. Each layer has its own attributes and provides both physical and logical functions at the appropriate points in the campus network. Understanding each layer, its functions and its limitations is important in order to apply the layers correctly during design.

1.2.1 Core layer
The Core layer of the campus network provides connectivity between all Distribution-layer devices. The Core layer usually forms the backbone of the network and must be able to switch traffic efficiently. Core-layer devices are often called backbone switches and have the following attributes:

- Very high Layer 2 or Layer 3 throughput.

- High cost.

- High redundancy and resilience.


- QoS functions.

1.2.2 Distribution layer

The Distribution layer provides the interconnection between the Access layer and the Core layer of the campus network.
Devices at this layer are called distribution switches and have the following characteristics:

- High Layer 3 throughput for packet processing.

- Security and policy-based connectivity functions through access lists or packet filtering.

- QoS features.


1.2.3 Access layer

The Access layer is where end users are connected to the network. Devices at this layer are usually called access switches and have the following characteristics:

- Low cost per switch port.

- High port density.

- Scalable uplinks to the higher layers.

- User access functions such as VLAN membership, traffic and protocol filtering, and QoS.

- Resilience through multiple uplinks.
2. The routing concept
2.1 Routing overview

Routing on the Internet is performed based on routing tables stored on hosts or on routing devices (routers). The information in routing tables is updated automatically or by the user.
The categories used in routing are:


- Reachability, used by EGP protocols such as BGP.
- Distance vector between source and destination, used by RIP.
- Link state, i.e. information about links, used by OSPF.

2.2 Routing principles

Routing is divided into two kinds: direct routing and indirect routing. Direct routing is routing between two computers connected to the same physical network. Indirect routing is routing between two computers on different physical networks, which therefore has to go through gateways.
To check whether the destination machine is on the same physical network as the source machine, the sender extracts the network part of the destination address from the packet header and compares it with the network part of its own IP address. If they match, the packet is sent directly; otherwise a gateway must be determined through which the packet is sent out to the appropriate external network.
Routing consists of the following basic activities:

Managing the routing database: the routing table (path-selection information table) is where information is kept about the destinations that can be reached and how to reach them. When the IP routing software on a host or a gateway receives a request to transmit a packet, it must first look in the routing table to decide where to send the datagram. However, the routing table of a host or gateway does not necessarily contain all the information about every reachable route. A routing table consists of pairs (N, G), where:
+ N is the IP address of the destination network
+ G is the address of the next gateway along the path to network N


Routing table of a gateway


To host on network    Router      Physical port

10.0.0.0              Direct      2
11.0.0.0              Direct      1
12.0.0.0              11.0.0.2    1
13.0.0.0              Direct      3
13.0.0.0              13.0.0.2    3
15.0.0.0              10.0.0.2    5
Thus, no gateway knows the complete path to the destination.
The routing table also holds information about gateways that can reach destinations which are not on the same physical network. This part of the information is hidden and is called the default. When no information about the required destination address is found, packets are sent to the default gateway.
The routing algorithm is described as follows:
+ If the destination address is one of the IP addresses of the local network connections, process the IP packet locally.
+ Determine the destination network address by ANDing the network mask with the destination IP address.
+ If the destination address is not found in the routing table, look in the default route; if after looking in the default route no information about the destination is found, discard the packet and send an ICMP destination-network-unreachable error message to the sending device.
+ If the destination network address equals the network address of the system, meaning the destination device is connected to the same network as the system, look up the corresponding link-level address in the IP-to-MAC table, encapsulate the IP packet in a link-level frame and forward it on the network.
+ If the destination network address does not equal the network address of the system, forward the packet to the routing device on the same network.
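The forwarding decision just described, run against a routing table modelled on the one above, as an added example that is not part of the thesis. The interface addresses, the /8 masks, the default gateway and the IP-to-MAC table are constructed assumptions; where several entries match, the longest prefix is preferred, which the text does not spell out.

```python
import ipaddress

# Hypothetical local interface addresses: physical port -> address/mask.
INTERFACES = {
    2: ipaddress.ip_interface("10.0.0.1/8"),
    1: ipaddress.ip_interface("11.0.0.1/8"),
    3: ipaddress.ip_interface("13.0.0.1/8"),
}

# Routing table: (destination network N, next gateway G or "Direct", port).
ROUTES = [
    ("10.0.0.0/8", "Direct", 2),
    ("11.0.0.0/8", "Direct", 1),
    ("12.0.0.0/8", "11.0.0.2", 1),
    ("13.0.0.0/8", "Direct", 3),
    ("15.0.0.0/8", "10.0.0.2", 5),
]
DEFAULT_ROUTE = ("0.0.0.0/0", "11.0.0.254", 1)   # hypothetical default gateway

# Constructed IP-to-MAC (ARP) table for directly connected hosts and gateways.
ARP = {
    "10.0.0.7": "00:aa:00:00:00:07",
    "11.0.0.2": "00:aa:00:00:00:02",
    "11.0.0.254": "00:aa:00:00:00:fe",
}


def lookup(dst, routes):
    """Step 2: AND each route's mask with dst and keep the most specific match."""
    best = None
    for net, gw, port in routes:
        n = ipaddress.ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw, port)
    return best


def route(dst, default=DEFAULT_ROUTE):
    """Apply the algorithm's steps to one destination and return the decision."""
    dst = ipaddress.ip_address(dst)

    # Step 1: the destination is one of our own addresses -> deliver locally.
    if any(dst == iface.ip for iface in INTERFACES.values()):
        return {"action": "local"}

    # Step 2: find the destination network in the table.
    match = lookup(dst, ROUTES)

    # Step 3: not in the table -> try the default route, else drop + ICMP.
    if match is None:
        if default is None:
            return {"action": "drop", "icmp": "net-unreachable"}
        match = lookup(dst, [default])

    net, gw, port = match
    if gw == "Direct":
        # Step 4: same network as the system -> resolve the link-layer address
        # and send the frame on that port.
        mac = ARP.get(str(dst))
        if mac is None:
            # Not in the text: the address would have to be resolved first.
            return {"action": "resolve-mac", "port": port}
        return {"action": "direct", "port": port, "mac": mac}

    # Step 5: remote network -> forward to the router on our segment.
    return {"action": "forward", "port": port, "next_hop": gw,
            "next_hop_mac": ARP.get(gw)}


if __name__ == "__main__":
    for d in ("11.0.0.1", "10.0.0.7", "12.1.2.3", "9.9.9.9"):
        print(d, route(d))
```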

2.3 Routing classification

2.3.1 Static routing

In this method, routing information is supplied by the network administrator, who enters it by hand into the router's configuration. The administrator must update these static route entries manually whenever the internetwork topology changes.

2.3.2 Dynamic routing

In this method, routing information is updated automatically. This is done by routing protocols installed on the router. The function of a routing protocol is to determine the path a packet takes through a network from source to destination. Examples are the routing protocols RIP and OSPF.
2.3.3 Dynamic routing algorithms

a. Distance-vector routing protocols

Distance-vector routing, based on the Bellman-Ford routing algorithm, is a simple and effective routing method used in many routing protocols such as RIP and OSPF.
Distance vector is designed to minimize communication between routers as well as the amount of data in the routing table. The essence of distance-vector routing is that a router does not need to know every path to every network segment; it only needs to know in which direction to send a datagram addressed to a given segment. The distance between network segments is measured as the number of routers a datagram must pass through when travelling from one segment to another. A router uses the distance-vector algorithm to optimize the path by minimizing the number of routers the datagram passes through. This distance parameter is the hop count.
Distance-vector routing is based on the idea that a router tells its neighbouring routers about all the networks it knows and the distance to each of them. A router running a distance-vector routing protocol advertises one or more distance vectors to the adjacent routers directly connected to it. A distance vector consists of a tuple (network, cost), where network is the destination network and cost is a value representing the number of routers or links on the path between the advertising router and the destination network. The routing database therefore consists of a number of distance vectors, or costs, from that router to all networks.
When a router receives a distance-vector update from a neighbouring router, it adds its own cost (usually 1) to the cost received in the update. The router then compares the resulting cost with the information received in earlier updates. If the cost is lower, the router updates its routing database with the new cost and computes a new routing table in which the neighbouring router that just advertised the new distance vector is the next hop.

Figure 10 Distance-vector routing (Router C advertises (net1, 1hop) to Router B; Router B advertises (net1, 2hop) to Router A)


Router C advertises a distance vector (net1, 1hop) for the destination network net1, which is directly connected to it. Router B receives this distance vector, adds its own cost (1hop) and advertises (net1, 2hop) to router A. Router A thereby learns that it can reach net1 in 2 hops via router B.
Although distance-vector routing is simple, some common problems can occur. For example, if the link between routers B and C fails, router B will try to reroute packets through router A, and router A, by some path, advertises to router B a distance vector of (net1, 4hop). Router B receives this distance vector and sends back to router A the distance vector (net1, 5hop). This is the count-to-infinity problem, which can make the time needed to converge much longer.
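A small synchronous distance-vector simulation of the A, B, C scenario above, as an added example that is not part of the thesis. It applies the rule stated earlier (a router adds 1 to a neighbour's advertised cost on receipt), then fails the B-C link and lets the hop counts climb; using 16 as the "unreachable" value (RIP's infinity) is an assumption, and without split horizon the costs bounce between A and B until they reach it.

```python
INFINITY = 16   # RIP's unreachable metric (assumption, not from the text)


class Router:
    def __init__(self, name):
        self.name = name
        # routing table: network -> (cost, next hop); next hop None = attached
        self.table = {}

    def cost(self, net):
        return self.table.get(net, (INFINITY, None))[0]

    def receive(self, neighbour, net, advertised):
        """Process one (network, cost) vector from a directly connected neighbour."""
        new = min(advertised + 1, INFINITY)     # add our own cost of 1 hop
        cur = self.table.get(net)
        if cur is None:
            if new < INFINITY:
                self.table[net] = (new, neighbour)
        elif cur[1] is None:
            return                              # directly attached: never overridden
        elif cur[1] == neighbour:
            self.table[net] = (new, neighbour)  # our next hop changed its cost
        elif new < cur[0]:
            self.table[net] = (new, neighbour)  # a better path appeared


def neighbours(name, links):
    return sorted(other for link in links if name in link
                  for other in link if other != name)


def exchange_round(routers, links):
    """Every router advertises its table; returns True if any table changed."""
    adverts = {n: dict(r.table) for n, r in routers.items()}   # snapshot
    before = {n: dict(r.table) for n, r in routers.items()}
    for name, r in routers.items():
        for nb in neighbours(name, links):
            for net, (c, _) in adverts[nb].items():
                r.receive(nb, net, c)
    return any(r.table != before[n] for n, r in routers.items())


def run_until_stable(routers, links, max_rounds=50):
    """Exchange vectors until a round changes nothing; returns (rounds, history)."""
    history = []
    for rnd in range(1, max_rounds + 1):
        changed = exchange_round(routers, links)
        history.append({n: r.cost("net1") for n, r in routers.items()})
        if not changed:
            return rnd, history
    return max_rounds, history


def fail_link(routers, links, a, b):
    """Remove link a-b; routes that pointed across it become unreachable."""
    links.discard(frozenset((a, b)))
    for me, lost in ((a, b), (b, a)):
        r = routers[me]
        for net, (c, nh) in list(r.table.items()):
            if nh == lost:
                r.table[net] = (INFINITY, nh)


def build_topology():
    """Constructed chain A - B - C, with net1 attached to C at cost 1."""
    routers = {n: Router(n) for n in "ABC"}
    routers["C"].table["net1"] = (1, None)
    links = {frozenset("AB"), frozenset("BC")}
    return routers, links


if __name__ == "__main__":
    routers, links = build_topology()
    print("converged in", run_until_stable(routers, links)[0], "rounds")
    fail_link(routers, links, "B", "C")
    rounds, history = run_until_stable(routers, links)
    print("after B-C failure:", rounds, "rounds", history)
```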

b. Link-state routing protocols

Distance vector routing is no longer suitable for a large network with many routers. Each router must keep an entry in its routing table for every destination, and these entries hold nothing more than a vector and a hop count. Nor can a router reduce its own workload by knowing more about the structure of the network. Moreover, the whole table of distances and hop counts must be exchanged between routers even though most of that information does not really need to be exchanged between them.
Link-state routing was created to overcome these weaknesses of distance vector routing.
The essence of link-state routing is that every router builds, inside itself, a map of the network topology. Periodically, each router also sends link-state messages onto the network. These messages list the other routers directly connected to the router in question and the state of each link. Routers use the link-state messages received from other routers to construct the network map. When a router forwards data, it chooses the best path to the destination based on current conditions.
Link-state protocols require more processing time on each router, but they reduce bandwidth consumption because a router does not need to send its entire routing table. In addition, faults on the network are easier to track, because a link-state message from a router is not modified as it propagates through the network (in contrast, with the distance vector method the hop count increases each time routing information passes through another router).
Link-state routing works on the premise that a router can tell every other router in the network the state of the links connected to it, the cost of those links, and the identity of any neighbouring router attached to them. Routers running a link-state routing protocol flood Link State Packets (LSPs) throughout the network. An LSP generally contains a source identifier, a neighbour identifier and the cost of the link between them. The LSPs received by all routers are used to build a topology database of the whole network. The routing table is then computed from the contents of that topology database. Every router in the network holds a map of the network topology and from it computes the least-cost path from any source to any destination. The value attached to a link between two routers is the cost of that link. Routers flood LSPs to all other routers in the network, and these are used to build the link-state database. Next, each router computes a tree rooted at itself and branching out to every other router, based on the shortest-path (least-cost) criterion.
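The link-state process described above, as an added example that is not part of the thesis: every router floods its LSPs, every router builds the same link-state database from them, and each router then runs SPF (Dijkstra) rooted at itself to obtain its own shortest-path tree and routing table. The four-router topology, the link costs and the LSP list are constructed for the illustration; withdrawing a link and recomputing shows that, unlike distance vector routing, the new tables come straight from the full database rather than from a neighbour's table.

```python
"""Link-state routing: flood LSPs into a link-state database, then run SPF (Dijkstra).

Added example, not code from the thesis. The four-router topology, link costs and LSPs
are constructed. Every router receives the same LSPs, so every router builds the same
database and computes its own shortest-path tree from it.
"""
import heapq
from typing import Dict, List, Optional, Tuple

LSP = Tuple[str, str, int]              # (advertising router, neighbour, link cost)
Route = Tuple[int, Optional[str]]       # (total cost, next hop)


def link(a: str, b: str, cost: int) -> List[LSP]:
    """Both ends of a link advertise it, each in its own LSP."""
    return [(a, b, cost), (b, a, cost)]


# Constructed sample: A--B (2), A--C (6), B--C (1), B--D (4), C--D (1)
SAMPLE_LSPS: List[LSP] = (link("A", "B", 2) + link("A", "C", 6) + link("B", "C", 1)
                          + link("B", "D", 4) + link("C", "D", 1))


def build_lsdb(lsps: List[LSP]) -> Dict[str, Dict[str, int]]:
    """Link-state database as an adjacency map: router -> {neighbour: cost}."""
    graph: Dict[str, Dict[str, int]] = {}
    for src, nbr, cost in lsps:
        graph.setdefault(src, {})[nbr] = cost
        graph.setdefault(nbr, {})
    return graph


def spf(graph: Dict[str, Dict[str, int]], root: str) -> Dict[str, Route]:
    """Dijkstra from `root`: the shortest-path tree, returned as a routing table."""
    best_cost: Dict[str, float] = {root: 0}
    next_hop: Dict[str, Optional[str]] = {root: None}
    pq: List[Tuple[int, str, Optional[str]]] = [(0, root, None)]
    visited = set()
    while pq:
        cost, node, via = heapq.heappop(pq)
        if node in visited:
            continue                       # stale heap entry, a cheaper one was already taken
        visited.add(node)
        next_hop[node] = via
        for nbr, link_cost in graph[node].items():
            cand = cost + link_cost
            if cand < best_cost.get(nbr, float("inf")):
                best_cost[nbr] = cand
                # the first hop out of the root is the neighbour itself; further on it is inherited
                heapq.heappush(pq, (cand, nbr, nbr if node == root else via))
    return {dst: (int(best_cost[dst]), next_hop[dst]) for dst in visited}


def withdraw_link(lsps: List[LSP], a: str, b: str) -> List[LSP]:
    """Simulate a link failure: both ends re-advertise without the link."""
    return [l for l in lsps if {l[0], l[1]} != {a, b}]


def all_tables(lsps: List[LSP]) -> Dict[str, Dict[str, Route]]:
    """Each router runs SPF on the shared database and gets its own tree."""
    graph = build_lsdb(lsps)
    return {router: spf(graph, router) for router in graph}


if __name__ == "__main__":
    for router, table in all_tables(SAMPLE_LSPS).items():
        print(router, table)
    print("A after B-C fails:", all_tables(withdraw_link(SAMPLE_LSPS, "B", "C"))["A"])
```

From A the tree reaches C through B at cost 3 rather than over the direct cost-6 link, and D at cost 4; after the B-C link is withdrawn A recomputes C as 6 via C and D as 6 via B from the same database, with no intermediate "rumour" phase.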

c. Comparison of routing algorithms

Routing protocols based on the vector algorithm are simple and effective in small networks, and need little (if any) supervision. However, they do not work well and converge poorly in large networks, which led to the development of link-state algorithms, which are more complex but better suited to large networks. The vector protocols are also weaker because of the count-to-infinity problem.
The main advantage of link-state routing is that it reacts faster, and within a bounded time, to connectivity changes. In addition, the packets sent across the network in link-state routing are smaller than those used in vector routing. Vector routing requires the full routing table to be transmitted, whereas link-state routing transmits only information about a node's neighbours. These packets therefore use a negligible share of network resources. The main drawback of link-state routing is that it needs more storage and more computation to run than vector routing.

d. Routing protocols in use

e. The RIP routing protocol

RIP uses a distance vector algorithm that determines the best path using a hop-count metric. Used in small networks of the same type, RIP is an effective protocol and its operation is fairly simple. RIP keeps every routing table in a network up to date by broadcasting routing-table update messages every 30 seconds. After a RIP device receives an update, it compares its current information with the information contained in the update.
In mid-1988 the IETF published RFC 1058, which describes the operation of systems using RIP. However, this RFC came out after many RIP systems had already been deployed successfully. As a result, some systems using RIP do not support all the improvements to the basic distance vector algorithm.
Basic functional characteristics of RIP:

Uses the distance vector routing algorithm.
Uses a hop-count metric.
Routers broadcast their entire routing database once every 30 seconds.
The maximum network diameter RIP supports is 15 hops.
It does not support VLSM (Variable Length Subnet Mask).

Limitations of RIP:

Limited route length: in RIP the largest cost value is defined as 16. RIP therefore does not allow a route with a cost greater than 15, which means networks larger than 15 hops must use another algorithm.
The traffic needed to exchange routing information is large.
Convergence is fairly slow.
No support for variable-length subnet masks (VLSM): when exchanging route information, RIP includes no information about subnet masks, so a network using RIP cannot support variable-length subnet masks.
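The count-to-infinity sequence from the distance vector section, and RIP's cost limit of 16 from the limitations above, as an added example that is not part of the thesis. It simulates the A - B - C chain with net1 behind C, breaks the B-C link and records how B's and A's hop counts climb until they reach 16, the value RIP treats as unreachable. The routers, links and update order are constructed. The split_horizon switch goes beyond the text: it shows the standard mitigation in which a router never advertises a route back to the neighbour it learned it from, which stops the loop in a single round.

```python
"""Distance vector routing on a three-router chain A - B - C with network net1 behind C.

Added example, not code from the thesis. Routers, links and the update order are
constructed for the illustration. INFINITY = 16 is RIP's "unreachable" value, so the
count-to-infinity loop described in the text stops at 16 instead of running forever.
"""
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # RIP: 16 hops means "unreachable", so a usable route costs at most 15

Table = Dict[str, Tuple[int, Optional[str]]]  # destination -> (hop count, next hop)


def update_from_neighbors(me: str, tables: Dict[str, Table], neighbors: Dict[str, List[str]],
                          split_horizon: bool = False) -> bool:
    """Recompute router `me`'s table from its neighbours' current advertisements.

    Returns True if any entry changed. A router accepts a neighbour's route when it is
    better, and also when that neighbour is already its next hop (it must follow the
    neighbour's updates even when they get worse).
    """
    table = tables[me]
    changed = False
    for nbr in neighbors[me]:
        for dest, (hops, via) in tables[nbr].items():
            if split_horizon and via == me:
                continue  # the neighbour learned this route from us: do not take it back
            cand = min(hops + 1, INFINITY)
            cur = table.get(dest)
            if cur is None or cand < cur[0] or (cur[1] == nbr and cand != cur[0]):
                table[dest] = (cand, nbr)
                changed = True
    return changed


def fail_link(tables: Dict[str, Table], neighbors: Dict[str, List[str]], a: str, b: str) -> None:
    """Remove link a-b; routes that pointed over it become unreachable (INFINITY)."""
    neighbors[a].remove(b)
    neighbors[b].remove(a)
    for me, lost in ((a, b), (b, a)):
        for dest, (_, via) in list(tables[me].items()):
            if via == lost:
                tables[me][dest] = (INFINITY, via)


def build_chain() -> Tuple[Dict[str, List[str]], Dict[str, Table]]:
    """Constructed topology: A - B - C, with net1 directly connected to C (0 hops)."""
    neighbors = {"A": ["B"], "B": ["A", "C"], "C": ["B"]}
    tables: Dict[str, Table] = {"A": {}, "B": {}, "C": {"net1": (0, None)}}
    return neighbors, tables


def run_until_stable(tables: Dict[str, Table], neighbors: Dict[str, List[str]], order: List[str],
                     split_horizon: bool = False, max_rounds: int = 50) -> List[Tuple[int, int]]:
    """Run update rounds in router order; return the (B, A) hop counts to net1 after each round."""
    history = []
    for _ in range(max_rounds):
        changed = [update_from_neighbors(r, tables, neighbors, split_horizon) for r in order]
        if not any(changed):
            break
        history.append(tuple(tables[r]["net1"][0] for r in ("B", "A")))
    return history


def count_to_infinity_trace(split_horizon: bool = False):
    """Converge, fail B-C, then trace the hop counts B and A advertise to each other."""
    neighbors, tables = build_chain()
    run_until_stable(tables, neighbors, ["B", "A", "C"])
    before = {r: tables[r]["net1"][0] for r in ("A", "B")}   # A: 2 hops, B: 1 hop
    fail_link(tables, neighbors, "B", "C")
    after = run_until_stable(tables, neighbors, ["B", "A"], split_horizon=split_horizon)
    return before, after


if __name__ == "__main__":
    print("without split horizon:", count_to_infinity_trace())
    print("with split horizon:   ", count_to_infinity_trace(split_horizon=True))
```

Without split horizon the trace runs (3, 4), (5, 6), ... up to (16, 16): B keeps trusting A's stale 2-hop route and A keeps adding one to B's answer, exactly the exchange the text describes, and only the cap of 16 ends it. With split horizon A never re-advertises net1 to B, so both sides reach 16 in one round.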
Routing Information Protocol version 2 (RIP-2)

The IETF released RIP-2 to overcome the limitations of RIP-1. RIP-2 has the following improvements over RIP:

Support for CIDR and VLSM.
Support for multicast delivery of updates.
Support for authentication.
Support for RIP-1: RIP-2 is fully compatible with RIP-1.

f. The OSPF routing protocol

OSPF is an interior gateway protocol. It was developed to overcome the limitations of RIP. Work on it began in 1988 and was completed in 1991, and updated versions of the protocol are still being released. The current document for the OSPF standard is RFC 2328. OSPF has many features that distance vector protocols lack, and supporting these features has made OSPF a widely used routing protocol in large network environments. In fact, RFC 1812 (which sets out the requirements for IPv4 routers) identifies OSPF as the only dynamic routing protocol required. The features behind the protocol's success are listed below:
Load balancing across equal-cost routes: using several routes at the same time makes efficient use of network resources.
Logical partitioning of the network: this reduces the information flooded under adverse conditions. It also allows routing advertisements to be aggregated, limiting the spread of unnecessary information about the network.
Support for authentication: OSPF supports authentication of every node that sends routing advertisements. This limits the risk of routing tables being altered with malicious intent.
Faster convergence: OSPF propagates information about route changes immediately, which shortens the convergence time needed to update the network topology information.
Support for CIDR and VLSM: this allows the network administrator to allocate IP address space more efficiently.

OSPF is a link-state protocol. Like other link-state protocols, every OSPF router runs the SPF algorithm to process the information held in the link-state database. The algorithm produces a shortest-path tree that specifies the routes that should be chosen to reach each destination network.

3. The VLAN concept

- A VLAN is a group of network devices that is not restricted by physical location or by the LAN switch they connect to.
- A VLAN is a logical network segment based on the function, team or application of an organisation, independent of the physical location or physical connections in the network. All workstations and servers used by the same workgroup are placed in the same VLAN regardless of their location or physical connection.
- All VLAN configuration and configuration changes are made in software, with no need to change cabling or physical equipment.
- A workstation in a VLAN can communicate only with file servers in the same VLAN. VLANs are grouped by logical function and each VLAN is a broadcast domain, so data frames are switched only within a single VLAN.
- VLANs give better scalability, security and network management. In a VLAN design the router contains broadcasts, enforces security and manages traffic. A switch cannot switch traffic between different VLANs; inter-VLAN traffic must be routed through a router.

Figure 11 VLAN model


3.1 Types of VLAN
There are 3 kinds of VLAN membership for determining and controlling how frames are handled:
- Port-based VLAN: each port (Ethernet or Fast Ethernet) is assigned to a specific VLAN, so every host connected to a switch port belongs to that port's VLAN. This is the simplest and most common way to configure VLANs.
- MAC-address-based VLAN: each MAC address is assigned to a particular VLAN. This configuration is very complex and hard to manage.
- Protocol-based VLAN: similar to MAC-address-based VLANs, but using the IP address instead of the MAC address. This configuration is not common.
Port-based membership has the following properties:
- Which VLAN a user belongs to depends on the port the user is connected to.
- No database lookup is needed to determine VLAN membership.
- Easy to manage through graphical user interfaces (GUIs).
- Managing VLAN membership by port is also easy and simple.
- Maximum security between VLANs.
- Frames do not leak into other domains.
- Easy to control across the network.
3.2 How VLANs work

- Each port on a switch can be assigned to a different VLAN. Ports in the same VLAN share broadcast frames with each other, which makes the LAN work more efficiently.
- Static VLAN membership is determined by port. When a device is connected to a switch port, the device is placed in whichever VLAN that port belongs to.
- By default, all ports on a switch are in the management VLAN. The management VLAN is always VLAN 1 and cannot be deleted. Ports can then be assigned to other VLANs. VLANs give users more bandwidth than a shared network: in a shared network all users share one bandwidth, so the more users on a shared segment, the less bandwidth each gets and the lower the performance.
- Dynamic VLAN membership is configured with network management software. You can use CiscoWorks 2000 or CiscoWorks for Switched Internetworks to create dynamic VLANs. Dynamic VLANs assign membership according to the MAC address of the device connecting to the switch rather than by port. When a device connects, the switch looks up its database to determine which VLAN the device belongs to.
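The port-based behaviour described in sections 3 and 3.2, as an added example that is not part of the thesis: a small switch model in which every port starts in VLAN 1, ports are assigned to VLANs in software, MAC addresses are learned per VLAN, and broadcast or unknown-unicast frames are flooded only to ports of the sender's VLAN. The port numbers, VLAN numbers and MAC addresses are constructed. It shows concretely why a host in VLAN 20 never receives a frame from VLAN 10 even when the frame is addressed to it, and why inter-VLAN traffic needs a router.

```python
"""Port-based VLAN switching: flooding and MAC learning scoped to a VLAN.

Added example, not code from the thesis. The switch, port numbers, VLAN numbers and
MAC addresses are constructed.
"""
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MANAGEMENT_VLAN = 1


class VlanSwitch:
    def __init__(self, num_ports: int) -> None:
        # Every port starts in VLAN 1, the management VLAN, which cannot be deleted.
        self.port_vlan: Dict[int, int] = {p: MANAGEMENT_VLAN for p in range(1, num_ports + 1)}
        # MAC table keyed by (VLAN, MAC): the same MAC learned in two VLANs is two entries.
        self.mac_table: Dict[Tuple[int, str], int] = {}

    def assign(self, port: int, vlan: int) -> None:
        """Software-only change of membership: no recabling involved."""
        if port not in self.port_vlan:
            raise ValueError(f"no such port {port}")
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        self.port_vlan[port] = vlan

    def forward(self, in_port: int, src: str, dst: str) -> List[int]:
        """Return the egress ports for a frame entering on `in_port`."""
        vlan = self.port_vlan[in_port]
        self.mac_table[(vlan, src)] = in_port             # learn the source in this VLAN only
        if dst != BROADCAST and (vlan, dst) in self.mac_table:
            out = self.mac_table[(vlan, dst)]
            return [] if out == in_port else [out]        # known unicast: one port (or drop)
        # broadcast or unknown unicast: flood, but only to ports in the same VLAN
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != in_port)

    def same_vlan(self, port_a: int, port_b: int) -> bool:
        """Two hosts can talk through the switch alone only if their ports share a VLAN."""
        return self.port_vlan[port_a] == self.port_vlan[port_b]


# Constructed hosts: h1..h3 on VLAN 10 ports, h4..h5 on VLAN 20 ports, port 6 left in VLAN 1
HOSTS = {f"h{i}": f"00:11:22:33:44:0{i}" for i in range(1, 6)}


def demo() -> Tuple[List[int], List[int], List[int], bool]:
    sw = VlanSwitch(6)
    for port in (1, 2, 3):
        sw.assign(port, 10)   # sales
    for port in (4, 5):
        sw.assign(port, 20)   # engineering
    bcast = sw.forward(1, HOSTS["h1"], BROADCAST)       # flooded to VLAN 10 only -> [2, 3]
    reply = sw.forward(2, HOSTS["h2"], HOSTS["h1"])     # h1 already learned on port 1 -> [1]
    cross = sw.forward(4, HOSTS["h4"], HOSTS["h1"])     # h1 unknown in VLAN 20 -> flooded to [5]
    return bcast, reply, cross, sw.same_vlan(1, 4)


if __name__ == "__main__":
    print(demo())
```

The third frame is the important one: h4 addresses h1's MAC, but the switch has learned h1 only under VLAN 10, so in VLAN 20 the destination is unknown and the frame is flooded to VLAN 20 ports alone; port 1 never sees it.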

Figure 12 How VLANs work


3.3 Advantages and uses of VLANs

- The benefit of a VLAN is that it lets the network administrator organise the network logically rather than physically. The following tasks become easier as a result:
+ High flexibility: workstations are easily moved within the LAN.
+ Adding workstations to the LAN is easy: on a multi-port switch each port can be configured for a different VLAN, so additional computers are easily connected to the right VLAN.
+ Changing the LAN configuration is easy.
+ Controlling network traffic is easy.
+ Increased security: different VLANs cannot reach each other (unless routing is configured between them).
+ Saving network bandwidth: a VLAN splits the LAN into segments (broadcast domains). A broadcast frame is delivered only within a single VLAN and is not forwarded to other VLANs, which reduces broadcast traffic and saves link bandwidth.

3.4 VLAN Trunking Protocol (VTP)

- Suppose a network contains many interconnected switches with many VLANs configured on them. Each VLAN is configured by hand on several switches. As the network grows and more switches are added, every new switch again needs its VLAN information configured by hand. This costs a lot of time and effort and is highly error-prone, so VTP is used to solve the problem.
- VTP, short for VLAN Trunking Protocol, is a proprietary Cisco mechanism that operates at layer 2. VTP keeps the VLAN configuration consistent when VLAN information is added, deleted or modified anywhere in the network. With VTP you configure the VLANs initially on a single switch; that switch advertises every VLAN revision (each deletion, modification or creation increases the revision number by 1), and the other switches must be in the same VTP domain to receive the update (if the domains are set differently, the switches do not exchange VLAN information). This information is sent as a multicast to a single MAC address, 01-00-0C-CC-CC-CC, on which all Cisco devices taking part in VTP listen.

Figure 13 VLAN Trunking Protocol model 1

Figure 14 VLAN Trunking Protocol model 2

3.4.1 VTP concepts and VTP modes

- All switches that want to exchange VTP traffic with each other must share the same domain name. To take part in a management domain, each switch must be configured to operate in a particular mode. There are 3 modes:

a. Server mode

- Switches in this mode control VLAN creation and changes within their domain. All VTP information is advertised to the switches in the domain, and the other switches receive it synchronously. By default a switch operates in server mode. Note that a VTP domain must have at least one server to change or delete VLANs and propagate VLAN information.

Duties of a VTP server:

- Create VLANs
- Modify VLANs
- Delete VLANs
- Send or forward advertisements
- Synchronise VLAN information
- Save the configuration to NVRAM

b. Client mode

- Switches in this mode do not allow the administrator to create, change or delete any VLAN; instead they listen to VTP advertisements from other switches and change their VLAN configuration accordingly. This is a passive listening mode. VTP information is forwarded over trunk links to neighbouring switches in the domain.

Duties of a VTP client:

- Forward advertisements
- Synchronise VLAN information
- Do not save the configuration to NVRAM

c. Transparent mode

- This mode is called transparent because the switch does not take part in VTP. In transparent mode a switch does not advertise its own VLAN configuration, nor does it synchronise its VLAN database with the advertisements it receives. In VTP version 1, a switch in transparent mode does not forward received VTP advertisements to other switches unless its domain name and VTP version match those of the other switches. In VTP version 2, a transparent switch forwards received VTP advertisements out of its trunk ports.
- Note: a switch in transparent mode can create and delete its own local VLANs. However, these VLAN changes are not propagated to any other switch.

Duties of a VTP transparent switch:

- Create VLANs
- Modify VLANs
- Delete VLANs
- Forward advertisements
- Do not synchronise VLAN information
- Save the configuration to NVRAM

Figure 15 VTP modes

3.4.2 How VTP works

Trunking protocols were developed to manage more efficiently the transport of frames from different VLANs over a single physical link. A trunking protocol establishes the agreement on how frames are sorted onto the ports that are linked together at the two ends of the trunk.

There are currently 2 trunking techniques: frame filtering and frame tagging. Within the scope of this project only frame tagging is discussed.

Frame-tagging trunking distinguishes frames so that they can be managed and delivered faster. A tag is added to each frame as it enters the trunk and removed as it leaves. Tagged frames are not broadcast frames.

A single physical link between two switches can carry traffic for every VLAN. To keep them apart, each frame is tagged with an identifier before it is sent, and a frame belonging to a given VLAN is delivered into that same VLAN.

3.4.3 VTP advertisements

- Every switch taking part in VTP must advertise its VLAN numbers (only VLANs 1 to 1005) and VLAN parameters on its trunk ports, to inform the other switches in the management domain. VTP advertisements are sent as multicasts to a particular address in the network. A switch intercepts frames sent to the VTP address and processes them; VTP frames are forwarded out of trunk links as a special case.
- Because every switch in the management domain learns each new VLAN configuration change, a VLAN needs to be created and configured on only one server in the domain. By default the management domain sends advertisements in non-secure mode, with no password. A password can be added to put the domain in secure mode. Every switch in the domain must then be configured with the same password, so that all switches apply the same hashing method to the VTP change information.
- VTP advertising starts with a configuration revision number of 0. At each subsequent change the number is incremented before the advertisement is sent out. When a switch receives an advertisement whose revision number is higher than the one stored locally, the advertisement overwrites its VLAN information, so starting from this zero matters. The VTP revision number is stored in NVRAM and is not changed by the switch itself. It is reset to 0 only in one of the following ways:

Change the switch to transparent mode and then back to server mode.
Change the switch's VTP domain to a nonexistent name and then back to the old name.
Turn VTP pruning off or on on the server.

If the VTP revision number is not reset to 0, a switch newly placed in server mode may advertise nonexistent or deleted VLANs. If its revision number is higher than that of the previous advertisement, the listening switches overwrite their entire VLAN database with the state in which those VLANs are deleted. This is the VTP synchronisation problem.
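The revision handling from this section and the server/client/transparent behaviour from 3.4.1, as an added example that is not part of the thesis. The switch names, domain name, VLANs and password are constructed, and the digest is a simplified stand-in for the MD5 digest VTP carries (here an MD5 over domain, password, revision and VLAN list). The scenario reproduces the synchronisation problem just described: a lab switch in the same domain with a higher revision but only VLAN 1 wipes the client's VLANs; bouncing that switch through transparent mode resets its revision so the same advertisement is ignored; and an advertisement hashed with the wrong password is rejected.

```python
"""VTP revision handling: a higher revision overwrites the VLAN database.

Added example, not code from the thesis. Switch names, domain, VLANs and password are
constructed; the digest is a simplified stand-in for the VTP MD5 digest.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Advert:
    domain: str
    revision: int
    vlans: Dict[int, str]
    digest: str


class VtpSwitch:
    def __init__(self, name: str, domain: str, mode: str = "server", password: str = "") -> None:
        assert mode in ("server", "client", "transparent")
        self.name, self.domain, self.mode, self.password = name, domain, mode, password
        self.revision = 0
        self.vlans: Dict[int, str] = {1: "default"}

    def _digest(self, vlans: Dict[int, str], revision: int) -> str:
        data = f"{self.domain}|{self.password}|{revision}|{sorted(vlans.items())}".encode()
        return hashlib.md5(data).hexdigest()   # stand-in for the real VTP MD5 digest

    def _edit(self, vid: int, name: Optional[str]) -> None:
        if self.mode == "client":
            raise PermissionError(f"{self.name}: client mode cannot edit VLANs")
        if name is None:
            self.vlans.pop(vid, None)
        else:
            self.vlans[vid] = name
        if self.mode == "server":           # transparent edits stay local: no revision bump
            self.revision += 1

    def add_vlan(self, vid: int, name: str) -> None:
        self._edit(vid, name)

    def delete_vlan(self, vid: int) -> None:
        self._edit(vid, None)

    def set_mode(self, mode: str) -> None:
        self.mode = mode
        if mode == "transparent":
            self.revision = 0              # one of the documented ways to reset the revision

    def advertise(self) -> Optional[Advert]:
        if self.mode == "transparent":
            return None                    # a transparent switch never advertises its own database
        return Advert(self.domain, self.revision, dict(self.vlans),
                      self._digest(self.vlans, self.revision))

    def receive(self, adv: Optional[Advert]) -> str:
        if adv is None:
            return "nothing received"
        if adv.domain != self.domain:
            return "ignored: domain mismatch"
        if self.mode == "transparent":
            return "forwarded only (transparent)"
        if adv.digest != self._digest(adv.vlans, adv.revision):
            return "ignored: bad digest (password mismatch)"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans, self.revision = dict(adv.vlans), adv.revision   # overwrite, whatever it holds
        return "synced"


def build_domain() -> Tuple[VtpSwitch, VtpSwitch]:
    """Constructed domain CORP: a server with VLANs 10/20/30 replicated to one client."""
    core = VtpSwitch("core", "CORP", "server", "s3cret")
    access = VtpSwitch("access", "CORP", "client", "s3cret")
    for vid, name in ((10, "sales"), (20, "eng"), (30, "voice")):
        core.add_vlan(vid, name)
    access.receive(core.advertise())       # revision 3 replicated to the client
    return core, access


def stale_server(reset: bool = False) -> VtpSwitch:
    """A lab switch that churned VLANs up to revision 10 but ended up with only VLAN 1."""
    lab = VtpSwitch("lab", "CORP", "server", "s3cret")
    for _ in range(5):
        lab.add_vlan(99, "lab")
        lab.delete_vlan(99)
    if reset:
        lab.set_mode("transparent")        # revision back to 0 ...
        lab.set_mode("server")             # ... and it stays 0 on return to server mode
    return lab


def scenario() -> Dict[str, Tuple[str, list]]:
    _, victim = build_domain()
    wiped = victim.receive(stale_server().advertise())
    _, safe = build_domain()
    kept = safe.receive(stale_server(reset=True).advertise())
    _, guarded = build_domain()
    rogue = VtpSwitch("rogue", "CORP", "server", "wrong-password")
    for i in range(50):
        rogue.add_vlan(100 + i, "rogue")
    rejected = guarded.receive(rogue.advertise())
    return {"wiped": (wiped, sorted(victim.vlans)),
            "reset": (kept, sorted(safe.vlans)),
            "badpw": (rejected, sorted(guarded.vlans))}
```

The "wiped" case is the one to remember: nothing in the exchange is malicious, the lab switch simply has a higher revision in the same domain with the same password, which is why the text insists on resetting the revision before a switch is connected.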

3.4.4 VTP pruning

Figure 16 VTP pruning

- VTP pruning is a feature used to eliminate unnecessary traffic. By default all Cisco switches are configured in server mode. This suits small networks, where the VLAN information is small enough to be stored easily in the NVRAM of every device. In a large network a choice has to be made at some point, since keeping a copy of the VLAN database in the NVRAM of every switch is wasteful. At that point a few devices should be chosen to remain in server mode, and everything else taking part in VTP can be switched to client mode.
- VTP pruning makes more efficient use of bandwidth by reducing unnecessary flooded traffic. Flooded frames on a VLAN are forwarded over a trunk only if the switch at the far end of the trunk has ports in that VLAN. VTP pruning is an extension of VTP version 1 that uses an additional VTP message type. When a switch has a port in a VLAN, it advertises this to the neighbouring switches that have active ports in that VLAN. The neighbours keep this information to decide whether flooded traffic from a VLAN should be sent over the trunk or not.

3.4.5 Benefits of VTP

Without VTP, VLAN configuration can become inconsistent when changes are made. Such misconfigurations can amount to security violations, because VLAN connections overlap when two VLANs are given the same name. They can also become disconnected when VLANs are mapped from one LAN type to another.
VTP provides the following benefit:
Consistent VLAN configuration across the network.

4. Overview of HIGH AVAILABILITY (H.A)

4.1 The High Availability concept

- High Availability can be understood as a system design with redundancy against failures and for the links in the network. The main purpose of this design is to ensure that the network's transport of data, messages and so on is never interrupted. A simple way to see it: we want to travel from point A to point B, but the road to B is congested. If we know SEVERAL other roads to B, we need not worry about the bandwidth being congested.
- A high-availability network provides alternative paths so that all critical infrastructure and servers can be reached at all times, and any downtime is kept to a minimum.

Figure 17 High Availability model

DISADVANTAGES:

Maintaining one link is already costly; adding one (or several) more links to "guarantee" HA is even more expensive (economically).

If traffic has to be switched over to the backup link, a router or a monitoring host is also needed to detect when the "link is dead" so that the switch-over can take place.

Previously only one link had to be managed; now one (or several) more have to be managed as well.

ADVANTAGES:

Having a backup link is "better" than having none (there is something to switch over to, which is what guarantees availability).

Buying additional link capacity also gives us the opportunity to reduce and distribute load sensibly with load balancing and load sharing across the links.

In particular, for companies whose work requires security and whose links must be continuously and highly available, H.A is an indispensable feature when deploying the infrastructure.

4.2 Common H.A techniques in network infrastructure

High Availability in network infrastructure is implemented at both layer 2 and layer 3.

Common H.A techniques at Layer 2:

- EtherChannel
- Spanning-tree

Common H.A techniques at Layer 3:

- Hot Standby Router Protocol
- Virtual Router Redundancy Protocol
- Gateway Load Balancing Protocol


4.3 EtherChannel

4.3.1 Introduction to EtherChannel

- EtherChannel provides redundancy and higher-speed connections between switches, or between a switch and a router or server. An EtherChannel bundles several Fast Ethernet or Gigabit Ethernet links into a single logical link. If one link in the EtherChannel fails, traffic is moved onto the remaining links of the EtherChannel.
- An EtherChannel bundles from 2 to 8 Fast Ethernet or Gigabit Ethernet links into one logical link.
- This connection provides bandwidth of up to 1600 Mbps or 16 Gbps, counting both directions (transmit and receive) over the equivalent of 8 Fast Ethernet or Gigabit Ethernet links.

Figure 18 EtherChannel model


4.3.2 The PAgP and LACP protocols

a. PAgP

- PAgP (Port Aggregation Protocol) is a proprietary Cisco protocol; PAgP packets are exchanged between switches over the EtherChannel ports.
- The parameters of the neighbouring switch (such as port capabilities) are identified and compared with those of the local switch.
- PAgP forms an EtherChannel only on ports configured with the same static VLAN or the same trunking type (at most 8 ports).
- PAgP changes the EtherChannel's dynamic parameters if one of the ports in the bundle is changed.
- PAgP can be configured in Desirable mode, in which a switch actively asks the remote switch to form an EtherChannel.
- When a switch runs PAgP in Auto mode, it only negotiates if the remote switch asks it to.

b. Other PAgP features

- DTP (Dynamic Trunking Protocol) and CDP (Cisco Discovery Protocol) can send and receive packets on the physical ports of an EtherChannel. Ports configured as trunks send and receive PAgP protocol data units (PDUs) on the VLAN with the lowest ID.
- In each EtherChannel, the first physical port in the channel to come up supplies its MAC address to the EtherChannel. If that port is removed from the EtherChannel, one of the remaining ports in the EtherChannel comes up and supplies its MAC address to the EtherChannel.
- PAgP sends and receives PAgP PDUs only on physical ports that are up and that have PAgP enabled in one of the two modes: Auto or Desirable.

c. LACP

- LACP (Link Aggregation Control Protocol)
- LACP also sends packets over the switch's EtherChannel ports. However, LACP also assigns roles to the ports at the ends of the EtherChannel.
- The switch with the lowest system priority decides which ports take part in the EtherChannel at any given time.
- Ports are selected and become Active according to their priority value, where a lower value means higher priority.
- A set of 16 links can take part in one EtherChannel.
- Through LACP, a switch selects the 8 ports with the lowest priority values as the Active members of the EtherChannel.
- The remaining ports stay in standby state and are enabled if one of the active links goes down.
- LACP can be configured in active mode, in which a switch actively asks the far end to negotiate and form the EtherChannel.
- In passive mode a switch only forms the EtherChannel if the remote switch initiates it.
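The LACP member selection and the PAgP/LACP mode rules from this section, as an added example that is not part of the thesis. Port names, priorities and link speeds are constructed. It takes a bundle of 12 candidate ports (the LACP limit is 16), makes the 8 with the lowest priority values active and the rest standby, promotes a standby port when an active one fails, and checks which mode pairs actually form a channel (desirable/auto for PAgP, active/passive for LACP, with at least one initiating side).

```python
"""EtherChannel member selection and mode negotiation (PAgP / LACP).

Added example, not code from the thesis. Port names, priorities and link speeds are
constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple

MAX_ACTIVE = 8     # active members per EtherChannel
MAX_BUNDLE = 16    # ports that may be bound to one LACP EtherChannel


@dataclass(frozen=True)
class Port:
    name: str
    priority: int        # LACP port priority: lower value = preferred
    number: int          # tie-breaker, the physical port number
    up: bool = True


def select_members(ports: List[Port]) -> Tuple[List[Port], List[Port]]:
    """Split the bundle into active and standby members by (priority, port number)."""
    if len(ports) > MAX_BUNDLE:
        raise ValueError(f"at most {MAX_BUNDLE} ports per EtherChannel")
    candidates = sorted((p for p in ports if p.up), key=lambda p: (p.priority, p.number))
    return candidates[:MAX_ACTIVE], candidates[MAX_ACTIVE:]


def fail_port(ports: List[Port], name: str) -> List[Port]:
    """Model a link going down; the next selection promotes a standby member."""
    return [replace(p, up=False) if p.name == name else p for p in ports]


def bundle_bandwidth_mbps(active: List[Port], link_mbps: int) -> int:
    """Full-duplex aggregate: both directions count, as in the 16 Gbps figure in the text."""
    return 2 * len(active) * link_mbps


def forms_channel(mode_a: str, mode_b: str) -> bool:
    """PAgP desirable/auto and LACP active/passive: same protocol, at least one initiator."""
    initiators = {"desirable": "pagp", "active": "lacp"}
    responders = {"auto": "pagp", "passive": "lacp"}
    protocol = {**initiators, **responders}
    if mode_a not in protocol or mode_b not in protocol or protocol[mode_a] != protocol[mode_b]:
        return False
    return mode_a in initiators or mode_b in initiators


def sample_bundle() -> List[Port]:
    """Constructed: 12 Gigabit ports; Gi1/0/1-4 get priority 100, the rest the default 32768."""
    return [Port(f"Gi1/0/{n}", 100 if n <= 4 else 32768, n) for n in range(1, 13)]


def scenario() -> Tuple[List[str], List[str], List[str], int]:
    ports = sample_bundle()
    active, standby = select_members(ports)
    active_after, _ = select_members(fail_port(ports, "Gi1/0/3"))
    return ([p.name for p in active], [p.name for p in standby],
            [p.name for p in active_after], bundle_bandwidth_mbps(active, 1000))


if __name__ == "__main__":
    print(scenario())
```

With the four preferred ports first and the default-priority ports ordered by number, Gi1/0/1-8 are active and Gi1/0/9-12 standby; when Gi1/0/3 fails, Gi1/0/9 joins the active set without any change to the logical link's address or the traffic flowing over it.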

Figure 19 PAgP and LACP model

4.4 Spanning Tree Protocol (STP)

4.4.1 Concept

- STP is a layer 2 link management protocol that provides a redundant path while preventing loops in the network. When Ethernet, operating at Layer 2 of the OSI model, is configured correctly, only one path is active between two PCs.
- Having several active paths between 2 PCs in the network is what causes loops.
- If a loop exists in the network, end devices (PCs) receive many duplicate messages (this is called multiple frame copies), and switches learn the MAC addresses of the PCs on several ports (this is called MAC table instability).
- Such consequences make the network unstable. Spanning-Tree running on the switches lets the network prevent loops while still allowing a redundant design.
- STP uses the Spanning-Tree algorithm to choose one switch as the Root Bridge in the redundant design. The Spanning-tree algorithm computes the best loop-free path through the layer 2 switched network by assigning a role to every active port, and each port gets one of the following roles:
- Root: a port that forwards data in the spanning-tree topology.
- Designated: a forwarding port chosen for each LAN segment among all the switches on that segment.
- Alternate: a port that is blocked and is used as the backup path.
- Backup: a port that is blocked in a loopback configuration.
- A switch whose ports are all designated or backup is the root switch. A switch with at least one designated port is called a designated switch.


4.4.2 How STP operates

- Spanning tree places the path used for redundancy in standby (blocked) state. If a fault occurs in a network running spanning-tree and a backup path exists, the spanning-tree algorithm recomputes the spanning-tree topology and brings the backup path into operation. Switches send and receive spanning-tree frames, called Bridge Protocol Data Units (BPDUs).
- Switches do not forward these BPDU frames, but use them to build the loop-free path. BPDUs carry information about the sending switch and its ports, including the MAC address, switch priority, port priority and path cost.
- The Spanning-Tree algorithm uses this information to elect the root switch and the root port for the switched network, and the root port and designated port for each switched segment (collision domain = segment).
- When two ports on a switch are part of a loop, the spanning-tree port priority and path cost decide which port goes to forwarding state (the state in which data is transmitted) and which goes to blocking state.
- The port priority value represents the port's position in the topology and, above all, decides where traffic is allowed to pass. The path cost is a value that represents the link speed.

Figure 20 How STP operates

4.4.3 STP port states

State        Purpose
Forwarding   Sends and receives data
Learning     Builds the STP tree
Listening    Builds the STP tree
Blocking     Receives BPDUs only
Disabled     Port shut down

- Blocking state:

Discards received frames
Does not learn MAC addresses
Receives BPDUs
Does not send BPDUs
Receives and responds to network management messages

- Listening state:

Discards frames received and frames forwarded from other ports
Does not learn MAC addresses
Receives and processes BPDUs
Receives and responds to network management messages

- Learning state:

Discards frames received and frames forwarded from other ports
Builds the MAC address table
Receives, sends and processes BPDUs
Receives and responds to network management messages

- Forwarding state:

Forwards frames received from the network and from other ports
Builds the MAC address table
Receives and processes BPDUs
Receives and responds to network management messages

4.4.4 The Spanning-Tree topology and BPDUs

- Spanning-tree in a switched network is governed by the following elements:

Bridge ID (switch priority and MAC address) for each VLAN on a switch.

Spanning-Tree path cost to the root switch.

Port ID (port priority and MAC address) for each layer 2 interface of the switch.

- When the switches in the network are powered on, each switch starts out acting as the root switch. Each switch sends a configuration BPDU out of all of its ports to the other switches. BPDUs are used to announce and compute the spanning-tree topology. Each BPDU contains the following information:

Bridge ID of the switch acting as root (at this stage, the switch sending the BPDU itself)

Path cost to the root.

Bridge ID of the switch sending the BPDU.

Message age of the BPDU.

ID of the port through which the BPDU is sent.

Hello, forward delay and max-age timer values.

- When a switch receives a BPDU containing better information (such as a lower bridge ID or a lower path cost), it stores that information on the port. If the BPDU is received on the switch's root port, the switch forwards it to all the designated switches.
- If a switch receives a BPDU containing information that is not as good as the information it already holds for the port, it discards the BPDU. If the switch is the designated switch for the LAN and receives a BPDU with information inferior to what it holds for the port, it replaces it with its own better information in a BPDU and sends that out. Operating this way, inferior information is discarded and superior information is advertised throughout the network.

- The final result of the BPDU exchange between the switches is:

One switch in the network is elected root switch. In each VLAN, the switch with the highest priority (lowest numeric priority value) is elected root switch. If all switches in the network use the default priority (32768), the switch with the lowest MAC address in the VLAN becomes the root switch.

A root port is chosen on every switch (except the root switch). This port provides the lowest cost for the switch to forward data to the root switch.

The shortest distance to the root switch is calculated for each switch based on path cost.

A designated switch is chosen for each LAN segment (collision domain). The designated switch has the lowest-cost path for forwarding data from that LAN to the root switch. The port on the designated switch that is attached to the LAN and forwards data through it is called the designated port.

Every path that is not needed to forward data to the root switch from anywhere in the switched network is placed in the spanning-tree blocking state.

4.4.5 Bridge ID, switch priority and extended system ID

- The IEEE 802.1D standard requires each switch to have a unique bridge ID, which is used in the root switch election. Because each VLAN is a separate logical bridge under PVST+ and rapid PVST+, the same switch must have a different bridge ID for each configured VLAN. Each VLAN on each switch has a unique 8-byte bridge ID, in which 2 bytes hold the switch priority and the remaining 6 bytes hold the switch MAC address.
- The Catalyst 2960 switch supports the IEEE 802.1t spanning-tree extension, in which bits formerly used for the switch priority now carry the VLAN ID. Of the 2 bytes formerly used as the switch priority, 4 bits are used for the priority value and the remaining 12 bits are the extended system ID, which corresponds to the VLAN ID.
- Spanning tree uses the extended system ID, the switch priority and the MAC address to form a unique bridge ID for each VLAN.
- Because Catalyst switches support the extended system ID, you can configure the root switch, secondary root switch and switch priority per VLAN. For example, changing the switch priority value can cause that switch to be elected root switch.
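The root election from 4.4.4 and the 802.1t bridge ID layout from this section, as an added example that is not part of the thesis. The three switches, their MAC addresses and the link costs are constructed. It builds a per-VLAN bridge ID from a 4-bit priority, the 12-bit VLAN ID and the 48-bit MAC, elects the lowest bridge ID as root, selects each switch's root port by lowest root path cost (tie broken by the upstream bridge ID) and reports which end of each redundant link blocks its port. The second run lowers one switch's priority, the per-VLAN tuning the text describes, and shows the root and the blocked port moving as a result.

```python
"""STP root election and root-port selection with 802.1t extended-system-ID bridge IDs.

Added example, not code from the thesis. The switches, MAC addresses and link costs
are constructed.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def bridge_id(priority: int, vlan: int, mac: str) -> int:
    """802.1t bridge ID: (priority + VLAN ID) in the top 16 bits, MAC in the low 48."""
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    return ((priority + vlan) << 48) | mac_int


def fmt_bridge_id(bid: int) -> str:
    """Same notation as `show spanning-tree`: <priority+sysid>.<mac>."""
    return f"{bid >> 48}.{bid & ((1 << 48) - 1):012x}"


@dataclass(frozen=True)
class Link:
    a: str
    b: str
    cost: int   # STP port cost, same in either direction


def elect_root(bridge_ids: Dict[str, int]) -> str:
    return min(bridge_ids, key=bridge_ids.__getitem__)   # lowest bridge ID wins


def spanning_tree(bridge_ids: Dict[str, int], links: List[Link]):
    """Return (root, {switch: (root path cost, upstream switch or None)})."""
    root = elect_root(bridge_ids)
    adj: Dict[str, List[Tuple[str, int]]] = {sw: [] for sw in bridge_ids}
    for l in links:
        adj[l.a].append((l.b, l.cost))
        adj[l.b].append((l.a, l.cost))
    best: Dict[str, Tuple[int, int]] = {root: (0, 0)}   # (path cost, upstream bridge ID)
    upstream: Dict[str, Optional[str]] = {root: None}
    pq = [(0, 0, root)]
    while pq:
        cost, via_bid, sw = heapq.heappop(pq)
        if (cost, via_bid) != best[sw]:
            continue                                     # stale entry
        for nbr, link_cost in adj[sw]:
            cand = (cost + link_cost, bridge_ids[sw])    # cheapest path, then lowest sender ID
            if cand < best.get(nbr, (float("inf"), float("inf"))):
                best[nbr] = cand
                upstream[nbr] = sw
                heapq.heappush(pq, (cand[0], cand[1], nbr))
    return root, {sw: (best[sw][0], upstream[sw]) for sw in best}


def blocked_ports(bridge_ids: Dict[str, int], links: List[Link], table) -> List[Tuple[str, str]]:
    """For each link outside the tree, the end with the worse (cost, bridge ID) blocks its port."""
    blocked = []
    for l in links:
        if table[l.a][1] == l.b or table[l.b][1] == l.a:
            continue   # tree link: root port on one end, designated port on the other
        key_a = (table[l.a][0], bridge_ids[l.a])
        key_b = (table[l.b][0], bridge_ids[l.b])
        blocked.append((l.b, l.a) if key_a < key_b else (l.a, l.b))   # (blocking switch, towards)
    return blocked


SAMPLE_MACS = {"SW1": "0019.aa11.0001", "SW2": "0019.aa11.0002", "SW3": "0019.aa11.0003"}
SAMPLE_LINKS = [Link("SW1", "SW2", 4), Link("SW1", "SW3", 19), Link("SW2", "SW3", 19)]


def run(vlan: int = 1, priorities: Optional[Dict[str, int]] = None):
    """Elect the root for one VLAN; `priorities` overrides the default 32768 per switch."""
    priorities = priorities or {}
    ids = {sw: bridge_id(priorities.get(sw, 32768), vlan, mac) for sw, mac in SAMPLE_MACS.items()}
    root, table = spanning_tree(ids, SAMPLE_LINKS)
    return root, table, blocked_ports(ids, SAMPLE_LINKS, table)


if __name__ == "__main__":
    print("defaults:        ", run())
    print("SW3 priority 24576:", run(priorities={"SW3": 24576}))
```

With all three switches at the default priority, SW1 wins on the lowest MAC, SW2 reaches it at cost 4, SW3 at cost 19, and SW3 blocks its port towards SW2. Setting SW3's priority to 24576 for VLAN 1 makes its bridge ID 24577.0019aa110003, the lowest, so SW3 becomes root and the SW1-SW2 link is the one that now carries a blocked port (on SW2, whose bridge ID is higher than SW1's at equal cost).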

4.5 Hot Standby Router Protocol (HSRP)

- A network with High Availability means that the network infrastructure and the important servers in the network are always reachable at any time.
- Hot Standby Router Protocol (HSRP) is one of the features that provide layer 3 redundancy for the hosts in a network. HSRP optimises the provision of connectivity when a link failure is detected, together with the recovery mechanisms after a fault in the network.
- Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP) are also protocols that provide layer 3 redundancy. VRRP is a standard protocol. GLBP is a Cisco protocol.
- GLBP was developed from VRRP and adds a load-balancing capability.
- First, we need to understand a few concepts related to the routing process, as follows.

4.5.1 HSRP operating mechanisms

a. Using a default gateway

Figure 21 Default gateway model

- For a computer in the network to reach other networks, a default gateway must be configured. Suppose the PC above is configured with a default gateway pointing to Router A, which forwards packets towards file server A, and that Router B also has routing configured.
- In the diagram below, Router A routes the packets it receives to subnet A, while router B routes to subnet B. If Router A breaks down and can no longer be used, the dynamic routing mechanisms recompute and decide that Router B will forward packets in place of router A.
- But PC A has no way of learning this routing information. On PCs we usually configure only a single default gateway IP address, and that IP address does not change when our network topology changes. The result is that PC A cannot send traffic to hosts on the other networks in the topology.
- If some router could stand by and act as the default gateway for the segment, we would not need to reconfigure the default gateway IP address on the PCs.


b. Proxy ARP

Figure 22 Proxy ARP model

- Cisco IOS uses proxy ARP to let hosts that have no routing capability obtain the MAC address of a gateway so that they can forward packets off the local subnet. In the diagram above, for example, the proxy ARP router receives an ARP request from a host for an IP address that is not on the same segment as the requesting host. The router replies with an ARP response containing its own MAC address and the IP address the host wants to reach. The host then sends every packet for that IP address to the MAC address that was resolved, the router's, and the router in turn pushes the packets on towards the destination IP address.
- With proxy ARP, then, end-user stations treat the destination devices as if they were attached to their own network segment. If the router performing proxy ARP fails, the end stations continue to send packets to the IP address resolved to the MAC address of the failed router, and those packets are discarded.
- In practice the proxied MAC address has a limited lifetime in the computer's ARP cache. After that time the workstation requests the address of another router. But it cannot send traffic during that whole interval.

c. Router redundancy

Figure 23 Router redundancy model 1

- HSRP is a set-up in which routers work together to present a virtual router to the hosts on the LAN. By sharing one IP address and one layer 2 MAC address, two or more routers can act as a single virtual router. The virtual IP address is configured as the default gateway for the workstations on a segment. When frames are sent from a workstation to the default gateway, the workstation uses ARP to resolve the MAC address for the default gateway IP address. The ARP reply carries the MAC address of the virtual router. Frames are sent to the virtual MAC address and then processed by the active or standby router belonging to the virtual router group being configured.
- One or more routers use this protocol to decide which physical router is responsible for handling frames sent to the virtual IP address and virtual MAC address. Workstations send traffic to the virtual router. One real router is responsible for forwarding that traffic onward, but that real router is transparent to the end workstations. The redundancy protocol gives us a mechanism for deciding which router takes the active role in forwarding traffic and which router takes the standby role.

Figure 24 Router redundancy model 2

- When a forwarding router fails, the switch-over proceeds as follows:

The standby router stops receiving hello packets from the forwarding router.
The standby router then assumes the role of forwarding router.
The PCs' frame transmission is not affected, because the router now in the forwarding role uses the same virtual IP address and MAC address as before.

ti: Xy dng h tng mng doanh nghip 74


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

4.5.2 Quy trnh hot ng HSRP

Hnh 25 Quy trnh hot ng HSRP

Tt c router trong mt HSRP group c mt vai tr c th v tng tc vi nhau theo


mt phng php xc nh

- Virtual Router: thc t ch l mt cp IP address v Mac address m tt c cc thit b


u cui dng n lm IP default gateway. Active router x l tt c packet v tt c cc
frame c gi ti virtual router address.

- Active Router: trong HSRP group mt router s c chn lm active router. Active
router thc t l thit b vt l forward packet v n cng l thit b gi Mac address o
n cc thit b u cui

- Trong m hnh trn router A c gi nh vai tr active v forward tt c cc frame


n a ch Mac l 0000.0c07.acXX vi XX l s group ca HSRP. XX l h s hexa

ti: Xy dng h tng mng doanh nghip 75


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- a ch IP v a ch Mac tng ng ca virtual router c duy tr trong bng ARP


ca mi router thuc HSRP group. kim tra bng ARP trong bng ARP ta dng
lnh show ip arp

Hnh 26 Cch thc hot ng a ch IP v a ch Mac trong HSRP

- Hnh trn hin th bng ARP ca mt router ang lm thnh vin ca HSRP group 1
trong Vlan 10. Trong bng ARP trn ta thy rng virtual router c a ch l
172.16.10.110 v c mt Well-known Mac l 0000.0c07.ac01 vi 01 l s group. S
HSRP group 1 hin th di dng c s 10 v 01 l di h c s 16

- HSRP standby router lun theo di trng thi hot ng ca HSRP group v s nhanh
chng chuyn trng thi forwarding packet nu active router khng c hot ng. C hai
active router v standby router s truyn hello message thng bo cho tt c router khc
trong group HSRP bit rng vai tr ca n lc ny l g ? Cc router dng a ch destination
multicast 224.0.0.2, kiu truyn UDP port 1985. V a ch IP source l a ch IP ca
sending router.

ti: Xy dng h tng mng doanh nghip 76


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Ngoi ra bn trong HSRP group c th cha mt s router khc nhng vai tr ca n


khng phi active hay standby. Nhng router dng ny s monitor hello message c gi
bi active v standby router chc chn rng active v standby router ang tn ti trong
HSRP group. Router ny ch forward nhng packet n chnh a ch IP ca n nhng
khng forward packet c t a ch n virtual router. Nhng router dng ny s c
message ti mi thi gian gia hai gi tin hello

- Mt s thut ng trong HSRP

Hello Interval Time: Khong thi gian gia hai gi tin Hello HSRP thnh cng t mt
router. Thi gian ny l 3 giy

Hold Interval Time: khong thi gian gia hai gi tin hello c nhn v gi nh rng
sender router b fail. Mc nh l 10 giy

- Khi active router b fail, th nhng router khc thuc cng HSRP group s khng cn
nhn c message t active router. V standby router sau s c gi nh l Active
router. V nu nh c router khc bn trong HSRP group th n s c a ln lm
standby router. Nu nh c hai active v standby router b fail th tt c router trong group
lm active v standby router.

ti: Xy dng h tng mng doanh nghip 77


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

Hnh 27 Cch thc hot ng ca cc gi tin trong HSRP

- Trong qu trnh ny new activer router gnh ly IP o v Mac o ca virtual router nh


vy dn n cc thit b u cui s nhn thy tnh trng h hng ca cc dch v. Cc thit
b u cui tip tc gi traffic n Mac addres ca virtual router. New activer router s
gnh vc chp nhn phn phi gi tin.

4.5.3 c im ca HSRP
- a ch IP l o v a ch MAC cng o trn router active.
- Cc router d phng s lng nghe cc gi hello t router ang active, mc nh mi 3
giy v 10 giy cho khong thi gian dead.
- u tin cao nht (mc nh l 100, trong tm t 1-255) s xc nh router, vi c ch
pre-emption b tt.
- H tr tnh nng tracking, trong u tin ca mt router s b gim khi mt
interface ang b theo di b hng hc.
- C th c ti a 255 nhm HSRP trn mi interface, cho php mt hnh thc cn bng

ti: Xy dng h tng mng doanh nghip 78


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

ti.
- a ch MAC o c dng 0000.0C07.Acxx trong xx l ch s ca nhm HSRP.
- a ch ca IP o phi trong cng gi tr subnet ca cng ca router trong LAN.
- a ch ca IP o phi khc vi bt k mt a ch tht no ca cc cng tham gia vo
HSRP.

4.5.4 Cc trng thi trong giao thc HSRP

- Mt router trong HSRP group c mt s trng thi hot ng nh sau: initial, learn,
listen, speak, standby hoc l active

Hnh 28 Cc trng thi trong giao thc HSRP

- Khi mt router ang trong mt s nhng trng thi trn th n s thc hin mt s
hnh ng nht nh. Khng phi tt c HSRP router trong group s chuyn i sang tt c
cc trng thi. V d nh ta c 3 router trong group, mt trong ba con router thuc group
khng ng vai tr l standby hay active th con router ny vn duy tr trng thi Listen.

ti: Xy dng h tng mng doanh nghip 79


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Tt c cc router u bt u trng thi Initial, iu ny hin th rng HSRP ang


khng hot ng. Sau n s chuyn sang trng thi learn, trng thi ny router s mong
ch thy c HSRP packet v t nhng packet ny n quyt nh xem virtual IP l g ?
v xc nh active router trong HSRP group.

- Khi mt interface thy HSRP packet v quyt nh xem virtual IP l g th n tip tc


chuyn sang trng thi listen. Mc ch ca trng thi listen l xc nh xem c Active
hay Standby router cho HSRP group. Nu nh c active hay standby router ri th n
vn gi nguyn trng thi. Tuy nhin nu gi tin hello khng c thy t bt k router
no, interface chuyn sang trng thi Speak.

- Trng trng thi Speak, cc router ch ng tham d vo qu trnh chn la ra active


router, standby router bng cch nhn vo gi tin hello xc nh vai tr.

- C 3 dng timer c s dng trong giao thc HSRP l active, standby, hello. Nu
nh khng c mt gi tin hello no c nhn t Active HSRP router trong khong thi
gian active, th router chuyn sang trng thi HSRP mi.

- Active timer: dng monitor Active Router. Timer s reset li vo bt k thi im


no khi mt router trong group HSRP nhn c gi tin hello c gi ra t Active Router.
Gi tr Timer expire ph hp vi gi tr hold time ang c set tng ng vi field trong
HSRP hello message.

- Standby timer: dng monitor standby router. Timer s reset li vo bt k thi im


no khi mt router trong group HSRP nhn c gi tin hello c gi ra t Standby
Router. Gi tr Timer expire ph hp vi gi tr hold time ang c set tng ng vi
field trong HSRP hello message.

- Hello timer: thi gian ca hello packet. Tt c HSRP router trong bt k trng thi no
ca HSRP u to ra hello packetkhi m hello timer expire
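To make the timers and state transitions above concrete, here is an added Python model (not code from the thesis) of one HSRP group: routers leave Initial, pass through Learn, Listen and Speak, elect Active and Standby by priority, and fail over when the 10-second hold time passes without a hello from the active router. Group 1 and the virtual IP 172.16.10.110 are taken from Figure 26; the router names, priorities and the 3-second simulation step are constructed.

```python
from dataclasses import dataclass

HELLO_TIME = 3    # seconds between hello packets (default given on this page)
HOLD_TIME = 10    # seconds without a hello before the sender is presumed failed (page default)


def hsrp_virtual_mac(group: int) -> str:
    """Well-known virtual MAC 0000.0c07.acXX, XX = HSRP group number in hex."""
    if not 0 <= group <= 255:
        raise ValueError("HSRP group number must be 0-255")
    return f"0000.0c07.ac{group:02x}"


@dataclass
class Router:
    name: str
    priority: int = 100         # 1-255, default 100
    alive: bool = True
    state: str = "Initial"      # Initial, Learn, Listen, Speak, Standby, Active
    active_timer: float = 0.0   # seconds since the last hello from the Active router
    standby_timer: float = 0.0  # seconds since the last hello from the Standby router


class HsrpGroup:
    """One HSRP group; each step() is one hello interval, so timers are checked at
    3-second boundaries (a 10 s hold time is therefore seen as expired at 12 s)."""

    def __init__(self, group, virtual_ip, routers, preempt=False):
        self.vmac = hsrp_virtual_mac(group)
        self.virtual_ip = virtual_ip
        self.routers = routers
        self.preempt = preempt          # page: pre-emption is disabled by default
        self.clock, self.events = 0, []
        for r in routers:
            r.state = "Learn"           # HSRP enabled: leave Initial, wait for hellos

    def _in(self, state):
        return next((r for r in self.routers if r.alive and r.state == state), None)

    def _set(self, r, state):
        r.state, r.active_timer, r.standby_timer = state, 0.0, 0.0
        self.events.append(f"t={self.clock}s {r.name} -> {state}")

    def _elect(self, role):
        """Speak state: the highest priority among the speaking routers wins the role."""
        speaking = [r for r in self.routers if r.alive and r.state == "Speak"]
        if not speaking:
            return None
        best = max(speaking, key=lambda r: r.priority)
        self._set(best, role)
        return best

    def step(self):
        self.clock += HELLO_TIME
        active, standby = self._in("Active"), self._in("Standby")
        for r in self.routers:
            if not r.alive:
                continue
            # a hello from a live Active/Standby router resets the matching timer
            r.active_timer = 0.0 if active else r.active_timer + HELLO_TIME
            r.standby_timer = 0.0 if standby else r.standby_timer + HELLO_TIME
            if r.state == "Learn":      # virtual IP known (configured locally in this model)
                r.state = "Listen"
        if standby and standby.active_timer >= HOLD_TIME:   # Active timer expired
            self._set(standby, "Active")
            active, standby = standby, None
        for r in self.routers:          # Listen routers missing a role's hellos start speaking
            if r.alive and r.state == "Listen" and max(r.active_timer, r.standby_timer) >= HOLD_TIME:
                self._set(r, "Speak")
        if self._in("Speak"):
            active = active or self._elect("Active")
            standby = standby or self._elect("Standby")
            for r in self.routers:      # election losers fall back to Listen
                if r.alive and r.state == "Speak":
                    r.state = "Listen"
        if self.preempt and active is not None:   # higher priority displaces the Active router
            rivals = [r for r in self.routers if r.alive and r.state in ("Listen", "Standby")]
            best = max(rivals, key=lambda r: r.priority, default=None)
            if best is not None and best.priority > active.priority:
                self._set(active, "Listen")
                self._set(best, "Active")

    def roles(self):
        return {r.name: r.state for r in self.routers}


def run_failover_demo(preempt=False):
    """Constructed scenario: R1 wins the election, loses power, R2 takes over after the
    hold time, then R1 returns (and only wins back the role if pre-emption is on)."""
    r1, r2, r3 = Router("R1", 110), Router("R2", 100), Router("R3", 90)
    g = HsrpGroup(1, "172.16.10.110", [r1, r2, r3], preempt=preempt)
    out = {"vmac": g.vmac}
    for _ in range(4):
        g.step()                                   # election completes at t=12 s
    out["after_election"] = g.roles()
    r1.alive, r1.state = False, "Initial"          # the Active router fails
    for _ in range(4):
        g.step()                                   # R2's active timer passes 10 s
    out["after_failure"] = g.roles()
    r1.alive, r1.state = True, "Learn"             # R1 comes back up
    for _ in range(2):
        g.step()
    out["after_return"] = g.roles()
    out["events"] = g.events
    return out


if __name__ == "__main__":
    print("\n".join(run_failover_demo()["events"]))
```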

4.5.5 Virtual Router Redundancy Protocol and Gateway Load Balancing Protocol

a. Virtual Router Redundancy Protocol (VRRP)

- VRRP creates a redundant gateway out of a group of routers. The active router is called the
master router; all the remaining routers are in the backup state. The master router is the router
with the highest priority in the VRRP group.

- VRRP group numbers range from 0 to 255; router priorities range from 1 to 254 (254 is the
highest, the default is 100).

- The virtual router's MAC address has the form 0000.5e00.01xx, where xx is the group number
in hexadecimal.

- VRRP advertisements are sent once every second. The backup routers can learn the
advertisement interval from the master router.

- By default all VRRP routers are configured in pre-empt mode, meaning that if any router has
a higher priority than the master router, that router takes over.

- VRRP has no mechanism for tracking a router interface.

Figure 29: Virtual Router Redundancy Protocol model

- VRRP uses multicast address 224.0.0.18 and IP protocol number 112. VRRP is available in
Cisco IOS Software Release 12.0(18)ST.

b. Gateway Load Balancing Protocol (GLBP)

- GLBP is a newer Cisco protocol that provides load balancing alongside gateway redundancy.
Hosts still point at a single default gateway address, but GLBP lets the hosts send traffic to any
one of up to four routers in a GLBP group. To do this, the AVG router assigns each router in the
group a unique MAC address of the form 0007.B400.xxyy, where xx is the group number and yy
is a different number for each router (01, 02, 03 or 04).

Figure 30: Gateway Load Balancing Protocol model

- When a client asks for the MAC address of its virtual gateway address, the AVG replies with
one of the four possible virtual MAC addresses. Because they are answered with different MAC
addresses, the hosts on the subnet balance their traffic across the routers instead of all sending to
a single router. To provide redundancy for a given group of users we use several routers, which
ensures reliability.
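An added Python sketch (not the thesis's code) of the AVG behaviour just described: ARP replies for the virtual IP rotate through the 0007.B400.xxyy forwarder MACs, so the hosts on the subnet spread their traffic across the routers. It also goes one step beyond the page by showing GLBP's reassignment of a failed forwarder's virtual MAC to a surviving router, which keeps hosts that cached that MAC connected; the virtual IP 172.16.10.1, the router names and the host count are constructed.

```python
from collections import Counter


def glbp_virtual_mac(group: int, forwarder: int) -> str:
    """Forwarder MAC 0007.b400.xxyy: xx = group number, yy = forwarder number (01-04)."""
    if not 0 <= group <= 255:
        raise ValueError("GLBP group number must be 0-255")
    if not 1 <= forwarder <= 4:
        raise ValueError("GLBP allows at most four forwarders per group")
    return f"0007.b400.{group:02x}{forwarder:02x}"


class GlbpAvg:
    """Active Virtual Gateway: owns the virtual IP and hands out forwarder MACs in ARP replies."""

    def __init__(self, group, virtual_ip, forwarders):
        self.virtual_ip = virtual_ip
        # every router in the group gets one unique virtual MAC
        self.owner = {glbp_virtual_mac(group, i + 1): name
                      for i, name in enumerate(forwarders)}
        self._next = 0

    def arp_reply(self, target_ip):
        """Round robin: successive ARP requests for the virtual IP get different MACs.
        Requests for any other address are not ours to answer (None)."""
        if target_ip != self.virtual_ip:
            return None
        macs = sorted(self.owner)
        mac = macs[self._next % len(macs)]
        self._next += 1
        return mac

    def forwarder_for(self, mac):
        """Which physical router currently forwards frames sent to this virtual MAC."""
        return self.owner.get(mac)

    def forwarder_failed(self, name):
        """Beyond the page: GLBP moves a failed forwarder's virtual MAC to a surviving
        router, so hosts still holding that MAC in their ARP cache keep working."""
        survivors = sorted(set(self.owner.values()) - {name})
        if not survivors:
            raise RuntimeError("no forwarder left in the group")
        for mac, owner in self.owner.items():
            if owner == name:
                self.owner[mac] = survivors[0]


def simulate_subnet(n_hosts=8):
    """Constructed scenario: group 1, four routers, eight hosts each ARPing once for the
    gateway; then R2 fails. Returns the hosts' ARP cache and the per-router load before/after."""
    avg = GlbpAvg(1, "172.16.10.1", ["R1", "R2", "R3", "R4"])
    cache = {f"host{i}": avg.arp_reply("172.16.10.1") for i in range(n_hosts)}
    before = Counter(avg.forwarder_for(m) for m in cache.values())
    avg.forwarder_failed("R2")
    after = Counter(avg.forwarder_for(m) for m in cache.values())
    return cache, dict(before), dict(after)


if __name__ == "__main__":
    cache, before, after = simulate_subnet()
    print(cache)
    print("load before R2 failure:", before, "after:", after)
```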

Figure 31: Comparison table of HSRP, VRRP and GLBP

5. Introduction to Access Control Lists

- An ACL is a list of statements applied to the interfaces of a router. The list tells the router
which kinds of packet to accept (allow) and which to discard (deny). Acceptance or rejection can
be based on the source address, the destination address or the port number.

5.1 Why use ACLs?

Figure 32: Advantages of Access Control Lists

- Managing IP traffic

- Providing a basic level of security for network access, in the form of packet filtering on the
router

Functions:

- Identify the appropriate route for DDR (dial-on-demand routing)
- Convenient filtering of IP packets
- Provide high network availability

5.2 Meaning of the IP and wildcard in an ACL

The IP and the wildcard are used to compare whether a packet really is the object to be
identified.
With a standard ACL only the packet's source address is compared.
With an extended ACL all the information declared in each ACL entry is compared.
The packet's IP address (source or destination) is matched against the corresponding content of
an ACL entry as follows:
 o the IP of the ACL entry is ORed with the wildcard
 o the IP of the packet is ORed with the wildcard
 o the two results are compared; if they are equal, the packet matches
Example:
ACL: IP = 172.16.0.0; Wildcard = 0.15.255.255
Packet 1: IP = 172.17.1.100
OR #1 (ACE): 172.31.255.255 = OR #2: 172.31.255.255
Packet 2: IP = 172.32.1.100
OR #1 (ACE): 172.31.255.255 != OR #2: 172.47.255.255
Since the result of an OR is 1 whenever any of its inputs is 1, the comparison effectively takes
place only on the bits whose wildcard value is 0.

5.3 Types of Access Control List

* There are two kinds of access list: standard access lists and extended access lists.

- Standard ACLs: filter on the source IP address of packets entering the network; placed close
to the destination.

- Extended ACLs: filter on the source and destination IP address of a packet, the network-layer
protocol such as TCP, UDP or ICMP, and the port numbers in the transport-layer header.
Should be placed close to the source.

* Special ACLs
a. Dynamic ACLs
Characteristics: used only to filter IP traffic; dynamic ACLs depend on Telnet connectivity,
authentication (local or remote) and extended ACLs.
- A user opens a connection to a border router configured for lock-and-key. The user's
connection goes through a virtual terminal port on the router.
- On receiving the Telnet packet the router opens a Telnet session and asks for a password or
a username for authentication. The user must pass authentication before being allowed through
the router. Authentication is performed by the router or by an authentication server using the
RADIUS or TACACS protocol.
- Once the user has passed authentication, they leave the Telnet session and an entry appears in
the dynamic ACL.
- From then on the user exchanges data through the firewall.
- When the configured timeout expires, the router deletes the entry it created in the dynamic
ACL, or the administrator can delete it by hand. There are two kinds of timeout: idle timeout and
absolute timeout. With an idle timeout, if the user does not use the session for a certain period
the dynamic entry is deleted. An absolute timeout is a fixed period during which the user may use
the session; when it ends, the entry in the dynamic ACL is deleted.
Uses:
- When you want to let a user or a group of users reach a particular host in your network, or
reach remote hosts across the Internet. Lock-and-key ACLs authenticate the user and then grant
limited access through the firewall router to a host or a subnet for a limited period.
- When you want a subnet of your local network to reach a host in a remote network that is
protected by a firewall. With lock-and-key ACLs you can reach the remote host from only a
designated set of hosts. Lock-and-key ACLs require users to authenticate through an AAA or
TACACS+ server, or another security server, before the hosts are allowed to reach the remote
hosts.
b. Reflexive ACLs
Characteristics: these ACLs can only be created with extended named ACLs, not with numbered
or standard named ACLs.
Uses: to permit IP traffic from outside that belongs to a session initiated from inside the
network, and to block IP traffic for sessions initiated from the outside network. These ACLs
inspect outgoing packets; if a packet initiates a session, they automatically add an outbound entry
that permits the return traffic. Reflexive ACLs filter sessions better than the permit ...
established statement, which looks only at the ACK and RST bits. Reflexive ACLs filter on the
packet's source address, destination address, port, and ACK and RST bits. Session filtering also
uses temporary filters that are removed when a session ends.
c. Time-based ACLs
Characteristics: the same function as extended ACLs, but they allow access control based on
time.
Uses: to filter packets on the same information as extended ACLs plus time information.

5.4 ACL positions

5.4.1 Inbound ACLs

+ Inbound: put simply, the entry interface (the packet's incoming direction) on the router; the
packets are processed by the ACL before being routed to the outbound interface. Here packets
are dropped if they do not match the routing table; if a packet is accepted it is processed before
transmission.

5.4.2 Outbound ACLs

+ Outbound: the interface through which packets leave the router; the packets are routed to the
outbound interface and processed by the ACL before being placed in the outbound queue.

5.5 How ACLs work

- An ACL is processed in the order of the statements in the access-list configuration. If a
condition in the list is matched, it is applied and the remaining statements are not checked. If
none of the statements match, a default deny any statement is applied. The end of an access list
is an implicit deny all. An access list must therefore contain at least one permit statement.

When a packet enters an interface, the router checks whether there is an ACL on the inbound
interface; if there is, the packet is checked against the conditions in the list.

If the packet is allowed, it goes on to be checked against the routing table to choose the
interface toward its destination.

Next, the router checks whether the outbound interface has an ACL. If not, the packet can be
sent to the destination network. If there is an ACL on the outbound interface, the packet is
checked against the conditions in that ACL.
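An added example (not from the thesis) covering both the wildcard comparison of 5.2 and the first-match, implicit-deny processing of 5.5: wildcard_match performs the OR comparison exactly as written above and reproduces the two packets of the 5.2 example, while evaluate_standard_acl walks a constructed standard ACL in order. The ACL entries and the 172.16.5.x addresses are constructed.

```python
import ipaddress


def _to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _to_str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))


def wildcard_match(acl_ip: str, wildcard: str, packet_ip: str):
    """The page's procedure: OR the ACE address and the packet address with the
    wildcard, then compare. Returns (matched, OR#1, OR#2) in dotted form."""
    w = _to_int(wildcard)
    or1 = _to_int(acl_ip) | w
    or2 = _to_int(packet_ip) | w
    return or1 == or2, _to_str(or1), _to_str(or2)


def wildcard_match_fast(acl_ip: str, wildcard: str, packet_ip: str) -> bool:
    """Equivalent form: only the bits whose wildcard value is 0 are compared."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(acl_ip) & care) == (_to_int(packet_ip) & care)


# A standard ACL is an ordered list of (action, source, wildcard) entries (constructed).
SAMPLE_ACL = [
    ("deny",   "172.16.5.0", "0.0.0.255"),      # one subnet blocked first
    ("permit", "172.16.0.0", "0.15.255.255"),   # the 5.2 range 172.16.0.0 - 172.31.255.255
]


def evaluate_standard_acl(acl, source_ip):
    """First match wins and later entries are never examined; if nothing matches, the
    implicit 'deny any' at the end applies, returned here as ("deny", None)."""
    for index, (action, ip, wildcard) in enumerate(acl):
        if wildcard_match(ip, wildcard, source_ip)[0]:
            return action, index
    return "deny", None


def explain(acl, source_ip):
    action, index = evaluate_standard_acl(acl, source_ip)
    where = f"entry {index}" if index is not None else "implicit deny at end of list"
    return f"{source_ip}: {action} ({where})"


if __name__ == "__main__":
    for ip in ("172.17.1.100", "172.32.1.100", "172.16.5.7"):
        print(explain(SAMPLE_ACL, ip))
```

Note that 172.16.5.7 falls inside the permitted range of entry 1 but is still denied, because the deny entry precedes it.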

5.6 Points to note

* Only one ACL per protocol per direction can be set on each interface. An interface can have
several ACLs.
* A router cannot filter traffic that originates from itself.
* Statements are processed in the order in which they appear. A new statement added to the list
goes at its end.
* Standard ACLs: place close to the traffic's destination.
* Extended ACLs: place close to the traffic's source.
* By default both the access-group and the access-class commands apply in the OUT direction.

6. Dynamic Host Configuration Protocol (DHCP)

6.1 Purpose and functions

- DHCP works in client-server mode. A DHCP server lets the DHCP clients on an IP network
obtain their IP configuration from that server.

- Using DHCP reduces the work of managing the IP network, because most of a client's IP
configuration is obtained from the server.

- A DHCP client can run on most operating systems: Windows, Novell, Sun Solaris, Linux and
Mac OS.

- DHCP is a solution that makes network management easier and is scalable.

Figure 33: DHCP operation

6.2 Introduction to NAT and PAT

- NAT (Network Address Translation)

- A mechanism for translating the private IP addresses in the LAN into public addresses in the
WAN so that they can be routed to the Internet.

- NAT is used to conserve registered IP addresses in a large network and to simplify IP
address management.

- NAT brings many benefits to companies and to the Internet.

- It is usually applied on a firewall or on edge routers.

Static NAT

- Lets a device with a private address be seen on a public network.

- Static NAT is entered directly into the configuration and sits in the translation table; it is
usually used for web servers.

Dynamic NAT

- Designed to map one IP address to another automatically, normally a private address to a
public address.

- Any IP address in a predefined pool of public addresses can be assigned to a host on the
inside (private) network.

Figure 34: Dynamic NAT model

6.2.1 NAT terminology

- Inside local address: the IP address assigned to a host on the inside network.

- Inside global address: an address registered with the NIC (a global IP address), used to
replace one or more inside local addresses.

- Outside local address: the IP address of an outside host as it appears inside the network.

- Outside global address: the IP address assigned to a host on the outside network. This
address comes from a globally routable address or from the network's address space.

6.3 Advantages of NAT

- No need to assign new IP addresses to every host when moving to a new ISP, which saves
time and money.

- Saves addresses through the use of PAT.

- Protects the network, because the inside network does not expose its addresses and internal
structure to the outside.

Figure 35: Advantages of NAT

6.4 PAT (Port Address Translation)

- Lets many private IP addresses be translated into a single public IP address.

- PAT uses the source port number together with the inside private IP address to tell the
translations apart.
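An added Python model (not the thesis's configuration) of the PAT translation table: several inside local addresses share one inside global address, and the translated source port is what tells the return packets apart. The addresses 10.0.0.x, 203.0.113.5 and 198.51.100.10 are constructed, and keeping the host's original source port when it is free is a simplification of what a real translator does.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Port Address Translation: every inside local address is rewritten to the one
    inside global address, and the translated source port keeps the flows apart."""

    def __init__(self, inside_global: str, port_range=(1024, 65535)):
        self.inside_global = inside_global
        self.low, self.high = port_range
        self.outbound = {}   # (proto, inside_local, local_port) -> global_port
        self.inbound = {}    # (proto, global_port) -> (inside_local, local_port)

    def _allocate(self, proto, wanted):
        # simplification: keep the host's own port if free, else take the lowest free one
        if self.low <= wanted <= self.high and (proto, wanted) not in self.inbound:
            return wanted
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.inbound:
                return port
        raise RuntimeError("PAT port pool exhausted")

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to inside_global:global_port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = self._allocate(pkt.proto, pkt.src_port)
            self.outbound[key] = port
            self.inbound[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.inside_global, self.outbound[key],
                      pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet):
        """Outside -> inside: only traffic matching an existing entry is let back in;
        anything else addressed to the global address has no translation (None)."""
        if pkt.dst_ip != self.inside_global:
            return None
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside_ip, inside_port)


def demo():
    """Constructed: two inside hosts choose the same source port 50000 toward one server,
    so the second must be given a different global port to stay distinguishable."""
    pat = PatTable("203.0.113.5")
    a = pat.translate_outbound(Packet("tcp", "10.0.0.2", 50000, "198.51.100.10", 443))
    b = pat.translate_outbound(Packet("tcp", "10.0.0.3", 50000, "198.51.100.10", 443))
    reply_b = pat.translate_inbound(Packet("tcp", "198.51.100.10", 443, "203.0.113.5", b.src_port))
    stray = pat.translate_inbound(Packet("tcp", "198.51.100.10", 443, "203.0.113.5", 9999))
    return a, b, reply_b, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```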

II. KIN THC C BN V MNG WAN


1. Cc cng ngh WAN ph bin
1.1 Cng ngh Leased Line
- Leased-Line, hay cn gi l knh thu ring, l mt hnh thc kt ni trc tip gia cc
node mng s dng knh truyn dn s liu thu ring. Knh truyn dn s liu thng
thng cung cp cho ngi s dng s la chn trong sut v giao thc u ni hay ni
cch khc, c th s dng cc giao thc khc nhau trn knh thu ring nh PPP, HDLC,
LAPB v.v
- V mt hnh thc, knh thu ring c th l cc ng cp ng trc tip kt ni gia
hai im hoc c th bao gm cc tuyn cp ng v cc mng truyn dn khc nhau. Khi
knh thu ring phi i qua cc mng khc nhau, cc quy nh v cc giao tip vi mng
truyn dn s c quy nh bi nh cung cp dch v. Do , cc thit b u cui CSU
/DSU cn thit kt ni knh thu ring s ph thuc vo nh cung cp dch v. Mt s
cc chun kt ni chnh c s dng l HDSL, G703 v.v

- Khi s dng knh thu ring, ngi s dng cn thit phi c cc giao tip trn cc
b nh tuyn sao cho c mt giao tip kt ni WAN cho mi kt ni knh thu ring ti
mi node. iu c ngha l, ti im node c kt ni knh thu ring n 10 im khc
nht thit phi c 10 giao tip WAN phc v cho cc kt ni knh thu ring. y l
mt vn hn ch v u t thit b ban u, khng linh hot trong m rng pht trin,

ti: Xy dng h tng mng doanh nghip 93


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

phc tp trong qun l, c bit l chi ph thu knh ln i vi cc yu cu kt ni xa v


khong cch a l.

- Giao thc s dng vi leased-line l HDLC, PPP, LAPB.

HDLC: l giao thc c s dng vi h b nh tuyn Cisco hay ni cch khc ch


c th s dng HDLC khi c hai pha ca kt ni leased-line u l b nh tuyn
Cisco.

PPP: l giao thc chun quc t, tng thch vi tt c cc b nh tuyn ca cc nh


sn xut khc nhau. Khi u ni knh leased-line gia mt pha l thit b ca Cisco
v mt pha l thit b ca hng th ba th nht thit phi dng giao thc u ni ny.
PPP l giao thc lp 2 cho php nhiu giao thc mng khc nhau c th chy trn
n, do vy n c s dng ph bin.

APB: l giao thc truyn thng lp 2 tng t nh giao thc mng X.25 vi y
cc th tc, qu trnh kim sot truyn dn, pht trin v sa li. LAPB t c s
dng.

1.2 Cng ngh Frame-Relay

- L chun ca t chc lin minh vin thng th gii (ITU-T) v vin tiu chun quc
gia M (ANSI)

- L cng ngh chuyn mch gi lp Data-Link theo hng kt ni. S dng mt phn
giao thc HDLC lm giao thc LADF (Link Access Procedure for Frame Relay )

- Thc hin truyn frame gia DTE v DCE ti im demarcation. Cc Router bin ca
Lan l DTE. Cc DTE s c kt ni qua ng E1/T1 vo Frame-Relay Switch l DCE.

ti: Xy dng h tng mng doanh nghip 94


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Tc t 64KB /s n 45MB/s, tin cy cao, tr thp v kim sot tt nghn


mng. H tr cc m hnh kt ni point to point v point to multipoint.

- c xem nh giao din gia ngi dng v thit b mng, do ISP cung cp hoc mng
do t nhn qun l, trin khai dch v Frame Relay cng cng bng vic t Frame Relay
Switch trong tng i ca ISP.

- Dng Frame Relay tit kim kt ni hn Leased Line nhng phi tn thm chi ph cho
cc Frame Relay Switch

Hnh 36 M hnh Frame-Relay


a. Qu trnh ng gi Frame Relay
- Qu trnh ng gi Frame Relay thc hin theo cc bc nh sau :

* Nhn gi d liu t lp mng, v d n IP v IPX


* ng gi thnh cu trc frame ca Frame Relay
* Chuyn frame xung tng vt l chuyn i

- Tng vt l thng l V.35, X.21, EIA/TIA-232, 449 hay 530

ti: Xy dng h tng mng doanh nghip 95


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Frame ca Frame Relay s dng mt phn nh dng ca HDLC nn cng c phn


flag 01111110, phn FCS c dng kim tra li ca frame. Vic kim tra li c
giao cho cc lp trn ca m hnh OSI m nhn

- Hai kiu ng gi Frame Relay trn Router Cisco

* Cisco :
- L kiu ng gi Frame Relay c quyn ca Cisco
- L mc nh ca Router Cisco khi ng gi Frame Relay
- Kiu ng gi ny s dng 2 byte phn Header, trong :
- 1 byte xc nh ch s DLCI
- 1 byte xc nh loi gi d liu
- S dng chun Cisco khi router hai u u ca Cisco. Tuy nhin mt s router ca
hng khc cng h tr chun ny.

* IETF:

- Kiu ng gi ph hp vi chun RFC 1490 ca IETF

- S dng chun IETF khi router u bn kia khng phi ca Cisco

1.3 Cng ngh DSL

- DSL ( Digital Subscriber Line) : L cng ngh cho php s dng nhng tn s cha
dng trn cp ng truyn d liu tc cao, ln n hng Megabits.

- DSL s dng k thut truyn bng thng rng ghp nhiu di tn s khc nhau trn
cng mt ng truyn vt l truyn d liu.

ti: Xy dng h tng mng doanh nghip 96


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

a. c im DSL

- Trn ng dy in thoi thng ch dng khong tn s t 0 4 KHZ truyn d


liu m thanh.

- Cng ngh DSL tn dng c im ny truyn trn cng ng dy nhng tn


s trn 4Khz n 1Mhz.

- DSL c th cho php tn hiu thoi v d liu cng truyn mt lc qua cng mt
ng cp.

- V dch v DSL lun sn sng nn ngi dng khng phi quay s dialup hoc i
cho cuc gi c thit lp.

- DSL types

Hnh 37 Tc DSL

u im v gii hn ca DSL:

Cc u im ca ADSL:
- Tc truy cp cao
- Truyn thng tin tch hp data, voice v video.

ti: Xy dng h tng mng doanh nghip 97


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Lun lun online (always on): gip trin khai cc dch v nh personal web.
- Chi ph bo tr thp.

Gii hn ca DSL:
- Tc truyn DSL t l nghch vi khong cch gia CPE v DSLAM.
- V l mng cng cng nn phi tn km chi ph cho vn bo mt.

Cc yu t nh hng n cht lng ca DSL l:


- S lng cc thit b gn vo line DSL.
- Bridge-tap : m rng ca CPE v CO.

1.4 Cng ngh MPLS ( Multi Protocol Label Switching )

- MPLS ( Multi Protocol Label Switching) l cng ngh chuyn mch s dng label
(nhn ) chuyn cc gi tin, s dng vi c cc giao thc Non-IP.

- Mi nhn lun c gn cho mt IP ch nht nh ( Ging bng IP Forwarding).

- Cc nhn c chn vo gia header ca lp 3 v header ca lp 2 trong trng hp


s dng k thut da trn khung lp 2. Mc tiu chnh ca MPLS l to ra mt cu trc
mng mm do cung cp cho c tnh m rng v n nh ca mng.

- MPLS h tr iu khin lu lng v kh nng hot ng ca VPN v c lin quan


n Cht lng dch v ( QoS) vi nhiu lp dch v (Cos)

- MPLS bao gm 2 thnh phn chnh l:

* Mt phng iu khin : Trao i thng tin nh tuyn v cc nhn.

* Mt phng d liu : Chuyn gi tin (packet) hoc t bo d liu (cell)

- Mi LSR ng k mt nhn cho mi ch n trong bng nh tuyn. Nhn ch c gi


tr ni b v c th c qung b trc tip vi cc neighbor.

ti: Xy dng h tng mng doanh nghip 98


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

- Cc gi tin c chuyn tip s dng nhn t bng LFIB, qu trnh cu hnh MPLS
bao gm cu hnh IP CEF, tag switching, v thit lp kch thc MTU.

- K thut MPLS VPN kt hp tnh nng tt nht cho chuyn mch mng li v nh
tuyn mng bin. Router PE chuyn cc gi tin theo ng MPLS VPN s dng chng
nhn (label stack)

Hnh 38 M hnh MPLS Topology


1.4.1 u im v ng dng ca MPLS

u im :

* MPLS nhanh hn cc giao thc kt ni WAN khc v tc v gim thi gian tr


mt cch hiu qu

* Kh nng m rng cao v s lng ngi dng

* Cng ngh tng i n gin

ti: Xy dng h tng mng doanh nghip 99


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

* MPLS cung cp tnh nng iu khin lu lng s dng hiu qu ti nguyn


mng

ng dng :

- MPLS VPN
- MPLS traffic Engineering
- MPLS QoS
- MPLS Multicast/ Unicast Routing.
2. Cng ngh mng ring o VPN (Vitural Private Network)
Mng ring o, c tn ting Anh l Virtual Private Network, vit tt l VPN. Sau y ta
thng gi ngn gn theo tn vit tt. VPN l phng php lm cho mt mng cng cng
(nh mng Internet) hot ng ging nh mng cc b, cng c cc c tnh nh bo mt
v tnh u tin m ngi dng yu thch.

Theo cch ni n gin, VPN l mt s m rng ca mng Intranet qua mt mng cng
cng (nh Internet) m m bo s bo mt v hiu qu kt ni gia 2 im truyn thng
cui. Mng Intranet ring c m rng nh s tr gip ca cc "ng hm". Cc ng
hm ny cho php cc thc th cui trao i d liu theo cch tng t nh truyn thng
im - im.

Mt bo co nghin cu v VPN cho thy: C th tit kim t 20% n 47% chi ph


mng WAN khi thay th cc ng Lease-Line truy cp mng t xa bng VPN. V vi
VPN truy cp t xa c th tit kim t 60% n 80% chi ph khi s dng ng Dial-up
truy cp t xa n Cng ty.

Mng ring o thc s chinh phc cuc sng. Vic kt ni cc mng my tnh ca
cc doanh nghip lu nay vn c thc hin trn cc ng truyn thu ring, cng c
th l kt ni Frame Relay hay ATM. Nhng, ro cn ln nht n vi cc doanh nghip

ti: Xy dng h tng mng doanh nghip 100


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

t chc l chi ph. Chi ph t nh cung cp dch v, chi ph t vic duy tr, vn hnh h
tng mng, cc thit b ring ca doanh nghip... rt ln. V vy, iu d hiu l trong thi
gian di, chng ta gn nh khng thy c nhiu ng dng, gii php hu ch trn mng
din rng WAN.

R rng, s ra i ca cng ngh mng ring o cho php cc t chc, doanh nghip
c thm s la chn mi. Khng phi v c m cc chuyn gia vin thng nhn nh:
"Mng ring o chnh l cng ngh mng WAN th h mi".

2.1 nh ngha VPN


Cng ty/doanh nghip ca bn c nhiu chi nhnh mun kt ni vi nhau trao i d
liu v s dng cc dch v trong mng ni b ca tr s chnh? Hoc bn l ngi phi
thng xuyn lm vic lu ng mun kt ni vo h thng mng ni b ca cng ty mnh
thng qua mt mi trng public nh Internet?

Vy u l gii php cho nhng yu cu trn? Cu tr li l VPN (Virtual Private


Network), mt gii php mng ring o cho php bn thc hin nhng yu cu trn.

VPN cho php cc host gia nhiu chi nhnh truyn thng vi nhau thng qua mt ng
hm o (tunnel). Khi , gia cc chi nhnh nh c kt ni trc tip vi nhau trong
cng mt mng Private.

V tuyt vi hn na l VPN m bo d liu c bo mt an ton mt cch tuyt i khi


truyn thng qua mt mi trng khng tin cy nh Internet.

ti: Xy dng h tng mng doanh nghip 101


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

Hnh 39 M hnh VPN


2.2 Lch s hnh thnh v pht trin
- Khi nim u tin v VPN c AT&T (tn 1 cng ty vin thng M) a ra
vo khong cui thp nin 80. VPN c bit n nh l mng c nh ngha bi phn
mm (Software Defined Network SDN). SDN l mng WAN vi khong cch xa, n
c thit lp dnh ring cho ngi dng. SDN da vo c s d liu truy nhp phn
loi truy nhp vo mng gn hoc t xa. Da vo thng tin, gi d liu s c nh
tuyn n ch thng qua c s h tng chuyn mch cng cng. Th h th 2 ca VPN
xut hin cng vi s ra i ca cng ngh X25 v ISDN vo u thp k 90. Trong mt
thi gian, giao thc X25 qua mng ISDN c thit lp nh l 1 giao thc ca VPN, tuy
nhin, t l sai li trong qu trnh truyn dn vt qu s cho php. Do th h th hai
ca VPN nhanh chng b lng qun trong mt thi gian ngn. Sau th h th 2, th trng
VPN b chm li cho n khi cng ngh Frame Relay v cng ngh ATM ra i - th h
th 3 ca VPN da trn 2 cng ngh ny. Nhng cng ngh ny da trn khi nim chuyn
mch knh o. Trong thi gian gn y, thng mi in t tr thnh 1 phng thc
thng mi hu hiu, nhng yu cu ca ngi s dng mng VPN cng r rng hn.
Ngi dng mong mun 1 gii php m c th d dng c thc hin, thay i, qun tr,
c kh nng truy nhp trn ton cu v c kh nng cung cp bo mt mc cao, t u
cui n u cui. Th h gn y (th h th 4) ca VPN l IP-VPN. IP-VPN p ng
c tt c nhng yu cu ny bng cch ng dng cng ngh ng hm.

ti: Xy dng h tng mng doanh nghip 102


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

2.3 Nhng li ch VPN mang li

VPN mang li nhiu li ch, nhng li ch ny bao gm:

- Gim chi ph thc thi: Chi ph cho VPN t hn rt nhiu so vi cc gii php truyn
thng da trn ng Lease-Line nh Frame Relay, ATM hay ISDN. Bi v VPN loi tr
c nhng yu t cn thit cho cc kt ni ng di bng cch thay th chng bi cc
kt ni cc b ti ISP hoc im i din ca ISP.

- Gim c chi ph thu nhn vin v qun tr: V gim c chi ph truyn thng
ng di. VPN cng lm gim c chi ph hot ng ca mng da vo WAN mt cch
ng k. Hn na, mt t chc s gim c ton b chi ph mng nu cc thit b dng
trong mng VPN c qun tr bi ISP. V lc ny, thc t l T chc khng cn thu
nhiu nhn vin mng cao cp.

- Nng cao kh nng kt ni: VPN tn dng Internet kt ni gia cc phn t xa


ca mt Intranet. V Internet c th c truy cp ton cu, nn hu ht cc nhnh vn
phng, ngi dng, ngi dng di ng t xa u c th d dng kt ni ti Intranet ca
Cng ty mnh.

- Bo mt cc giao dch: V VPN dng cng ngh ng hm truyn d liu qua


mng cng cng khng an ton. D liu ang truyn c bo mt mt mc nht
nh, Thm vo , cng ngh ng hm s dng cc bin php bo mt nh: M ho,
xc thc v cp quyn bo m an ton, tnh tin cy, tnh xc thc ca d liu c
truyn, Kt qu l VPN mang li mc bo mt cao cho vic truyn tin.

- S dng hiu qu bng thng: Trong kt ni Internet da trn ng Lease-Line, bng


thng hon ton khng c s dng trong mt kt ni Internet khng hot ng. Cc
VPN, ch to cc ng hm logic truyn d liu khi c yu cu, kt qu l bng

ti: Xy dng h tng mng doanh nghip 103


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

thng mng ch c s dng khi c mt kt ni Internet hot ng. V vy lm gim ng


k nguy c lng ph bng thng mng.

- Nng cao kh nng m rng: V VPN da trn Internet, nn cho php Intranet ca mt
cng ty c th m rng v pht trin khi cng vic kinh doanh cn phi thay i vi ph
tn ti thiu cho vic thm cc phng tin, thit b. iu ny lm cho Intranet da trn
VPN c kh nng m rng cao v d dng tng thch vi s pht trin trong tng lai.

- Nh chng ta thy, yu cu ng dng cc cng ngh mi v m rng mng i vi cc


mng ring ngy cng tr nn phc tp v tn km. Vi gii php mng ring o, chi ph
ny c tit kim do s dng c s h tng l mng truyn s liu cng cng ( Vit Nam,
thc t chi ph tn km cho mng ring l chi ph cho cc knh thu ring ng di, cc
mng ring cng khng qu ln v phc tp, gii php VPN s l gii php gip tit kim
chi ph cho knh truyn ring cng nh s dng hiu qu hn c s h tng mng truyn
s liu cng cng).

- Trn y l mt s li ch c bn m gii php VPN mang li. Tuy nhin bn cnh ,


n cng khng trnh khi mt s bt li nh: Ph thuc nhiu vo Internet. S thc thi ca
mt mng da trn VPN ph thuc nhiu vo s thc thi ca Internet. Cc ng Lease-
Line bo m bng thng c xc nh trong hp ng gia nh cung cp v Cng ty.
Tuy nhin khng c mt m bo v s thc thi ca Internet. Mt s qu ti lu lng v
tc nghn mng c th nh hng v t chi hot ng ca ton b mng da trn VPN.

- Kh nng qun l: cng l vn kh khn ca VPN. Cng vi l do l chy ngang


qua mng Internet nn kh nng qun l kt ni end to end t pha mt nh cung cp n
l l iu khng th thc hin c. V th nh cung cp dch v (ISP) khng th cung cp
cht lng 100% nh cam kt m ch c th c ht sc. Cng c mt li thot l cc nh
cung cp k kt vi nhau cc bn tho thun v cc thng s mng, m bo cht lng
dch v cho khch hng. Tuy nhin cc cam kt ny cng khng m bo 100%.

ti: Xy dng h tng mng doanh nghip 104


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

2.4 Nhng yu cu i vi VPN


- A basic VPN deployment must meet the following requirements:
Compatibility: every company and enterprise has built its LAN and WAN on different protocols, not following any single standard of a service provider. Many networks do not use the TCP/IP standards and therefore cannot connect directly to the Internet. To use an IP VPN, every private network must migrate to an addressing scheme following the Internet standard and add features for creating virtual tunnels, and the Internet gateway must be able to convert the various protocols to IP. Most customers asked require that the IP VPN provider they choose be compatible with their existing equipment.
Availability: a VPN solution must guarantee quality of service, service performance and capacity. Quality of Service (QoS) is a measure of a network's ability to guarantee service quality end to end. QoS covers the ability to bound service delay within a given range, the bandwidth, or both.
Data security: a VPN must provide four functions to secure packets:
Authentication: ensures the data originates from the claimed source.
Access control: restricts unauthorized users from gaining access to the network.
Confidentiality: prevents attackers from reading or copying data as it travels across the Internet.
Data integrity: ensures data is not altered for any reason while in transit across the Internet.


2.5 Common VPN connection models


2.5.1 Remote-access VPN (Remote VPN)

Figure 40 Setting up a remote VPN


- Also called a Virtual Private Dial-up Network (VPDN), this is a user-to-LAN connection for company employees who need to reach the private network from remote locations using a variety of devices.
- Once the VPN is deployed, employees only need an Internet connection through an ISP and VPN client software to reach the organization's intranet or extranet over the public network infrastructure. The service lets users access the company's network resources as if they were connected to that network directly.
- A remote VPN provides remote access to an organization's intranet or extranet over shared infrastructure. Remote-access VPNs use analogue, dial-up, ISDN, DSL, mobile IP and cable technologies to establish secure connections for mobile users, telecommuters and branch offices.
2.5.2 Intranet VPN


Figure 41 Setting up an Intranet VPN

- An Intranet VPN is deployed for companies that have several remote branches, each with its own LAN. It links the head office and the branches to the intranet over shared infrastructure using dedicated connections.
- Advantages:
+ Because the Internet serves as the connecting medium, new peer-to-peer links are easy to provide.
+ Because each site connects to a local ISP, access is faster and better, and eliminating long-distance services reduces the organization's cost of running the intranet.
- Disadvantages:
+ Because data is tunnelled across a shared public network, network attacks such as denial of service remain a serious threat to network security.
+ The chance of losing packets in transit is still high.
+ For multimedia data, transmission delay remains very high and throughput can drop very low under Internet conditions.

+ Because of the Internet connection, performance can be interrupted and QoS cannot be guaranteed.

2.5.3 Extranet VPN

Figure 42 Setting up an Extranet VPN


- An Extranet VPN is deployed for companies that need to connect with many partners and close customers who work together over a virtual private network.
- It links customers, suppliers, partners or communities of interest to the organization's network over shared infrastructure using dedicated connections. An Extranet VPN differs from an Intranet VPN in that it grants access to users outside the organization.
- Advantages:
+ Easy to implement, maintain and change
+ Low setup cost
- Disadvantages:

+ Increased risk of intrusions into the organization's intranet
+ Communication latency is still high

2.6 Layer 2 tunnelling protocols in VPNs


2.6.1 PPTP (Point-to-Point Tunneling Protocol)
- PPTP is used on client machines running Microsoft Windows NT 4.0 and Windows 95 and later. It is used to encrypt data travelling over the network, carrying protocols such as NetBEUI and IPX inside a single packet. PPTP relies on RSA's RC4 cipher with 40-bit or 128-bit keys, and can use any authentication mechanism supported by PPP.
2.6.2 L2F (Layer 2 Forwarding)
- A protocol developed by Cisco Systems. L2F is designed to create a tunnel between a NAS and a VPN gateway for carrying frames: a remote user connects to the NAS, and the user's PPP frames are forwarded to the VPN gateway inside the tunnel.
2.6.3 L2TP (Layer 2 Tunneling Protocol)
- A standard proposed by the IETF, L2TP combines the two strengths of remote access in L2F (Cisco's Layer 2 Forwarding) and the fast point-to-point connectivity of PPTP (Microsoft's Point-to-Point Tunneling Protocol). In a remote-access environment L2TP sets up a tunnel for frames and uses PPP to carry data through it. Note, however, that L2TP itself provides no encryption; in practice it is combined with IPSec (L2TP/IPSec) for that.
2.7 Layer 3 tunnelling protocol in VPNs (IPSec)
2.7.1 IPSec overview
- IP Security (IPSec) is a protocol suite standardized by the IETF since 1998 to strengthen the encryption and authentication of information carried over IP networks. In other words, IPSec is a collection of open standards designed to ensure data confidentiality, data integrity and data authentication between network devices.


- IPSec performs encryption and authentication at the network layer. It provides end-to-end data security within the network architecture itself (for example when implementing a VPN), so security is achieved without changing applications or end systems. The protected packets have the same format as ordinary IP packets, so they are routed across the Internet without any change to intermediate network devices, which considerably lowers deployment and administration costs. IPSec provides four important functions:
- Confidentiality (encryption): the sender can encrypt data before sending it across the network, so nobody can eavesdrop on the link; if the traffic is intercepted, the data cannot be read.
- Data integrity: the receiver can verify that data sent across the Internet has not been altered. IPSec ensures integrity with keyed hashes (HMACs), not with plain checksums.
- Authentication: ensures the connection is made with the right parties; the receiver can verify the origin of a packet and hence the origin of the information.
- Anti-replay protection: confirms that each packet is unique and not a duplicate.
- IPSec is a framework that combines security protocols to provide a VPN with data confidentiality, integrity and authentication. It works with a set of open standards designed to ensure confidentiality, integrity and authentication of data between the devices taking part in the VPN. These devices can be hosts, security gateways (routers, firewalls, VPN concentrators, ...), or a host and a gateway as in remote-access VPNs.
2.7.2 IPSec Security Associations (IPSec SA)
- Security Associations (SAs) are a basic concept of the IPSec suite. An SA is a unidirectional logical connection between two entities using IPSec services. An SA records:
The authentication protocols, keys and algorithms.
The mode and keys of the authentication algorithms used by the Authentication Header (AH) or Encapsulating Security Payload (ESP) protocols of the IPSec suite.
The encryption and decryption algorithms and their keys.
Key-related information such as the key change interval or key refresh interval.
Information about the SA itself, including the SA source address and its lifetime.
An IPSec SA is identified by 3 fields:

Figure 43 The three fields of an SA
SPI (Security Parameter Index): a 32-bit field identifying the security protocol (defined by the Security protocol field) within the IPSec suite in use. The SPI is carried in the header of the security protocol and is normally chosen by the destination system during SA negotiation.
Destination IP address: the IP address of the destination node. Although it could be a broadcast, unicast or multicast address, the current SA management mechanism is only defined for unicast.
Security protocol: describes the IPSec security protocol, either AH or ESP.
Note:
- A broadcast is meant for all systems on the same network or subnet; a multicast is sent to several (but not all) nodes of a given network or subnet; a unicast is meant for a single destination node.
- Because an SA is by nature one-directional, two SAs must be defined for two communicating endpoints, one for each direction. Moreover, an SA can provide security services for a VPN session protected by either AH or ESP, so if a session needs the double protection of both AH and ESP, 2 SAs must be defined for each direction. This set of SAs is called an SA bundle.
- IPSec SAs use 2 databases. The Security Association Database (SAD) holds the information related to each SA: the algorithms and keys, the SA lifetime and the sequence number. The second database, the Security Policy Database (SPD), holds information about the security services, in an ordered list of inbound and outbound policy entries. Like firewall rules and packet filters, these entries define which traffic is processed by IPSec and which is rejected, according to the IPSec standards.
2.7.3 IPSec Security Protocols
- The IPSec suite offers 3 main features:
Authentication and data integrity
IPSec provides a strong mechanism for verifying the authenticity of the sender and for the receiver to detect any modification of packet contents. IPSec protocols offer strong protection against spoofing, replay and denial-of-service attacks.
Confidentiality
IPSec protocols encrypt data with advanced encryption techniques, preventing unauthorized parties from accessing data on its way. IPSec also uses tunnelling to hide the IP addresses of the source node (sender) and destination node (receiver) from eavesdroppers.
Key management
IPSec uses a third protocol, Internet Key Exchange (IKE), to negotiate security protocols and encryption algorithms before and during a session. Just as important, IPSec distributes and checks the encryption keys and updates them when required.

The first two features of the IPSec suite, authentication with data integrity and confidentiality, are provided by the two main protocols of the IPSec suite: Authentication Header (AH) and Encapsulating Security Payload (ESP). The third feature, key management, lies in another protocol suite adopted by IPSec because it is a strong key-management service: IKE.


2.7.4 The IPSec protocols

Figure 44 The protocols in IPSec


- IPSec secures network connections using 2 protocols, which protect packets of both IPv4 and IPv6:
IP Authentication Header guarantees 3 basic properties:
o Integrity of the information.
o Authentication of the information.
o Anti-replay.


IP Encapsulating Security Payload guarantees 4 basic properties:


o Integrity of the information.
o Authentication of the information.
o Encryption of the information.
o Anti-replay.
The algorithms used in IPsec include HMAC-SHA1 for integrity protection, and 3DES-CBC and AES-CBC for encrypting the packet.
- Authentication Header (AH)
AH is used in connections that need no data confidentiality. It is also an option for defending against replay attacks, using a sliding window and discarding older packets. AH protects transmissions over IP. In IPv4 the IP header includes the mutable fields TOS, Flags, Fragment Offset, TTL and Header Checksum, which change in transit and are therefore excluded from the integrity check. AH is inserted directly after the IP header. Below is the layout of the AH header.

Figure 45 Structure of the AH packet


- Meaning of each field:


Next header (8 bits): identifies the protocol used in the transmission, i.e. the type of data carried after the AH header.
Payload length (8 bits): the size of the AH header in 32-bit words, minus 2. For example, if the whole AH header is 6 words long, the Payload length field is 4.
RESERVED (16 bits): reserved for future use (currently set to all zeros).
Security parameters index (SPI, 32 bits): identifies the security parameters which, combined with the IP address, identify the security association applied to the packet. Values 1-255 are reserved, 0 is for special purposes, and the remaining values are assigned to SPIs.
Sequence number (32 bits): an unsigned, always-increasing value that provides the anti-replay service for an SA. This information need not be used by the receiver, but the sender must include it. The counter starts at 0 when the SA is established. If anti-replay is used, the counter must never repeat; because the sender does not know whether the receiver uses anti-replay, the SA is torn down and a new SA re-established after 2^32 packets have been sent.
Authentication data (variable length): holds the Integrity Check Value (ICV) for the packet. This field must be an integer multiple of 32 bits and may contain padding to fill it out to a 32-bit boundary. The ICV is computed with a Message Authentication Code (MAC). MACs are based on symmetric ciphers such as DES and 3DES, or on keyed one-way hash functions such as MD5 or SHA-1 (HMAC). The ICV is computed over the whole new packet. A shared secret key used in the MAC makes the value hard to forge. Each end of the VPN connection computes the ICV independently; if the values do not match, the packet is discarded. This ensures the packet was not altered in transit.
- AH provides authentication, integrity and anti-replay for the whole packet, including the IP header and the data carried in the packet.
- AH provides no privacy and does not encrypt the data, so the data can be read but is protected against modification. AH uses a keyed hash to sign the packet and so guarantee its integrity.

Figure 46 The authenticated parts of an AH packet

Figure 47 Building an AH packet


- AH outbound processing
When an AH SA is first created, the authentication algorithm and keys are recorded and the sequence counter is set to 0. When IPsec determines that an outbound packet needs AH, it looks up the appropriate SA and performs the following steps.
1. A template AH header is inserted between the IP header and the upper-layer header.


2. The sequence number is incremented and stored in the AH header. At this point AH checks that the sequence number does not wrap; if it would, AH creates a new SA and restarts the counter at 0. If it does not wrap, the incremented value is stored in the AH header.
3. The remaining AH fields, except the ICV, are filled in with the specified length.
4. If needed, optional padding is added to the AH header so that it is a multiple of 32 bits (64 bits for IPv6).
5. The mutable fields in the IP header and the ICV field in the AH header are set to 0, and the ICV is computed over the whole IP datagram. If there are intermediate source-routing hops in the IP header, the destination address must be set to the final destination before the ICV is computed.
6. The mutable fields are restored, and the ICV is stored in the AH header. If there is an intermediate source-routing option, the destination address field of the IP header is reset to the intermediate hop.
7. The IP datagram is placed on the output queue for transmission to its destination.
- AH inbound processing
An authenticated IP datagram may be fragmented on its way to the destination. If so, the fragments must be collected and reassembled into the datagram before AH processing. Once the datagram is reassembled, AH performs the following steps.
1. Based on the SPI in the AH header and the destination address in the IP header, the applicable AH SA is identified. If no SA applying to the datagram can be found, the datagram is discarded.
2. If sequence-number checking is enabled, AH checks the sequence number as computed during sending. If the sequence number is too old or a duplicate, the datagram is discarded.
3. AH copies the IP header and AH header and sets the mutable fields in the IP header, as well as the ICV in the AH header, to 0.


4. The authentication algorithm and key specified in the SA are used to compute an ICV over the whole datagram, and the result is compared with the original value in the AH header. If the values differ, the datagram is discarded; if they match, the packet is authenticated as intact.
5. The AH header is removed from the datagram and the original IP header fields are restored. The datagram is placed on the input queue for normal IP processing.
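The outbound and inbound procedures above, carried through in Python as an added example (not code from the thesis or from any IPSec implementation). It assumes transport-mode AH over IPv4 without options, HMAC-SHA1-96 as the integrity algorithm (RFC 2404), and a minimal SAD keyed by (destination address, SPI); the packet, key and SPI are constructed for the example. The replay check is the simplified "must exceed the last accepted sequence number" form; real stacks keep a sliding window.

```python
import hashlib
import hmac
import struct

AH_PROTO = 51        # IP protocol number of the Authentication Header
AH_FIXED_LEN = 12    # Next Header, Payload Len, Reserved, SPI, Sequence Number
ICV_LEN = 12         # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits (RFC 2404)


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """Minimal 20-byte IPv4 header with no options (constructed; checksum left at 0,
    which is harmless here because the checksum is a mutable field outside the ICV)."""
    ip2b = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                       ttl, proto, 0, ip2b(src), ip2b(dst))


def zero_mutable(ip_hdr):
    """Copy of the IPv4 header with the mutable fields zeroed (step 5 of sending,
    step 3 of receiving): TOS, flags/fragment offset, TTL and header checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(ip_hdr, payload, key, spi, seq):
    """Sender, transport mode: insert AH between the IP header and the payload."""
    if not 1 <= seq <= 0xFFFFFFFF:
        raise ValueError("sequence number exhausted: a new SA must be negotiated")
    next_hdr = ip_hdr[9]                        # upper-layer protocol moves into AH
    ah_words = (AH_FIXED_LEN + ICV_LEN) // 4    # 6 words, so Payload Len = 6 - 2 = 4
    ah_fixed = struct.pack("!BBHII", next_hdr, ah_words - 2, 0, spi, seq)
    outer = bytearray(ip_hdr)
    outer[9] = AH_PROTO
    struct.pack_into("!H", outer, 2, len(ip_hdr) + AH_FIXED_LEN + ICV_LEN + len(payload))
    # The ICV covers the whole datagram with mutable fields and the ICV itself zeroed.
    mac_input = zero_mutable(outer) + ah_fixed + b"\x00" * ICV_LEN + payload
    icv = hmac.new(key, mac_input, hashlib.sha1).digest()[:ICV_LEN]
    return bytes(outer) + ah_fixed + icv + payload


def ah_verify(packet, sad):
    """Receiver: SA lookup by (dst, SPI), replay check, ICV check, then strip AH."""
    ip_hdr, ah = packet[:20], packet[20:20 + AH_FIXED_LEN]
    if ip_hdr[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    next_hdr, pl_len, _, spi, seq = struct.unpack("!BBHII", ah)
    ah_total = (pl_len + 2) * 4
    icv, payload = packet[32:20 + ah_total], packet[20 + ah_total:]
    dst = ".".join(str(b) for b in ip_hdr[16:20])
    sa = sad.get((dst, spi))
    if sa is None:
        raise ValueError("no SA for this (destination, SPI): drop")
    if sa["anti_replay"] and seq <= sa["last_seq"]:   # simplified: real stacks use a window
        raise ValueError("replayed or stale sequence number: drop")
    mac_input = zero_mutable(ip_hdr) + ah + b"\x00" * len(icv) + payload
    expected = hmac.new(sa["key"], mac_input, hashlib.sha1).digest()[:len(icv)]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet altered in transit, drop")
    sa["last_seq"] = seq
    inner = bytearray(ip_hdr)                     # restore the original header fields
    inner[9] = next_hdr
    struct.pack_into("!H", inner, 2, 20 + len(payload))
    return bytes(inner), payload


def demo():
    """Round trip plus the two failure cases: a tampered packet and a replayed one."""
    key = b"constructed-example-ah-key"          # constructed; real keys come from IKE
    sad = {("10.0.0.2", 0x1000): {"key": key, "anti_replay": True, "last_seq": 0}}
    hdr = ipv4_header("10.0.0.1", "10.0.0.2", 6, 20 + 5)   # TCP segment carrying "hello"
    pkt = bytearray(ah_protect(hdr, b"hello", key, spi=0x1000, seq=1))
    pkt[8] -= 1                                   # a router decrements TTL: mutable, still verifies
    inner, payload = ah_verify(bytes(pkt), sad)
    tampered = bytearray(ah_protect(hdr, b"hello", key, spi=0x1000, seq=2))
    tampered[-1] ^= 0x01                          # flip one payload bit: ICV no longer matches
    try:
        ah_verify(bytes(tampered), sad)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        ah_verify(bytes(pkt), sad)                # same packet again: sequence number reused
        replay_detected = False
    except ValueError:
        replay_detected = True
    return payload, inner[9], tamper_detected, replay_detected
```

The TTL decrement passing while a single flipped payload bit fails is the whole point of the mutable-field rule: the ICV must survive legitimate changes made by routers, yet catch any change to the fields AH promises to protect.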
- Encapsulating Security Payload (ESP)
ESP provides authentication, integrity and confidentiality for the packet. ESP can also be configured for situations that need only encryption or only authentication.

Figure 48 Structure of the ESP packet

Security parameters index (SPI, 32 bits): identifies the parameters which, combined with the IP address, identify the SA.
Sequence number (32 bits): increments automatically and serves anti-replay protection.
Payload data (variable length): the IP packet, or part of the original packet, depending on the IPSec mode in use. In Tunnel Mode this field holds the entire original IP packet; in Transport Mode it holds only the upper-layer protocol portion of the original packet. The payload length is always an integer number of bytes.
Padding (variable length) and Pad Length (8 bits): the inserted padding and its length.
Next header (8 bits): identifies the protocol carried. In Transport Mode the value is 6 for TCP or 17 for UDP; in Tunnel Mode it is 4 (IP-in-IP).
Authentication data (multiple of 32 bits): the authentication data for the packet, computed over the whole ESP packet except the Authentication data field itself.
- Encryption algorithms include DES, 3DES and AES.
- Authentication algorithms include MD5 and SHA-1 (as HMACs).
- ESP also provides anti-replay protection against replayed packets.
- In transport mode ESP does not apply its algorithms to the whole packet, only to the IP payload, excluding the IP header. ESP can be used alone or combined with AH. Below is a model of ESP processing on user data protected between 2 IPSec peers.


Figure 49 Building an ESP packet


- ESP uses a symmetric cipher to encrypt the data in IPSec packets, so for a connection between two endpoints protected by ESP encryption, both sides must use the same key to encrypt and decrypt the packets.
- When an endpoint encrypts data, it splits the data into small blocks and then performs the encryption operation repeatedly using the data blocks and the key. Ciphers that work this way are called block cipher algorithms.
- When the other endpoint receives the encrypted data, it decrypts it using the same key and the same procedure, but with the operation reversed. ESP has IP protocol number 50.
- ESP outbound processing
When an IP datagram is ready to be placed on the output queue, it is checked to see whether it should be processed by IPSec. If ESP encapsulation is required, it must be known whether the SA operates in Transport Mode or Tunnel Mode. Processing then performs the following steps.
1. The SPD is searched for an SA matching the exact information such as destination address, port, protocol and so on. If no SA exists yet, a pair of SAs is negotiated between the two parties.


2. The sequence number of the SA is incremented and placed in the ESP header. If the peer has not disabled anti-replay, the sequence number is checked to make sure it does not wrap to 0.
3. If necessary, padding is added for alignment, and the pad length and next header fields are filled in. If the encryption algorithm requires it, an IV is prepended to the payload data (the IV, Initialization Vector, is a random block XORed with the first data block before encryption, so that identical plaintext does not produce identical ciphertext). The payload data and the ESP trailer are then encrypted with the key and algorithm specified in the SA; the IV itself is carried in the clear so that the receiver can use it.
4. The ICV is computed over the ESP header, IV, payload data and ESP trailer and placed in the Authentication data field, using the key and algorithm specified in the SA.
5. If the resulting packet needs fragmentation, it is done at this point. In Transport Mode ESP is applied only to whole IP datagrams; in Tunnel Mode ESP can be applied to a fragment of an IP datagram.
* Note:
- The order of encryption and authentication matters. Because authentication is performed last, the ICV is computed over the already-encrypted data, which means the receiver can verify authenticity relatively quickly before performing the much slower decryption. This partly mitigates DoS attacks that flood the receiver with streams of random "encrypted" data.
- ESP inbound processing
Because incoming data may have been fragmented by routing, the fragments must be reassembled. After reassembly, ESP processing performs the following steps:
1. The SA is found by matching the destination address, protocol (ESP) and SPI of the incoming packet. If no SA exists, the packet is discarded.
2. If anti-replay is enabled, the sequence number is checked.
3. The packet is authenticated by computing the ICV over the ESP header, payload and ESP trailer using the algorithm and key in the SA; if authentication fails, the packet is discarded. If the packet authenticates, it is accepted and the receiver updates the sequence number (anti-replay window).
4. The payload and ESP trailer are decrypted with the algorithm and key in the SA. If padding was added, it is checked for the values expected by the decryption algorithm. The original IP packet is rebuilt with the ESP fields removed; how it is rebuilt depends on whether Transport Mode or Tunnel Mode is in use.
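The ESP outbound and inbound procedures above as one added Python example (not code from the thesis or from any IPSec implementation), including a 64-entry anti-replay window of the kind RFC 4303 describes. To stay runnable on the standard library it substitutes a keystream derived from HMAC-SHA256 for the AES-CBC or 3DES-CBC cipher the page names; the framing (SPI, sequence number, IV in the clear, padding 1,2,3..., pad length, next header, ICV over everything but itself), the verify-before-decrypt order and the window logic are the real ones. The keys, SPI and inner packet are constructed.

```python
import hashlib
import hmac
import os
import struct

IV_LEN, BLOCK, ICV_LEN = 8, 16, 12   # IV size, padding alignment, HMAC-SHA1-96 ICV


class ReplayWindow:
    """Anti-replay sliding window (RFC 4303 section 3.4.3): a bitmap of the 64 most
    recent sequence numbers, bit 0 being the highest number accepted so far."""
    def __init__(self, size=64):
        self.size, self.right, self.bitmap = size, 0, 0

    def check(self, seq):
        """True if seq is new and inside the window; False for a replay or a stale packet."""
        if seq == 0:
            return False
        if seq > self.right:
            return True
        if seq <= self.right - self.size:
            return False
        return not (self.bitmap >> (self.right - seq)) & 1

    def update(self, seq):
        """Advance the window. Call only after the ICV verified, so a forged packet
        with a huge sequence number cannot slide the window past legitimate traffic."""
        if seq > self.right:
            self.bitmap = ((self.bitmap << (seq - self.right)) | 1) & ((1 << self.size) - 1)
            self.right = seq
        else:
            self.bitmap |= 1 << (self.right - seq)


def keystream_cipher(key, iv, data):
    """Stand-in for AES-CBC: XOR with HMAC-SHA256(key, iv || counter) blocks.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, iv + struct.pack("!I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def esp_encapsulate(plaintext, next_header, spi, seq, enc_key, auth_key):
    """Sender: ESP header | IV | enc(payload | padding | pad len | next hdr) | ICV."""
    pad_len = (-(len(plaintext) + 2)) % BLOCK
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    iv = os.urandom(IV_LEN)                       # sent in the clear, not encrypted
    ciphertext = keystream_cipher(enc_key, iv, plaintext + trailer)
    authed = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]   # encrypt-then-MAC
    return authed + icv


def esp_decapsulate(packet, sad):
    """Receiver: SA lookup, replay check, ICV check, then decrypt and strip the trailer."""
    spi, seq = struct.unpack("!II", packet[:8])
    sa = sad.get(spi)
    if sa is None:
        raise ValueError("no SA for this SPI: drop")
    if not sa["window"].check(seq):
        raise ValueError("replayed or out-of-window sequence number: drop")
    authed, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa["auth_key"], authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: dropped before any decryption work")
    sa["window"].update(seq)                      # only authenticated packets move the window
    iv, ciphertext = authed[8:8 + IV_LEN], authed[8 + IV_LEN:]
    plain = keystream_cipher(sa["enc_key"], iv, ciphertext)
    pad_len, next_header = plain[-2], plain[-1]
    if pad_len > len(plain) - 2 or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad padding: drop")
    return next_header, plain[:-2 - pad_len]


def demo():
    """Tunnel-mode ESP (next header 4 = IP-in-IP) with reordering, replay and stale packets."""
    enc_key, auth_key = b"constructed-enc-key", b"constructed-auth-key"
    sad = {0x2001: {"enc_key": enc_key, "auth_key": auth_key, "window": ReplayWindow()}}
    inner = b"\x45\x00" + bytes(18) + b"GET / HTTP/1.0\r\n"   # constructed inner IPv4 packet

    def recv(pkt):
        try:
            return esp_decapsulate(pkt, sad)
        except ValueError:
            return None

    send = lambda seq: esp_encapsulate(inner, 4, 0x2001, seq, enc_key, auth_key)
    p1, p2, p3 = send(1), send(2), send(3)
    first = recv(p1)
    reordered_ok = recv(p3) is not None and recv(p2) is not None   # late but inside the window
    replay_dropped = recv(p2) is None                               # same packet twice
    recv(send(100))
    stale_dropped = recv(send(30)) is None                          # 30 <= 100 - 64: too old
    return first, reordered_ok, replay_dropped, stale_dropped
```

Two details are worth noticing in the receiver: the window is advanced only after the ICV checks out, and the ICV is checked before any decryption, which is exactly the DoS argument the note above makes.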

Figure 50 Comparison of AH and ESP


2.7.5 IPSec modes
IPSec SAs are currently implemented in 2 modes, shown in the figure below: Transport mode and Tunnel mode. Both AH and ESP can work in either mode.


Figure 51 Tunnel Mode and Transport Mode


Tunnel Mode
Unlike Transport Mode, Tunnel mode protects the whole datagram. The entire IP datagram is encapsulated in another IP datagram, and an IPSec header is inserted between the original header and the new IP header.

Figure 52 IPSec datagram in Tunnel Mode


The whole original IP packet is encapsulated by AH or ESP and a new IP header is wrapped around it. The entire original IP packet is encrypted and becomes the payload of the new IP packet. This mode lets network devices such as routers act as IPSec proxies, performing encryption on behalf of hosts: the source router encrypts the packets and sends them along the tunnel; the destination router decrypts the original IP packet and forwards it to the end system.
With a tunnel operating between two security gateways, the original source and destination addresses can be encrypted.
In AH Tunnel Mode, the new (AH) header is inserted between the new IP header and the original header.
In ESP Tunnel Mode, the ESP header is inserted between the new IP header and the original header.
Transport Mode
Transport Mode protects the upper-layer protocols and applications. In Transport Mode the IPSec header is inserted between the IP header and the upper-layer protocol header, so only the IP payload is encrypted and the original IP header is left intact. Transport Mode can be used when both hosts support IPSec.

Figure 53 IPSec datagram in Transport Mode


Transport Mode involves no extra header processing and is therefore faster. It has the advantage of adding only a few bytes to each packet, and it lets devices on the network see the final destination of the packet. However, it is less effective with ESP, which neither authenticates nor encrypts the IP header in this mode.
2.7.6 Internet Key Exchange
Basically known as ISAKMP/Oakley (ISAKMP stands for Internet Security Association and Key Management Protocol), IKE lets the communicating parties agree on security parameters and authentication keys before an IPSec security session is deployed. Besides negotiating and establishing security parameters and encryption keys, IKE also modifies those parameters when needed during the session. IKE also takes care of deleting SAs and keys once a session is complete. The main advantages of IKE include:
IKE is not a stand-alone technology, so it can be used with any security mechanism.
The IKE mechanism, although not fast, is highly efficient because a large number of security associations are negotiated with relatively few messages.
a. IKE Phases
Phases I and II are the two phases that make up an IKE-based session; the figure below shows some general characteristics of the two phases. An IKE session assumes a secure channel has already been set up; this secure channel must be established before any negotiation takes place.


Figure 54 The IKE phases


IKE Phase I
IKE Phase I first authenticates the communicating peers and then establishes a secure channel for SA establishment. Next, the peers negotiate a mutually agreed ISAKMP SA, including the encryption algorithms, hash functions and authentication methods that protect the keys.
After the encryption mechanism and hash function are agreed, a master secret key is generated. The following information is used to generate the secret key:
Diffie-Hellman values
The SPI of the ISAKMP SA, in the form of cookies
Random numbers known as nonces (used for signing purposes)
If the two parties agree to use public-key based authentication, they also need to exchange IDs. After exchanging the necessary information, both parties generate their own keys using the shared secret. In this way the encryption keys are generated without any key actually being exchanged over the network.
IKE Phase II
While Phase I negotiates the establishment of the SA for ISAKMP, Phase II deals with establishing SAs for IPSec. In this phase, SAs used by the various services are negotiated. The authentication mechanism, hash function and encryption algorithm that protect subsequent IPSec packets (using AH and ESP) form part of the Phase II SA.
Phase II negotiation happens more often than Phase I; typically it may be repeated every 4-5 minutes. Changing the encryption keys frequently prevents attackers from breaking those keys and then the contents of the packets.


In general, one Phase II session corresponds to one Phase I session. However, several Phase II exchanges can also be supported by a single Phase I instance. This makes the otherwise slow IKE transaction relatively fast.
Oakley is one of the protocols on which IKE is based. Oakley in turn defines the 4 common IKE modes.
b. IKE Modes
The 4 common IKE modes usually deployed are:
Main Mode
Main mode authenticates and protects the identities of the parties involved in the transaction. In this mode, 6 messages are exchanged between the peers:
The first two messages negotiate the security policy for the exchange.
The next two messages exchange the Diffie-Hellman values and nonces. These keys play an important role in the encryption mechanism.
The last two messages of this mode authenticate the parties to the transaction with the help of signatures, hash functions and, optionally, certificates.

Figure 55 The Main mode exchanges


Aggressive Mode


Aggressive mode is essentially the same as Main mode. The only difference is that instead of the 6 messages of Main mode, only 3 messages are exchanged, so Aggressive mode is faster than Main mode. The messages are:
The first message proposes the security policy, passes the data for the master key, and exchanges nonces for the subsequent signing and verification.
The next message replies to the first. It authenticates the responder and completes the security policy with the keys.
The final message authenticates the sender (the initiator of the session).

Figure 56 Both Main mode and Aggressive mode belong to Phase I.


Quick Mode
The third IKE mode, Quick mode, is the Phase II mode. It is used to negotiate SAs for the IPSec security services. In addition, Quick mode can also generate new keying material. If a Perfect Forward Secrecy (PFS) policy was negotiated in Phase I, a fresh Diffie-Hellman exchange is started; otherwise the new keys are derived from hash values.


Figure 57 The Quick mode exchanges

New Group Mode


New Group mode is used to negotiate a new private group to make the Diffie-Hellman key exchange easier. Figure 58 illustrates New Group mode. Although this mode runs after Phase I, it does not belong to Phase II.

Figure 58 The New Group mode exchanges


Besides the 4 common IKE modes above, there is also an Informational mode. This mode is associated with the Phase II exchanges and SAs. It gives the parties involved additional information, typically about failures during negotiation. For example, if decryption fails at the receiver or a signature is not successfully verified, Informational mode is used to notify the other party.
2.7.7 How IPSec operates
The main purpose of IPSec is to protect the desired traffic flow with the necessary security services, and IPSec operation can be divided into 5 main steps as follows:
Step 1: Trigger on the traffic to be protected.
Determining which traffic needs protection is part of the security policy of a VPN. The policy is used to decide which traffic is to be protected and which is not (clear-text traffic needs no protection).
The policy is then implemented at the interface of each IPSec peer. For each inbound and outbound packet there are three choices: apply IPSec, bypass IPSec, or discard the packet. For each packet protected by IPSec, the administrator must specify the security services to use. The security policy databases specify the IPSec protocols, nodes and algorithms used for the traffic flow.
For example, the access control lists (ACLs) of routers are used to decide which traffic to encrypt. ACLs are defined by command lines, such as:
- permit: identifies traffic that must be encrypted.
- deny: identifies traffic that must be sent unencrypted.
When traffic needing protection is detected, an IPSec peer triggers the next step: negotiating an IKE Phase 1 exchange.
Step 2: IKE Phase 1
The basic purpose of IKE Phase 1 is to negotiate the IKE policy sets, authenticate the peers, and establish a secure channel between them. IKE Phase 1 has two modes: Main mode and Aggressive mode.


Figure 59 IKE Phase 1


Main mode consists of 3 two-way exchanges between the initiator and the responder:
- First exchange: the encryption and authentication algorithms (used to protect the IKE exchanges) are negotiated between the peers.
- Second exchange: a DH exchange is used to create the shared secret keys, and nonces are exchanged to confirm the identity of each peer. The shared secret is used to derive all the other encryption and authentication keys.
- Third exchange: each side verifies the other's identity (peer authentication).
The main result of Main mode is a secure communication path for the peers' subsequent exchanges. Aggressive mode performs fewer exchanges (and of course fewer packets). Almost everything is done in the first exchange: negotiating the IKE policy set, generating the DH public value, and an identity packet that can be used to establish identity through a third party. The responder sends back everything needed to complete the exchange, and finally the initiator confirms the exchange.
IKE policy sets:
When a secure connection is established between Host A and Host B across the Internet, a secure tunnel is set up between Router A and Router B. Through the tunnel, the encryption, authentication and other protocols are negotiated. Instead of negotiating each protocol separately, the protocols are grouped into sets, the IKE policy sets. The IKE policy sets are exchanged in the first exchange of IKE Phase 1 Main mode. If a matching policy is found on both sides, Main mode continues; if no matching policy is found, the tunnel is dropped.

Figure 60 IKE policy sets


Diffie-Hellman key exchange
Diffie-Hellman is a public-key method that lets two parties establish a shared secret key over an insecure communication medium. This secret key is used to derive all the other authentication and encryption keys.
Once the group negotiation is complete, the shared secret key SKEYID is computed. SKEYID is used to derive 3 other keys, SKEYID_a, SKEYID_e and SKEYID_d, each with its own purpose:
SKEYID_a is used for authentication (the integrity of the IKE messages).
SKEYID_e is used for encryption (of the IKE messages).
SKEYID_d is used to derive keys for the security associations that are not ISAKMP's own (non-ISAKMP SAs, i.e. the IPSec SAs). All four keys are computed in IKE Phase 1. When this step is complete, the peers share a common secret, but they have not yet been authenticated; that happens in the third exchange, peer authentication.
Peer authentication:
Peer authentication is the final exchange, used to authenticate the peers, that is, to check who is at the other end of the tunnel. The devices at both ends of the VPN tunnel must be authenticated before the communication path is considered secure. The last exchange of IKE Phase 1 serves to authenticate the peers.

Figure 61 Authenticating the peers
Three methods authenticate the origin of the data:
- Pre-shared keys: a secret key value entered manually on each side to identify the peer.
- RSA signatures: the exchange of digital certificates is used to authenticate the peers.
- RSA encrypted nonces: nonces (random numbers generated by each peer) are encrypted and then exchanged between the peers; the two nonces are used during peer authentication.
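The Phase 1 computations described above (the DH exchange, the SKEYID family, and peer authentication with a pre-shared key), written out as an added Python example following the formulas of RFC 2409 section 5; it is not code from the thesis or from any IKE implementation. It assumes Main mode with pre-shared-key authentication, HMAC-SHA1 as the negotiated prf, and the 1024-bit MODP group (Oakley group 2). The SA payload, identities and pre-shared keys are constructed, and the group prime is transcribed from RFC 2409 and should be checked against the RFC before any real use.

```python
import hashlib
import hmac
import os

# 1024-bit MODP group ("Oakley group 2", RFC 2409 section 6.2), generator 2.
# Transcribed for this example: check it against the RFC before relying on it.
GROUP2_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
GROUP2_G = 2
PLEN = 128     # g^x and g^xy are encoded as 128-byte big-endian strings


def prf(key, data):
    """The IKEv1 prf for a SHA-1 policy: HMAC-SHA1 keyed with `key`."""
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE endpoint: its identity, pre-shared key, DH exponent, cookie and nonce."""
    def __init__(self, identity, psk):
        self.id, self.psk = identity, psk
        self.x = int.from_bytes(os.urandom(32), "big")      # private exponent, never sent
        self.gx = pow(GROUP2_G, self.x, GROUP2_P).to_bytes(PLEN, "big")
        self.cookie = os.urandom(8)                          # CKY: this side's ISAKMP SA SPI
        self.nonce = os.urandom(16)

    def derive(self, peer_gx, nonce_i, nonce_r, cky_i, cky_r):
        """g^xy and the SKEYID family for pre-shared-key authentication (RFC 2409 s.5)."""
        gxy = pow(int.from_bytes(peer_gx, "big"), self.x, GROUP2_P).to_bytes(PLEN, "big")
        skeyid = prf(self.psk, nonce_i + nonce_r)             # PSK auth: keyed by the PSK
        skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")  # keying material for IPSec SAs
        skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # IKE integrity
        skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # IKE encryption
        return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def auth_hash(skeyid, gx_self, gx_peer, cky_self, cky_peer, sa_payload, identity):
    """HASH_I (initiator) or HASH_R (responder): proves knowledge of SKEYID, hence of the
    PSK, and binds the DH values, cookies, SA proposal and identity to this exchange."""
    return prf(skeyid, gx_self + gx_peer + cky_self + cky_peer + sa_payload + identity)


def phase1_psk(init, resp, sa_payload):
    """Main mode in outline: exchange 1 carries sa_payload and cookies, exchange 2 carries
    g^x and nonces, exchange 3 (encrypted under SKEYID_e) carries identities and hashes.
    Returns both sides' key sets and whether mutual authentication succeeded."""
    ki = init.derive(resp.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    kr = resp.derive(init.gx, init.nonce, resp.nonce, init.cookie, resp.cookie)
    hash_i = auth_hash(ki["SKEYID"], init.gx, resp.gx, init.cookie, resp.cookie, sa_payload, init.id)
    hash_r = auth_hash(kr["SKEYID"], resp.gx, init.gx, resp.cookie, init.cookie, sa_payload, resp.id)
    # Each side recomputes the other's hash with its own SKEYID; a PSK mismatch fails here,
    # even though the DH secret g^xy is identical on both sides.
    resp_ok = hmac.compare_digest(hash_i, auth_hash(kr["SKEYID"], init.gx, resp.gx,
                                                    init.cookie, resp.cookie, sa_payload, init.id))
    init_ok = hmac.compare_digest(hash_r, auth_hash(ki["SKEYID"], resp.gx, init.gx,
                                                    resp.cookie, init.cookie, sa_payload, resp.id))
    return ki, kr, init_ok and resp_ok


def demo():
    """Matching PSKs agree on every key; a wrong PSK on one side fails authentication."""
    sa_payload = b"\x00\x00\x00\x0c\x01\x01\x00\x00"        # constructed SA proposal bytes
    router_a = Peer(b"routerA", b"constructed-psk")
    router_b = Peer(b"routerB", b"constructed-psk")
    ki, kr, ok = phase1_psk(router_a, router_b, sa_payload)
    rogue = Peer(b"routerB", b"guessed-psk")                 # claims B's identity, wrong PSK
    ki2, kr2, ok2 = phase1_psk(router_a, rogue, sa_payload)
    return ok and ki == kr, ok2, ki2 == kr2
```

The second run shows why the DH exchange alone is not authentication: the rogue peer computes the same g^xy as Router A, but without the pre-shared key it cannot produce the SKEYID that HASH_R is keyed with, so the third exchange fails.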
Step 3: IKE Phase 2
The purpose of IKE Phase 2 is to negotiate the IPSec security parameters used to protect the IPSec tunnel.


Figure 62 Negotiating the IPSec security parameters


IKE Phase 2 performs the following functions:
+ Negotiates the IPSec security parameters, the IPSec transform sets.
+ Establishes the IPSec Security Associations.
+ Periodically renegotiates the IPSec SAs to keep the tunnel secure.
+ Optionally performs an additional DH exchange (when the SAs and new keys are created, this increases the security of the tunnel). IKE Phase 2 has only one mode, called Quick Mode.
This mode runs after IKE has established the secure tunnel in IKE Phase 1. IKE Phase 2 negotiates a common IPSec transform set, derives the shared secret keys used by the IPSec security algorithms, and establishes the IPSec SAs. Quick mode exchanges nonces that are used to generate new shared key material and to prevent replay attacks from creating bogus SAs. Quick mode is also used to renegotiate a new IPSec SA when the old IPSec SA expires.
+ IPSec transform sets: the ultimate goal of IKE Phase 2 is to establish a secure IPSec session between the endpoints. Before this can happen, each pair of endpoints must negotiate the level of security required (for example, the authentication and encryption algorithms used in the session). Instead of negotiating each protocol individually, the protocols are grouped into sets, the IPSec transform sets. These transform sets are exchanged between the two sides in Quick Mode. If a matching transform set is found on both sides, session establishment continues; otherwise the session is dropped.

ti: Xy dng h tng mng doanh nghip 135


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

Figure 63 IPSec transform sets

Example: Router A sends IPSec transform sets 30 and 40 to Router B. Router B compares them with its own IPSec transform set 55 and finds that it matches transform set 30 from Router A; the authentication and encryption algorithms in these transform sets form a security association (SA).
+ Security association (SA): once a transform set has been agreed between the two sides, each VPN device enters this information into a database. The information includes the authentication and encryption algorithms, the address of the peer, the transport mode, the key lifetime, and so on. This information is known as a security association (SA). An SA is a one-way logical connection that provides security for all traffic passing over the connection. Because most traffic is bidirectional, two SAs are needed, one inbound and one outbound. The VPN device then numbers each SA with an SPI (Security Parameter Index). Instead of sending every SA parameter through the tunnel, each side simply inserts the SPI into the ESP header. When the receiver gets the packet, it looks up the destination address and SPI in its SAD (Security Association Database) and then processes the packet according to the algorithms specified for that SPI/SA in the SPD.

Figure 64 Security associations

The IPSec SA is a combination of the SAD and the SPD. The SAD is used to define the destination peer IP address, the IPSec protocol and the SPI number. The SPD defines the security services used for the SA peer: the encryption and authentication algorithms, the mode and the key lifetime.
Example: for a Company-to-Bank network connection, a highly secure tunnel is established between the two sides; this tunnel uses 3DES, SHA, tunnel mode and a key lifetime of 28800, with SAD values of 192.168.2.1, ESP and an SPI of 12. For a remote user accessing e-mail, a tunnel with a lower security level is negotiated, using DES, MD5, tunnel mode, a key lifetime of 28800, and an SPI of 39.
+ Lifetime of a security association: the issue is the same as with the lifetime of a password used on a computer: the longer the lifetime, the greater the risk to security. The same applies to keys and SAs; to maintain a high level of security, keys and SAs must be changed regularly. Two parameters must be defined for changing keys and SAs: Lifetime type, which determines whether the lifetime is counted in bytes or in transmission time, and Duration, which specifies the unit, kilobytes of data or seconds.
Example: a lifetime of 10000 KB of data transferred or 28800 s. Keys and SAs remain valid until the lifetime expires or an external event occurs, for instance one side tearing down the tunnel, at which point the keys and SAs are deleted.
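The following is an added example, not code from the thesis: a small model of what the IKE Phase 2 negotiation described above leaves behind on each peer. It shows transform-set matching (the Router A / Router B example), the pair of one-way SAs numbered by SPI, the SAD lookup the receiver performs on an incoming ESP packet, and lifetime expiry by seconds or by kilobytes. The addresses, set numbers and limits are constructed for illustration, and the byte counter is charged per received packet to make the data-volume lifetime visible.

```python
"""Added example, not from the thesis: transform-set negotiation, SPI-numbered
SAs, SAD lookup and lifetime expiry as described in the IKE Phase 2 section.
All addresses, set numbers and limits are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TransformSet:
    number: int          # local name only; never compared between peers
    encryption: str      # "3des", "des", ...
    integrity: str       # "sha", "md5", ...
    mode: str            # "tunnel" or "transport"

    def matches(self, other: "TransformSet") -> bool:
        return (self.encryption, self.integrity, self.mode) == \
               (other.encryption, other.integrity, other.mode)


def negotiate(offered: List[TransformSet], local: List[TransformSet]):
    """Quick Mode proposal selection on the responder: walk the local sets in
    preference order and accept the first one the initiator also offered.
    Returns (initiator_set, responder_set) or None when nothing matches."""
    for mine in local:
        for theirs in offered:
            if mine.matches(theirs):
                return theirs, mine
    return None


@dataclass
class SecurityAssociation:
    spi: int
    peer: str
    protocol: str                # "esp" or "ah"
    transform: TransformSet
    lifetime_seconds: int
    lifetime_kbytes: int
    age_seconds: int = 0
    kbytes_used: int = 0

    def expired(self) -> bool:
        # Whichever limit is reached first ends the SA (Lifetime type / Duration).
        return (self.age_seconds >= self.lifetime_seconds
                or self.kbytes_used >= self.lifetime_kbytes)


class SecurityAssociationDatabase:
    """SAD keyed by (destination address, SPI); the ESP header carries only the SPI."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, int], SecurityAssociation] = {}

    def install(self, dst: str, sa: SecurityAssociation) -> None:
        self.entries[(dst, sa.spi)] = sa

    def lookup(self, dst: str, spi: int) -> Optional[SecurityAssociation]:
        sa = self.entries.get((dst, spi))
        return None if sa is None or sa.expired() else sa

    def receive_esp(self, dst: str, spi: int, length_bytes: int) -> Optional[str]:
        """Returns the algorithms to apply, or None when the packet must be dropped
        (unknown SPI or expired SA). The SA's byte counter is charged."""
        sa = self.lookup(dst, spi)
        if sa is None:
            return None
        sa.kbytes_used += length_bytes // 1024
        return f"{sa.protocol}/{sa.transform.encryption}/{sa.transform.integrity}/{sa.transform.mode}"


# Constructed sample following the thesis example: A offers sets 30 and 40, B has set 55.
ROUTER_A_SETS = [TransformSet(30, "3des", "sha", "tunnel"), TransformSet(40, "des", "md5", "tunnel")]
ROUTER_B_SETS = [TransformSet(55, "3des", "sha", "tunnel")]


def establish_pair(peer: str, spi_in: int, spi_out: int, transform: TransformSet,
                   seconds: int, kbytes: int) -> Tuple[SecurityAssociation, SecurityAssociation]:
    """Traffic is bidirectional, so one SA per direction, each with its own SPI."""
    inbound = SecurityAssociation(spi_in, peer, "esp", transform, seconds, kbytes)
    outbound = SecurityAssociation(spi_out, peer, "esp", transform, seconds, kbytes)
    return inbound, outbound
```

An SA that has reached either limit is treated exactly like an unknown SPI: the packet is dropped, which is why both peers renegotiate in Quick Mode before the old SA runs out.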

Step 4: IPSec encrypted tunnel
After IKE Phase 2 and Quick Mode have established the IPSec security associations (IPSec SAs), traffic between Host A and Host B is exchanged through a secure tunnel. Traffic is encrypted and decrypted according to the algorithms specified in the IPSec SA.

The IPSec tunnel is established
Step 5: Tunnel termination

Figure 65 Tunnel termination
IPSec security associations (IPSec SAs) terminate when they are deleted or expire. An SA expires when the specified amount of time has elapsed or when a specified number of bytes has been transferred through the tunnel. When the SAs terminate, the keys are discarded as well. When new IPSec SAs are then needed, a new IKE Phase 2 is performed, and if necessary a new IKE Phase 1 is negotiated. A successful negotiation produces new SAs and keys. New SAs are established before the old SAs expire, to ensure continuity of the traffic flow.

2.8 Some additional security protocols for VPNs

In the sections above we looked at the security technologies that can be used to build a virtual private network. While these technologies are usually effective for individual tasks, there are cases in which, on their own, they do not meet the requirements of a complete VPN solution.
One such case is the use of digital certificates, authentication and encryption. This section describes some security technologies that can be added to a VPN solution, or that may coexist within a VPN environment under certain circumstances.
2.8.1 Authentication for remote dial-up users
Remote dial-up access to a company intranet, as well as to the Internet, has made the Remote Access Server (RAS) a very important part of today's internetworking services. As we know, more and more mobile users require access not only to resources on the central network but also to information sources on the Internet. The popularity of the Internet and of intranets within organizations has driven the development of remote-access services and devices. The need for simple connectivity to an organization's resources from mobile computing devices such as laptops keeps growing. The emergence of remote access is also one of the drivers of development in the field of security. The authentication, authorization and accounting (AAA) security model was developed to address the problem of remote-access security. AAA is a framework used to configure three basic security functions: authentication, authorization and accounting. Today, the AAA security model is used in practically all remote-access scenarios, because it allows the network administrator to identify and answer the following three important questions:
Who is accessing the network?
What is the user allowed to do, and which activities are restricted once the user has successfully accessed the network?
What is the user doing, and when?
AAA is described briefly as follows:
Authentication: authentication is the first step in security. It is the activity of determining who a user (or entity) is before they can access resources on the network. Authentication can take many forms; the traditional form uses a login name and a fixed password. Most computers work this way. However, fixed passwords have certain limitations in terms of security. Many modern authentication mechanisms use one-time passwords or a challenge-response query (for example the authentication protocols PAP, CHAP and EAP). Typically, authentication occurs when the user first logs in to a machine or requests a service from it.
Authorization: this is the activity of determining what a user is allowed to do. That is, it refers to controlling the activities the user is allowed to perform on the network and the resources the user is allowed to access. As a result, authorization provides mechanisms for controlling remote access by means such as one-time authorization, per-service authorization, per-user account lists or group policies.
Typically, attributes, privileges and access rights are compiled and stored in a central database for authorization purposes. These attributes and rights determine which activities a user is allowed to perform. When a user needs to be authorized after being successfully authenticated, these attributes and rights are verified against the database for that user and forwarded to the relevant server (for example, the remote-access server). Normally, authentication is performed before authorization, but this is not strictly required. If a network resource, such as a server, receives an authorization request without authentication, the authorization agent on the network device must decide whether the user may access the network device and perform the services specified in the authorization request.
Accounting: this is the typical third activity, after authentication and authorization. Accounting records the activities the user has performed and is performing. Accounting is the mechanism for recording the activities a user performs after successfully logging in to the network. Accounting includes collecting, listing, auditing, logging and reporting on user identities, the commands executed in a session, the number of packets transferred, and so on. When a user activity is recorded, the time it was performed, the duration of the whole user session and the duration of each individual activity are recorded as well. Detailed information about users helps the network administrator track user activities and take appropriate action to maintain network security. Although accounting is regarded as the logical step following authentication and authorization, it can be performed out of sequence. In practice, accounting can be performed even when authentication and authorization have not taken place. In the distributed client/server security-database model, a number of communication clients and servers authenticate the identity of a dial-up user through a single central database or an authentication server. The authentication server stores all information about users, their passwords and their access privileges. Distributed security acts as a central store of authentication data; it is more secure than scattering user information across various devices over a network. A single authentication server can support hundreds of communication servers and thousands of users. Communication servers can access an authentication server locally or remotely over a wide area network (WAN) connection.
A number of remote-access vendors and the IETF have led the effort to secure remote access, and security facilities have been standardized. The Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access Control System (TACACS) are the two projects that opened the framework of Internet standards for remote-access vendors.

2.8.2 Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a distributed security system developed by Livingston Enterprises. RADIUS was designed on the basis of earlier recommendations from the IETF's Network Access Server Working Requirements group. An IETF working group for RADIUS was formed in January 1996 to produce standards for the RADIUS protocol; RADIUS is now a dial-up security solution recognized by the IETF.

Figure 66 Remote Authentication Dial-In User Service (RADIUS).

2.8.3 Terminal Access Controller Access Control System (TACACS)
Like RADIUS, TACACS is an industry-standard protocol. As shown in Figure 4.2, when a remote client issues an authentication request to the nearest NAS, the request is forwarded to TACACS. TACACS then forwards the supplied ID and password to a central database, which may be a TACACS database or an external security database. Finally, the information is retrieved and forwarded back to TACACS, which in turn accepts or rejects the connection request on the basis of the information it received from the database.

Figure 67 Remote authentication based on TACACS.

At present there are two versions of TACACS on the market, both developed by Cisco. They are:
- XTACACS (eXtended TACACS): an extension of TACACS that supports advanced features.
- TACACS+: this version of TACACS originally used a dedicated access server in the form of a TACACS+ server. This server provides independent authentication, authorization and accounting services.
The NAS plays an important role in both RADIUS-based and TACACS-based authentication. As a RADIUS or TACACS client, the NAS encrypts the information (the user's ID/password) supplied by the remote user before forwarding it to the authentication server on the destination network; the NAS is also able to route an authentication request to another authentication server if the target authentication server is unreachable.
Operation of RADIUS:
RADIUS was first developed by Livingston Enterprises, but it is now owned by the IETF and is an open protocol, which can be distributed in source form and modified by anyone. Although RADIUS was originally developed for NAS administrators, supporting products have added other applications and devices such as firewalls, personal web page access, e-mail accounts and other authentication-related Internet security issues.
RADIUS consists of two parts. There is the RADIUS client, e.g. a NAS or any other software such as a firewall, which sends an AAA request to the RADIUS server. On the other side there is the RADIUS server, which checks the request against its preconfigured data.

Figure 68 Information flow in RADIUS.

Although RADIUS and TACACS authentication servers can be installed in many different ways, depending on the security scheme of the network they serve, the basic process for authenticating a user is essentially the same. Using a modem, a remote dial-up user connects to a remote server (called a network access server, NAS) with a digital or analog modem. When a modem connection is created, the NAS prompts the user for a login name and password. The NAS then creates an authentication request from the supplied data; it includes identifying information that the NAS device uses to define the sender of the authentication request, such as the port being used for the modem connection and the login name/password.
A very important role is performed by the authentication server, which is a server on the network that validates the user's ID/password for the network. If a device is configured for authentication through an authentication server and the device receives a packet from an authentication protocol, the device passes the user's ID and password to the server for authentication. If the user's ID/password is correct, the server replies. The device can then communicate with the originator of the initial request. If the server does not find the user's ID/password, it rejects the device and sends a response to the device. The device then refuses the session with the party from which it received the authentication request.
The authentication server may be a RADIUS server itself or another server based on other central authentication technologies such as Kerberos, DCE, SecureID or RACF. A RADIUS server can be configured to forward the request to a central authentication server and relay the accept or reject information and configuration back to the client.
To protect against eavesdropping by hackers, the NAS, acting as a RADIUS or TACACS client, encrypts the password before sending it to the authentication server. If the primary security server is unreachable, the security client or NAS device can route the request to the next alternate server. On receiving an authentication request, the authentication server validates the request and then decrypts the packet to access the user's login name/password. If the user's login name/password is correct, the server sends an authentication acknowledgement packet. This acknowledgement packet may contain additional filtering information, such as information on the user's network resource requirements and authorization levels. The security server can, for instance, indicate to the NAS whether a user needs TCP/IP and/or Internetwork Packet Exchange (IPX) using PPP, or whether the user needs SLIP to connect to the network. It may also contain information on the specific network resources the user is allowed to access.
To defeat eavesdropping on the network, the security server sends an authentication key, or signature, identifying itself to the security client. Once the NAS receives this information, it enables the configuration needed to give the user the appropriate level of access to the services and network resources. If at any point in the whole login process the required authentication conditions are not met, the security database server sends an authentication rejection message to the NAS device and the user is denied access to the network.
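The exchange between the NAS (RADIUS client) and the authentication server described above, as an added example that is not code from the thesis: it follows the RFC 2865 packet layout with only the standard library. It shows how the client hides the User-Password with the shared secret before the request crosses the network, how the server recovers it and answers Access-Accept or Access-Reject, and how the client checks the Response Authenticator so that a forged or altered reply is not trusted. The shared secret, user database, identifier and addresses are constructed.

```python
"""Added example, not from the thesis: RFC 2865 Access-Request / Access-Accept
handling between a NAS and a RADIUS server. Secret, users and addresses are
constructed values."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
HEADER = struct.Struct("!BBH")    # Code | Identifier | Length, then a 16-byte Authenticator


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. Reversible, not a one-way hash."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def access_request(secret, ident, username, password, nas_ip, nas_port, request_auth=None):
    """What the NAS sends; the Request Authenticator must be fresh and unpredictable."""
    req_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(secret, req_auth, password.encode()))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def server_handle(secret: bytes, users: dict, request: bytes) -> bytes:
    """Server side: recover the password, check it, sign the reply."""
    code, ident, length = HEADER.unpack(request[:4])
    req_auth = request[4:20]
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    attrs = parse_attributes(request[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user], given)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, b"", req_auth, secret), b"")


def client_verify(secret: bytes, request: bytes, reply: bytes) -> bool:
    """NAS side: accept the reply only if its Identifier matches the request and
    the Response Authenticator was computed with the shared secret."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length != len(reply):
        return False
    expected = response_authenticator(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])
```

Two points the code makes visible: the password hiding depends entirely on the strength of the shared secret and on the Request Authenticator being unpredictable, and the request itself carries no integrity check in the base protocol (that is what the Message-Authenticator attribute of RFC 2869 adds), while the reply is protected by the Response Authenticator.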
Using RADIUS with layer 2 tunnels
RADIUS can be used to authenticate layer 2 tunnels as well as PPP connections, an important part of virtual private networks. There are two models of layer 2 tunnelling, voluntary and compulsory. RADIUS can be used in both cases to authenticate the user and to authorize or deny a tunnel setup or session setup. This adds an extra layer of security to the layer 2 VPN scenario, because until the tunnel has been established and the session has been set up, no traffic is allowed to pass through the tunnel; in addition, authentication and access to the tunnels can be controlled centrally. Figure 4.4 illustrates the different ways of using RADIUS in a VPN environment in which compulsory tunnels are used, involving an ISP that establishes a tunnel or starts a new session over an existing tunnel on behalf of a remote client. The ISP can use a RADIUS proxy server to forward client authentication back to the central authentication server, so that user information does not have to be maintained in two places, at the ISP and at the central server.

Figure 69 Using RADIUS with layer 2 tunnels.

2.8.4 The SOCKS protocol:
A circuit-level gateway relays TCP as well as UDP connections and provides no additional packet processing or filtering. A circuit-level gateway is a special kind of application-level gateway. This is because application-level gateways can be configured to pass through all traffic of an authenticated user, in which case they are regarded as circuit-level gateways (see figure). In practice, however, there are significant differences between them:
- Circuit-level gateways can be used by a number of TCP/IP applications as well as UDP applications without modifying the client for each application. This makes circuit-level gateways a good choice for satisfying user requirements.
- Circuit-level gateways provide no packet processing or filtering. For this reason such a gateway is often regarded as a transparent gateway.
- Application-level gateways lack UDP support.
- Circuit-level gateways are usually used for outbound connections, whereas application-level gateways are used for both inbound and outbound connections. Typically, where the two types are used in combination, the circuit-level gateway is used for outbound connections and the application-level gateway for inbound connections, to satisfy both security requirements and user requirements.
A well-known example of a circuit-level gateway is SOCKS. Because data passing through SOCKS is neither monitored nor filtered, a security problem may arise. To minimize security problems, trusted resources and services should be used for the external (untrusted) network.

Figure 70 Circuit-level gateway.

SOCKS is a standard for circuit-level gateways. It does not require the overhead of a more conventional proxy server, in which the user has to connect first to the firewall before making a second request to connect to the destination. The user starts a client-side application with the IP address of the destination server. Instead of starting a session directly with the destination server, the client initiates a session with the SOCKS server on the firewall. The SOCKS server then verifies that the source address and user ID are permitted to establish a connection to the untrusted network, and then creates the second session. SOCKS needs a new client source version and a separate set of configuration policies on the firewall. The server, however, needs no changes; indeed, it does not know that the session is being relayed by the SOCKS server. Both the client and the SOCKS server need SOCKS code. The SOCKS server acts as an application-level router between the client and the real application server.
SOCKSv4 is for outbound TCP sessions only. It is simple enough for the user's private network, but it has no secure password distribution, so it is not used for sessions between public-network users and private-network applications. SOCKSv5 has a number of authentication methods and is therefore used for inbound connections; SOCKS also supports UDP-based protocols and applications.
Most web browsers are SOCKSified, and users can obtain SOCKSified TCP/IP stacks for most platforms.
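The two SOCKS5 messages the gateway processes before it relays any data, as an added example that is not code from the thesis: the client greeting and the CONNECT request are encoded and parsed as RFC 1928 lays them out, and the server-side checks the section attributes to the SOCKS server (is this source address and user ID allowed to open a connection to the untrusted side? is an authenticating method offered?) are applied before the second session would be opened. The policy, client addresses and user names are constructed.

```python
"""Added example, not from the thesis: SOCKS5 greeting/request parsing and the
gateway's admission decision. Policy, addresses and users are constructed."""
import ipaddress
import struct

SOCKS_VERSION = 5
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07


def parse_greeting(data: bytes) -> list:
    """Client greeting: VER | NMETHODS | METHODS (one byte each)."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    n = data[1]
    if len(data) != 2 + n:
        raise ValueError("greeting length does not match NMETHODS")
    return list(data[2:])


def select_method(offered: list, require_auth: bool = True) -> bytes:
    """Server reply VER | METHOD. A gateway reachable by inbound users should
    refuse clients that only offer 'no authentication' (0xFF ends the session)."""
    acceptable = [METHOD_USERPASS] if require_auth else [METHOD_USERPASS, METHOD_NO_AUTH]
    for m in acceptable:
        if m in offered:
            return bytes([SOCKS_VERSION, m])
    return bytes([SOCKS_VERSION, METHOD_NONE_ACCEPTABLE])


def build_request(cmd: int, host: str, port: int) -> bytes:
    """Client request: VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("ascii")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS_VERSION, cmd, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data: bytes) -> tuple:
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, end = str(ipaddress.IPv4Address(data[4:8])), 8
    elif atyp == ATYP_IPV6:
        addr, end = str(ipaddress.IPv6Address(data[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, end = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError("unknown address type")
    if len(data) != end + 2:
        raise ValueError("request length does not match address type")
    return cmd, addr, struct.unpack("!H", data[end:end + 2])[0]


POLICY = {  # constructed gateway policy
    "allowed_sources": {"10.1.1.7", "10.1.1.8"},
    "allowed_users": {"alice"},
}


def decide(policy: dict, client_ip: str, user: str, cmd: int) -> int:
    """The check the SOCKS server makes before opening the second session."""
    if cmd != CMD_CONNECT:
        return REP_CMD_NOT_SUPPORTED
    if client_ip not in policy["allowed_sources"] or user not in policy["allowed_users"]:
        return REP_NOT_ALLOWED
    return REP_SUCCEEDED


def build_reply(rep: int, bind_addr: str = "0.0.0.0", bind_port: int = 0) -> bytes:
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4])
            + ipaddress.IPv4Address(bind_addr).packed + struct.pack("!H", bind_port))
```

Once REP_SUCCEEDED has been sent, everything that follows on the connection is relayed unchanged in both directions, which is the "no monitoring or filtering" property the section warns about; the admission decision above is the only control point the gateway has.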
2.8.5 The SSL and TLS protocols:
SSL is a security protocol developed by Netscape Communications together with RSA Data Security. The main purpose of the SSL protocol is to provide a private channel between communicating applications that ensures data privacy, integrity and peer authentication. SSL provides an alternative to the standard TCP/IP socket API with security implemented inside it. In theory, therefore, it is able to run any TCP/IP application securely without changing the application. In practice, SSL has been implemented only for HTTP connections, but Netscape Communications has stated its intention to apply it to other application types, such as NNTP and Telnet, and there are a number of free implementations available on the Internet. For example, IBM uses SSL to improve the security of TN3270 sessions in its host, personal communications and server products, provided the firewalls are configured to permit access.
SSL consists of two layers:
At the lower layer is a data transport protocol that uses a predefined cipher and authentication combination, called the SSL record protocol; Figure 35 illustrates this protocol and contrasts it with a standard HTTP socket connection.

Figure 71 Comparison between a standard session and an SSL session.

At the upper layer is a protocol for initial authentication and transfer of the encryption keys, called the SSL handshake protocol.
An SSL session is established as follows:
- A client-side user (browser) requests a document using a URL beginning with https (instead of http).
- The client code recognizes the SSL request and establishes a connection over TCP port 443 to the SSL code on the server side.
- The client then initiates the SSL handshake phase, using the SSL record protocol as a carrier. At this point there is no encryption or integrity checking associated with the connection.
The SSL protocol addresses the following security issues:
+ Privacy: after the symmetric key has been established during the initial handshake, messages are encrypted with this key.
+ Integrity: messages contain a message authentication code (MAC).
+ Authentication: during the handshake, the client authenticates the server using public-key cryptography. It can also be based on certificates.
TLS was developed on the basis of SSL; like SSL, TLS allows servers and end clients to communicate securely over insecure public networks. In addition to the security capabilities provided by SSL, TLS also prevents eavesdropping, forgery and interception of packets.
TLS also consists of two layers: the TLS record protocol and the TLS handshake protocol. The TLS record protocol provides security by using encryption mechanisms, such as DES. The TLS handshake protocol provides two-way authentication by allowing the server and the client to authenticate each other; furthermore, the two entities wishing to communicate can negotiate the encryption algorithms and keys to be used for the subsequent data exchange between them.
In VPN scenarios, SSL and TLS can be implemented at the VPN server as well as at the end client.
Comparison of IPSec and SSL:
As described in the sections above, IPSec provides strong encryption and authentication for IP traffic and also provides certificate-based key exchange and key refresh through IKE.
To draw a cautious conclusion, we must propose that these features are as necessary as the features that SSL and TLS provide. In this section we note the basic similarities and differences between IPSec and SSL and explain in which areas each of the two protocols is used.
Similarities:
o IPSec (through IKE) and SSL provide client and server authentication.
o IPSec and SSL provide data confidentiality and authentication, albeit at different levels of the protocol stack.
o IPSec and SSL can use strong cryptographic algorithms for encryption and hashing, and can use certificate-based authentication (IPSec through IKE).
o IPSec (through IKE) and SSL provide key generation and key refresh without transmitting any key in the clear or out of band.
Differences:
o SSL is implemented as an API between the application layer and the transport layer; IPSec is implemented as a framework at the internetwork layer.
o SSL provides application-to-application security (for example between a web browser and a web server); IPSec provides device-to-device security.
o SSL does not protect UDP traffic; IPSec does.
o SSL operates end-to-end and has no concept of a tunnel. This can be a problem when traffic needs to be examined by content inspection and virus scanning before it is delivered to its final destination; IPSec can operate in two ways, end-to-end and as a tunnel.
o SSL can traverse NAT or SOCKS, which are used to hide the internal address structure or to avoid private IP address collisions; IPSec in transport mode (end-to-end) cannot use NAT, but it can use an IPSec tunnel to achieve the same goal, and even more securely than NAT, because the tunnel can also be encrypted.
o Applications need to be modified to use SSL. This can be a problem when we have no access to the application's source code or lack the time or expertise to change it; IPSec is completely transparent to applications.
Generally, SSL is good when we have only one application to protect and it is available in an SSL-aware version. This is the case for a variety of standard applications, not just web browsers and web servers. Also, if there is the option of implementing a 3-tier concept by using web application gateways at the network perimeter, SSL is a good choice. If there is a large number of applications to secure, a better solution for the network may have to be chosen. In this case IPSec is the better choice. Unless we develop the applications ourselves, IPSec is more flexible than SSL for implementing a security policy that requires various levels and combinations of authentication, encryption and tunnelling.
Last but not least, the choice of an appropriate security technology also depends on the transaction model. If the purpose of the application servers is to be accessible from the public network, a web-based design and SSL-based security technology is probably the right choice. SSL is available in any standard web browser and is the tool that will be used and demanded by users. However, where users should be restricted in their access to our application servers or network, an IPSec-based VPN, possibly with some layer 2 tunnelling technology, is the preferred solution. In this case the participants and their roles in the data exchange will have been defined in advance.

3. Dynamic Multipoint VPN (DMVPN)

3.1 Introduction to DMVPN

Figure 72 DMVPN deployment model

To deploy a DMVPN network we have two deployment methods: hub-and-spoke and spoke-to-spoke. To understand these two concepts, you should first understand what a hub is and what a spoke is. The hub here is the centre (central), that is, the WAN network at the company's head office. The spoke refers to the branches and offices. Figure 72 illustrates this: the hub is the Central Site part and the spokes are the Branches part.

We can clearly see that the blue line is the spoke-to-spoke connection, while the other line is the hub-and-spoke connection. Thus, hub-and-spoke is the connection from the centre to a branch, similar to the concept in site-to-site. The new concept is spoke-to-spoke, which is the connection between the branches themselves.

In a VPN you only hear about connecting one client to a site or one site to another site; in DMVPN you will come across a newer concept, the connection between many hubs and many spokes, which explains why it is called Multipoint.

When we speak of hub and spoke we are speaking of the routers performing the DMVPN function at the centre and at the branch. When we speak of Central Site and Branch Site (or Central and Branch for short) we are speaking of the many devices located there; the hub and spoke sit within Central and Branch.

Dynamic Multipoint Virtual Private Network (DMVPN) is the combination of the technologies IPSec, mGRE and NHRP.

IPSec: encrypts data and provides authentication and data integrity.
GRE: establishes tunnels that allow any network-layer packet to be encapsulated. GRE can also carry routing over the tunnel.
NHRP: the protocol used to map a tunnel address to the address on the router's physical interface. It solves the problem of spokes that use IP addresses dynamically assigned by the ISP.

Combining these technologies allows IPSec to be deployed in DMVPN easily, flexibly and securely.

3.2 Components of DMVPN

The first, which goes without saying, is the hub and spoke system. Both sides must have devices that provide good support for creating DMVPN connections. There are many solutions to choose from, but the most common remains Cisco routers.

Looking at the model in Figure 72, we see that the connection between the hub and the spokes has to go through a cloud. The cloud here refers to the Internet service provider (ISP). There are many options for using the services the ISP provides. This cloud may be Frame Relay, ATM, leased lines, and so on.

3.3 Design techniques:

In DMVPN design, two topologies are put forward for discussion:

Dual hub, dual DMVPN cloud
Dual hub, single DMVPN cloud

First we need to understand what a DMVPN cloud is: it is the set of routers configured with routing so that they communicate with each other. You can use mGRE or PPP or both to configure communication with these routers; they must be in the same subnet.

So the two techniques mentioned above can be understood as multi-hub, multi-DMVPN-cloud and multi-hub, single-DMVPN-cloud.

Figure 73 Dual DMVPN Cloud Topology

In the dual hub, dual DMVPN cloud model, Figure 73, Hub 1 is the main centre; it connects to the branches through DMVPN cloud 1, and they are of course in the same subnet. It maintains the connection most of the time. Meanwhile, Hub 2 is recommended as a backup in case Hub 1 has a problem. It is recommended that Hub 1 and Hub 2 be connected to each other in the campus network and not be in the same subnet (the same net, that is, a subnetted net). Naturally, both Hub 1 and Hub 2 must be able to communicate with the internal network. This solution is known for its failover capability, that is, limiting outages and always maintaining connectivity.

In the second model, dual hub, single DMVPN cloud, Figure 74, you have only one network path connecting all hubs and branches. From the DMVPN cloud you can see that we have two connections and two hubs. This solution is known for its load-balancing capability.

The DMVPN cloud supports both the hub-and-spoke and spoke-to-spoke deployment models. In hub-and-spoke, each headend has an mGRE interface and each branch has either a p2p or an mGRE interface. In the spoke-to-spoke model both the headend and the branch have mGRE interfaces.

Figure 74 Single DMVPN Cloud Topology

3.4 Dual DMVPN Cloud Topology:

With Dual DMVPN Cloud, we have two deployment models:

Hub-and-spoke
Spoke-to-spoke

3.4.1 Hub-and-Spoke:

Figure 75 Hub-and-Spoke Deployment Model

With Dual DMVPN cloud in the hub-and-spoke model, there are two headends (hub1 and hub2), each with one or more mGRE tunnels connecting to all the branches. Figure 75 illustrates this.

Each DMVPN cloud is represented by a unique IP subnet. One DMVPN cloud is called the primary cloud and is responsible for all branch traffic passing through it. Each branch has two p2p GRE interfaces, one connecting to each hub. In this deployment model there are no tunnels between branches. Communication between branches is provided through the hub. The metric of the routing protocol used by the system is what determines which hub is the primary hub.

3.4.2 Spoke-to-Spoke:

Figure 76 Spoke-to-Spoke Deployment Model

As in hub-and-spoke, this model also has two central hubs, each with one or more tunnels connecting to all the branches. Communication between branches goes through the hub unless a connection has been created between the two spokes. That is the difference in this case. The tunnel between spoke and spoke is called dynamic; it must lie within a single DMVPN cloud, that is, the same subnet. A spoke-to-spoke tunnel cannot span two DMVPN clouds.

3.5 Headend system architecture

Two architectures for the headend system are put forward for deployment:

Single Tier
Dual Tier

3.5.1 Single Tier

In the Single Tier architecture, in functional terms, mGRE and crypto coexist on one router CPU.

Figure 77 Single Tier Headend Architecture

Figure 77 is the dual cloud solution with the hub-and-spoke model. All headends have mGRE tunnels, with crypto combined into the multipoint GRE tunnel, serving the branch traffic flows. At the same time, at the termination of the VPN tunnel at the centre, the headend can send a message to the routing protocol in use at the branch, such as EIGRP or OSPF, along whichever path has been selected in the cloud (the cloud path being the connection between the routers in the cloud).

3.5.2 Dual Tier

With the dual tier architecture, mGRE and crypto do not coexist on the same router CPU.

Figure 78 Dual Tier Headend Architecture

Figure 78 is the dual DMVPN cloud solution with the hub-and-spoke model. Here mGRE and crypto at the headend are separate from each other; they serve each other and the multiple mGRE tunnels carrying traffic for the branches. At the end of the VPN tunnel, crypto receives the data sent from the branch and then forwards it to mGRE, and mGRE advertises to the routing protocols at the branch, such as EIGRP or OSPF.

In all DMVPN models the router acts as the tunnel endpoint. It also takes on many other functions, such as a firewall. The router's outside IP address may be static or dynamic, and it must be mapped in the router's table. This means: the router's outside interface has its own public IP address, and a tunnel also has an IP address (public or private); the mapping is needed so that it is known which interface this tunnel is forwarded out of.

The branches in this type of deployment connect to each other through separate tunnels and must pass through the DMVPN cloud. The protocol commonly seen between these tunnels is IPSec. To communicate with the headend system we have the Single Tier architecture, in which the mGRE and crypto functions are packaged in one router.

3.6 Single DMVPN Cloud Topology

In this model two headends are used, but they are in the same subnet. The branch offices connect to the centre through mGRE interfaces. And they must also be in the same subnet to communicate internally. This model is not recommended, because it is not highly available and cannot withstand failures. For spoke-to-spoke deployment, deploying on this Single DMVPN model needs to be considered carefully.
The two headends must have identical DMVPN configurations, with IP addresses in the same subnet. They then provide load balancing between the two centres.

Figure 79 Single DMVPN Cloud Topology

So, when it comes to deployment topologies for the DMVPN solution, we have the following summary:

- Deployment models:

Hub-and-Spoke: between the centre and the branches. In Hub-and-Spoke there are two cloud architectures.
o Dual Cloud: multiple subnets
o Single Cloud: one subnet

In both architectures the headend can be deployed in two ways:
o Single Tier: the mGRE and crypto functions on the same router.
o Dual Tier: the mGRE and crypto functions on two different routers.

Spoke-to-Spoke: between the branches.

3.7 Issues when deploying DMVPN
3.7.1 The tunnel mechanism and IP addressing

A tunnel, then, is a mechanism, which people call a pipe, whose function is to hide some data A behind another layer of data B. That is the model, to make it easy to understand; in reality, in communications, the job consists of attaching a separate header to the data, indicating that this is a data packet in B's format.

Figure 80: VPN model with the tunnel mechanism

Figure 81 IP model
Nhn vo m hnh minh ha ny, chng ta cng thy c mt vn c cp n
chnh l a ch IP. Bn thn gi d liu gi t A, c a ch IP ca ring n v ca ch
m n cn n. Khi c tunnel ha i, n mang thm vo mt a ch IP ngun v ch
ca tunnel. Ngi ta gi y l IP tunnel, v giao tip gia hai IP tunnel ny gi l Tunnel

ti: Xy dng h tng mng doanh nghip 164


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

Interface. Nh vy, gia hai u ca tunnel, v mt lun l, bn c th hiu n l mt si


cp mng ni hai im cn giao tip vi nhau.
Mc ch ca vic to tunnel l che du a ch IP private bng a ch IP public, t
gip hai h thng mng private c th giao tip c vi nhau. Ti u gi, a ch IP
private nm trong gi d liu, c gi thnh mt gi d liu mi (ng hn l gn thm
header) mang a ch IP public, v thng qua tunnel n c gi n u nhn c a ch
IP public. Ti u nhn gi d liu c tho ra ly d liu bn trong v tr vo cho
mng private.
3.7.2 The GRE protocol
How is a tunnel obtained? As mentioned, a tunnel is really a matter of prepending a header in an agreed format to the packet to be sent. What is that agreed format? It is defined by the tunnel encapsulation protocols. A few that can be named are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), L2F (Layer 2 Forwarding) and GRE (Generic Routing Encapsulation). Each of them attaches its own data to the packet being sent, and the receiving side must understand that format to decapsulate it correctly.

The practical problem that remains with PPTP, L2TP and L2F is routing. Once a tunnel is up, the two sites connected by it behave as if they were on the same LAN, and behind each of them there may be a whole series of further LANs. The two routers terminating the VPN (where the tunnel is created) are responsible for exchanging routing updates about their internal networks. Those updates are sent as multicast or broadcast (RIPv1 broadcasts; OSPF and EIGRP use multicast), and the public network does not forward multicast or broadcast packets. GRE solves this.

GRE is used to encapsulate routing in non-broadcast network environments. It provides a mechanism to encapsulate any network-layer protocol inside another network-layer protocol, and it is used to carry IP packets from one private network to another across the Internet. A GRE tunnel therefore lets routing protocols run across it, forwarding from the private network to other routers over the Internet, and it encapsulates multicast traffic for transport across the Internet.

Figure 82: GRE example

GRE provides no encryption, so it needs IPsec to encrypt the data in transit. A packet leaving for the public network through GRE is encapsulated per the GRE standard by adding a GRE header of 32 to 160 bits (4 mandatory bytes plus the optional checksum, key and sequence-number fields). GRE can be deployed in two forms: point-to-point (p2p GRE) and multipoint (mGRE). For the DMVPN hub-and-spoke model, mGRE is the one chosen in the configuration.
3.7.3 The NHRP protocol
Two routers joined by a tunnel see each other as if they were on one LAN. The first step in sending data between them is to determine the IP address; from the sender's point of view only the private IP addresses are known. The second step is to find the MAC address that goes with that IP, normally with ARP. ARP, however, cannot work here: the tunnel does not carry ARP packets, so there is no way to discover a MAC address over it. That is why NHRP (Next Hop Resolution Protocol) exists.

NHRP is an ARP-like address resolution protocol that alleviates the problems of NBMA (Non-Broadcast Multiple Access) networks. With NHRP, systems dynamically learn the addresses of other systems attached to the NBMA network, which lets those systems communicate directly without the traffic passing through an intermediate hop.

NHRP is designed to help IP route traffic over NBMA networks. It is not a routing protocol; it is an address-resolution technique that maps IP addresses to NBMA-layer addresses during forwarding. NBMA networks contrast with broadcast networks. On a broadcast network, many hosts and devices share one cable or transmission medium: when a host transmits a frame, every node on the segment hears it, but only the node whose address appears in the frame actually accepts it, which is why the frames are said to be broadcast. An NBMA network instead uses connection-oriented circuits to deliver frames or cells from one end of the circuit to the other; no station other than the two endpoints is involved. IP's connectionless data delivery does not always map neatly onto the connection-oriented links of, for example, ATM.

In DMVPN the "NBMA address" of a peer is its public IP (the tunnel source) and its "protocol address" is its tunnel IP. Each spoke registers that mapping with the hub, which acts as next-hop server, and a spoke that wants to reach another spoke asks the hub to resolve the target's public address.
3.7.4 Tunnel Protection Mode
The typical choice is still IPsec; the crypto can be configured either dynamically or statically on both the headend and the branch routers. From IOS Release 12.2(13)T onwards most IPsec configuration is supported, and that release also introduced the IPsec profile. An IPsec profile is bound to the tunnel interface as tunnel protection and covers all traffic through it, so we no longer need a separate crypto ACL per interface or per peer. Only the subnets that are configured and permitted to communicate over the tunnel are protected by the profile.
3.7.5 Using a routing protocol
The DMVPN design recommends a dynamic routing protocol for routing between headend and branches. Dynamic routing has several advantages over IPsec Direct Encapsulation. In a VPN the routing protocol must deliver the same benefits as in a conventional network, namely:

- Information about the network topology
- Notification of topology changes
- The status of each remote peer

Routing protocols that can be used in a DMVPN design include EIGRP, OSPF, RIPv2 and ODR (hub-and-spoke only). EIGRP is the most strongly recommended because it conserves router CPU cycles and network bandwidth and converges quickly. EIGRP also offers a range of summarisation options and can advertise a default route to the branches.

Routing protocols such as OSPF have also been verified to work, but are not discussed in as much detail. ODR cannot be used in a spoke-to-spoke deployment because ODR does not support split tunnelling.

Dynamic routing increases CPU use on the network devices, so its impact must be considered as the network grows.
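As an added example (not the thesis's own configuration, which runs OSPF in chapter 4), here is what the EIGRP recommendation above looks like on an mGRE hub and one spoke, including the summarisation and split-horizon details that a multipoint interface needs. The AS number 100, the tunnel subnet 100.100.100.0/29 (from the IP plan in chapter 3) and the headquarters summary 192.168.1.0/24 are assumptions.

```cisco
! Added example (not the thesis's configuration): EIGRP over the mGRE tunnel
! of a DMVPN hub and one spoke. AS 100, the tunnel subnet and the HQ summary
! 192.168.1.0/24 are assumptions.
!
! ---- Hub ----
router eigrp 100
 network 100.100.100.0 0.0.0.7
 network 192.168.1.0 0.0.0.255
 ! only the tunnel should form adjacencies; LAN-facing links stay passive
 passive-interface default
 no passive-interface Tunnel100
!
interface Tunnel100
 ! all spokes sit on one mGRE interface: without this the hub would never
 ! re-advertise a prefix learned from spoke A back out to spoke B
 no ip split-horizon eigrp 100
 ! keep the originating spoke as next hop so spoke-to-spoke traffic can be
 ! switched directly (DMVPN phase 2) instead of hairpinning through the hub
 no ip next-hop-self eigrp 100
 ! send the branches one summary for headquarters instead of every VLAN prefix
 ip summary-address eigrp 100 192.168.1.0 255.255.255.0
!
! ---- Spoke (Ha Noi, LANs 192.168.2.0/28 and 192.168.2.16/28) ----
router eigrp 100
 network 100.100.100.0 0.0.0.7
 network 192.168.2.0 0.0.0.31
 ! a stub spoke advertises only its own connected networks and is never
 ! queried by the hub during convergence, which keeps hub CPU down
 eigrp stub connected summary
!
! Verify on the hub: one neighbour per spoke, and the next hop of
! 192.168.2.0/28 is the spoke's tunnel address, not the hub's
! show ip eigrp neighbors
! show ip route eigrp
```

The two interface-level commands on the hub are what distinguish a DMVPN hub from an ordinary point-to-point router: split horizon must be disabled because every spoke is reached through the same interface, and next-hop-self must be disabled if spoke-to-spoke tunnels are wanted.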
3.7.6 Crypto considerations
IPsec supports two encapsulation modes, transport and tunnel. Transport mode encrypts only the payload; the IP header carrying the source and destination addresses is left in clear. Tunnel mode encrypts the whole original packet, header included, and wraps it in a new outer IP header, which protects the addressing information of the inner header. Tunnel mode therefore adds 20 bytes (the outer IPv4 header) to the packet size; transport mode does not. Either mode can be used in a DMVPN deployment. Because the packet being protected is already a GRE packet whose outer header carries the tunnel endpoints, transport mode is the usual choice, saving the 20 bytes.

If the crypto tunnel passes through NAT or PAT, tunnel mode must be used. Likewise, in a dual-tier DMVPN deployment where the GRE tunnel and the crypto tunnel terminate on different routers, tunnel mode is mandatory.
3.7.7 IKE Call Admission Control
Before IOS 12.3 there was no mechanism to control or limit the number and rate of incoming ISAKMP (the protocol used to manage keys and set up connections) authentication requests, so a burst of them could overload the router and saturate the network bandwidth.

IKE Call Admission Control (CAC) was introduced in 12.3 to limit the number of ISAKMP SAs a router accepts, inbound and outbound. By capping the number of crypto sessions that can be created dynamically we prevent the router from being swamped by ISAKMP requests. The right limit depends on the platform, the crypto technology, the network design, the applications and the traffic flows. If you configure an IKE CAC limit lower than the current number of active IKE SAs, a warning is displayed but the existing ISAKMP SAs are not torn down; new ISAKMP SA requests are rejected until the active SA count falls below the configured limit.

CAC offers two approaches to limiting IKE SAs in a DMVPN network. The first is a global resource monitor that polls system resources to make sure that all processes, IKE included, do not overload the router's CPU or memory buffers. The user configures a resource limit as a percentage of system resources from 0 to 100; with a limit of 90%, IKE CAC rejects new ISAKMP SA requests once the system is at 90% utilisation. This is most valuable on headend routers, which can classify and encrypt packets in hardware crypto engines at line rate, and it is useful in hub-and-spoke deployments because a branch router typically hits the resource threshold before it is fully loaded with ISAKMP SAs.

The second approach lets the user configure an absolute limit on the number of ISAKMP SAs. Once the limit is reached, IKE CAC rejects all new ISAKMP SA requests; IPsec SA rekey requests are always allowed so that existing sessions stay intact. This is aimed mainly at branch routers in a spoke-to-spoke deployment: by limiting how many dynamic tunnels can be created, the user stops a router from being flooded if it is suddenly hit by a wave of SA requests. Tuning IKE CAC depends heavily on the specific platform and crypto technology, the network topology and the deployment settings.
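The two limits described above, as an added example on a DMVPN hub (not from the thesis). The numbers are assumptions and must be sized to the platform and the number of spokes.

```cisco
! Added example (not from the thesis): IKE Call Admission Control on a DMVPN hub.
! The numbers are assumptions and must be sized to the platform and spoke count.
!
! Approach 1: global resource monitor. New IKE negotiations are rejected once
! system utilisation (CPU/memory) reaches 90 percent; established SAs are kept.
call admission limit 90
!
! Approach 2: absolute caps. At most 200 ISAKMP SAs in total, and at most 40
! negotiations in progress at once, which bounds the burst when every spoke
! re-registers after a hub reload. IPsec SA rekeys are still admitted.
crypto call admission limit ike sa 200
crypto call admission limit ike in-negotiation-sa 40
!
! Verify: shows the configured limits and how many requests each one rejected
show crypto call admission statistics
```

The in-negotiation cap is the one that matters most under attack or after an outage: a flood of half-open IKE exchanges consumes CPU before any SA is established, so it should be set well below the total SA limit.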
3.8 Comparing conventional VPN with DMVPN
3.8.1 The conventional VPN model

Figure 83: Conventional VPN model

The network consists of a central site (HUB) connected to branch sites (SpokeA and SpokeB) over the Internet. With a conventional VPN (IPsec + GRE), the HUB router needs two tunnels configured, one to SpokeA and one to SpokeB.

Limitations of this model:

- A point-to-point tunnel requires the source and destination IP addresses to be known in advance, so the HUB and every spoke must rent static IP addresses, which is costly.
- The HUB router needs two tunnels, one for SpokeA and one for SpokeB. If the company has many branches, the HUB router needs just as many tunnel configurations.
- Every tunnel comes with its own state (routes, crypto SAs), so the router must hold a fairly large database. This costs a lot of memory and CPU on the HUB router.
- When SpokeA wants to talk to SpokeB it must go through the HUB, which is inflexible.
3.8.2 The DMVPN model
DMVPN removes the limitations above and makes the system more scalable and flexible by using mGRE and NHRP.

Figure 84: DMVPN model

- Spokes no longer need a static address; they can use a dynamic IP address assigned by the ISP, because mGRE only requires the tunnel source to be specified and leaves the destination to be resolved by another protocol. The HUB router, however, still needs a static address.
- The HUB router now needs only a single mGRE tunnel. Adding a spoke requires no change on the HUB, which reduces the load on it.
- With mGRE, resolving the destination address is delegated to another protocol: NHRP.

DMVPN therefore offers many advantages over a conventional VPN.
3.8.3 Advantages of DMVPN
DMVPN makes IPsec VPNs scalable. Its further benefits are:
- Lower configuration complexity on the hub router: new spokes are added automatically without touching the hub configuration.
- Packets are encrypted in transit (when an IPsec profile is bound to the tunnel; mGRE alone provides no confidentiality).
- Support for dynamic routing protocols running over the DMVPN tunnels.
- The ability to build dynamic, direct spoke-to-spoke IPsec tunnels between sites without going through the hub (thanks to mGRE and NHRP).
- Support for spoke routers with dynamic physical IP addresses (assigned by the ISP).

CHAPTER 3. ANALYSIS AND DESIGN OF THE PROJECT

1. Detailed analysis of the model's advantages and disadvantages
1.1 DMVPN and High Availability deployment model for the Vietbank banking system
1.1.1 Model:

Figure 85: Model using DMVPN and HA

1.1.2 Analysis of the services and of the model's advantages and disadvantages

- Service: the model uses DMVPN (Dynamic Multipoint Virtual Private Network). The Da Nang and Ha Noi branches use dynamic IP addresses from the service provider.

- Advantages: DMVPN tunnels, once protected with IPsec, meet the security and data-safety requirements between sites, and we save as much as possible on the cost of buying IP addresses for the branches. Configuration at the hubs is also simpler: a new branch only needs a simple configuration on its own branch router (spoke). Spoke sites are also connected to each other automatically by DMVPN.

- Disadvantages: the spokes must always bring the DMVPN tunnel up towards the hub; a hub cannot initiate a tunnel to a spoke, because it only learns the spoke's (dynamic) public address when the spoke registers via NHRP.

Multicast traffic is restricted.

QoS between spokes is very limited, so delay-sensitive applications such as VoIP and video are often unstable.

2. Requirements analysis and selection of the model for Vietbank

- Secure connectivity between the branches and headquarters over the ISP's Internet service.
- Minimise the cost of buying static IP addresses.
- Apply security policy per department and per employee.
- High availability at headquarters with redundant routers and switches.
- Redundancy at headquarters with backup switches, using VTP to distribute the department VLANs.
- A consistently stable connection between headquarters and the branches.

There are many ways and scenarios that can address these points, but very few address them completely while also meeting the requirement most businesses care about: the cost of building and operating the system. For that reason I chose DMVPN.

2.1 Model design

OVERALL NETWORK CONNECTION DIAGRAM

Figure 86: Overview of the connection between headquarters and the branches

OVERALL DIAGRAM OF THE HO CHI MINH CITY HEADQUARTERS

Figure 87: Overview of the Ho Chi Minh City headquarters

OVERALL DIAGRAM OF THE HA NOI BRANCH

[Figure content: Management office (Phong Quan Ly): 4 PCs and 8 laptops, network 192.168.2.0/28. Consulting office (Phong Tu Van): 6 PCs, network 192.168.2.16/28. Internet access over FPT ADSL; DMVPN to headquarters.]

Figure 88: Overview of the Ha Noi branch

OVERALL DIAGRAM OF THE DA NANG BRANCH

[Figure content: Management office (Phong Quan Ly): 4 PCs, network 192.168.3.32/28 (the IP plan and the configuration in chapter 4 use 192.168.3.32/29). Sales office (Phong Kinh Doanh): 12 PCs, network 192.168.3.0/28. Consulting office (Phong Tu Van): 8 PCs, network 192.168.3.16/28. Internet access over FPT ADSL; DMVPN to headquarters.]

Figure 89: Overview of the Da Nang branch

2.2 IP address plan

Device      Interface    IP address          OSPF     Note
ISP         S1/0         113.190.46.1/30              to NAT-HN
ISP         S1/1         113.190.47.1/30              to NAT-DN
ISP         S1/2         113.190.48.1/30              to R-DN
ISP         S1/3         113.190.49.1/30              to R-HN
NAT-HN      S1/0         113.190.46.2/30              Internet uplink
NAT-HN      F0/0         172.16.1.2/30       Area 1   to SW-CORE1
NAT-HN      F0/1         172.16.2.2/30       Area 1   to SW-CORE2
NAT-HN      Tunnel 100   100.100.100.1/29    Area 1   DMVPN hub, cloud 100
NAT-DN      S1/1         113.190.47.2/30              Internet uplink
NAT-DN      F0/0         172.16.3.2/30       Area 1   to SW-CORE1
NAT-DN      F0/1         172.16.4.2/30       Area 1   to SW-CORE2
NAT-DN      Tunnel 200   200.200.200.1/29    Area 1   DMVPN hub, cloud 200
SW-CORE1    F1/0 - 1                                  Port-channel 1
SW-CORE1    F1/2 - 3                                  Port-channel 2
SW-CORE1    F1/4 - 5                                  Port-channel 3
SW-CORE2    F1/0 - 1                                  Port-channel 1
SW-CORE2    F1/2 - 3                                  Port-channel 2
SW-CORE2    F1/4 - 5                                  Port-channel 3
SW-ACCESS1  F1/2 - 3                                  Port-channel 2
SW-ACCESS1  F1/4 - 5                                  Port-channel 3
SW-ACCESS1  F1/6 - 7                                  VLAN 10 GIAMDOC
SW-ACCESS1  F1/8 - 9                                  VLAN 20 IT
SW-ACCESS1  F1/10 - 11                                VLAN 30 KINHDOANH
SW-ACCESS1  F1/12 - 13                                VLAN 40 NHANSU
SW-ACCESS1  F1/14 - 15                                VLAN 50 KETOAN
SW-ACCESS2  F1/2 - 3                                  Port-channel 2
SW-ACCESS2  F1/4 - 5                                  Port-channel 3
SW-ACCESS2  F1/6 - 7                                  VLAN 10 GIAMDOC
SW-ACCESS2  F1/8 - 9                                  VLAN 20 IT
SW-ACCESS2  F1/10 - 11                                VLAN 30 KINHDOANH
SW-ACCESS2  F1/12 - 13                                VLAN 40 NHANSU
SW-ACCESS2  F1/14 - 15                                VLAN 50 KETOAN
R-HN        S1/3         113.190.49.2/30              Internet uplink
R-HN        F0/0.10      192.168.2.1/28      Area 1   VLAN 10 QUANLY
R-HN        F0/0.20      192.168.2.17/28     Area 1   VLAN 20 TUVAN
R-HN        Tunnel 100   100.100.100.2/29    Area 1   spoke, cloud 100
R-HN        Tunnel 200   200.200.200.2/29    Area 1   spoke, cloud 200
SW-HN       F1/1 - 5                                  VLAN 10 QUANLY
SW-HN       F1/6 - 10                                 VLAN 20 TUVAN
R-DN        S1/2         113.190.48.2/30              Internet uplink
R-DN        F0/0.10      192.168.3.1/28      Area 1   VLAN 10 KINHDOANH
R-DN        F0/0.20      192.168.3.17/28     Area 1   VLAN 20 TUVAN
R-DN        F0/0.30      192.168.3.33/29     Area 1   VLAN 30 QUANLY
R-DN        Tunnel 100   100.100.100.3/29    Area 1   spoke, cloud 100
R-DN        Tunnel 200   200.200.200.3/29    Area 1   spoke, cloud 200
SW-DN       F1/1 - 5                                  VLAN 10 KINHDOANH
SW-DN       F1/6 - 10                                 VLAN 20 TUVAN
SW-DN       F1/11 - 15                                VLAN 30 QUANLY

Headquarters VLAN subnets (used in the HSRP and DHCP configuration in chapter 4): VLAN 10 GIAMDOC 192.168.1.48/28 (virtual gateway .50), VLAN 20 IT 192.168.1.80/28 (.82), VLAN 30 KINHDOANH 192.168.1.0/27 (.2), VLAN 40 NHANSU 192.168.1.64/28 (.66), VLAN 50 KETOAN 192.168.1.32/28 (.34).

Note that 200.200.200.0/29 is publicly routable address space that belongs to someone else; in a real deployment the tunnel subnets should be taken from RFC 1918 space.

3. Equipment cost summary

Item                 Model                     Qty   Unit price (USD)
Cisco router         Cisco 7200                4     4,400
Cisco L2 switch      WS-C2960S-24TS-S          4     1,100
Cisco L3 switch      WS-C3560-24TS-E           2     4,000
Cable                Golden Link Cat 6 SFTP    6     100
Rack 27U series 600  ECP-27W600                3     300
Total                                                31,500

4. Model and deployed services

4.1 Model

Figure 90: Lab diagram for the project

4.2 Deployed services
- At the Ho Chi Minh City site, end users on the internal LAN connect to the core switches through the Layer 2 access switches, one per department cluster. The Layer 3 (core) switches act as DHCP servers and hand out addresses to every department, each on its own VLAN.
- The core switches are also the VTP servers that distribute VLAN information to the Layer 2 switches, which assign ports to VLANs. The core switches bundle pairs of links into EtherChannels to increase LAN bandwidth and keep the whole system available.
- The two routers at the Ho Chi Minh City site are configured with the tunnels that implement DMVPN, to be combined with IPsec. First-hop redundancy for the LAN gateways is provided by HSRP on the two core switches (section 6), so that a single failure does not stop the system.
- The WAN environment is MPLS.
- The Ha Noi and Da Nang sites each have one Layer 2 switch with VLANs configured and ports assigned per department. The router at each of these two sites is a spoke in the DMVPN.
CHAPTER 4. IMPLEMENTATION
1. Configure hostname, passwords and IP addresses (enable, console and vty passwords)
Router>enable
Router#configure terminal
Router(config)#hostname ISP
ISP(config)#banner motd "ROUTER ISP"
ISP(config)#line console 0
ISP(config-line)#password VietBankconsole
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#line vty 0 4
ISP(config-line)#password VietBankvty
ISP(config-line)#login
ISP(config-line)#exit
ISP(config)#enable secret VietBank
ISP(config)#service password-encryption
Assign an IP address to each interface of ISP.
The remaining devices are configured the same way.
Note that service password-encryption only obscures the line passwords with the reversible type 7 scheme; only enable secret is stored as a hash. The vty lines as configured accept Telnet, which carries the password in clear text; section 9 restricts who may reach them, and SSH should be used in place of Telnet.
2. Configure trunking and EtherChannel
Trunking:
SW-CORE1 & SW-CORE2 (on switches whose trunk encapsulation defaults to auto, the encapsulation must be set before the port can be put into trunk mode, so the two commands are given in that order):
SW-CORE1(config)#interface range f1/0 - 5
SW-CORE1(config-if-range)#switchport trunk encapsulation dot1q
SW-CORE1(config-if-range)#switchport mode trunk

SW-CORE2(config)#interface range f1/0 - 5
SW-CORE2(config-if-range)#switchport trunk encapsulation dot1q
SW-CORE2(config-if-range)#switchport mode trunk

SW-ACCESS1 & SW-ACCESS2:

SW-ACCESS1(config)#interface range f1/2 - 5
SW-ACCESS1(config-if-range)#switchport trunk encapsulation dot1q
SW-ACCESS1(config-if-range)#switchport mode trunk

SW-ACCESS2(config)#interface range f1/2 - 5
SW-ACCESS2(config-if-range)#switchport trunk encapsulation dot1q
SW-ACCESS2(config-if-range)#switchport mode trunk

SW-HN & SW-DN (uplink to the branch router):

SW-HN(config)#interface f1/0
SW-HN(config-if)#switchport trunk encapsulation dot1q
SW-HN(config-if)#switchport mode trunk

SW-DN(config)#interface f1/0
SW-DN(config-if)#switchport trunk encapsulation dot1q
SW-DN(config-if)#switchport mode trunk

EtherChannel:
SW-CORE1(config)#interface range f1/0 - 1
SW-CORE1(config-if-range)#channel-group 1 mode on
SW-CORE1(config)#interface range f1/2 - 3
SW-CORE1(config-if-range)#channel-group 2 mode on
SW-CORE1(config)#interface range f1/4 - 5
SW-CORE1(config-if-range)#channel-group 3 mode on

Figure 91: EtherChannel on SW-CORE1

SW-ACCESS2(config)#interface range f1/2 - 3
SW-ACCESS2(config-if-range)#channel-group 2 mode on
SW-ACCESS2(config)#interface range f1/4 - 5
SW-ACCESS2(config-if-range)#channel-group 3 mode on

Figure 92: EtherChannel on SW-ACCESS2

The same configuration is applied on SW-CORE2 and SW-ACCESS1. Port-channel 1 bundles the two links between the core switches; Port-channels 2 and 3 are the downlinks to the access switches. "mode on" builds a static bundle with no negotiation protocol, so a mismatch on the far end is not detected; LACP ("mode active" on both sides) is the safer choice.
3. Configure VTP
SW-CORE1 & SW-CORE2 as VTP servers:
SW-CORE1(config)#vtp mode server
SW-CORE1(config)#vtp domain vietbank.com
SW-CORE1(config)#vtp password vietbank
SW-CORE1(config)#vtp pruning

Figure 93: VTP on SW-CORE1

SW-CORE2(config)#vtp mode server
SW-CORE2(config)#vtp domain vietbank.com
SW-CORE2(config)#vtp password vietbank
SW-CORE2(config)#vtp pruning

SW-ACCESS1 & SW-ACCESS2 as VTP clients:

SW-ACCESS1(config)#vtp mode client
SW-ACCESS1(config)#vtp domain vietbank.com
SW-ACCESS1(config)#vtp password vietbank

Figure 94: VTP on SW-ACCESS1

SW-ACCESS2(config)#vtp mode client
SW-ACCESS2(config)#vtp domain vietbank.com
SW-ACCESS2(config)#vtp password vietbank

One caveat with VTP in server/client mode: any switch that joins the domain with the right password and a higher configuration revision number overwrites the VLAN database on every other switch, servers included. A reused switch must have its revision reset (by changing its VTP domain name and back, or putting it in transparent mode first) before it is connected.
4. Create VLANs and assign ports

Create the VLANs on SW-CORE1, SW-HN and SW-DN (the vlan database mode below is the legacy way; in global configuration mode the equivalent is vlan 10 followed by name giamdoc). SW-CORE2 and the access switches receive the VLANs through VTP.
SW-CORE1#vlan database
SW-CORE1(vlan)#vlan 10 name giamdoc
SW-CORE1(vlan)#vlan 20 name it
SW-CORE1(vlan)#vlan 30 name kinhdoanh
SW-CORE1(vlan)#vlan 40 name nhansu
SW-CORE1(vlan)#vlan 50 name ketoan

Figure 95: VLANs on SW-CORE1

SW-HN#vlan database
SW-HN(vlan)#vlan 10 name quanly
SW-HN(vlan)#vlan 20 name tuvan

SW-DN#vlan database
SW-DN(vlan)#vlan 10 name kinhdoanh
SW-DN(vlan)#vlan 20 name tuvan
SW-DN(vlan)#vlan 30 name quanly

Assign ports on SW-ACCESS1, SW-ACCESS2, SW-HN and SW-DN

SW-ACCESS1(config)#interface range f1/6 - 7
SW-ACCESS1(config-if-range)#switchport mode access
SW-ACCESS1(config-if-range)#switchport access vlan 10
SW-ACCESS1(config)#interface range f1/8 - 9
SW-ACCESS1(config-if-range)#switchport mode access
SW-ACCESS1(config-if-range)#switchport access vlan 20
SW-ACCESS1(config)#interface range f1/10 - 11
SW-ACCESS1(config-if-range)#switchport mode access
SW-ACCESS1(config-if-range)#switchport access vlan 30
SW-ACCESS1(config)#interface range f1/12 - 13
SW-ACCESS1(config-if-range)#switchport mode access
SW-ACCESS1(config-if-range)#switchport access vlan 40
SW-ACCESS1(config)#interface range f1/14 - 15
SW-ACCESS1(config-if-range)#switchport mode access
SW-ACCESS1(config-if-range)#switchport access vlan 50

Figure 96: Port-to-VLAN assignment on SW-ACCESS1

Port assignment on SW-HN
SW-HN(config)#interface range f1/1 - 5
SW-HN(config-if-range)#switchport mode access
SW-HN(config-if-range)#switchport access vlan 10
SW-HN(config)#interface range f1/6 - 10
SW-HN(config-if-range)#switchport mode access
SW-HN(config-if-range)#switchport access vlan 20

Port assignment on SW-DN

SW-DN(config)#interface range f1/1 - 5
SW-DN(config-if-range)#switchport mode access
SW-DN(config-if-range)#switchport access vlan 10
SW-DN(config)#interface range f1/6 - 10
SW-DN(config-if-range)#switchport mode access
SW-DN(config-if-range)#switchport access vlan 20
SW-DN(config)#interface range f1/11 - 15
SW-DN(config-if-range)#switchport mode access
SW-DN(config-if-range)#switchport access vlan 30
5. Configure Spanning Tree
On SW-CORE1, make VLANs 10, 30 and 50 root primary:
SW-CORE1(config)#spanning-tree vlan 10 root primary
SW-CORE1(config)#spanning-tree vlan 30 root primary
SW-CORE1(config)#spanning-tree vlan 50 root primary
and VLANs 20 and 40 root secondary:
SW-CORE1(config)#spanning-tree vlan 20 root secondary
SW-CORE1(config)#spanning-tree vlan 40 root secondary

On SW-CORE2, make VLANs 20 and 40 root primary:

SW-CORE2(config)#spanning-tree vlan 20 root primary
SW-CORE2(config)#spanning-tree vlan 40 root primary
and VLANs 10, 30 and 50 root secondary:

SW-CORE2(config)#spanning-tree vlan 10 root secondary
SW-CORE2(config)#spanning-tree vlan 30 root secondary
SW-CORE2(config)#spanning-tree vlan 50 root secondary

The root placement matches the HSRP active gateway per VLAN in section 6 (SW-CORE1 for VLANs 10, 30, 50; SW-CORE2 for VLANs 20, 40), so that traffic for a VLAN does not have to cross the inter-core link to reach its gateway.
6. Configure HSRP
On SW-CORE1
SW-CORE1(config)#interface vlan 10
SW-CORE1(config-if)#ip address 192.168.1.49 255.255.255.240
SW-CORE1(config-if)#standby 10 ip 192.168.1.50
SW-CORE1(config-if)#standby 10 priority 150
SW-CORE1(config-if)#standby 10 preempt
SW-CORE1(config-if)#standby 10 track port-channel 2 55
SW-CORE1(config-if)#standby 10 authentication 10

Figure 97: HSRP for VLAN 10 on SW-CORE1

SW-CORE1(config)#interface vlan 20
SW-CORE1(config-if)#ip address 192.168.1.81 255.255.255.240
SW-CORE1(config-if)#standby 20 ip 192.168.1.82
SW-CORE1(config-if)#standby 20 preempt
SW-CORE1(config-if)#standby 20 track port-channel 2
SW-CORE1(config-if)#standby 20 authentication 20

Figure 98: HSRP for VLAN 20 on SW-CORE1

SW-CORE1(config)#interface vlan 30
SW-CORE1(config-if)#ip address 192.168.1.1 255.255.255.224
SW-CORE1(config-if)#standby 30 ip 192.168.1.2
SW-CORE1(config-if)#standby 30 priority 150
SW-CORE1(config-if)#standby 30 preempt
SW-CORE1(config-if)#standby 30 track port-channel 2 70
SW-CORE1(config-if)#standby 30 authentication 30

Figure 99: HSRP for VLAN 30 on SW-CORE1

SW-CORE1(config)#interface vlan 40
SW-CORE1(config-if)#ip address 192.168.1.65 255.255.255.240
SW-CORE1(config-if)#standby 40 ip 192.168.1.66
SW-CORE1(config-if)#standby 40 preempt
SW-CORE1(config-if)#standby 40 track port-channel 2
SW-CORE1(config-if)#standby 40 authentication 40

Figure 100: HSRP for VLAN 40 on SW-CORE1

SW-CORE1(config)#interface vlan 50
SW-CORE1(config-if)#ip address 192.168.1.33 255.255.255.240
SW-CORE1(config-if)#standby 50 ip 192.168.1.34
SW-CORE1(config-if)#standby 50 priority 150
SW-CORE1(config-if)#standby 50 preempt
SW-CORE1(config-if)#standby 50 track port-channel 2 75
SW-CORE1(config-if)#standby 50 authentication 50

Figure 101: HSRP for VLAN 50 on SW-CORE1

On SW-CORE2
SW-CORE2(config)#interface vlan 10
SW-CORE2(config-if)#ip address 192.168.1.51 255.255.255.240
SW-CORE2(config-if)#standby 10 ip 192.168.1.50
SW-CORE2(config-if)#standby 10 preempt
SW-CORE2(config-if)#standby 10 track port-channel 2
SW-CORE2(config-if)#standby 10 authentication 10

Figure 102: HSRP for VLAN 10 on SW-CORE2

SW-CORE2(config)#interface vlan 20
SW-CORE2(config-if)#ip address 192.168.1.83 255.255.255.240
SW-CORE2(config-if)#standby 20 ip 192.168.1.82
SW-CORE2(config-if)#standby 20 priority 150
SW-CORE2(config-if)#standby 20 preempt
SW-CORE2(config-if)#standby 20 track port-channel 2 60
SW-CORE2(config-if)#standby 20 authentication 20

Figure 103: HSRP for VLAN 20 on SW-CORE2

SW-CORE2(config)#interface vlan 30
SW-CORE2(config-if)#ip address 192.168.1.3 255.255.255.224
SW-CORE2(config-if)#standby 30 ip 192.168.1.2
SW-CORE2(config-if)#standby 30 preempt
SW-CORE2(config-if)#standby 30 track port-channel 2
SW-CORE2(config-if)#standby 30 authentication 30

Figure 104: HSRP for VLAN 30 on SW-CORE2

SW-CORE2(config)#interface vlan 40
SW-CORE2(config-if)#ip address 192.168.1.67 255.255.255.240
SW-CORE2(config-if)#standby 40 ip 192.168.1.66
SW-CORE2(config-if)#standby 40 priority 150
SW-CORE2(config-if)#standby 40 preempt
SW-CORE2(config-if)#standby 40 track port-channel 2 65
SW-CORE2(config-if)#standby 40 authentication 40

Figure 105: HSRP for VLAN 40 on SW-CORE2

SW-CORE2(config)#interface vlan 50
SW-CORE2(config-if)#ip address 192.168.1.35 255.255.255.240
SW-CORE2(config-if)#standby 50 ip 192.168.1.34
SW-CORE2(config-if)#standby 50 preempt
SW-CORE2(config-if)#standby 50 track port-channel 2
SW-CORE2(config-if)#standby 50 authentication 50

Figure 106: HSRP for VLAN 50 on SW-CORE2

Two points about this configuration. First, the decrements on the active side (55, 70, 75 on SW-CORE1; 60, 65 on SW-CORE2) are chosen so that 150 minus the decrement falls below the peer's default priority of 100; that, together with preempt on the peer, is what makes a Port-channel 2 failure actually move the active role. Second, standby N authentication N is a plaintext key equal to the group number and is no obstacle to a rogue HSRP speaker on the VLAN; MD5 authentication with a key chain should be used instead.
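Added example (not the thesis's own configuration): the VLAN 10 group on SW-CORE1 with MD5 authentication and object tracking in place of the plaintext key and interface tracking used above. The key-chain name and key string are assumptions; SW-CORE2 must carry the same key chain for the group to form.

```cisco
! Added example (not the thesis's configuration): VLAN 10 gateway on SW-CORE1
! with MD5-authenticated HSRP and object tracking. Key-chain name and key
! string are assumptions; SW-CORE2 needs the identical key chain.
key chain HSRP-KEYS
 key 1
  key-string Hsrp-Vl10-K3y-2015
!
! Track the downlink to the access layer by line protocol instead of using
! the legacy "standby track <interface>" form
track 1 interface Port-channel2 line-protocol
!
interface Vlan10
 ip address 192.168.1.49 255.255.255.240
 standby version 2
 standby 10 ip 192.168.1.50
 standby 10 priority 150
 ! wait 30 s after a reload before taking the active role back, so that
 ! OSPF has converged before this switch starts forwarding for the VLAN
 standby 10 preempt delay minimum 30
 standby 10 authentication md5 key-chain HSRP-KEYS
 ! 150 - 55 = 95 < 100 (SW-CORE2's default priority): a Port-channel2
 ! failure hands the active role to SW-CORE2
 standby 10 track 1 decrement 55
!
! Verify: state "Active" on SW-CORE1, and the authentication line reads MD5
! show standby vlan 10
! show track 1
```

A peer that sends hellos with the wrong key (or none) is ignored, so a host on VLAN 10 that claims priority 255 can no longer take over the virtual gateway address.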


7. Configure DHCP for the Ho Chi Minh City headquarters
SW-CORE1(config)#ip dhcp pool kinhdoanh
SW-CORE1(dhcp-config)#network 192.168.1.0 255.255.255.224
SW-CORE1(dhcp-config)#default-router 192.168.1.2
SW-CORE1(dhcp-config)#dns-server 8.8.8.8
SW-CORE1(config)#ip dhcp pool giamdoc
SW-CORE1(dhcp-config)#network 192.168.1.48 255.255.255.240
SW-CORE1(dhcp-config)#default-router 192.168.1.50
SW-CORE1(dhcp-config)#dns-server 8.8.8.8

Figure 107: IP addresses handed out by the DHCP server

Figure 108: DHCP lease in VLAN 10 (Giam doc)

SW-CORE1(config)#ip dhcp pool it
SW-CORE1(dhcp-config)#network 192.168.1.80 255.255.255.240
SW-CORE1(dhcp-config)#default-router 192.168.1.82
SW-CORE1(dhcp-config)#dns-server 8.8.8.8
SW-CORE1(config)#ip dhcp pool nhansu
SW-CORE1(dhcp-config)#network 192.168.1.64 255.255.255.240
SW-CORE1(dhcp-config)#default-router 192.168.1.66
SW-CORE1(dhcp-config)#dns-server 8.8.8.8
SW-CORE1(config)#ip dhcp pool ketoan
SW-CORE1(dhcp-config)#network 192.168.1.32 255.255.255.240
SW-CORE1(dhcp-config)#default-router 192.168.1.34
SW-CORE1(dhcp-config)#dns-server 8.8.8.8
The same configuration is applied on SW-CORE2.

The default gateway in every pool is the HSRP virtual address from section 6. Two things are missing from the pools as written: the physical and virtual gateway addresses of each VLAN (for example .49, .50 and .51 in VLAN 10) are not excluded from allocation, and the DNS server 8.8.8.8 is only reachable from the IT and Giam doc subnets, because those are the only ones translated by the NAT rules in section 10; hosts in the other VLANs need an internal resolver.
8. Configure OSPF for the Ho Chi Minh City headquarters

NAT-HN(config)#router ospf 1
NAT-HN(config-router)#network 172.16.1.0 0.0.0.3 area 1
NAT-HN(config-router)#network 172.16.2.0 0.0.0.3 area 1

NAT-DN(config)#router ospf 1
NAT-DN(config-router)#network 172.16.3.0 0.0.0.3 area 1
NAT-DN(config-router)#network 172.16.4.0 0.0.0.3 area 1

SW-CORE1(config)#router ospf 1
SW-CORE1(config-router)#network 172.16.1.0 0.0.0.3 area 1
SW-CORE1(config-router)#network 172.16.3.0 0.0.0.3 area 1
SW-CORE1(config-router)#network 192.168.1.48 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.80 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.0 0.0.0.31 area 1
SW-CORE1(config-router)#network 192.168.1.64 0.0.0.15 area 1
SW-CORE1(config-router)#network 192.168.1.32 0.0.0.15 area 1

SW-CORE2(config)#router ospf 1
SW-CORE2(config-router)#network 172.16.2.0 0.0.0.3 area 1
SW-CORE2(config-router)#network 172.16.4.0 0.0.0.3 area 1
SW-CORE2(config-router)#network 192.168.1.48 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.80 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.0 0.0.0.31 area 1
SW-CORE2(config-router)#network 192.168.1.64 0.0.0.15 area 1
SW-CORE2(config-router)#network 192.168.1.32 0.0.0.15 area 1

Everything, including the DMVPN tunnels in section 13, is placed in area 1. A single non-backbone area works as long as it stays the only area; adding a second area later would require area 0.
9. Configure an ACL so that only the IT department can telnet to the routers
NAT-HN(config)#access-list 10 permit 192.168.1.80 0.0.0.15
NAT-HN(config)#access-list 10 deny any
NAT-HN(config)#line vty 0 4
NAT-HN(config-line)#access-class 10 in

Figure 109: Telnet from Ke toan (accounting) is refused

Figure 110: Telnet from IT succeeds

The same is done on router NAT-DN. The ACL limits who can reach the vty lines, but Telnet still sends the vty password (section 1) in clear text across the LAN, where anyone on the path can read it.
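Added example, not the thesis's own configuration: the same access-list 10 restriction, but with the vty lines accepting only SSH and authenticating against a local user. The domain name, username, password and key size are assumptions.

```cisco
! Added example (not the thesis's configuration): management access to NAT-HN
! restricted to the IT subnet, over SSH only. Domain name, username, password
! and key size are assumptions. hostname and ip domain-name must both be set
! before the RSA key can be generated.
ip domain-name vietbank.com
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
! local account used by "login local"; "secret" stores a hash, "password" would not
username itadmin privilege 15 secret Ch4ngeMe-ITadmin-2015
! same restriction as access-list 10 above, with denied attempts logged
access-list 10 remark vty access: IT subnet only
access-list 10 permit 192.168.1.80 0.0.0.15
access-list 10 deny any log
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! Verify: "show ip ssh" reports version 2 enabled; "show access-lists 10"
! shows the deny counter increasing when a host outside 192.168.1.80/28 tries
```

With transport input ssh the Telnet listener is closed entirely, so the clear-text vty password from section 1 is no longer used on this router; the access-class still applies, so even an SSH attempt from the accounting VLAN is dropped before authentication.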
10. Configure NAT so that only the IT and Giam doc departments reach the Internet
NAT-HN(config)#access-list 1 permit 192.168.1.48 0.0.0.15
NAT-HN(config)#access-list 1 permit 192.168.1.80 0.0.0.15
NAT-HN(config)#access-list 1 deny any
NAT-HN(config)#ip nat inside source list 1 interface serial 1/0 overload
NAT-HN(config)#interface serial 1/0
NAT-HN(config-if)#ip nat outside
NAT-HN(config)#interface f0/0
NAT-HN(config-if)#ip nat inside
NAT-HN(config)#interface f0/1
NAT-HN(config-if)#ip nat inside
Create the default route and advertise it into OSPF:
NAT-HN(config)#ip route 0.0.0.0 0.0.0.0 serial 1/0
NAT-HN(config)#router ospf 1
NAT-HN(config-router)#default-information originate

Figure 111: Checking NAT on NAT-HN

The same is done on router NAT-DN. Because the tunnel interfaces are not marked as NAT outside, traffic between headquarters and the branches that leaves through Tunnel 100 or Tunnel 200 is not translated; only traffic that exits directly through serial 1/0 from the two permitted subnets is.
11. Configure inter-VLAN routing on routers R-HN and R-DN
R-HN(config)#interface f0/0
R-HN(config-if)#no shutdown
R-HN(config)#interface f0/0.10
R-HN(config-subif)#encapsulation dot1Q 10
R-HN(config-subif)#ip address 192.168.2.1 255.255.255.240
R-HN(config)#interface f0/0.20
R-HN(config-subif)#encapsulation dot1Q 20
R-HN(config-subif)#ip address 192.168.2.17 255.255.255.240

R-DN(config)#interface f0/0
R-DN(config-if)#no shutdown
R-DN(config)#interface f0/0.10
R-DN(config-subif)#encapsulation dot1Q 10
R-DN(config-subif)#ip address 192.168.3.1 255.255.255.240
R-DN(config)#interface f0/0.20
R-DN(config-subif)#encapsulation dot1Q 20
R-DN(config-subif)#ip address 192.168.3.17 255.255.255.240
R-DN(config)#interface f0/0.30
R-DN(config-subif)#encapsulation dot1Q 30
R-DN(config-subif)#ip address 192.168.3.33 255.255.255.248
12. Configure DHCP for the HN and DN branches
R-HN(config)#ip dhcp pool quanly
R-HN(dhcp-config)#network 192.168.2.0 255.255.255.240
R-HN(dhcp-config)#default-router 192.168.2.1
R-HN(dhcp-config)#dns-server 8.8.8.8
R-HN(config)#ip dhcp pool tuvan
R-HN(dhcp-config)#network 192.168.2.16 255.255.255.240
R-HN(dhcp-config)#default-router 192.168.2.17
R-HN(dhcp-config)#dns-server 8.8.8.8

Figure 112: DHCP leases handed out by R-HN

R-DN(config)#ip dhcp pool kinhdoanh
R-DN(dhcp-config)#network 192.168.3.0 255.255.255.240
R-DN(dhcp-config)#default-router 192.168.3.1
R-DN(dhcp-config)#dns-server 8.8.8.8
R-DN(config)#ip dhcp pool tuvan
R-DN(dhcp-config)#network 192.168.3.16 255.255.255.240
R-DN(dhcp-config)#default-router 192.168.3.17
R-DN(dhcp-config)#dns-server 8.8.8.8
R-DN(config)#ip dhcp pool quanly
R-DN(dhcp-config)#network 192.168.3.32 255.255.255.248
R-DN(dhcp-config)#default-router 192.168.3.33
R-DN(dhcp-config)#dns-server 8.8.8.8

13. Cu hnh DMVPN Dual-Hub-Dual Layout


13.1 Trn NAT-HN to tunnel 100
NAT-HN (config)#interface tunnel 100
NAT-HN (config-if)#ip address 100.100.100.1 255.255.255.248
NAT-HN (config-if)#no ip redirects
NAT-HN (config-if)#ip nhrp network-id 100
NAT-HN (config-if)#ip ospf network non-broadcast
NAT-HN (config-if)#ip ospf cost 10
NAT-HN (config-if)#ip ospf priority 200
NAT-HN (config-if)#tunnel source serial 1/0
NAT-HN (config-if)#tunnel mode gre multipoint
NAT-HN (config-if)#tunnel key 100

Hnh 113 Tunnel trn NAT-HN


13.2 Trn NAT-DN to tunnel 200
NAT-DN (config)#interface tunnel 200
NAT-DN (config-if)#ip address 200.200.200.1 255.255.255.248
NAT-DN (config-if)#no ip redirects
NAT-DN (config-if)#ip nhrp network-id 200
NAT-DN (config-if)#ip ospf network non-broadcast
NAT-DN (config-if)#ip ospf cost 100
NAT-DN (config-if)#ip ospf priority 200
NAT-DN (config-if)#tunnel source serial 1/1

ti: Xy dng h tng mng doanh nghip 203


137C Nguyn Ch Thanh, P.9, Qun 5, Tp.HCM

NAT-DN (config-if)#tunnel mode gre multipoint
NAT-DN (config-if)#tunnel key 200

Figure 114: Tunnel on NAT-DN.


13.3 On R-HN, create tunnel 100 and tunnel 200
R-HN(config)#interface tunnel 100
R-HN(config-if)#ip address 100.100.100.2 255.255.255.248
R-HN(config-if)#ip nhrp map 100.100.100.1 113.190.46.2
R-HN(config-if)#ip nhrp network-id 100
R-HN(config-if)#ip nhrp nhs 100.100.100.1
R-HN(config-if)#ip ospf network non-broadcast
R-HN(config-if)#ip ospf cost 10
R-HN(config-if)#ip ospf priority 0
R-HN(config-if)#tunnel source serial 1/3
R-HN(config-if)#tunnel destination 113.190.46.2
R-HN(config-if)#tunnel key 100

Figure 115: Tunnels on R-HN.


R-HN(config)#interface tunnel 200
R-HN(config-if)#ip address 200.200.200.2 255.255.255.248
R-HN(config-if)#ip nhrp map 200.200.200.1 113.190.47.2
R-HN(config-if)#ip nhrp network-id 200
R-HN(config-if)#ip nhrp nhs 200.200.200.1
R-HN(config-if)#ip ospf network non-broadcast
R-HN(config-if)#ip ospf cost 100
R-HN(config-if)#ip ospf priority 0
R-HN(config-if)#tunnel source serial 1/3
R-HN(config-if)#tunnel destination 113.190.47.2
R-HN(config-if)#tunnel key 200

13.4 On R-DN, create tunnel 100 and tunnel 200


R-DN(config)#interface tunnel 100
R-DN(config-if)#ip address 100.100.100.3 255.255.255.248
R-DN(config-if)#ip nhrp map 100.100.100.1 113.190.46.2
R-DN(config-if)#ip nhrp network-id 100
R-DN(config-if)#ip nhrp nhs 100.100.100.1
R-DN(config-if)#ip ospf network non-broadcast
R-DN(config-if)#ip ospf cost 10
R-DN(config-if)#ip ospf priority 0
R-DN(config-if)#tunnel source serial 1/2
R-DN(config-if)#tunnel destination 113.190.46.2
R-DN(config-if)#tunnel key 100

Figure 116: Tunnels on R-DN.


R-DN(config)#interface tunnel 200
R-DN(config-if)#ip address 200.200.200.3 255.255.255.248
R-DN(config-if)#ip nhrp map 200.200.200.1 113.190.47.2
R-DN(config-if)#ip nhrp network-id 200
R-DN(config-if)#ip nhrp nhs 200.200.200.1
R-DN(config-if)#ip ospf network non-broadcast
R-DN(config-if)#ip ospf cost 100
R-DN(config-if)#ip ospf priority 0
R-DN(config-if)#tunnel source serial 1/2
R-DN(config-if)#tunnel destination 113.190.47.2
R-DN(config-if)#tunnel key 200

13.5 OSPF routing between the tunnels and the internal networks
Each hub lists only the spokes on its own tunnel subnet as OSPF neighbours. With `ip ospf network non-broadcast` the hub (priority 200, hence the DR) sends unicast hellos to these addresses, and the spokes (priority 0) need no neighbour statements of their own. A neighbour address that is not on a locally attached tunnel subnet can never form an adjacency, so NAT-HN must not list the 200.200.200.x addresses and NAT-DN must not list the 100.100.100.x addresses.
NAT-HN(config)#router ospf 1
NAT-HN (config-router)#network 100.100.100.0 0.0.0.7 area 1
NAT-HN (config-router)#neighbor 100.100.100.2
NAT-HN (config-router)#neighbor 100.100.100.3

NAT-DN (config)#router ospf 1
NAT-DN (config-router)#network 200.200.200.0 0.0.0.7 area 1
NAT-DN (config-router)#neighbor 200.200.200.2
NAT-DN (config-router)#neighbor 200.200.200.3

R-HN(config)#router ospf 1
R-HN (config-router)#network 100.100.100.0 0.0.0.7 area 1
R-HN (config-router)#network 200.200.200.0 0.0.0.7 area 1
R-HN (config-router)#network 192.168.2.0 0.0.0.15 area 1
R-HN (config-router)#network 192.168.2.16 0.0.0.15 area 1

R-HN (config)#ip route 0.0.0.0 0.0.0.0 serial 1/3

R-DN(config)#router ospf 1
R-DN (config-router)#network 100.100.100.0 0.0.0.7 area 1
R-DN (config-router)#network 200.200.200.0 0.0.0.7 area 1
R-DN (config-router)#network 192.168.3.0 0.0.0.15 area 1
R-DN (config-router)#network 192.168.3.16 0.0.0.15 area 1
R-DN (config-router)#network 192.168.3.32 0.0.0.7 area 1
R-DN (config)#ip route 0.0.0.0 0.0.0.0 serial 1/2
13.6 Configuring IPsec for the tunnels
The ISAKMP (Phase 1) policy states its algorithms explicitly: a policy containing only `authentication pre-share` would fall back to the IOS defaults of DES, SHA-1 and 768-bit DH group 1. The pre-shared key is bound to `address 0.0.0.0 0.0.0.0` because the spokes do not have fixed public addresses; that means any peer presenting the key can negotiate, so the key must be strong and used for this DMVPN only.
NAT-HN(config)#crypto isakmp policy 1
NAT-HN (config-isakmp)#authentication pre-share
NAT-HN (config-isakmp)#encryption aes 256
NAT-HN (config-isakmp)#group 2
NAT-HN (config)#crypto isakmp key 6 vietbank address 0.0.0.0 0.0.0.0
NAT-HN (config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
NAT-HN (config)#crypto ipsec profile dmvpn
NAT-HN (ipsec-profile)#set security-association lifetime seconds 120
NAT-HN (ipsec-profile)#set transform-set myset
NAT-HN (ipsec-profile)#set pfs group2
NAT-HN (config)#interface tunnel 100
NAT-HN (config-if)#tunnel protection ipsec profile dmvpn

Figure 117: Verifying IPsec on NAT-HN.


Do the same on router NAT-DN (binding the profile to tunnel 200).


R-HN(config)#crypto isakmp policy 1
R-HN (config-isakmp)#authentication pre-share
R-HN (config-isakmp)#encryption aes 256
R-HN (config-isakmp)#group 2
R-HN (config)#crypto isakmp key 6 vietbank address 0.0.0.0 0.0.0.0
R-HN (config)#crypto ipsec transform-set myset esp-aes esp-sha-hmac
R-HN (config)#crypto ipsec profile dmvpn
R-HN (ipsec-profile)#set security-association lifetime seconds 120
R-HN (ipsec-profile)#set transform-set myset
R-HN (ipsec-profile)#set pfs group2
R-HN (config)#interface tunnel 100
R-HN (config-if)#tunnel protection ipsec profile dmvpn
R-HN (config)#interface tunnel 200
R-HN (config-if)#tunnel protection ipsec profile dmvpn
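The following audit script is an added example and is not part of the thesis or of any Cisco tool. It reads an IOS running-config and reports the mistakes a reviewer would look for in sections 12 to 13.6: a DHCP `default-router` outside its own pool, OSPF `neighbor` statements that sit on no local tunnel subnet (the copy-paste error the hubs can fall into), an ISAKMP policy left at its weak defaults, a wildcard pre-shared key, a very short IPsec SA lifetime, weak PFS, and GRE tunnels without NHRP authentication or `tunnel protection`. The sample configuration is constructed from the page's NAT-HN tunnel, OSPF and crypto commands and R-HN's `quanly` pool, rewritten in running-config form; the pool `bad`, the abbreviated neighbour list, and the thresholds (3600 s lifetime, DH group 14) are the example's own assumptions, not anything the page specifies.

```python
"""Audit an IOS running-config for the DMVPN, OSPF and DHCP mistakes
discussed in sections 12-13.6 (added example, not the thesis's own code)."""
import ipaddress
import re

# Constructed sample: NAT-HN's tunnel/OSPF/crypto commands and R-HN's pool
# "quanly" in running-config form. Pool "bad" and the neighbour list are
# assumptions added so that each check has something to find.
SAMPLE_CONFIG = """\
ip dhcp pool quanly
 network 192.168.2.0 255.255.255.240
 default-router 192.168.2.1
ip dhcp pool bad
 network 192.168.9.0 255.255.255.240
 default-router 192.168.9.17
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 6 vietbank address 0.0.0.0 0.0.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto ipsec profile dmvpn
 set security-association lifetime seconds 120
 set transform-set myset
 set pfs group2
interface Tunnel100
 ip address 100.100.100.1 255.255.255.248
 ip nhrp network-id 100
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn
router ospf 1
 network 100.100.100.0 0.0.0.7 area 1
 neighbor 100.100.100.2
 neighbor 200.200.200.2
"""


def parse_blocks(config):
    """Split a running-config into (header, children): an unindented line
    opens a block, the indented lines that follow belong to it."""
    blocks = []
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config):
    """Return one human-readable finding per problem detected."""
    findings, tunnel_nets = [], []
    blocks = parse_blocks(config)
    for header, body in blocks:
        if header.startswith("ip dhcp pool"):
            # The default-router must lie inside the pool's own network.
            net = gw = None
            for line in body:
                if m := re.match(r"network (\S+) (\S+)$", line):
                    net = ipaddress.ip_network(f"{m[1]}/{m[2]}")
                elif m := re.match(r"default-router (\S+)$", line):
                    gw = ipaddress.ip_address(m[1])
            if net and gw and gw not in net:
                findings.append(f"{header}: default-router {gw} is not in {net}")
        elif header.startswith("interface Tunnel"):
            # Remember the tunnel subnet for the OSPF check, then require an
            # authenticated NHRP cloud and an encrypted GRE tunnel.
            for line in body:
                if m := re.match(r"ip address (\S+) (\S+)$", line):
                    tunnel_nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
            if not any(l.startswith("ip nhrp authentication") for l in body):
                findings.append(f"{header}: no 'ip nhrp authentication'")
            if not any(l.startswith("tunnel protection ipsec") for l in body):
                findings.append(f"{header}: no 'tunnel protection', GRE is cleartext")
        elif header.startswith("crypto isakmp policy"):
            # Omitted Phase 1 attributes silently take the IOS defaults.
            for attr, default in (("encryption", "des"), ("hash", "sha (SHA-1)"), ("group", "1")):
                if not any(l.split()[0] == attr for l in body):
                    findings.append(f"{header}: '{attr}' unset, IOS default is {default}")
        elif header.startswith("crypto isakmp key") and header.endswith("address 0.0.0.0 0.0.0.0"):
            findings.append("wildcard pre-shared key: any host that learns it can negotiate")
        elif header.startswith("crypto ipsec profile"):
            for line in body:
                if m := re.match(r"set security-association lifetime seconds (\d+)$", line):
                    if int(m[1]) < 3600:  # assumed floor; 120 s means a rekey every two minutes
                        findings.append(f"{header}: SA lifetime {m[1]}s forces a rekey every {m[1]}s")
                elif line in ("set pfs group1", "set pfs group2", "set pfs group5"):
                    findings.append(f"{header}: '{line}' uses a weak DH group, prefer group14 or higher")
    # A non-broadcast OSPF 'neighbor' only works on a locally attached subnet.
    for header, body in blocks:
        if header.startswith("router ospf"):
            for line in body:
                if m := re.match(r"neighbor (\S+)", line):
                    if not any(ipaddress.ip_address(m[1]) in n for n in tunnel_nets):
                        findings.append(f"{header}: neighbor {m[1]} is on no local tunnel subnet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script flags the `bad` pool, the stray `neighbor 200.200.200.2`, the three unset ISAKMP attributes, the wildcard key, the 120-second lifetime, `set pfs group2` and the missing NHRP authentication, while `Tunnel100` passes the `tunnel protection` check because the profile is bound to it. Feeding it the output of `show running-config` from each router is a cheap regression check after every change to the DMVPN configuration.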


CHAPTER 5. CONCLUSION

1. Results achieved
After the period of research and implementation of the project BUILDING AN ENTERPRISE NETWORK INFRASTRUCTURE, the author completed the work on schedule and met the project's requirements.
Regarding the project:
- Designed and successfully configured the network infrastructure according to the enterprise's requirements.
- Implemented the policies required by the enterprise on Cisco devices.
- Used EtherChannel to provide high availability and redundancy for the network and to meet the bandwidth demands of the whole system.
- Used VLANs and VTP to manage and optimise the network.
- Minimised the cost of purchasing static IP addresses by using DMVPN.
Regarding the author:
- Mastered basic networking knowledge, the OSI model and the TCP/IP model.
- Mastered the configuration and the features of network devices.
- Mastered network design and network architecture.
- Became proficient with network simulation software.
- Became proficient at troubleshooting network faults.
2. Limitations
- Because the project was carried out in the GNS3 simulator, which supports Layer 3 devices well but Layer 2 devices poorly, configuring the distribution layer on switches was difficult.
- GNS3 does not support wireless devices, so no wireless configuration could be performed.
- No monitoring system for the enterprise's network devices was built.


3. Future work

The next step for this project is deploying DMVPN in a financial enterprise such as a bank or a securities company.
In practice, the deployed model can only partly meet the essential requirement of protecting information to the highest degree.
For financial enterprises such as banks or securities companies that require high security, an alternative approach is leased-line connectivity, which gives a more reliable and more secure connection.
Although DMVPN improves on conventional VPN, it still connects over the public network, so security is not always guaranteed and there remains a risk of attacks and theft of customer data.
Given my limited knowledge and practical experience, I hope readers will consult this project and research more deeply the issues it has not addressed, so that it can be further improved. Sincerely, thank you!
