
Chapter 3:

1. Design the network topology
2. Assign addresses and names
3. Select switching and routing protocols
4. Design network security strategies
5. Design network management strategies

Design principles
- Hierarchical and modular model
- The Cisco three-layer model
- Redundancy in network design
Designing network components
- Components of the Cisco model
- Designing the components of the internal network
Some design examples

A network topology is a diagram that represents, geometrically, the components of the network, its connection points, its user communities, and so on (the architectural drawing).
Designing the topology is the first step.
Design principle: hierarchy and modularity.
Why do hierarchy and modularity matter in network design?
- They reduce the processing load on network devices
- They break up broadcast domains
- They make the design simpler and easier to understand
- They make changes and upgrades easier
- They allow the system to scale up or down

The core layer: consists of routers or high-end switches optimised for the network's high-availability and high-performance requirements.
The distribution layer: consists of the routers and switches that implement network policies.
The access layer: provides connectivity to users through low-end switches or wireless access points.

Core layer
- It is the backbone of the network and critical, so the design must ensure redundancy and high reliability.
- When configuring routers, use routing features that optimise throughput. Avoid packet filters or any feature that affects forwarding speed. Ensure low latency and good manageability.
- Keep the network diameter limited and consistent so that performance is stable and faults are easy to troubleshoot. Customers can strengthen the distribution layer instead.
- For customers with internetwork, extranet or Internet connections, the core layer also includes those internetwork links. Administering the network by region is encouraged.
  - Intrusion Detection System (IDS)
  - Intrusion Prevention System (IPS)
  - VPN system

Distribution layer
It is the boundary between the core layer and the access layer and takes on many functions:
- Ensuring packets reach each network segment successfully
- Controlling access to network resources, for security reasons
- Controlling network traffic, for performance reasons
- WLAN
- Routing between VLANs
- Ensuring quality of service (QoS)
- Connecting networks that run different protocols (for example the access layer uses IGRP while the core runs EIGRP)
- Hiding detailed information between the core layer and the access layer

Access layer
The access layer provides connectivity for local users.
In an internetwork, the access layer for remote users may use wide-area technologies such as ISDN, Frame Relay, DSL, analogue modems, etc.

Redundant Network Design
Redundant network design duplicates components of the network design in an attempt to eliminate possible failures in network operation.
There are two kinds of redundant design:
- Backup paths: ensure availability
- Load sharing: ensure performance

Network components in the Cisco model

Designing the components of the internal network

Enterprise campus:
The system that interconnects and provides the internal services of a campus network.
Designs give priority to high availability at the users' service access points, high performance for internal intranet applications, and an even, balanced distribution of traffic across the different modules.
Sub-blocks:
- Building Access module
- Building Distribution module
- Core (Backbone) module
- Server Farm module
- Edge Distribution module
- Management module

Enterprise edge: comprises the network's services
- E-Commerce
- Internet Connectivity
- VPN/Remote access
- WAN
Service provider edge: comprises the connections to the outside world
- ISP (Internet Service Provider)
- PSTN (Public Switched Telephone Network)
- Frame Relay/ATM (Asynchronous Transfer Mode)
Designs give priority to security and redundancy.

Enterprise edge: comprises the network's services
- E-Commerce
  - Web servers
  - Application servers
  - Database servers
  - Security servers
- Internet Connectivity
  - Email servers
  - DNS servers
  - Public web servers
  - Security servers
- VPN/Remote access
  - Dial-up access concentrators
  - VPN concentrators
  - Firewall and IDS
- WAN

1. Access Layer block:
   Provides connectivity for end users.
   Priority: offer many downlink connections to users while having high-speed uplinks towards the layer above. The devices only need to support layer 2 features.
2. Core/Distribution block:
   Distribution block: distributes traffic and routes between different geographical areas (between buildings or between VLANs).
   Core block: responsible for interconnecting the other modules, using large, high-performance core switches.
3. Server Farm block:
   Module providing connectivity for the servers that deliver services to the internal network (AD, DNS, DHCP, file, application, database, ...).
   Protected by an internal firewall.
4. Internet Access block:
   Module providing Internet connectivity for internal users.
   Priority: devices that support routing, NAT/PAT, firewalling and remote-access VPN.
5. DMZ block:
   Module connected directly to the Internet Access block in order to publish the internal network's services to the Internet.
6. WAN block:
   Module providing connectivity to the branch offices.
   Priority: support for WAN interfaces (serial, FTTH, ADSL, ...).

Designing the physical-layer network diagram
Designing the data-link-layer network diagram
Designing the network-layer network diagram

The cabling diagram must take into account:
- The cable types required
- The bandwidth and geographical-distance constraints of the network
Components of the cabling diagram:
- MDF (Main Distribution Facility): the main distribution point
- IDF (Intermediate Distribution Facility): an intermediate distribution point
- Horizontal cable
- Vertical cable
- Patch panel

- The exact location of the MDF and IDF concentration points
- The type and number of cables used to connect the IDFs and the MDF
- Cable ends must be numbered, and the connections between ports on the patch panels (HCC and VCC) must be recorded

The IP address allocation table
A summary table of the allocated networks, the addresses of the router interfaces, and the routing tables of the routers

Company XYZ is a telecommunications service provider [...] Minh Khai. The company recently leased a two-storey building in Bến Thủy and is expanding its operations there. The building has no network yet and is laid out as follows:
Floor 1: Security, General Affairs, Finance and Accounting, Engineering, VHKT (see figure)
Floor 2: Director, Meeting room, IT room (see figure)
Design the network for the branch with the following requirements:
- Security must be the top priority. There must be a sensible access policy.
- The Finance department must be separated from the other departments and able to connect to the company's Finance department.
- Ensure a 24/7 connection to the company for business operations.
- The company's administration team must be able to manage the branch's network devices.
- Staff may not send email outside; only the company's mail may be used.
- Staff may not use chat software.

IP addresses
- Private IP
- Public IP
DHCP (Dynamic Host Configuration Protocol) service
A protocol that assigns IP addresses automatically, together with the other related configuration, by default.

NAT (Network Address Translation) service
A protocol that translates the private IP addresses inside the LAN into public IP addresses towards the Internet, and back again.

Names
Domain names
- .com
- .gov
- .edu

DNS service
A protocol that establishes the correspondence between IP addresses and domain names on the Internet.

VLAN (Virtual LAN)
A technique that creates logically independent LANs on the same physical infrastructure.
Creating several virtual LANs within one local network reduces the size of the broadcast domains and makes a large local network easier to manage.
A VLAN is equivalent to a subnet.

Device            Port    VLAN   Purpose
Switch, 24 port   1-11    101    Connects the departments' computers
                  12      101    Connects to firewall port 0/0
                  13-17   102    Connects the Finance and Accounting computers
                  18      102    Connects to firewall port 0/2
                  19-20          Spare
                  21      101    Management modem
                  22      101    Finance modem
                  23      101    Sales modem
                  24      101    Connects to firewall port 0/1

Device             Port   Zone       Switch port   VLAN   Purpose
Firewall, 6 port   0/0    Trust      12            101    Connects the departments
                   0/1    Quantri    24            102    Connects to the company
                   0/2    Taichinh   18            103    Connects the Finance department
                   0/3    DMZ                      104    Connects the Finance and Accounting server
                   0/4    UnTrust                  105    Connects to the Internet
                   0/5    Wifi                     106    Wifi (not yet in use)
                   0/6    Spare

Domains: @tencongty.com, @taichinh.tencongty.com, @quantri.tencongty.com
Addresses per VLAN
- VLAN101: departments 192.168.1.0/24
- VLAN102: management 192.168.2.0/24
- VLAN103: Finance department 192.168.3.0/24
- VLAN104: Finance and Accounting server 192.168.4.0/24
- VLAN105: Internet 192.168.5.0/24
- VLAN106: Wifi 192.168.6.0/24

Addresses in VLAN101
- 192.168.1.10-192.168.1.60: workstations
- 192.168.1.1: gateway on the firewall
- 192.168.1.2: management address of the switch
Addresses in VLAN102
- 192.168.2.1: gateway
- 192.168.2.2: reserved
- 192.168.2.3: ADSL modem, management
- 192.168.2.4: ADSL modem, Finance
- 192.168.2.5: ADSL modem, Sales
Addresses in VLAN103
- 192.168.3.10-192.168.3.60: workstations
- 192.168.3.1: gateway on the firewall
Addresses in VLAN104
- 192.168.4.1: gateway on the firewall
- 192.168.4.2: Finance server
Addresses in VLAN105
- 192.168.5.1: gateway on the firewall
- 192.168.5.2: ADSL modem, Internet
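An addressing plan like the one above is easy to get wrong by hand, so a practitioner normally checks it mechanically before configuring anything. The script below is an added example, not part of the course material: it transcribes the VLAN subnets, static assignments, workstation pools and the two port tables into Python and verifies that subnets do not overlap, that every static address is a usable host address inside its own VLAN, that no static address falls inside a DHCP-style workstation pool, and that the switch table and the firewall table agree on which VLAN each firewall-facing port carries. Run on the tables exactly as given, the last check reports that the two tables disagree about switch ports 18 and 24, which is the kind of discrepancy such a check exists to catch.

```python
"""Automated consistency checks for the branch VLAN and IP addressing plan.

The tables below are transcribed from the addressing plan above; the checks
themselves are an added example and not part of the original design."""
import ipaddress

# VLAN -> subnet, as allocated in the plan.
VLAN_SUBNETS = {
    101: ipaddress.ip_network("192.168.1.0/24"),
    102: ipaddress.ip_network("192.168.2.0/24"),
    103: ipaddress.ip_network("192.168.3.0/24"),
    104: ipaddress.ip_network("192.168.4.0/24"),
    105: ipaddress.ip_network("192.168.5.0/24"),
    106: ipaddress.ip_network("192.168.6.0/24"),
}

# Static assignments: (VLAN, address, role).
STATIC_HOSTS = [
    (101, "192.168.1.1", "gateway on firewall"),
    (101, "192.168.1.2", "switch management"),
    (102, "192.168.2.1", "gateway"),
    (102, "192.168.2.3", "ADSL modem, management"),
    (102, "192.168.2.4", "ADSL modem, finance"),
    (102, "192.168.2.5", "ADSL modem, sales"),
    (103, "192.168.3.1", "gateway on firewall"),
    (104, "192.168.4.1", "gateway on firewall"),
    (104, "192.168.4.2", "finance server"),
    (105, "192.168.5.1", "gateway on firewall"),
    (105, "192.168.5.2", "ADSL modem, internet"),
]

# Workstation pools: (VLAN, first address, last address).
POOLS = [
    (101, "192.168.1.10", "192.168.1.60"),
    (103, "192.168.3.10", "192.168.3.60"),
]

# Switch ports facing the firewall: port -> (VLAN, firewall interface), from the switch table.
SWITCH_FW_PORTS = {12: (101, "0/0"), 18: (102, "0/2"), 24: (101, "0/1")}
# Firewall interfaces facing the switch: interface -> (switch port, VLAN), from the firewall table.
FW_IFACES = {"0/0": (12, 101), "0/1": (24, 102), "0/2": (18, 103)}


def check_subnets_disjoint(subnets):
    """No two VLAN subnets may overlap, otherwise inter-VLAN routing on the firewall is ambiguous."""
    problems = []
    items = list(subnets.items())
    for i, (vlan_a, net_a) in enumerate(items):
        for vlan_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"VLAN{vlan_a} {net_a} overlaps VLAN{vlan_b} {net_b}")
    return problems


def check_static_hosts(subnets, hosts):
    """Every static address must be a usable host address inside its own VLAN's subnet, and unique."""
    problems, seen = [], {}
    for vlan, addr, role in hosts:
        ip, net = ipaddress.ip_address(addr), subnets[vlan]
        if ip not in net:
            problems.append(f"{addr} ({role}) is outside VLAN{vlan} {net}")
        elif ip in (net.network_address, net.broadcast_address):
            problems.append(f"{addr} ({role}) is the network or broadcast address of {net}")
        if ip in seen:
            problems.append(f"{addr} assigned twice: {seen[ip]} and {role}")
        seen[ip] = role
    return problems


def check_pools(subnets, hosts, pools):
    """Workstation pools must lie inside their subnet and must not contain any static address."""
    problems = []
    for vlan, first, last in pools:
        lo, hi, net = ipaddress.ip_address(first), ipaddress.ip_address(last), subnets[vlan]
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"pool {first}-{last} is not a valid range inside VLAN{vlan} {net}")
            continue
        for host_vlan, addr, role in hosts:
            if host_vlan == vlan and lo <= ipaddress.ip_address(addr) <= hi:
                problems.append(f"static {addr} ({role}) sits inside the VLAN{vlan} workstation pool")
    return problems


def check_port_vlan_consistency(switch_ports, fw_ifaces):
    """The switch table and the firewall table must agree on which port carries which VLAN."""
    problems = []
    for iface, (port, fw_vlan) in fw_ifaces.items():
        sw_vlan, sw_iface = switch_ports.get(port, (None, None))
        if sw_iface != iface:
            problems.append(f"firewall {iface} expects switch port {port}, but the switch table maps it to {sw_iface}")
        if sw_vlan != fw_vlan:
            problems.append(f"switch port {port}: switch table says VLAN{sw_vlan}, firewall table says VLAN{fw_vlan}")
    return problems


def audit_plan():
    """Run every check over the plan and return the list of findings (empty means consistent)."""
    return (check_subnets_disjoint(VLAN_SUBNETS)
            + check_static_hosts(VLAN_SUBNETS, STATIC_HOSTS)
            + check_pools(VLAN_SUBNETS, STATIC_HOSTS, POOLS)
            + check_port_vlan_consistency(SWITCH_FW_PORTS, FW_IFACES))


if __name__ == "__main__":
    for finding in audit_plan() or ["plan is consistent"]:
        print(finding)
```

The same functions work unchanged on a larger plan: add VLANs, hosts and pools to the tables and rerun `audit_plan()`; the port cross-check is the one that catches documentation drift between the switch and firewall configurations.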

Switching protocols
- Spanning Tree Protocol
- VLAN trunking protocols: ISL (Inter-Switch Link) and 802.1Q
Routing protocols
- Static routes
- Dynamic routes
- IGP vs EGP (outside the network vs inside the network)
- Distance vector vs link state (sending the routing table vs sending the link-state table)
- Classful vs classless (without subnet mask vs with subnet mask)

RIP1, RIP2 (Routing Information Protocol)
- Distance-vector protocol
- Sends its routing table to the neighbouring routers every 30 s; repeated, this propagates across the whole network
- Uses the Bellman-Ford algorithm
- Metric < 15; 15 routers is the maximum
OSPF (Open Shortest Path First)
- Link-state protocol
- Once the routers have information about the whole network they use Dijkstra's algorithm to find paths and build the routing table
IGRP, EIGRP (Enhanced Interior Gateway Routing Protocol)
- Improved distance-vector protocol (a hybrid protocol)
- Sends information to its neighbours and only sends updates when something changes
- Uses the DUAL (Diffusing Update Algorithm) algorithm
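To make the distance-vector versus link-state distinction concrete, here is an added example (mine, not from the course) that simulates both on constructed topologies. `distance_vector` models RIP: every router starts knowing only its neighbours, exchanges its whole table each round (Bellman-Ford relaxation), counts hops only, and treats 16 hops as unreachable. `link_state` models OSPF: the router already holds the whole map and runs Dijkstra on link costs. On a triangle with two fast links and one slow direct link the two methods choose different paths, and a 17-router chain shows RIP's 15-hop limit. Router names, link costs and the `RIP_INFINITY` constant are assumptions of the example.

```python
"""Distance-vector (RIP-style) versus link-state (OSPF-style) route computation.

Added example, not from the slides: a small simulation of the two route-selection
methods, run on constructed topologies."""
import heapq

RIP_INFINITY = 16  # RIP treats 16 hops as unreachable, so a path may cross at most 15 routers


def build_graph(links):
    """Adjacency map from (router_a, router_b, cost) triples; every link is bidirectional."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, {})[b] = cost
        graph.setdefault(b, {})[a] = cost
    return graph


def distance_vector(graph):
    """RIP-style Bellman-Ford: each router starts knowing only its directly connected
    neighbours, and in every round all routers send their whole table to their
    neighbours. The metric is hop count; link cost is ignored.
    Returns ({router: {destination: (hops, next_hop)}}, rounds_until_convergence)."""
    tables = {r: {r: (0, None)} for r in graph}
    for r in graph:
        for n in graph[r]:
            tables[r][n] = (1, n)
    for rounds in range(1, 64):
        adverts = {r: dict(t) for r, t in tables.items()}  # what each router advertises this round
        changed = False
        for r in graph:
            for n in graph[r]:
                for dest, (hops, _) in adverts[n].items():
                    candidate = min(hops + 1, RIP_INFINITY)
                    if candidate < tables[r].get(dest, (RIP_INFINITY, None))[0]:
                        tables[r][dest] = (candidate, n)
                        changed = True
        if not changed:
            return tables, rounds
    return tables, 63


def link_state(graph, source):
    """OSPF-style: the router already holds the whole topology (flooded link states)
    and runs Dijkstra on link cost. Returns {destination: (cost, next_hop)}."""
    best = {source: (0, None)}
    heap = [(0, source, None)]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry, a cheaper path was found later
        for n, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if n not in best or new_cost < best[n][0]:
                hop = n if node == source else first_hop
                best[n] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, n, hop))
    return best


# Constructed topology: two fast links A-B and B-C (cost 1 each) and one slow direct link A-C (cost 10).
TRIANGLE = build_graph([("A", "B", 1), ("B", "C", 1), ("A", "C", 10)])


def chain(length):
    """Constructed chain R0-R1-...-R<length>, used to show RIP's 15-hop limit."""
    return build_graph([(f"R{i}", f"R{i + 1}", 1) for i in range(length)])


if __name__ == "__main__":
    dv_tables, rounds = distance_vector(TRIANGLE)
    print("RIP  A->C:", dv_tables["A"]["C"], f"(converged after {rounds} rounds)")
    print("OSPF A->C:", link_state(TRIANGLE, "A")["C"])
    far = distance_vector(chain(16))[0]["R0"]
    print("RIP R0->R15:", far.get("R15"), " R0->R16:", far.get("R16", "unreachable"))
```

RIP sends A's traffic for C over the slow direct link because one hop beats two, whereas OSPF picks the two fast links because cost 2 beats cost 10; and in the chain, R0 learns a 15-hop route to R15 but never installs one for R16.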

Some concepts
In a broad sense, the security of a private network, or internal network, means keeping anyone from doing what the internal network does not want them to do.
The network security issues to consider:
- Confidentiality: ensure network resources are not accessed or used by unauthorised people
- Integrity: ensure there is no use or modification without permission
- Availability: ensure network resources can never be seized by unauthorised people
- Authentication: determine which users are entitled to use a given resource, such as information or the software and hardware resources on the network

Design and build steps
- Determine what needs to be protected
- Determine which kinds of attack to protect against
- Determine the possible security threats
- Determine the tools that will provide security
- Build the security model
=> Firewall system, intrusion detection system (IDS/IPS), information security system.

Firewall
A firewall is a term used to describe devices or software whose task is to filter the information entering or leaving a network or computer according to rules installed in advance.
A firewall is always installed at the border of the network.

The three-zone firewall model
- LAN or Internal: the safe zone.
- WAN or External: the dangerous zone, blocked by the firewall by default.
- DMZ (Demilitarized Zone): hosts the servers that provide network services; users can access these servers under the firewall's control.
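The three-zone model and the branch requirements above (no direct outbound mail from staff, no chat software, internal administration only) come together in a rule set. The following is an added example, not the course's or any vendor's code: a first-match, default-deny policy evaluator in which a packet's zone is derived from its address using the branch subnets (VLAN101/103 as Internal, VLAN104 as DMZ, everything else External). The company mail server's DMZ address, the chat port numbers and the rule list itself are assumptions made for the example.

```python
"""A first-match, default-deny zone policy for the three-zone firewall model
(Internal, DMZ, External).

Added example, not from the slides. The zone subnets reuse the branch addressing
plan; the mail-server address, chat ports and rule set are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone membership is derived from the address; anything not listed is External (Internet side).
ZONES = {
    "Internal": [ipaddress.ip_network("192.168.1.0/24"),   # VLAN101 departments
                 ipaddress.ip_network("192.168.3.0/24")],  # VLAN103 finance
    "DMZ": [ipaddress.ip_network("192.168.4.0/24")],       # VLAN104 servers
}
COMPANY_MAIL_SERVER = "192.168.4.10"   # assumed DMZ address, not part of the plan
MAIL_PORTS = {25, 465, 587}            # SMTP relay and submission
CHAT_PORTS = {5222, 5223, 6667}        # assumed chat protocol ports (XMPP, IRC)


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "External"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                        # "allow" or "deny"
    proto: str = "any"
    dports: Optional[frozenset] = None  # None = any destination port
    src: Optional[str] = None          # None = any source address
    note: str = ""

    def matches(self, p):
        return (zone_of(p.src) == self.src_zone
                and zone_of(p.dst) == self.dst_zone
                and self.proto in ("any", p.proto)
                and (self.dports is None or p.dport in self.dports)
                and (self.src is None or p.src == self.src))


# Rule order matters: the first matching rule decides. Anything unmatched falls to the
# implicit final deny, which is what keeps External -> Internal closed by default.
POLICY = [
    Rule("DMZ", "External", "allow", "tcp", frozenset(MAIL_PORTS), src=COMPANY_MAIL_SERVER,
         note="only the company mail server relays mail out"),
    Rule("Internal", "External", "deny", "tcp", frozenset(MAIL_PORTS),
         note="staff may not send mail directly to the outside"),
    Rule("Internal", "External", "deny", "tcp", frozenset(CHAT_PORTS),
         note="chat software is not allowed"),
    Rule("Internal", "External", "allow", "tcp", frozenset({80, 443}), note="web browsing"),
    Rule("Internal", "DMZ", "allow", "tcp", frozenset({443, 993}), note="internal services and company mail"),
    Rule("External", "DMZ", "allow", "tcp", frozenset({443}), note="published HTTPS service"),
]
DEFAULT = Rule("any", "any", "deny", note="implicit default deny")


def evaluate(packet, policy=POLICY):
    """Return (action, note) of the first rule that matches, or the default deny."""
    for rule in policy:
        if rule.matches(packet):
            return rule.action, rule.note
    return DEFAULT.action, DEFAULT.note


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.9", "192.168.1.20", "tcp", 445),      # Internet -> workstation
        Packet("192.168.1.20", "198.51.100.25", "tcp", 25),     # workstation -> outside SMTP
        Packet(COMPANY_MAIL_SERVER, "198.51.100.25", "tcp", 25),
        Packet("192.168.1.20", "198.51.100.7", "tcp", 5222),    # chat
        Packet("192.168.1.20", "198.51.100.7", "tcp", 443),
        Packet("203.0.113.9", "192.168.4.2", "tcp", 443),       # Internet -> DMZ service
    ]
    for p in samples:
        print(f"{zone_of(p.src):8} -> {zone_of(p.dst):8} {p.proto}/{p.dport:<5} {evaluate(p)}")
```

Two design points are worth noting: the deny rules for mail and chat sit before the broad web-browsing allow, so ordering alone enforces the policy, and there is no rule at all from External to Internal, which leaves that direction to the default deny rather than relying on an explicit block that could be reordered away.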

Intrusion Detection System (IDS)
A hardware or software system that monitors network traffic, automatically tracks the events occurring on computer systems, analyses them to detect security problems, and raises alerts for the administrator.

Basic functions of an IDS:
- Watch and monitor the whole network, collecting information from many different sources in the system
- Analyse the information received to detect signs of abuse of the system or signs of abnormal activity occurring in the system
- Manage and analyse the activity of the system's users
- Check the system configuration and detect ways the system could be attacked
- Use statistical analysis to detect signs of abnormal system activity
- Manage the operating system logs to detect activity that violates users' permissions
- Automatically react to the intrusive or harmful actions it detects, and record the results
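Two of the functions listed, statistical detection of abnormal activity and review of operating-system logs, are shown below in an added example that is not part of the course material. It parses constructed firewall deny records and constructed sshd auth-log lines (neither comes from a real device), then applies a sliding-window port-sweep detector and a failed-login counter; the log formats, thresholds and window size are assumptions of the example.

```python
"""Two detection functions of the kind an IDS runs over collected logs: a statistical
port-sweep detector on firewall deny events, and a failed-login counter on an
operating-system auth log. Added example, not from the slides; every log line below
is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2024-03-01T10:00:01 fw deny tcp 203.0.113.7:51000 -> 192.168.4.2:21
2024-03-01T10:00:01 fw deny tcp 203.0.113.7:51001 -> 192.168.4.2:22
2024-03-01T10:00:02 fw deny tcp 203.0.113.7:51002 -> 192.168.4.2:23
2024-03-01T10:00:02 fw deny tcp 203.0.113.7:51003 -> 192.168.4.2:25
2024-03-01T10:00:03 fw deny tcp 203.0.113.7:51004 -> 192.168.4.2:3389
2024-03-01T10:00:03 fw deny tcp 203.0.113.7:51005 -> 192.168.4.2:8080
2024-03-01T10:00:09 fw allow tcp 192.168.1.20:40211 -> 192.168.4.2:443
2024-03-01T10:02:30 fw deny tcp 198.51.100.5:33020 -> 192.168.4.2:3389
2024-03-01T10:41:10 fw deny tcp 198.51.100.5:33021 -> 192.168.4.2:22
"""

AUTH_LOG = """\
Mar  1 10:05:01 fin-srv sshd[2201]: Failed password for admin from 203.0.113.7 port 52010 ssh2
Mar  1 10:05:03 fin-srv sshd[2201]: Failed password for admin from 203.0.113.7 port 52011 ssh2
Mar  1 10:05:04 fin-srv sshd[2201]: Failed password for root from 203.0.113.7 port 52012 ssh2
Mar  1 10:05:06 fin-srv sshd[2201]: Failed password for admin from 203.0.113.7 port 52013 ssh2
Mar  1 10:05:07 fin-srv sshd[2201]: Failed password for backup from 203.0.113.7 port 52014 ssh2
Mar  1 10:07:40 fin-srv sshd[2310]: Failed password for ketoan1 from 192.168.3.15 port 50122 ssh2
Mar  1 10:07:52 fin-srv sshd[2310]: Accepted password for ketoan1 from 192.168.3.15 port 50122 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>allow|deny) (?P<proto>\w+) "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
AUTH_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse_firewall_log(text):
    """Firewall events as dicts; lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "action": m["action"],
                           "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return events


def detect_port_sweeps(events, window_seconds=60, port_threshold=5):
    """Statistical detector: a source denied on >= port_threshold distinct ports of the same
    host inside a sliding time window is reported once as a port sweep."""
    by_pair = defaultdict(list)
    for e in events:
        if e["action"] == "deny":
            by_pair[(e["src"], e["dst"])].append(e)
    alerts, window = [], timedelta(seconds=window_seconds)
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward past events that are too old
            ports = {e["dport"] for e in evs[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts.append({"type": "port_sweep", "src": src, "dst": dst, "ports": sorted(ports)})
                break
    return alerts


def detect_failed_logins(text, threshold=5):
    """Log-review detector: count failed password attempts per source address and report
    sources at or above the threshold, together with the user names they tried."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            attempts[m["src"]].append(m["user"])
    return [{"type": "failed_logins", "src": src, "count": len(users), "users": sorted(set(users))}
            for src, users in attempts.items() if len(users) >= threshold]


if __name__ == "__main__":
    for alert in detect_port_sweeps(parse_firewall_log(FIREWALL_LOG)) + detect_failed_logins(AUTH_LOG):
        print(alert)
```

The second source in the firewall log touches two ports 39 minutes apart and is correctly left alone: the window is what separates a sweep from ordinary background noise, and the threshold is the knob an administrator tunes against the false-positive rate observed on their own network.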

Information security system
- Encryption
- Public-key cryptography
- Digital signatures

- Performance management
- Fault management
- Configuration management
- Security management
- Accounting management

Enterprise network with full redundancy
Vinh University network

Core/Distribution Block:
- 2 x switches with ports of at least 1 Gbps, operating at layer 3.
- The two Core/Dist switches are interconnected by 6-8 links, split into two different EtherChannels: one Layer 2 EtherChannel group and one Layer 3 EtherChannel group.
Access Layer Block:
- n x switches with downlink ports of at least 100 Mbps and at least 2 x 1 Gbps uplinks, operating at layer 2.
- The access switches are connected by at least 2 uplinks up to the Core/Dist switches.
Server Farm Block:
- 2 x firewalls with at least 3 ports of at least 1 Gbps and a firewall throughput of at least 1 Gbps. The firewalls are configured to run in cluster mode.
- 2 x switches with 1 Gbps downlink/uplink ports, operating at layer 2. Servers with 2 NIC ports are physically connected to both server switches and configured with NIC teaming.
WAN Block:
- 2 x routers with the corresponding LAN/WAN ports. The two routers should be connected to two different ISPs.
- 2 x WAN switches of at least 100 Mbps, operating at layer 2.
DMZ Block, Internet Access Block:
- 2 x switches of at least 100 Mbps, operating at layer 2.
- 2 x firewalls supporting IPsec VPN or SSL VPN, configured to run in cluster mode.

Core switch: 01 Cisco Catalyst 6506
- Switching capacity: 720 Gbps
- Integrated firewall module and IPS module
- 48 RJ45 Gigabit ports connecting the servers
Distribution switches: 02 Cisco Catalyst 4500
- Switching capacity: 64 Gbps
- 02 Gigabit uplinks
- 12 SFP (Small Form-factor Pluggable) ports connecting to the Building Access switches
Building Access switches: 08 Cisco Catalyst 3600
- L3 switch, 2 SFP uplink ports
Firewall: 01 Cisco ASA 5520
