With the rapid development of information technology, the network has become an important infrastructure for modern society and economic development. In the high-tech industrial cluster of a science and technology park, the importance of network construction is even more self-evident.
Customer Background
A science and technology park in Shenzhen needs to provide a variety of different types of businesses, and the network also needs to be deployed in a centralized manner, thus requiring professional technical personnel to conduct on-site surveys and provide solutions. Based on the actual situation of the science and technology park, the park network needs to be divided into multiple different business groups, such as park business, enterprise business, and wireless business, and users are also divided into self-use, enterprises, and visitors. These users have different usage requirements for the network, have different access permissions, and there are significant differences in security, business provision levels, etc. In addition, some businesses such as video conferencing and video surveillance have unique requirements for network reliability, latency, and security.
Needs Analysis
Based on the complexity requirements of the entire science and technology park, the entire network needs to have high performance, high security, and high reliability, with the backbone and export bandwidth reaching 100G, and no bottlenecks in access. The park needs to establish a 100G network connection with the Tsinghua Network Center ISP node.
In addition, the overall network of the park needs to consider the uncertainty of the number of park users and the types of businesses, and the entire network needs to have strong expansion capabilities, which can be fully expanded with the change of demand, and can provide a wealth of broadband value-added services for different user needs.
Moreover, the overall network of the park needs to achieve dual-stack deployment of IPv4 and IPv6, support SAVI, IPv6 authentication; to make rational use of IPv6 resources and bandwidth, and further promote the promotion of IPv6 technology in the network, the overall network construction of the park can increase the deployment of IVI translation devices according to demand, to achieve mutual visits between users' IPv4 and IPv6.
In terms of managing business systems, the park business needs to provide a safe and isolated multi-business foundation support for various management business systems in the park (such as access control, monitoring, energy management, building intelligent control, and other subsystems); the network should meet the requirements of each subsystem for operation and bandwidth; each subsystem can only run within the park network and does not provide access to the external network services (but the needs of each subsystem for remote maintenance can be considered).
Project Construction Goals
According to the network requirements and overall planning of a certain science and technology park in Shenzhen, the park's basic network construction project aims to build a park's basic network that provides a safe, isolated multi-business support, involving X individual access buildings; carrying content including park business, enterprise business, etc. The network has high bandwidth, high security, and high reliability, and can meet the specific usage requirements of different units and businesses.
Basic network construction includes:
-
Park Business: Including various building management business systems within the park, its content includes: the physical layer topology structure from the front end of the business system to the back end of the management business; IP address planning, VPN division, route configuration, debugging, and optimization at the data business level.
-
Enterprise Business: Mainly provides daily office and Internet services for all employees in the park. Its content includes: according to different user needs, the construction of broadband access infrastructure for each enterprise user; the deployment and debugging of the authentication billing system; the configuration and optimization of the IPv4/IPv6 Internet export and security devices.
Design Principles
Modularity: The park network is divided into core layer, convergence layer, and access layer, and each floor, unit, or business is divided into a module. The adjustment of the module is small in scope and easy for problem location.
Redundancy: Key equipment adopts dual virtualization redundancy design; key links adopt link aggregation for redundancy backup or load sharing; key parts of key equipment such as power supply and main control board are redundantly backed up. This has improved the reliability of the entire network.
Security Isolation: The park network should have effective security control. Logical isolation is carried out according to units, businesses, and permissions, and physical isolation is taken for particularly important businesses.
Manageability and Maintainability: The network should have good manageability. To facilitate maintenance, products with high integration and general-purpose modules should be selected as much as possible.
Design Ideas
Leading High-Bandwidth Platform: The entire network achieves large-capacity business carrying, and the export bandwidth is as high as 100G, meeting the future bandwidth growth needs. Network equipment adopts high-density ports and compact design, effectively saving space.
Strong Business Support Capability: According to the network construction needs, multiple VPN tunnels are deployed at the same time, adapting to traditional access needs and emerging business needs, meeting the rich carrying needs of multi-business integration. It meets the multi-exit network needs of users.
Rich IPv6 Transition Technology: Supports a wealth of IPv6 features, including IPv6 dedicated line access, dual-stack, tunnel, and translation. Provides a complete IPv4-IPv6 solution to meet the needs of IPv6 transition in various evolution scenarios.
Efficient, Easy-to-Use, and Secure Wireless Network: The wireless business in the park building uses high-performance APs that support 802.11ac wave2 for coverage, and the wireless controller uses high-performance and high-specification products to meet data forwarding, AP management, authentication, security control, and other performance and functional needs, meeting the needs of various users for wireless business.
Comprehensive Virtualization Feature Support: Network devices support one-virtual-many and many-virtual-one virtualization features. The one-virtual-many feature virtualizes a device into multiple logical routers, and resources are isolated between each logical device, ensuring the reliability of business resource occupation; the many-virtual-one feature virtualizes multiple devices into a logical device, and each physical router backs up each other, enhancing device reliability.
Comprehensive Security Protection: Provides professional security functions such as firewalls, identity authentication, Internet behavior management, and access control. By combining six dimensions of application, content, time, user, threat, and location, it globally perceives the increasing application-layer threats and achieves application-layer security protection.
Solution
The overall basic network of Shenzhen's science and technology park adopts an MPLS VPN architecture that meets the multi-region and multi-business carrying requirements, with export links using dual 100G IPv4 and IPv6, and the overall network has high bandwidth, high reliability, and high security.
Enterprise business and park business are independent of each other, and enterprise wired and wireless are logically isolated in business, and are implemented in a unified manner in deployment, with unified authentication, to achieve the mutual backup effect of wired and wireless at the access layer.
Export Area: The export area is the overall network security control and forwarding area, where devices such as optical transmission, export routers, and firewalls are deployed to support 100G access to ISPs. It also supports multi-carrier link access.
Backbone Area: In the backbone area, PE and MCE devices are deployed, carrying the routing control forwarding of enterprise business's IPv4/IPv6 and the establishment of MPLS VPN tunnels. To ensure the stability and high-speed forwarding of the backbone area, various devices are deployed with horizontal virtualization, and devices are interconnected with 10G dual links.
Access Area: The access area is connected to the backbone area with 10G optical fibers, meeting the forwarding of wired and wireless terminal access, and ensuring the mutual isolation of various system networks.
Security Control Area: Various security control servers are deployed, such as authentication billing, behavior auditing, network servers (DHCP, DNS, network management systems, etc.).
Public Area: The public area includes places such as conference centers, lobbies, and canteens, where high-density APs are deployed as needed, and wireless network coverage is achieved.
Enterprise Business: Enterprise business provides daily office and Internet services for enterprises settled in the park, divided into enterprise wired business and enterprise wireless business, and users are also divided into XXX office networks and settled enterprise office networks; each enterprise office network runs in isolation; multiple network access methods are provided for users.
Wired business is combined with the park's comprehensive cabling system, built as needed, providing wired users with gigabit access and port isolation, supporting the needs of IPv4 and IPv6 dual-stack or pure IPv6 network access.
Wireless business is fully covered, and high-density coverage is provided for high-density areas such as conference centers, canteens, and incubators, providing a roaming wireless dedicated network. Different SSIDs are established for security isolation according to different business needs, and different welcome or authentication interfaces can be popped up for different SSIDs, such as visitor business, XXX self-use business, and enterprise customized business. Support for IPv4/IPv6 dual-stack, and pure IPv4, IPv6, or IPv4/IPv6 dual-stack wireless networks can be provided according to SSIDs. Join eduroam to achieve seamless roaming of wireless network access within the eduroam alliance institutions.
Product Recommendations
Project Highlights
The park business mainly adopts the MPLS VPN logical architecture design, and the security of MPLS VPN is achieved through route isolation technology. MPLS VPN uses two layers of labels (Lable) to automatically establish different channels between different user nodes, allowing user traffic to travel separately in different "virtual channels," achieving user traffic isolation.
At the same time, the network deployment greatly reduces the control of ACL policies
