1.0 Intelligent Campus Network Solution
2.0 IDC Data Center Network Solution
3.0 Enterprise Cloud Solutions
4.0 Overall Information Security Solution
- 4.1 Exit Security Application Solutions
- 4.2 Branch and Mobile Internet Application Solutions
- 4.3 Data Center Security Solutions
- 4.4 Level Protection Comprehensive Solution
- 4.5 Disaster Recovery and Backup Integrated Solution
- 4.0 Overall Information Security Solution
- 4.6 CDP Local Disaster Recovery Solution
- 4.7 Two-machine disaster recovery shared storage hot backup solution
- 4.8 Mirrored Hot Standby Solution for Dual-machine Disaster Recovery
- 4.9 Desktop Access Scheme
- 4.10 Anti-disclosure security management system for electronic documents
- 4.11 Email Security Overall Solution
5.0 Smart Wireless Total Solution
- 5.1 Cloud wireless solution
- 5.2 Application authentication access solution
- 5.0 Smart Wireless Total Solution
- 5.3 Smart Business Circle Solution
- 5.4 Wireless bridging solution
- 5.5 Elevator Wireless Coverage Solution
- 5.6 Hotel wireless coverage solution
- 5.7 Smart Campus Wireless Solution
- 5.8 Hospital Wireless Solution
- 5.9 Wireless retail solutions for malls
6.0 HD Video Conference Solution
7.0 IDC Computer Room Construction Solution
8.0 Intelligent Weak Current Solution
9.0 Intelligent Building Solution
10.0 Intelligent Management Center Overall Solution
1 Design principles
The safe operation of each business system places high requirements on the reliability of the network system. Therefore, the reliability of the network must be carefully considered and designed in the design and implementation of the network. The two core switches were previously interconnected using a pair of 10 Gigabit optical modules for virtualization.
In this network project, the core switch and the access switch are dual-link interconnected. Through virtualization technology, two devices are virtualized into one device. This simplifies the network topology, which facilitates network management and avoids The occurrence of a Layer 2 loop, in the specific deployment process, in order to achieve rapid link switching and ensure network stability, technologies such as port aggregation and link unidirectional detection can be integrated.
2 Highly reliable core architecture
The core layer is deployed in a virtualized manner, which simplifies the network environment and facilitates network management.
三平面安全保障机制设计 2.1 Three-plane safety guarantee mechanism design
Provide perfect security protection mechanism, which can fully guarantee network security from the three planes of control, management, and forwarding: In the control plane, a protocol packet attack identification module is built in to prevent protocol packet attacks such as TCN and ARP. OSPF / BGP / IS- The IS routing protocol uses MD5 authentication to prevent network paralysis caused by illegal route update packets. In the management plane, SNMPv3 network management protocol, SSH V2, 802.1x, AAA / Radius-based user authentication and hierarchical user rights management ensure device management In the forwarding plane, it supports fine binding of multiple combinations of IP, VLAN, MAC, and port. It supports uRPF unicast reverse path forwarding to prevent illegal traffic from accessing the network. It uses the longest matching packet-by-packet forwarding mechanism to effectively resist Virus attack. The virtualization platform S7500E also supports built-in high-performance firewalls and abnormal traffic cleaning modules, integrating professional security into the switch.
2.2 Second-generation intelligent elastic architecture
To meet the needs of horizontal business integration of the campus network, the core switch supports the second-generation intelligent elastic architecture technology, which virtualizes multiple high-end devices into one logical device. It is the industry's first core switch product that supports 4-frame virtualization. It has strong advantages in terms of distribution, manageability, and is mainly reflected in three aspects:
Reliability: Through the patented routing hot backup technology, the redundant backup and uninterrupted three-layer forwarding of all information on the control plane and data plane are implemented in the entire virtual architecture, which greatly enhances the reliability and high performance of the virtual architecture. At the same time, single point of failure is eliminated, and business interruption is avoided;
Distributed: Through distributed cross-device link aggregation technology, load sharing and backup of multiple uplinks are achieved, thereby improving the redundancy of the entire network architecture and the utilization of link resources;
Ease of management: The entire elastic architecture shares one IP management, which simplifies network equipment management, simplifies network topology management, improves operational efficiency, and reduces maintenance costs.
2.3 Multi-service integration based on open architecture
The core switch adopts the Open Application Architecture (OAA). The simple function of forwarding packets from L2 to L3 of the traditional campus network core switch is redefined as integrating deep service awareness of L2 to L7, wired and wireless integration, and active and passive integration. Multi-service bearer platform integrating IPv4 / IPv6 integration, network traffic analysis and management and other services.
Supports security control modules such as firewall modules, IPS modules, and load balancing, which can extend security protection functions to each port of the switch; supports virtual firewall functions, and can provide VPN users with network firewall lease services. Realized the seamless integration of network business and security business.
The core switch integrates a wireless control module to implement a wired and wireless integrated solution. The wireless control module provides rich business capabilities, including fine-grained user control management, perfect RF management and security mechanisms, fast roaming, strong QoS, and support for IPv6; the wireless control module achieves this through linkage with the security policy server The endpoint access defense for wireless access users improves the security of the entire network.
2.4 Comprehensive IPv6 solution
IPv6, as the basic protocol of the next generation network, has been widely recognized for its unique technical advantages. The core switches fully support the IPv6 protocol family, IPv6 static routing, RIPng, OSPFv3, IS-ISv6, BGP4 + and other IPV6 routing protocols, and support for rich IPv4 IPv6 transition technologies include: IPv6 manual tunnels, 6to4 tunnels, ISATAP tunnels, GRE tunnels, IPv4-compatible automatic configuration tunnels, and other tunnel technologies to ensure a smooth transition from IPv4 to IPv6.
3 Intelligent load sharing for dual home links
Ethernet link aggregation is called link aggregation for short. It aggregates multiple physical Ethernet ports together to form a logical aggregation group. The upper-layer entity using the link aggregation service treats multiple physical links in the same aggregation group as Is a logical link.
Link aggregation enables data traffic to be shared among member ports in an aggregation group to increase bandwidth. At the same time, each member port of the same aggregation group is dynamically backed up to each other. If one of the first links fails, all data packets can continue to be transmitted through the other link, which improves connection reliability.
智能流量调度技术 Hierarchical CAR intelligent traffic scheduling technology
CAR 作为流量监管的技术，就是对流量进行控制，通过监督进入网络的流量速率，对超出部分的流量进行“惩罚”，使进入的流量被限制在一个合理的范围之内，以保护网络资源和用户的利益。 Common CAR technology: As a technology of traffic policing, CAR is to control the flow of traffic. By monitoring the rate of traffic entering the network, "punish" the excess traffic so that the incoming traffic is limited to a reasonable range. Protect network resources and the interests of users.
技术原理： 采用令牌桶控制流量，当令牌桶中存有令牌时，可以允许报文取令牌进行传输；当令牌桶中没有令牌时，报文必须等到桶中生成了新的令牌后才可以继续发送。 CAR technology principle: Use token buckets to control traffic. When tokens are stored in the token buckets, packets can be fetched for transmission. When there are no tokens in the token buckets, the packets must wait until the buckets are generated. You can continue sending after the new token. This restricts the flow of packets from being greater than the rate of token generation, and achieves the purpose of limiting traffic and allowing burst traffic to pass through. For example, you can restrict HTTP packets from occupying more than 50% of the network bandwidth. If the traffic of a certain connection is found to be excessive, traffic policing can choose to discard the packets or reconfigure the priority of the packets.
相比单层CAR，分层CAR 是一种更灵活的流量监管策略，用户可以在为每个流单独配置单层CAR 动作的基础上，再通过分层CAR（第二次CAR）对多个业务的流量总和进行限制，实现带宽的二次分配。 Layered CAR technology: Compared with single-layer CAR, layered CAR is a more flexible traffic policing strategy. Users can configure a single-layer CAR action for each flow separately, and then use layered CAR (the second time). CAR) limits the sum of the traffic of multiple services to achieve secondary allocation of bandwidth. So, how does hierarchical CAR deal with the business flows that have already done ordinary CAR?
First, the processing objects of hierarchical CAR are: packets processed by ordinary CAR and the action is selected as continue.
Because only after the ordinary CAR processing, the packets have red and green colors; and only continue is selected instead of pass or discard, because both of these will be forwarded directly to the packet, or discarded, There is no opportunity to enter the secondary token issuance process of the layered CAR.
Second, the tiered CAR token issuance follows two principles: first, green and uncolored messages are issued first, and then red messages are issued; second, red and green messages are issued based on the first principle. They are issued in the order in which common CARs are configured for each service until they are completed.