1 Data center network construction goals
The XX data center will in future host all production systems of the XX Group. As an important part of the business network, the data center network provides a secure and reliable access platform for the core business servers and storage devices. The network construction should achieve the following goals:

- High availability: the network is the infrastructure of the data center, so its availability directly determines the availability of the business systems. High availability at the network layer covers at least three aspects: high reliability, high security and advancement.
  - High reliability: highly reliable products and technologies should be adopted, with full consideration of the system's resilience, fault tolerance and error correction, so that the entire network infrastructure runs stably and reliably. The availability and performance requirements of business-critical applications matter more today than ever.
  - High security: the security of the network foundation design bears directly on the security of XX's core business data. The security system should be planned along two dimensions, end-to-end access security and network security at layers L2 through L7, progressing from local security through global security to intelligent security so that the security concept permeates the entire data center network.
  - Advancement: the data center will support the XX Group's business development for a long time, and the network is its basic support platform. The construction of the data center network therefore needs to consider the subsequent opportunity cost and adopt mainstream, advanced technologies and products (data center-class equipment, CEE, FCoE, virtualization support and so on), so that the basic support platform is not obsolete within 5 to 10 years, thereby protecting the investment.
- Easy to expand: the XX Group's business has diversified and its scope will keep widening, so frequent adjustment and expansion of business systems is inevitable. The data center network platform must therefore adapt to frequent adjustment of business systems, and its performance should meet at least the business development of the next 5 to 10 years. Network equipment selection and protocol deployment should follow industry standards, ensure good interoperability, and support rapid service deployment.
- Easy to manage: the data center is where IT technology is most concentrated. It has a large number of devices, protocol and application deployments grow ever more complex, and the demands on operations staff keep rising; relying on the individual technical and business skills of operations staff alone cannot guarantee business continuity. The data center therefore needs a complete operation and maintenance management platform that controls its IT resources globally and reduces man-made faults in daily operations, and that, when a fault does occur, allows it to be located intuitively and quickly.
2 Overall design ideas and principles
The data center provides services such as data access, OA and video for the XX Group's business network, daily office work and external partner units, as well as security isolation control between the individual businesses. The data center does not exist in isolation; it complements network areas such as the Dalian Center and the external-unit network of the Network Convergence Center. The basic network of the data center is the transmission channel for business data and ties together data computation and data storage. To ensure the high availability, easy expansion and easy management of the data center network, its architecture must be designed according to the principles of structure, modularity and flatness:
A structured network design facilitates the deployment of upper-layer protocols and network management, improves the convergence speed of the network and achieves high reliability. The structured design of the data center network is reflected in two aspects: appropriate redundancy and network symmetry. As shown below:
Introducing redundancy eliminates single points of failure in devices and links, but excessive redundancy makes the network overly complex and difficult to operate and maintain. A dual-node, dual-homed architecture is therefore generally used, and the network structure is designed symmetrically: simplified device configuration and an intuitive topology aid protocol design and analysis.
When building the data center basic network, a modular design method should be adopted. The data center is divided into functional areas, each implementing different functions or hosting different applications, which makes the entire data center architecture scalable, flexible and highly available. Servers are placed in different areas according to the access characteristics of the users of their applications and the functions of those applications. As shown below:
The data center network is divided into three functional areas: the network access area, the data center core switching area and the server access area. The network access area and the server access area can be further subdivided by service type; see the "Business partition" section for details.
The core area carries the data exchange between all the other areas and is the hub of the entire data center, so the core switches should be highly reliable data center-class equipment.
The modular design should achieve loose coupling between modules as far as possible, so that the data center's business can scale and new business systems or modules can be added without changing the core or the other modules. Modular design also disperses risk: when a module other than the core area fails, the other modules are unaffected, which minimizes the impact of a data center failure.
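To make the redundancy and fault-isolation argument above concrete, the following Python script is an added example (not part of the original design document) that models a dual-node, dual-homed structure with one access module per zone, enumerates single-device failures, and takes a whole zone module offline; every device and zone name in it is constructed for illustration.

```python
"""Added example, not part of the original design document: a reachability
model of the dual-node dual-homed structure and the modular fault isolation
described above.  All device and zone names are constructed."""
from collections import deque
from itertools import combinations

ZONES = ["OA", "ERP", "DEV"]  # constructed zone names


def _link(adj, a, b):
    """Add an undirected link between two devices."""
    adj.setdefault(a, set()).add(b)
    adj.setdefault(b, set()).add(a)


def build_topology(dual_homed=True):
    """Two core switches plus one access module per zone.

    dual_homed=True : an access pair per zone, each switch uplinked to both
                      cores (the structure recommended above).
    dual_homed=False: a single access switch per zone uplinked to CORE-A
                      only, kept for comparison."""
    adj = {}
    _link(adj, "CORE-A", "CORE-B")            # core interconnect
    for zone in ZONES:
        srv, acc1 = f"{zone}-SRV", f"{zone}-ACC1"  # SRV stands for the zone's servers
        _link(adj, acc1, "CORE-A")
        _link(adj, srv, acc1)
        if dual_homed:
            acc2 = f"{zone}-ACC2"
            _link(adj, acc1, "CORE-B")
            _link(adj, acc2, "CORE-A")
            _link(adj, acc2, "CORE-B")
            _link(adj, acc1, acc2)            # access pair peer link
            _link(adj, srv, acc2)             # servers attach to both access switches
    return adj


def reachable(adj, src, failed=frozenset()):
    """Breadth-first search from src with every node in `failed` removed."""
    seen = {src}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def zone_servers(adj):
    return sorted(n for n in adj if n.endswith("-SRV"))


def all_pairs_connected(adj, failed=frozenset()):
    """True if every pair of surviving zone servers can still reach each other."""
    survivors = [s for s in zone_servers(adj) if s not in failed]
    return all(b in reachable(adj, a, failed)
               for a, b in combinations(survivors, 2))


def isolating_single_failures(adj):
    """Network devices whose individual failure partitions at least one zone pair."""
    return [n for n in sorted(adj)
            if not n.endswith("-SRV") and not all_pairs_connected(adj, {n})]


def other_zones_survive(adj, zone):
    """Take a whole zone module offline; do the remaining zones still interconnect?"""
    failed = {n for n in adj if n.startswith(zone + "-")}
    return all_pairs_connected(adj, failed)


if __name__ == "__main__":
    dual, single = build_topology(True), build_topology(False)
    print("dual-homed, isolating single failures:", isolating_single_failures(dual))
    print("single-homed, isolating single failures:", isolating_single_failures(single))
    print("OA module down, other zones connected:", other_zones_survive(dual, "OA"))
    print("both cores down, zones connected:", all_pairs_connected(dual, {"CORE-A", "CORE-B"}))
```

Run as a script: the dual-homed topology reports no isolating single failure, the single-homed comparison reports its core switch and every access switch, and taking one zone module offline leaves the remaining zones connected, while losing both core switches partitions everything, which is exactly why the core area is named above as the exception to module fault isolation.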
By access density, data center network architectures are divided into three-tier and two-tier architectures, as shown in the following figure:
Traditional data center networks usually adopt a three-tier architecture. It offers good scalability and high server access density within a partition, but it involves many network devices, which complicates network management and adds operation and maintenance workload, and its networking cost is relatively high.
With the continued development of network switching technology, switch port density keeps rising, and the scalability and density of Layer 2 networking can already satisfy server access requirements in enterprise data centers. As server virtualization spreads, the two-tier architecture also makes it easier to build a large Layer 2 domain across VLANs to support the deployment and migration of virtual machines. Compared with the three-tier architecture, the two-tier architecture greatly simplifies network operation, maintenance and management.
Based on these factors, the data center network design adopts a two-tier flat architecture, which provides scalability while remaining easy to manage.
3 Business partition design
Business systems need to be partitioned. From a technical point of view, business partitioning should follow these principles:
- Partitions give priority to the security of access control. A single application's access should be completed within one area as far as possible, so that a single area failure affects only one type of application and business coupling between areas is minimized.
- Limit on the total number of areas: each additional area increases the complexity of operation and maintenance and the equipment investment, so the total number of areas should not exceed 20.
- Limit on the number of servers in one area: constrained by equipment room space, the size of the Layer 2 domain and the capacity of the access devices, the number of servers in a single area is limited (usually no more than 200).
- Limit on access-layer equipment utilization: because of the equipment room layout, if every equipment room had to deploy several access switches for each security zone, access switch resources would be wasted and port utilization would be low, so the number of security zones should not be excessive.
- Limit on firewall performance: if the traffic between areas exceeds 10G, the traffic should be shared by scaling the firewalls out horizontally or by adjusting the areas.
In practice there are usually three partitioning methods:
1. Partition by business function: partitions follow the function of the business system (production, OA, support, etc.), the real-time nature of the business (real-time versus non-real-time) or the business area the system serves (ERP, marketing, finance, etc.). This method suits most enterprise data centers;
2. Partition by security level: partitions follow the defined security level of the business system, for example "level-3 systems form their own domain, level-2 systems share one domain". This method suits data centers in government, power and similar industries;
3. Partition by server type: generally divided into a WEB server area, an APP/middleware server area and a DB server area. This method suits data centers of Internet enterprises and the like.
According to the distribution of the XX Group's business systems learned during the requirements survey, combined with the user types of those systems, the data center is partitioned by business function. The partition design is as follows:
The deployment of business systems in each area is described below:
- Office LAN area: the office network of the XX data center building, including terminals, floor access and aggregation.
- WAN access area: interconnects with the WAN of the Network Convergence Center and serves as the network exit.
- Extranet access application area: connects the private lines of the partner units; this area also holds the partner units' business front-end servers.
- Internet access application area: the Internet exit; this area also holds the group website WEB servers, the group mail system, DNS servers, etc.
- Department store application area: hosts the application servers related to the department stores, including department store promotions, MIS, BI and other systems.
- KTV application area: hosts the KTV-related application servers, including FTP, management and control, WEB, DB and other systems.
- Cinema line application area: hosts the application servers related to the cinema line, including systems such as Fire Phoenix and membership.
- OA application area: hosts the group's internal OA application servers, including OA, RTX, Panwei, drawing and document archive, video conferencing, file, online teaching, online bidding and other systems.
- ERP/financial application area: hosts the group's internal ERP and financial application servers.
- Other application areas: host application servers for business management, real estate, hotels and so on.
- Development and testing area: used for the development and testing of the group's internal information systems and for test deployment before a new system goes live.
- Disaster backup application area: interconnected with the Dalian Center to implement data-level offsite disaster recovery; backup instances of some important systems can also be deployed here.
- Support management area: hosts the operation and maintenance management systems for data center IT resources such as network, security, servers and storage, together with the group's internal domain management and identity authentication servers.
- Data center core area: implements the data exchange between the partitions and is the core hub of the data center network platform; no servers are deployed here.
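As an added example (not from the original document), the following Python checker applies the partitioning limits stated in the previous section to the zone list above: at most 20 areas, at most 200 servers per area, and inter-area traffic above 10G requiring firewall scale-out or an area re-split. The zone names follow the partition design; the server counts and traffic figures are constructed sample values rather than figures from the page, and the suggested sub-area and firewall-path counts are a simple ceiling division assumed here, not a sizing rule from the document.

```python
"""Added example, not part of the original design document: checks a proposed
partition design against the limits stated above (at most 20 areas, at most
200 servers per area, inter-area traffic above 10G needs firewall scale-out or
an area re-split).  Zone names follow the partition design; server counts and
traffic figures are constructed sample values."""
import math
from collections import defaultdict

MAX_ZONES = 20
MAX_SERVERS_PER_ZONE = 200
MAX_FIREWALL_GBPS = 10.0   # capacity assumed for one inter-area firewall path

# Constructed sample: area -> number of servers (the core area is serverless).
ZONE_SERVERS = {
    "Office LAN": 0,
    "WAN access": 4,
    "Extranet access application": 12,
    "Internet access application": 30,
    "Department store application": 180,
    "KTV application": 45,
    "Cinema line application": 40,
    "OA application": 90,
    "ERP/financial application": 60,
    "Other application": 230,          # constructed: deliberately over the limit
    "Development and testing": 120,
    "Disaster backup application": 25,
    "Support management": 20,
    "Data center core": 0,
}

# Constructed sample inter-area flows in Gbps: (area A, area B, traffic).
FLOWS_GBPS = [
    ("Office LAN", "OA application", 3.0),
    ("OA application", "ERP/financial application", 12.5),               # constructed: over the limit
    ("Department store application", "ERP/financial application", 6.0),
    ("ERP/financial application", "Department store application", 3.0),  # reverse direction, same pair
    ("Internet access application", "Department store application", 4.0),
    ("Development and testing", "Support management", 0.5),
]


def zone_count_finding(zone_servers):
    """None if the area count is within the limit, otherwise a finding string."""
    n = len(zone_servers)
    return None if n <= MAX_ZONES else f"{n} zones exceeds the limit of {MAX_ZONES}"


def oversized_zones(zone_servers):
    """Areas above the per-area server limit -> minimum number of sub-areas needed."""
    return {zone: math.ceil(count / MAX_SERVERS_PER_ZONE)
            for zone, count in zone_servers.items() if count > MAX_SERVERS_PER_ZONE}


def overloaded_pairs(flows):
    """Aggregate traffic per unordered area pair (both directions) and return the
    pairs above the firewall limit -> (total Gbps, parallel firewall paths needed)."""
    totals = defaultdict(float)
    for a, b, gbps in flows:
        totals[tuple(sorted((a, b)))] += gbps
    return {pair: (total, math.ceil(total / MAX_FIREWALL_GBPS))
            for pair, total in totals.items() if total > MAX_FIREWALL_GBPS}


def projected_zone_count(zone_servers):
    """Area count after splitting every oversized area into its minimum sub-areas."""
    extra = sum(parts - 1 for parts in oversized_zones(zone_servers).values())
    return len(zone_servers) + extra


def evaluate_design(zone_servers, flows):
    """Collect all findings for a partition design in one report dict."""
    return {
        "zone_count_issue": zone_count_finding(zone_servers),
        "oversized_zones": oversized_zones(zone_servers),
        "overloaded_pairs": overloaded_pairs(flows),
        "zone_count_after_splits": projected_zone_count(zone_servers),
    }


if __name__ == "__main__":
    for key, value in evaluate_design(ZONE_SERVERS, FLOWS_GBPS).items():
        print(f"{key}: {value}")
```

With the constructed sample the checker flags the "Other application" area for a split into two sub-areas, flags the OA to ERP/financial pair as needing a second firewall path (or an area adjustment that moves the traffic), and confirms that the area count after the split, 15, still stays under the limit of 20; flows are summed per unordered pair so that traffic recorded in both directions counts against the same firewall.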