
Compilation of the forum topic "Network design, from theory to practice" - preface by binhhd (CCIE #21256) on the VnPro.org forum.
See the original post at:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u

There was a time (five years ago) when I had questions about network design and no one to ask:
- How are the networks actually running in production designed?
- How should the network model be designed for each type of customer (SMB, Enterprise, Banking, ...)?
- How do you choose the most suitable network devices (Switch, Router, Firewall, ...) for each design?
- How do you apply what you have studied to designing a real network?
At that time I had picked up some knowledge (CCNP/CCDP), but my ability to apply it in practice was a round zero; in other words, it felt like having learned the moves but not knowing how to use them when facing a real master. A truly uncomfortable feeling:
- I had studied HSRP/VRRP/GLBP, understood exactly how these protocols work, how to configure them and how to troubleshoot them when something goes wrong, yet did not know where to use them in a network model.
- I had studied Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), PVST+, Rapid-PVST and MST: I understood how to configure the Root Bridge and Root Ports, load sharing with STP, the differences between STP, RSTP, PVST+, Rapid-PVST and MST, and the advantages and disadvantages of each. Yet I did not understand how to use them in practice.
- I had studied the three-layer design model, Core/Distribution/Access, and understood the role of each layer, yet could not design a network for a small or medium business (SMB); even the concepts of SMB and ENT were still very hazy to me.
- And many similar things.
I asked myself: what was the reason??? Was it:
- Lack of product knowledge: yes. Although I had been given a foundation of knowledge through CCNP/CCDP, I did not know, or did not yet understand:
o The concept of a modular switch (Catalyst 6500, Catalyst 4500, Nexus 7000, ...): what a line card, a supervisor, a fan tray, a power supply, etc. are.
o What makes a switch "powerful", and the figures that define that power for a device, for example on the 3750-X series: 160 Gbps switching fabric, 101.2 Mpps forwarding rate, 10GbE uplinks, ...
Reference link:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/data_sheet_c78-584733.html
o The concepts of VSS on the 6500 series, StackWise on the 3750 series and FlexStack on the 2960S series (note: these are extremely important features in network design, with many outstanding characteristics that will be covered in detail in later posts).
o The features supported by each product line differ because they are designed for different purposes; for example, the 2960 series supports Layer 3 features only to a very limited extent compared with the 3750/4500/6500 series, because the 2960 is designed for the Access layer.
- The characteristics of each type of customer; for example, designing a network for an SMB customer is very different from designing for an Enterprise customer, ...
- No real-world experience -> so how to get it?? Learn from whom?? Learn where??
And I went through a period of groping about, like walking through a dark tunnel, and up to now I am still walking in that tunnel; the only difference is that now there is a faint ray of light showing the way.
Having understood the difficulties I went through, and wanting to share, exchange and learn in order to enrich my network design skills,
I would like to begin the series of posts on the topic "Network design, from theory to practice".

Table of contents

Post 1: Designing a LAN infrastructure without redundancy.

See the original post at:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188175#post188175

Network Diagram

The network is designed on the principle of modularizing its components.

Modular design has the following notable characteristics:
- Simple and clear.
- The network can be expanded easily.
- The function of each module is clearly separated, which gives enough information to choose the right network device for each module:
o Core/Distribution Block: the central module of the network, responsible for connecting all the other modules together. It follows that the priority when choosing devices for this layer is: the faster the better.
o Access Layer Block: the module that provides connectivity to end users. The priorities when choosing devices for this module are many downlink ports for users, a high-speed uplink to the Core/Distribution module, and the best cost per downlink port. Devices in this module usually only need to support Layer 2 features.
o Server Farm Block: the module that provides connectivity for the servers delivering services on the internal network, for example AD, DNS, DHCP, File, Application and Database. Devices chosen for this layer need downlink ports of at least 1 Gbps and operate at Layer 2.
o WAN Block: the module that provides connectivity to the other branches. Devices in this module usually need to support:
 - WAN interfaces: Serial, FTTH, ADSL, ...
 - Features: dynamic routing, hardware-accelerated VPN encryption (VPN supported in hardware).
o Internet Access Block: the outermost module of the network, providing Internet access to internal users. Devices chosen for this module usually need to support:
 - Routing.
 - NAT/PAT.
 - Firewall.
 - Remote Access VPN.
o DMZ Block: the module connected directly to the Internet Access Block. Its function:
 - Provide services to the outside Internet: Mail, Web.

Physical Connection Diagram

The network is built on the criterion of not supporting high availability (HA); the devices proposed for each module are therefore:
- Core/Distribution Block: 1 x Switch with ports of at least 1 Gbps, operating at Layer 3.
- Access Layer Block: n x Switches with downlink ports of at least 100 Mbps and 1 Gbps uplinks, operating at Layer 2.
- Server Farm Block:
o 1 x Firewall: ports of at least 1 Gbps and a firewall throughput of at least 1 Gbps.
o 1 x Switch with ports of at least 1 Gbps, operating at Layer 2.
- WAN Block: 1 x Router with the corresponding LAN/WAN ports.
- DMZ Block: 1 x Switch with ports of at least 100 Mbps, operating at Layer 2.
- Internet Access Block:
o 1 x Firewall: supporting IPsec VPN or SSL VPN (if required).
o 1 x Router (optional): with the corresponding LAN/WAN ports.
Logical Connection Diagram

Features used:
- Core/Distribution Switch:
o Spanning Tree: Rapid-PVST, STP Root Bridge
o Trunking: Dot1Q
o Create VLANs.
o EtherChannel.
o VTP: Mode Transparent
o Inter-VLAN Routing.
o Static Routing.
o Device Security Hardening.
- Access Switch:
o Spanning Tree: Rapid-PVST, PortFast
o Create VLANs
o Trunking: Dot1Q
o EtherChannel.
o VTP: Mode Transparent
o Assign Ports to VLANs
o Device Security Hardening.
- Internal Firewall:
o Static Routing.
o Firewall Policy.
o Device Security Hardening.
- Server Switch:
o Spanning Tree: Rapid-PVST, PortFast
o Create VLANs.
o VTP: Mode Transparent
o Assign Ports to VLANs
o Device Security Hardening.
- DMZ Switch:
o Spanning Tree: Rapid-PVST, PortFast
o Create VLANs.
o Device Security Hardening.
- Internet Firewall:
o Interface configuration.
o Static Routing.
o Remote Access VPN / SSL VPN.
o Firewall Policy.
- Internet Router:
o LAN/Internet interface configuration.
o Static Routing.
- WAN Router:
o LAN/WAN interface configuration.
o Static Routing.

Routing Diagram

For a simple network that does not require high availability (HA), choosing static routing is entirely acceptable.
- The Core Switch is responsible for routing between the user VLANs and the other modules. See the diagram above for the routing details.
- External Firewall: besides routing traffic to and from the Internet, this device is also configured with:
o Firewall: filters packets passing between the zones TRUSTED (also called the INSIDE zone), DMZ and UNTRUSTED (also called the OUTSIDE zone). Normally traffic from the Internet is only allowed to reach the resources published in the DMZ module; connections initiated from the Internet into TRUSTED, or from the DMZ into TRUSTED, are strictly forbidden. The detailed firewall rules depend on each company's own security policy.
o Remote Access VPN: serves users working remotely over the Internet.
o Dynamic NAT/PAT: for user traffic going out to the Internet.
o Static NAT/PAT: to publish services from the DMZ to the Internet.
o NO-NAT: do not NAT traffic (if any) between the internal network and the DMZ.
Discussion of the Network Devices Used in the Design
- Core/Distribution Switch:
o Cisco Catalyst 3560G, 3560-X.
- Access Switch:
o Cisco Catalyst 2960.
- Internal Firewall:
o Cisco ASA5550 or equivalent.
- Server Switch:
o Cisco Catalyst 2960G, 2960S.
- DMZ Switch:
o Cisco Catalyst 2960.
- Internet Firewall:
o Cisco ASA5505, ASA5510 or ASA5520.
- Internet Router:
o Cisco 1900 series router.
- WAN Router:
o Cisco 800, 1900 or 2900 series router.
Reference links:
- Cisco 3560G: http://www.cisco.com/en/US/products/...528/index.html
- Cisco 3560-X: http://www.cisco.com/en/US/products/ps10744/index.html
- Cisco 2960: http://www.cisco.com/en/US/products/ps6406/index.html
- Cisco 2960S: http://www.cisco.com/en/US/products/ps12200/index.html
- Cisco ASA5500: http://www.cisco.com/en/US/products/ps6120/index.html
- Cisco Router 800: http://www.cisco.com/en/US/products/...380/index.html
- Cisco Router 1900: http://www.cisco.com/en/US/products/ps10538/index.html
- Cisco Router 2900: http://www.cisco.com/en/US/products/ps10537/index.html

Configuration Templates

(See the original post at:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188416#post188416)

Please note that the configuration below only covers the main features mentioned in the design, and has not been tested, so there may be a few syntax errors.
The main purpose of the configuration templates is to show, step by step, how to fully configure the features on each device in each design model.
To understand each feature illustrated below in detail, you are encouraged to review the relevant course modules:
- The Firewall Policy, site-to-site VPN on routers and Remote Access VPN on ASA configurations are covered in detail in the CCNP Security curriculum.
- VLAN, VTP, Trunking, STP and EtherChannel configuration is covered in the SWITCH module of the CCNP curriculum.
- Static Routing configuration is covered in the CCNA R&S curriculum.

Core/Distribution Switch: Cisco Catalyst 3560G/3560-X

!VLAN configuration
Switch(config)# vlan <Vlan-ID>
Switch(config-vlan)# name <Vlan-Name>
!VTP mode transparent
Switch(config)# vtp mode transparent
!STP configuration
!Use Rapid PVST+ or MST
Switch(config)# spanning-tree mode rapid-pvst
!Make the Core/Distribution switch the STP Root Bridge
Switch(config)# spanning-tree vlan 1-4094 priority 8192
!STP protection features
!Enable BPDU Guard and BPDU Filter automatically on every port configured with Spanning-Tree PortFast.
!Note: BPDU Guard alone is the safer choice; BPDU Filter suppresses the very BPDUs that Guard reacts to, and its per-interface form silently disables STP on that port.
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# spanning-tree portfast bpdufilter default
!UDLD configuration
!Enable UDLD on fiber links to detect unidirectional connections
Switch(config)# udld aggressive
!Broadcast storm protection
!Configure Storm-Control (10%) on the uplink ports (and on the downlink ports of the Core/Dist switch)
Switch(config-if)# storm-control broadcast level 10

!Port configuration
!Trunk configuration for the ports connecting to the Access Switches
Switch(config-if)# switchport mode trunk
!To prevent VLAN-hopping attacks, set the native VLAN to 999, a VLAN that is created but never assigned to any access port.
Switch(config-if)# switchport trunk native vlan 999
!Access configuration for the ports connecting to the WAN Router and the Firewalls
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <Vlan-ID>
Switch(config-if)# spanning-tree portfast
!Shut down the ports that are not currently in use
Switch(config-if)# shutdown
!EtherChannel configuration
Switch(config)# interface range Gi0/x-y
Switch(config-if-range)# channel-protocol lacp
Switch(config-if-range)# channel-group <group-number> mode active
Switch(config)# port-channel load-balance src-dst-ip
!Inter-VLAN Routing and Static Routing
!Layer 3 interface and Inter-VLAN Routing configuration
Switch(config)# interface vlan <VLAN-ID>
Switch(config-if)# ip address x.x.x.x y.y.y.y
Switch(config-if)# no shutdown
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!
Switch(config)# interface loopback 0
Switch(config-if)# ip address x.x.x.x 255.255.255.255
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!
Switch(config)# ip routing
!
Switch(config)# ip route <IP-Subnet> <IP-Subnet-Mask> <IP-Next-Hop>
!Device Hardening
!Password configuration
Switch(config)# service password-encryption

Switch(config)# no enable password

Switch(config)# enable secret <password>
Switch(config)# username <admin user> secret <password>
!Disable unnecessary services
Switch(config)# no service tcp-small-servers
Switch(config)# no service udp-small-servers
Switch(config)# no ip bootp server
Switch(config)# no ip finger
Switch(config)# no service finger
Switch(config)# no service config
Switch(config)# no boot host
Switch(config)# no boot network
Switch(config)# no boot system
Switch(config)# no service pad
!On every Layer 3 interface (SVIs and the loopback):
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
Switch(config)# no ip domain-lookup
!Disable IP source routing (the source-route option in the IP header)
Switch(config)# no ip source-route
!Set the console timeout to 5 minutes
Switch(config)# line console 0
Switch(config-line)# exec-timeout 5 0
!Only allow access to the switch via SSH, and only from the management subnet
!(SSH requires a hostname, a domain name and an RSA key before it can be enabled)
Switch(config)# ip domain-name <domain>
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# access-list 11 permit x.x.x.x y.y.y.y
Switch(config)# access-list 11 deny any log
Switch(config)# line vty 0 4
Switch(config-line)# transport input ssh
Switch(config-line)# transport output none
Switch(config-line)# privilege level 1
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# access-class 11 in
Switch(config-line)# login local
!Disable the remaining vty lines. This must be "vty 5 15", not "vty 0 15": the latter also covers lines 0-4 and would cut off SSH.
Switch(config)# line vty 5 15
Switch(config-line)# transport input none
!Turn off the HTTP server
Switch(config)# no ip http server
!Mitigate denial of service against the switch processor, so that it can still process legitimate control-plane traffic (STP, VTP, DTP, CDP, routing, ...)
Switch(config)# scheduler interval 500

!Management configuration

!Syslog
Switch(config)# no logging console
Switch(config)# logging buffered 128000
!NTP (authenticated). The "key" argument of "ntp server" is a key number, which must first be defined with ntp authentication-key.
Switch(config)# ntp authentication-key 1 md5 <Secret-key>
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key 1
Switch(config)# ntp server <IP Address> key 1
Switch(config)# ntp source loopback 0
!Indochina Time, UTC+7
Switch(config)# clock timezone ICT 7
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service timestamps debug datetime msec localtime show-timezone

!CDP
!CDP is enabled on the switch by default. Keep it on infrastructure links and disable it per interface (no cdp enable) on ports facing users or external networks.
!SNMP
!Configure a read-only SNMP community string so that the management servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring. ACL 10 restricts it to the NMS only; SNMPv1/v2c community strings travel in cleartext, so prefer SNMPv3 (authPriv) where the NMS supports it.
Switch(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Switch(config)# access-list 10 permit x.x.x.x y.y.y.y
Switch(config)# access-list 10 deny any log
Switch(config)# snmp-server community <SNMP-String> RO 10
Switch(config)# snmp-server location <Server Room A> <5th Floor>
!Banner
!Configure a warning banner that is shown whenever someone connects to the device
Switch(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*******************************************************************
^
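The native-VLAN choice in the trunk configuration above is easier to reason about with a small model of what each switch does to a double-tagged frame. The following Python is an added example, not part of the original post and not Cisco code; it models only the three tagging rules the attack depends on (an access port accepts untagged frames, and frames tagged with its own VLAN, into that VLAN; a trunk sends its native VLAN untagged and tags everything else; the receiving trunk puts untagged frames into its native VLAN) and builds the frame bytes inline. The MAC addresses, the attacker's access VLAN and the target VLAN are made-up sample values.

```python
import struct

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800


def build_frame(dst, src, vlans, payload):
    """Ethernet frame carrying zero or more 802.1Q tags (outermost first)."""
    hdr = dst + src
    for vid in vlans:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid)   # PCP/DEI bits left at 0
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame):
    """Return (vid, frame without its outer tag), or (None, frame) if untagged."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == ETH_P_8021Q:
        vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        return vid, frame[:12] + frame[16:]
    return None, frame


def ingress_access(frame, access_vlan):
    """Access port: untagged frames, and frames tagged with the port's own VLAN,
    are accepted into access_vlan; a tag for any other VLAN is dropped."""
    vid, inner = pop_tag(frame)
    if vid is None:
        return access_vlan, frame
    if vid == access_vlan:
        return access_vlan, inner   # outer tag consumed; whatever follows is forwarded as-is
    return None, None


def egress_trunk(vlan, frame, native_vlan):
    """Trunk egress: the native VLAN leaves untagged, every other VLAN gets a tag pushed."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vlan) + frame[12:]


def ingress_trunk(frame, native_vlan):
    """Trunk ingress: a tagged frame belongs to its tag, an untagged one to the native VLAN."""
    vid, inner = pop_tag(frame)
    return (native_vlan, frame) if vid is None else (vid, inner)


def double_tag_attack(attacker_vlan, native_vlan, target_vlan):
    """An attacker on an access port in attacker_vlan sends [attacker_vlan][target_vlan]
    toward a trunk whose native VLAN is native_vlan. Returns the VLAN the far-side
    switch delivers the frame into, or None if the first switch drops it."""
    frame = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x01",   # constructed MACs
                        [attacker_vlan, target_vlan], b"\x45" + b"\x00" * 19)
    vlan, frame = ingress_access(frame, attacker_vlan)
    if vlan is None:
        return None
    delivered_vlan, _ = ingress_trunk(egress_trunk(vlan, frame, native_vlan), native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    # Default native VLAN 1 shared with user ports: the inner tag reaches VLAN 20.
    print("native=1   ->", double_tag_attack(1, 1, 20))
    # Native VLAN 999 that no access port uses: the frame stays in VLAN 1.
    print("native=999 ->", double_tag_attack(1, 999, 20))
```

The defence works only while the attacker's access VLAN can never equal the trunk's native VLAN, which is why the template says VLAN 999 is created but not used: `double_tag_attack(999, 999, 20)` still lands in VLAN 20. Where the platform supports it, the global `vlan dot1q tag native` removes the untagged-native behaviour entirely, and `switchport mode access` on user ports (as the templates do) stops DTP from turning a user port into a trunk, which is the other VLAN-hopping variant.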

Access/DMZ/Server Switch: Cisco Catalyst 2960/2960S

!VLAN configuration
Switch(config)# vlan <Vlan-ID>

Switch(config-vlan)# name <Vlan-Name>

!VTP mode transparent
Switch(config)# vtp mode transparent
!STP configuration
!Use Rapid PVST+ or MST (the same mode as the Core/Distribution switch)
Switch(config)# spanning-tree mode rapid-pvst
!STP protection features
!Enable BPDU Guard and BPDU Filter automatically on every port configured with Spanning-Tree PortFast.
!Note: BPDU Guard alone is the safer choice; BPDU Filter suppresses the very BPDUs that Guard reacts to, and its per-interface form silently disables STP on that port.
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# spanning-tree portfast bpdufilter default
!UDLD configuration
!Enable UDLD on fiber links to detect unidirectional connections
Switch(config)# udld aggressive
!Broadcast storm protection
!Configure Storm-Control (10%) on the uplink ports
Switch(config-if)# storm-control broadcast level 10
!Layer 2 port configuration
!Trunk configuration for the uplink ports to the Core/Distribution switch
Switch(config-if)# switchport mode trunk
!To prevent VLAN-hopping attacks, set the native VLAN to 999, the same unused VLAN as on the Core/Distribution side (a native VLAN mismatch is reported by CDP and PVST+ blocks the port).
Switch(config-if)# switchport trunk native vlan 999
!Access configuration for the ports connecting end users (Access switch) or servers (Server/DMZ switch)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <Vlan-ID>
Switch(config-if)# spanning-tree portfast
!Shut down the ports that are not currently in use
Switch(config-if)# shutdown
!EtherChannel configuration
Switch(config)# interface range Gi0/x-y
Switch(config-if-range)# channel-protocol lacp
Switch(config-if-range)# channel-group <group-number> mode active
Switch(config)# port-channel load-balance src-dst-ip
!Device Hardening

!Password configuration

Switch(config)# service password-encryption
Switch(config)# no enable password
Switch(config)# enable secret <password>
Switch(config)# username <admin user> secret <password>
!Disable unnecessary services
Switch(config)# no service tcp-small-servers
Switch(config)# no service udp-small-servers
Switch(config)# no ip bootp server
Switch(config)# no ip finger
Switch(config)# no service finger
Switch(config)# no service config
Switch(config)# no boot host
Switch(config)# no boot network
Switch(config)# no boot system
Switch(config)# no service pad
Switch(config)# no ip domain-lookup
!Management SVI. The 2960 is a Layer 2 switch, so this is its only IP interface; it carries SSH, SNMP, syslog and NTP.
Switch(config)# interface vlan <Mgmt-VLAN-ID>
Switch(config-if)# ip address x.x.x.x y.y.y.y
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
Switch(config-if)# no shutdown
Switch(config)# ip default-gateway <Core-Mgmt-SVI-IP>
!Disable IP source routing (the source-route option in the IP header)
Switch(config)# no ip source-route
!Set the console timeout to 5 minutes
Switch(config)# line console 0
Switch(config-line)# exec-timeout 5 0
!Only allow access to the switch via SSH, and only from the management subnet
!(SSH requires a hostname, a domain name and an RSA key before it can be enabled)
Switch(config)# ip domain-name <domain>
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# access-list 11 permit x.x.x.x y.y.y.y
Switch(config)# access-list 11 deny any log
Switch(config)# line vty 0 4
Switch(config-line)# transport input ssh
Switch(config-line)# transport output none
Switch(config-line)# privilege level 1
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# access-class 11 in
Switch(config-line)# login local
!Disable the remaining vty lines. This must be "vty 5 15", not "vty 0 15": the latter also covers lines 0-4 and would cut off SSH.
Switch(config)# line vty 5 15
Switch(config-line)# transport input none
!Turn off the HTTP server
Switch(config)# no ip http server
!Mitigate denial of service against the switch processor, so that it can still process legitimate control-plane traffic (STP, VTP, DTP, CDP, ...)

Switch(config)# scheduler interval 500
!Management configuration
!Syslog
Switch(config)# no logging console
Switch(config)# logging buffered 128000
!NTP (authenticated). The "key" argument of "ntp server" is a key number, which must first be defined with ntp authentication-key.
!The 2960 has no loopback interface, so NTP is sourced from the management SVI.
Switch(config)# ntp authentication-key 1 md5 <Secret-key>
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key 1
Switch(config)# ntp server <IP Address> key 1
Switch(config)# ntp source vlan <Mgmt-VLAN-ID>
!Indochina Time, UTC+7
Switch(config)# clock timezone ICT 7
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service timestamps debug datetime msec localtime show-timezone

!CDP
!CDP is enabled on the switch by default. Keep it on the uplinks and disable it per interface (no cdp enable) on user-facing ports.
!SNMP
!Configure a read-only SNMP community string so that the management servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring. ACL 10 restricts it to the NMS only; SNMPv1/v2c community strings travel in cleartext, so prefer SNMPv3 (authPriv) where the NMS supports it.
Switch(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Switch(config)# access-list 10 permit x.x.x.x y.y.y.y
Switch(config)# access-list 10 deny any log
Switch(config)# snmp-server community <SNMP-String> RO 10
Switch(config)# snmp-server location <Server Room A> <5th Floor>
!Banner
!Configure a warning banner that is shown whenever someone connects to the device
Switch(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*******************************************************************
^

WAN Router: Cisco 2900 ISR2

!WAN interface configuration
Router(config)# interface <WAN-Interface>
Router(config-if)# encapsulation ppp
Router(config-if)# no cdp enable
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast

!LAN interface configuration
Router(config)# interface <LAN-Interface>
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Static route configuration
Router(config)# ip route <IP-Subnet> <IP-Subnet-Mask> <IP-Next-Hop>
!VTI IPsec site-to-site VPN

!Phase 1 policy (ISAKMP)
!3DES, SHA-1 and DH group 2 reflect the time this was written; current guidance is AES-256, SHA-256 and DH group 14 or stronger, with IKEv2 where both ends support it.
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Router(config)# crypto isakmp key <secret-key> address <Peer-IP-Address> <SubnetMask>
Router(config)# crypto isakmp keepalive 10
!Phase 2 policy (IPsec)
Router(config)# crypto ipsec transform-set TRAN_TEST esp-3des esp-sha-hmac
Router(config)# crypto ipsec profile VTI
Router(ipsec-profile)# set transform-set TRAN_TEST
!VTI interface with the IPsec profile applied. "tunnel source" and "tunnel destination" take an interface or an address, with no mask; the tunnel mode must be ipsec ipv4 before the profile is attached.
Router(config)# interface tunnel 0
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# tunnel source <WAN-Interface>
Router(config-if)# tunnel destination <Peer-IP-Address>
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VTI
!Device Hardening

!Password configuration

Router(config)# service password-encryption
Router(config)# no enable password
Router(config)# enable secret <password>
Router(config)# username <admin user> secret <password>
!Disable unnecessary services
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no ip finger
Router(config)# no service finger
Router(config)# no service config
Router(config)# no boot host
Router(config)# no boot network
Router(config)# no boot system
Router(config)# no service pad
Router(config)# no ip domain-lookup

!Disable IP source routing (the source-route option in the IP header)
Router(config)# no ip source-route
!Set the console timeout to 5 minutes
Router(config)# line console 0
Router(config-line)# exec-timeout 5 0
!Only allow access to the router via SSH, and only from the management subnet
!(SSH requires a hostname, a domain name and an RSA key before it can be enabled)
Router(config)# ip domain-name <domain>
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# access-list 11 permit x.x.x.x y.y.y.y
Router(config)# access-list 11 deny any log
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output none
Router(config-line)# privilege level 1
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 11 in
Router(config-line)# login local
!Disable the remaining vty lines. This must be "vty 5 15", not "vty 0 15": the latter also covers lines 0-4 and would cut off SSH.
Router(config)# line vty 5 15
Router(config-line)# transport input none
!Turn off the HTTP server
Router(config)# no ip http server
!Device Management configuration

!Syslog
Router(config)# no logging console
Router(config)# logging buffered 128000
!NTP (authenticated). The "key" argument of "ntp server" is a key number, which must first be defined with ntp authentication-key.
!Sourcing from loopback 0 assumes a loopback interface has been configured on the router; otherwise source from the LAN interface.
Router(config)# ntp authentication-key 1 md5 <Secret-key>
Router(config)# ntp authenticate
Router(config)# ntp trusted-key 1
Router(config)# ntp server <IP Address> key 1
Router(config)# ntp source loopback 0
!Indochina Time, UTC+7
Router(config)# clock timezone ICT 7
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

!CDP
!CDP is enabled on the router by default. It is disabled on the WAN interface above and should stay disabled on any interface facing a network you do not control.
!SNMP
!Configure a read-only SNMP community string so that the management servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring. ACL 10 restricts it to the NMS only; SNMPv1/v2c community strings travel in cleartext, so prefer SNMPv3 (authPriv) where the NMS supports it.
Router(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Router(config)# access-list 10 permit x.x.x.x y.y.y.y
Router(config)# access-list 10 deny any log
Router(config)# snmp-server community <SNMP-String> RO 10
Router(config)# snmp-server location <Server Room A> <5th Floor>
!Banner
!Configure a warning banner that is shown whenever someone connects to the device
Router(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*******************************************************************
^
</gr_repl>

<gr_replace lines="744-875" cat="clarify" orig="Internet Router">
Internet Router: Cisco 1900 ISR2

!Internet interface configuration
Router(config)# interface Gi0/1
Router(config-if)# no cdp enable
Router(config-if)# ip address 203.162.123.2 255.255.255.252
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast

!LAN interface configuration (toward the Internet Firewall's UNTRUSTED interface)
Router(config)# interface Gi0/0
Router(config-if)# ip address 203.162.100.1 255.255.255.240
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Static route configuration
Router(config)# ip route 0.0.0.0 0.0.0.0 203.162.123.1
!Device Hardening
!Password configuration
Router(config)# service password-encryption
Router(config)# no enable password
Router(config)# enable secret <password>
Router(config)# username <admin user> secret <password>
!Disable unnecessary services
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no ip finger
Router(config)# no service finger
Router(config)# no service config
Router(config)# no boot host
Router(config)# no boot network
Router(config)# no boot system
Router(config)# no service pad
Router(config)# no ip domain-lookup

!Disable IP source routing (the source-route option in the IP header)
Router(config)# no ip source-route
!Set the console timeout to 5 minutes
Router(config)# line console 0
Router(config-line)# exec-timeout 5 0
!Only allow access to the router via SSH, and only from the management subnet
!(SSH requires a hostname, a domain name and an RSA key before it can be enabled)
Router(config)# ip domain-name <domain>
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# access-list 11 permit x.x.x.x y.y.y.y
Router(config)# access-list 11 deny any log
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output none
Router(config-line)# privilege level 1
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 11 in
Router(config-line)# login local
!Disable the remaining vty lines. This must be "vty 5 15", not "vty 0 15": the latter also covers lines 0-4 and would cut off SSH.
Router(config)# line vty 5 15
Router(config-line)# transport input none
!Turn off the HTTP server
Router(config)# no ip http server
!Device Management configuration
!Syslog
Router(config)# no logging console
Router(config)# logging buffered 128000
!NTP (authenticated). The "key" argument of "ntp server" is a key number, which must first be defined with ntp authentication-key.
!Sourcing from loopback 0 assumes a loopback interface has been configured on the router; otherwise source from the LAN interface.
Router(config)# ntp authentication-key 1 md5 <Secret-key>
Router(config)# ntp authenticate
Router(config)# ntp trusted-key 1
Router(config)# ntp server <IP Address> key 1
Router(config)# ntp source loopback 0
!Indochina Time, UTC+7
Router(config)# clock timezone ICT 7
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

!CDP
!CDP is enabled on the router by default. It is disabled on the Internet interface above and must stay disabled there.
!SNMP
!Configure a read-only SNMP community string so that the management servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring. ACL 10 restricts it to the NMS only; SNMPv1/v2c community strings travel in cleartext, so prefer SNMPv3 (authPriv) where the NMS supports it.
Router(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Router(config)# access-list 10 permit x.x.x.x y.y.y.y
Router(config)# access-list 10 deny any log
Router(config)# snmp-server community <SNMP-String> RO 10
Router(config)# snmp-server location <Server Room A> <5th Floor>
!Banner
!Configure a warning banner that is shown whenever someone connects to the device
Router(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*******************************************************************
^

Internet Router Cisco 1900 ISR2


!Cu hnh Internet Interface
Router(config# interface Gi0/1
Router(config-if)# no cdp enable
Router(config-if)# ip address 203.162.123.2 255.255.255.252
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast

!Cu hnh LAN Interface


Router(config)# interface Gi0/0
Router(config-if)# ip address 203.162.100.1 255.255.255.240
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Cu hnh Static Route
Router(config)# ip route 0.0.0.0 0.0.0.0 203.162.123.1
!Cu hnh Device Hardening
!Cu hnh password
Router(config)# service password-encryption
Router(config)# no enable password
Router(config)# enable secret <password>
Router(config)# username <admin user> secret <password>
!Disable cc dch
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no
Router(config)# no

v khng cn thit
service tcp-small-servers
service udp-small-servers
ip bootp server
ip finger
service finger
service config
boot host
boot network
boot system
service pad
ip domain-lookup

!Disable ip source-route trong IP header


Router(config)# no ip source-route
!Set timeout cho console la 5 pht
Router(config)# line console 0
Router(config-line)# exec-time 5 0
!Ch cho php truy cp vo Router thng qua SSH
Router(config)# access-list 11 permit x.x.x.x y.y.y.y
Router(config)# access-list 11 deny any log
Router(config)# line vty 0 4

Router(config-line)# transport input ssh


Router(config-line)# transport output none
Router(config-line)# privilege level 1
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 11 in
Router(config-line)# login local
Router(config)# line vty 0 15
Router(config-line)# transport input none
!Tt dch v HTTP Server
Router(config)# no ip http server
!Cu hnh Device Management
!Cu hnh Syslog
Router(config)# no logging console
Router(config)# logging buffered 128000
!Cu hnh NTP
Router(config)#
Router(config)#
Router(config)#
Router(config)#
Router(config)#
timezone

ntp server <IP Address> key <Secret-key>


ntp source loopback 0
clock timezone GMT +7
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-

!Cu hnh CDP


!Mc nh CDP c t ng bt trn trn Router.
!Cu hnh SNMP
Cu hnh SNMP Community Read-Only string cc Management Server
(SolarWind, WhatsUpGold, ) c th truy xut vo thit b nhm mc ch !
monitor.
Router(config)# snmp-server community <SNMP-String> RO 10
Router(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS
only
Router(config)# access-list 10 permit x.x.x.x y.y.y.y
Router(config)# access-list 10 deny any log
Router(config)# snmp-server location <Server Room A> <5th Floor>
!Cu hnh Banner
!cu hnh banner cnh bo mi khi c ngi truy cp vo thit b
Router(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,

alteration, destruction, or damage to its data, program, or


equipment may result in criminal or civil liability or both.
************************************************** *******************
^
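The Device Hardening block is repeated in all four IOS templates above, and the practical way to keep a fleet on it is to audit each running-config against the baseline. The following Python is an added example, not part of the original post; it checks the settings the templates require that IOS actually prints in a running-config (defaults that IOS omits, such as the small servers being off, are covered by flagging their enabled form instead), and it checks every vty block for SSH-only transport, an access-class and an exec-timeout, exactly the combination the templates apply. The two configs at the bottom are constructed samples: one follows the template, the other has drifted.

```python
import re

# Global-mode lines from the template that IOS prints in the running-config.
REQUIRED_GLOBAL = (
    "service password-encryption",
    "no ip http server",
    "no ip source-route",
    "no ip bootp server",
    "no service pad",
)
# Lines that must never appear. Small servers and the HTTP server are off by
# default and not printed, so their *enabled* form is what drift looks like.
FORBIDDEN = (
    re.compile(r"^enable password "),                       # type-0/7 enable password
    re.compile(r"^username \S+ password "),                 # user without 'secret'
    re.compile(r"^snmp-server community \S+ (RO|RW)\s*$"),  # community with no ACL
    re.compile(r"^service (tcp|udp)-small-servers$"),
    re.compile(r"^ip http server$"),
)


def parse_config(text):
    """Split a running-config into top-level lines and {section: [sub-lines]}.
    IOS indents sub-commands (interface, line, ...) by one space."""
    top, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top.append(current)
    return top, sections


def audit(text):
    """Return sorted findings; an empty list means the config matches the baseline."""
    top, sections = parse_config(text)
    findings = [f"missing: {line}" for line in REQUIRED_GLOBAL if line not in top]
    if not any(line.startswith("enable secret ") for line in top):
        findings.append("missing: enable secret")
    findings += [f"forbidden: {line}" for line in top
                 if any(p.match(line) for p in FORBIDDEN)]
    # Every vty block must be SSH-only, ACL-restricted and idle-timed, or disabled.
    for name, body in sections.items():
        if not name.startswith("line vty"):
            continue
        transport = next((l.split(None, 2)[2] for l in reversed(body)
                          if l.startswith("transport input ")), None)
        if transport == "none":
            continue
        if transport != "ssh":
            findings.append(f"{name}: transport input {transport or 'not set'}")
        if not any(l.startswith("access-class ") for l in body):
            findings.append(f"{name}: no access-class")
        if not any(l.startswith("exec-timeout ") for l in body):
            findings.append(f"{name}: no exec-timeout")
    return sorted(findings)


# Constructed sample: follows the template (hashes and strings are placeholders).
COMPLIANT = """\
service password-encryption
enable secret 5 <hash>
username admin secret 5 <hash>
no ip bootp server
no service pad
no ip source-route
no ip http server
access-list 11 permit 192.168.44.0 0.0.0.255
access-list 11 deny   any log
snmp-server community <SNMP-String> RO 10
line vty 0 4
 access-class 11 in
 exec-timeout 5 0
 transport input ssh
 login local
line vty 5 15
 transport input none
"""

# Constructed sample: a device that has drifted from the template.
DRIFTED = """\
enable password cisco
username admin password 0 cisco123
ip http server
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input none
"""

if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, audit(cfg) or "OK")
```

Feed it the output of `show running-config` from each device; anything in the returned list is a deviation from the template, ordered so that the same drift on two devices produces the same report.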

Internet Firewall ASA5510


!Cu hnh Interface
ASA5510(config)# interface Gi0/0
ASA5510(config-if)# nameif TRUSTED
ASA5510(config-if)# ip address 192.168.10.1 255.255.255.0
ASA5510(config-if)# security-level 100
!
ASA5510(config)# interface Gi0/1
ASA5510(config-if)# nameif DMZ
ASA5510(config-if)# ip address 192.168.20.1 255.255.255.0
ASA5510(config-if)# security-level 50
!
ASA5510(config)# interface Gi0/2
ASA5510(config-if)# nameif UNTRUSTED
ASA5510(config-if)# ip address 203.162.100.2 255.255.255.240
ASA5510(config-if)# security-level 0
!Cu hnh Static Route
ASA5510(config)# route UNTRUSTED 0.0.0.0 0.0.0.0 203.162.100.1
ASA5510(config)# route TRUSTED 192.168.0.0 255.255.0.0 192.168.10.2
!Cu hnh Remote Access VPN
!Cu hnh VPN policy phase 1 (ISAKMP)
ASA5510(config)# crypto isakmp policy 1
ASA5510(config-isakmp)# authentication pre-share
ASA5510(config-isakmp)# encryption 3des
ASA5510(config-isakmp)# group 2
!Cu hnh VPN policy phase 2 (IPSEC)
ASA5510(config)# crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
ASA5510(config)# crypto dynamic-map DYMAP 1 set transform-set 3DES-SHA
ASA5510(config)# crypto dynamic-map DYMAP 1 set reserve-route
ASA5510(config)# crypto map CRYPMAP ipsec-isakmp dynamic DYMAP
!Apply VPN policy phase 1 v phase 2 vo Interface UNTRUSTED
ASA5510(config)# crypto isakmp enable UNTRUSTED
ASA5510(config)# crypto map interface UNTRUSTED
!Cu hnh VPN Group Policy cho Group IT Admin
ASA5510(config)# access-list ACL_SPLIT_TUNNEL standard permit 192.168.0.0
255.255.0.0
ASA5510(config)# access-list ACL_VPN_IT extended permit ip any 192.168.0.0

255.255.0.0
ASA5510(config)# ip local pool VPN_IPPOOL_IT 192.168.50.21-192.168.50.254
mask 255.255.255.0
ASA5510(config)# group-policy VPN_IT internal
ASA5510(config)# group-policy VPN_IT attributes
ASA5510(config-vpn-att)# dns-server value 192.168.11.11 192.168.11.12
ASA5510(config-vpn-att)# vpn-filter value ACL_VPN_IT
ASA5510(config-vpn-att)# ip-comp enable
ASA5510(config-vpn-att)# split-tunnel-policy tunnelspecified
ASA5510(config-vpn-att)# split-tunnel-network-list value ACL_SPLIT_TUNNEL
ASA5510(config-vpn-att)# address-pools value VPN_IPPOOL_IT
!Configure the VPN tunnel-group
ASA5510(config)# tunnel-group TG_IT type remote-access
ASA5510(config)# tunnel-group TG_IT general-attributes
ASA5510(config-vpn-tunnel-ge)# address-pool VPN_IPPOOL_IT
ASA5510(config-vpn-tunnel-ge)# default-group-policy VPN_IT
ASA5510(config)# tunnel-group TG_IT ipsec-attributes
ASA5510(config-vpn-tunnel-att)# pre-shared-key 123456
!Create the VPN user (the user is bound to the group-policy VPN_IT, not to the tunnel-group)
ASA5510(config)# username vpn-user1 password <password>
ASA5510(config)# username vpn-user1 attributes
ASA5510(config-user-att)# vpn-group-policy VPN_IT
ASA5510(config-user-att)# service-type remote-access
!Configure static NAT to publish Web (TCP/80) and Mail (POP3, TCP/110) to the Internet
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 80 192.168.20.20 80 netmask 255.255.255.255
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 110 192.168.20.20 110 netmask 255.255.255.255
!Configure n-to-1 NAT (PAT) so internal users can reach the Internet
ASA5510(config)# global (UNTRUSTED) 1 interface
!(added) the global statement only takes effect with a matching nat statement on the inside interface
ASA5510(config)# nat (TRUSTED) 1 0.0.0.0 0.0.0.0
!Configure NAT exemption for traffic DMZ->TRUSTED, DMZ->VPN, TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list DMZ_nat0 remark NO NAT Traffic DMZ->VPN, DMZ->TRUSTED
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
!
ASA5510(config)# access-list TRUSTED_nat0 remark NO NAT Traffic TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
ASA5510(config)# nat (DMZ) 0 access-list DMZ_nat0
ASA5510(config)# nat (TRUSTED) 0 access-list TRUSTED_nat0
!Configure the Firewall Policy
!Configure ACLs
ASA5510(config)# access-list TRUSTED_IN remark Permit traffic from Internal Network access Internet
ASA5510(config)# access-list TRUSTED_IN extended permit ip any any
!
ASA5510(config)# access-list DMZ_IN remark Permit Servers from DMZ zone to access Internet and Internal IP Address 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended permit ip any host 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0 log
ASA5510(config)# access-list DMZ_IN extended permit ip any any
!
ASA5510(config)# access-list UNTRUSTED_IN remark Permit Some traffic (mail,web) access to DMZ Zone from Internet
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 80
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 110
!Apply the ACLs to the interfaces
ASA5510(config)# access-group TRUSTED_IN in interface TRUSTED
ASA5510(config)# access-group DMZ_IN in interface DMZ
ASA5510(config)# access-group UNTRUSTED_IN in interface UNTRUSTED
!Configure Management
!Allow ping to the TRUSTED interface for troubleshooting
ASA5510(config)# icmp permit any TRUSTED
!Allow the PC with IP 192.168.44.44 to telnet into the ASA
ASA5510(config)# telnet 192.168.44.44 255.255.255.255 TRUSTED
!Allow the PC with IP 192.168.44.44 to manage the ASA through ASDM (TCP port 4443)
ASA5510(config)# http server enable 4443
ASA5510(config)# http 192.168.44.44 255.255.255.255 TRUSTED

Internal Firewall ASA5550

!Configure Interfaces
ASA5550(config)# interface Gi0/0
ASA5550(config-if)# nameif TRUSTED
ASA5550(config-if)# ip address 192.168.100.1 255.255.255.0
ASA5550(config-if)# security-level 100
!
ASA5550(config)# interface Gi0/1
ASA5550(config-if)# nameif UNTRUSTED
ASA5550(config-if)# ip address 192.168.101.1 255.255.255.0
ASA5550(config-if)# security-level 0
!Configure Static Route
ASA5550(config)# route UNTRUSTED 0.0.0.0 0.0.0.0 192.168.101.2
!Configure no nat-control
ASA5550(config)# no nat-control
!Configure the Firewall Policy
!Configure ACLs
ASA5550(config)# access-list TRUSTED_IN remark Permit traffic from Server Farm access outside network
ASA5550(config)# access-list TRUSTED_IN extended permit ip any any
!
ASA5550(config)# access-list UNTRUSTED_IN remark Permit traffic access from outside to some Servers in Server Farm
ASA5550(config)# access-list UNTRUSTED_IN extended permit tcp any host 192.168.100.10 eq 443
ASA5550(config)# access-list UNTRUSTED_IN extended permit tcp any host 192.168.100.10 eq 445
ASA5550(config)# access-list UNTRUSTED_IN extended deny ip any any
!Apply the ACLs to the interfaces
ASA5550(config)# access-group TRUSTED_IN in interface TRUSTED
ASA5550(config)# access-group UNTRUSTED_IN in interface UNTRUSTED
!Configure Management
!Allow ping to the TRUSTED interface for troubleshooting
ASA5550(config)# icmp permit any TRUSTED
!Allow the PC with IP 192.168.44.44 to telnet into the ASA
ASA5550(config)# telnet 192.168.44.44 255.255.255.255 TRUSTED
!Allow the PC with IP 192.168.44.44 to manage the ASA through ASDM (TCP port 4443)
ASA5550(config)# http server enable 4443
ASA5550(config)# http 192.168.44.44 255.255.255.255 TRUSTED
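A slip that is easy to make when typing ACLs like the ones above is entering a rule under the wrong ACL name (the remark announces one ACL, the rule lands in another), leaving the ACL bound by access-group empty. The checker below is an added example, not part of the original post; it runs over a constructed copy of the access-list and access-group lines that deliberately contains that slip, plus an ACL that is defined but never applied, and reports both.

```python
"""Consistency check for Cisco ASA (8.2-style) access-list / access-group lines.

Added example; the sample config below is constructed for this check and is
not a copy of the original post's configuration.
"""
import re
from collections import defaultdict

# Constructed sample: the remark announces UNTRUSTED_IN, but the two rules that
# follow were typed into DMZ_IN, so UNTRUSTED_IN is bound to an interface
# without ever being defined. UNUSED_ACL is defined but never applied.
SAMPLE_CONFIG = """\
access-list TRUSTED_IN remark Permit traffic from Internal Network access Internet
access-list TRUSTED_IN extended permit ip any any
access-list DMZ_IN remark Permit Servers from DMZ zone to access Internet
access-list DMZ_IN extended permit ip any host 192.168.11.11
access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0 log
access-list DMZ_IN extended permit ip any any
access-list UNTRUSTED_IN remark Permit Some traffic (mail,web) access to DMZ Zone from Internet
access-list DMZ_IN extended permit tcp any host 203.162.100.2 eq 80
access-list DMZ_IN extended permit tcp any host 203.162.100.2 eq 110
access-list UNUSED_ACL extended permit ip any any
access-group TRUSTED_IN in interface TRUSTED
access-group DMZ_IN in interface DMZ
access-group UNTRUSTED_IN in interface UNTRUSTED
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(remark|extended|standard)\b(.*)$")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")


def parse_config(text):
    """Return (rules, entries, bindings).

    rules:    ACL name -> list of rule bodies (remarks excluded)
    entries:  ordered list of (acl_name, kind) for every access-list line
    bindings: ACL name -> list of (direction, interface) from access-group
    """
    rules = defaultdict(list)
    entries = []
    bindings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            name, kind, rest = m.groups()
            entries.append((name, kind))
            if kind != "remark":
                rules[name].append(rest.strip())
            continue
        m = GROUP_RE.match(line)
        if m:
            name, direction, ifname = m.groups()
            bindings[name].append((direction, ifname))
    return rules, entries, bindings


def check_acls(text):
    """Return a list of human-readable findings; an empty list means no problems found."""
    rules, entries, bindings = parse_config(text)
    findings = []

    # 1. Every access-group must reference an ACL that actually has rules;
    #    an empty ACL on an interface blocks all traffic through it.
    for name in bindings:
        if not rules.get(name):
            findings.append(f"access-group references {name}, which has no rules")

    # 2. Every ACL with rules should be bound somewhere, otherwise it is dead config.
    for name in rules:
        if name not in bindings:
            findings.append(f"ACL {name} is defined but never applied with access-group")

    # 3. A rule that directly follows a remark for a *different* ACL is a likely
    #    typing slip: the remark documents the intent, the rule lands elsewhere.
    current_remark = None
    for name, kind in entries:
        if kind == "remark":
            current_remark = name
        elif current_remark and name != current_remark:
            findings.append(f"rule added to {name} right after a remark for {current_remark}")
            current_remark = None  # report the slip once per remark block
    return findings


if __name__ == "__main__":
    for finding in check_acls(SAMPLE_CONFIG):
        print("WARNING:", finding)
```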

Discussion of the Advantages / Disadvantages of the Above Design

Advantages:
- Lowest investment cost.
- Suitable for SMBs that accept downtime when the system has a problem: device failure, loss of a physical link.
Disadvantages:
- No redundancy.

Post 2: Designing a Fully Redundant LAN Infrastructure Using STP (Legacy Model)

(See the original post at the following link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188244#post188244
)
To help you follow the later design chapters (which get more complex as they go), I will pause the design part for now and focus on explaining the terminology used in the designs.
All of the design articles assume that you hold, or have knowledge equivalent to, CCNA/CCDA/CCNA-Security (for the LAN/WAN design parts) and CCNA-Wireless (for the WLAN design part), so that you can get the most out of them.
The terms used are listed below. To help you research further in English-language documentation, I keep these terms in English rather than translating them into Vietnamese.
Switching Terminology
Switch architecture: there are normally two designs, Modular and Fixed. The Modular architecture provides multiple slots, which allows many more ports, lets you pick the line cards that suit each design, and supports redundancy features within a single switch; for that reason the Modular architecture is used for Core/Distribution switches (modular models: Catalyst 6500/4500, Nexus 7000). Conversely, the Fixed design does not allow any component of the switch to be changed or upgraded; to change or upgrade, the whole switch must be replaced (fixed models: Catalyst 3750/3750-X/3750-E/3560/3560-X/3560-E/2960/2960S/IE3000/IE3010, Nexus 5000/4000/3000/2000).
Details of the components of a Modular Switch:
Chassis: the component that connects all the other modules together; as a rough comparison, the Chassis is similar to a PC case with the mainboard already installed.
Example: Cisco Catalyst 6500 Series Chassis

Supervisor: the central component that controls the operation of the whole switch and determines its switching performance and features. As a rough comparison, the Supervisor is similar to the CPU of a PC.
Example: Supervisor Engine 2T

Line Card: the component that provides the interfaces connecting to the network. Line cards are divided into Ethernet (LAN) Modules and WAN Modules: Ethernet Modules support the Ethernet standards used in the LAN, whereas WAN Modules support WAN standards (SONET, HSSI, T1/T3, ...).
Example: Cisco Catalyst 6500 16-Port 10 Gigabit Ethernet Copper Module

Service Card: a special kind of Line Card. Unlike LAN/WAN Line Cards, a Service Card provides services to the network, such as: Firewall (Firewall Service Module, FWSM), Wireless (Wireless Service Module, WiSM), IDS/IPS (Intrusion Detection System Services Module, IDSM-2), Server Load Balancing (Application Control Engine Module, ACE), VPN (SSL Service Module).
Example: Cisco Catalyst 6500 Series WLSM

Power Supply: supplies power to the whole switch. A chassis normally supports 2 to 3 power supplies for redundancy in case one power supply fails or one power grid has a problem. In practice the power supplies are usually connected to a UPS (Uninterruptible Power Supply), which provides temporary power to the switch when the main supply fails.
Example: Cisco Catalyst 6500 Series Chassis

Fan Tray: cools the whole switch. A chassis normally has one or several fan trays with multiple fans each, providing redundancy in case one fan fails.
Example: WS-C6509-E-FAN Catalyst 6500 Fan tray

Switch performance: the performance (understood as "how powerful") of a switch depends on the following figures:

Switching Capacity: Switching Capacity or Switching Fabric (for Fixed switches); Centralized Switching Capacity, Distributed Switching Capacity, Per-Slot Switching Capacity (for Modular switches such as the 4500 and 6500). The unit of these figures is Gigabits per second (Gbps). This figure is the INTERNAL switching capability of the switch. As an easy analogy with a car, this figure corresponds to the engine displacement (for example, a Camry 2.4L has a 2.4-litre engine).
Forwarding Rate / Throughput: Forwarding rate (used for Fixed switches); IPv4 Throughput and IPv6 Throughput (used for Modular switches). The unit of these figures is Mega packets per second (Mpps). This figure is the ACTUAL switching capability for each packet type entering and leaving the switch ports. In the car analogy, this figure corresponds to the crankshaft speed: the higher the RPM, the faster the car goes. Crankshaft speed in turn depends on engine displacement; generally, the bigger the engine, the higher the RPM it supports, and so the faster the car.
Hardware Forwarding: switching packets at very high speed because dedicated hardware does the work; speeds usually reach tens or hundreds of Gigabits per second (Gbps), even several Terabits per second (Tbps). In short, anything supported directly in hardware is very fast. For example, on the 3560 switch all Routing/QoS/ACL features are supported in hardware (Hardware Forwarding), so the switching speed is very high, tens of Gbps. However, a few features are not supported in hardware and switch at only tens to hundreds of Mbps (for example Policy-Based Routing), so if you configure such features you must take care that the switch does not overload the CPU it needs for other purposes (running routing, Spanning Tree, ARP, ...).
Software Forwarding: the opposite of Hardware Forwarding; this is packet switching that relies entirely on the central CPU of the switch/router to forward packets. It is the normal mode on devices that do not support Hardware Forwarding. As an example, on a 2800 router packets are switched with the help of dedicated hardware called CEF, so packets are forwarded very fast (hundreds of Mbps); however, in some cases when you want to debug how a packet is processed, you can temporarily turn CEF off (no ip cef from global configuration mode, or no ip route-cache cef from interface configuration mode).
Features:
Virtual Switching System (VSS): a virtualization technology that makes two 6500 switches configured with VSS operate as a single virtual switch (unified control plane) with a throughput equal to the sum of both switches; the two switches are connected through 10Gbps ports forming the VSL (Virtual Switch Link). However, this feature is only supported on the following Supervisors: Sup720-10G-3C, Sup720-10G-3C-XL, Sup2T-10G, Sup2T-10G-XL. With this feature, the links from a Distribution or Access switch up to the two VSS-configured 6500s can be configured as an EtherChannel, which Cisco calls Multichassis EtherChannel (MEC). This increases the uplink bandwidth from Access/Distribution to the 6500-VSS switch (in the old design only one uplink is active, because the other is blocked by Spanning Tree):

Figure: VSS Conceptual Diagram

Figure: MEC Physical vs. Logical Topology

StackWise Plus (StackWise+): a technology that links up to 9 Catalyst 3750-X or 3750-E switches together so that they operate as a single virtual switch, through a special link called the Stack Ring, using Cisco proprietary technology at up to 64Gbps (full-duplex). StackWise+ lets packets in the stack ring travel in both directions (clockwise and counter-clockwise) at the same time, which improves packet forwarding efficiency within the stack ring. In the stack, one switch takes the role of Master Switch; it is responsible for control from Layer 2 (hardware) to Layer 3 (hardware) of the stack, roughly like the Supervisor in a modular switch, and the remaining switches in the stack are called Member Switches. An important point: if the Master Switch fails for any reason, all switches in the stack automatically reboot to elect a new Master Switch, whereas the stack is not affected if a Member Switch fails. Like VSS, a Catalyst 3750 stack supports MEC. Supported only on the Catalyst 3750-X and 3750-E.
StackWise: the first version, similar to StackWise+, but with the following limitations compared to StackWise+: the Stack Ring speed is 32Gbps (full-duplex) and packets in the stack ring travel in only one direction. Supported only on the Catalyst 3750 series.
FlexStack: a technology that links up to 4 Catalyst 2960S switches together so that they operate as a single virtual switch, through a special link called the Stack Ring, using Cisco proprietary technology at up to 20Gbps (full-duplex). In the stack, one switch takes the role of Master Switch; it is responsible for control from Layer 2 (hardware) to Layer 3 (software) of the stack, roughly like the Supervisor in a modular switch, and the remaining switches in the stack are called Member Switches. An important point: if the Master Switch fails for any reason, all switches in the stack automatically reboot to elect a new Master Switch, whereas the stack is not affected if a Member Switch fails. Like StackWise+ on the 3750-X, Catalyst 2960S FlexStack supports MEC. Supported only on the Catalyst 2960S series.

Post 3: Cisco IOS Classification and the Related IOS Licenses

See the original post at the following link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188322#post188322

Cisco currently develops the following IOS families:

Cisco IOS Software: the IOS generation designed to run on Cisco's mainstream product lines, used mainly in Enterprise environments.
Details at the following link:
http://www.cisco.com/en/US/products/..._releases.html
Cisco IOS XE Software: the IOS generation developed later, intended for the newer device lines with demanding requirements: better service integration (VPN/Firewall/Routing/Switching/...), High Availability from both hardware and software (used on the Catalyst 4500 Series with Supervisor 7-E and on the Cisco ASR 1000 Series), rapid deployment of new services, and packaging as a Universal Image. There are two versions in this family: Cisco IOS XE 3S (used on the Cisco ASR 1000 Series routers) and Cisco IOS XE 3SG (used on the Cisco Catalyst 4500 Series switches with Supervisor 7-E).
Details at the following link:
http://www.cisco.com/en/US/products/...gory_Home.html
Cisco IOS XR Software: the IOS generation developed to run on the Cisco Carrier Routing System routers used in service provider (ISP) networks.
Details at the following link:
http://www.cisco.com/en/US/products/ps5845/index.html
Cisco NX-OS Software: the IOS generation developed to run on the MDS 9500/9200 Series SAN switches and the Nexus Series data center switches.
Details at the following link:
http://www.cisco.com/en/US/products/...gory_Home.html
This design document focuses on the Cisco IOS Software family; the other families will be covered in other topics. The Cisco IOS Software trains are described below:
Cisco IOS Software Release 15.2 M&T, 15.1 M&T, 15.0 M, 12.4 M&T: the IOS train designed to run on the Cisco Integrated Services Routers, ISR (800, 1800, 2800, 3800 Series) and ISR-2 (Cisco 1900, 2900, 3900 Series). The characteristic of this train is that it is designed to support multiple services: Routing, Switching, VPN, Firewall, IPS, QoS, Wireless, Unified Communications. Each release is split into M and T: versions marked M are released to fix bugs (in the current IOS version) without adding support for any new feature or hardware, while versions marked T are released mainly to add new features/hardware and also fix bugs. The change (new hardware and feature support) is therefore very large when upgrading from 15.0 M to 15.2 T, so when you upgrade the IOS on a device, keep the purpose of the upgrade in mind: to fix bugs, upgrade within the M train of the same release (for example, 15.1(3)M to 15.1(7)M); to add support for new hardware or features, upgrade to a higher T train, and you can use the Cisco Feature Navigator to find the right IOS. In this series the newest release is 15.2 M&T, and 15.0 M is the direct upgrade from 12.4 M&T.
Details at the following links:
15.2 M&T : http://www.cisco.com/en/US/products/ps11746/index.html
15.1 M&T : http://www.cisco.com/en/US/products/ps10592/index.html
15.0 M : http://www.cisco.com/en/US/products/ps10591/index.html
Feature Navigator: http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
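The M/T rule above (bug fixes stay inside the M train of the same release; new hardware or features mean a move to a T train or a higher release) can be turned into a pre-upgrade check. The helper below is an added example, not from the original post; the version strings are constructed, and the train classification is the page's own rule, not a Cisco tool.

```python
"""Classify a Cisco IOS upgrade by release train, applying the M/T rule described above.

Added example, not from the original post; the version strings below are constructed.
"""
import re

# Matches the notation used on the page: 15.1(3)M, 15.2(4)M3, 12.4(24)T2, 15.1(2)S
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)(\d*)$")


def parse_version(text):
    """'15.1(3)M2' -> (15, 1, 3, 'M', 2); a missing trailing rebuild number is 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, release, train, rebuild = m.groups()
    return int(major), int(minor), int(release), train, int(rebuild or 0)


def classify_upgrade(current, target):
    """Return one of:
    'maintenance' - same release and M train, newer number: bug fixes only,
                    e.g. 15.1(3)M -> 15.1(7)M, the page's recommended fix path
    'feature'     - target is a T train or a higher release: new hardware/features,
                    so check support in Cisco Feature Navigator before upgrading
    'cross-train' - same release but a different platform train (S, SY, SX ...),
                    which targets a different device family, not an upgrade path
    'downgrade'   - target is older than current
    'no change'   - identical version
    """
    cur = parse_version(current)
    tgt = parse_version(target)
    cur_release, tgt_release = cur[:2], tgt[:2]
    same_train = cur[3] == tgt[3]

    if tgt_release < cur_release:
        return "downgrade"
    if tgt_release == cur_release and same_train:
        cur_num, tgt_num = (cur[2], cur[4]), (tgt[2], tgt[4])
        if tgt_num < cur_num:
            return "downgrade"
        if tgt_num == cur_num:
            return "no change"
        # Within a T train every new release also carries features, per the page.
        return "feature" if cur[3] == "T" else "maintenance"
    if tgt[3] == "T" or tgt_release > cur_release:
        return "feature"
    return "cross-train"


if __name__ == "__main__":
    for pair in [("15.1(3)M", "15.1(7)M"), ("15.0(1)M", "15.2(4)T"), ("15.1(4)M", "15.1(2)S")]:
        print(pair, "->", classify_upgrade(*pair))
```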
Cisco IOS Software Release 15.1 S, 15.0 S: the IOS train designed to run on the Cisco 7600 Series routers, supporting the features used in ISP networks, such as MPLS encapsulation, Multicast Label Distribution Protocol (MLDP), Multicast VPN (MVPN), Virtual Private LAN Service (VPLS)... The newest version in this series is 15.1 S.
Details at the following links:
15.1 S: http://www.cisco.com/en/US/products/ps11280/index.html
15.0 S: http://www.cisco.com/en/US/products/ps10890/index.html
Cisco IOS Software Release 15.0 SY: the IOS train designed to run on the Catalyst 6500 switch with Supervisor Engine 2T. It is the upgrade of 12.2 SX and supports hardware switching for the following features: IP version 6 (IPv6), Multiprotocol Label Switching (MPLS) and VPN, Generic Routing Encapsulation (GRE), Advanced IP Routing and Multicast, Bidirectional Protocol Independent Multicast (Bidirectional PIM), Nonstop Forwarding with Stateful Switchover (NSF/SSO).
Details at the following link:
http://www.cisco.com/en/US/products/ps11845/index.html
Cisco IOS Software Release 12.2 SX: the IOS train designed to run on the Catalyst 6500 switch with the Supervisor Engines Sup-32, Sup-720, Sup-720-3B/3BXL and Sup720-3C/3CXL, used in Campus networks and at the Service Provider Edge, with the following features supported directly in hardware: MPLS and VPN, IPv6, Advanced IP Routing and Multicast, Integrated Security, NAT/PAT, GRE, Bidirectional PIM, NSF/SSO. The newest version currently in use is 12.2(33)SXI.
Details at the following link:
http://www.cisco.com/en/US/products/ps6017/index.html
Packaging Structure of Cisco IOS Software:
The way IOS features are packaged (IOS Feature Package) can be classified as follows:
For 12.2 SX and 15.0 SY:
IP Base: supports the basic features: RIP, EIGRP Stub, PIM Stub, the Layer 2 features, the management features (SSH, Telnet, SNMP, ...), basic security features, QoS and IPv6 host.
IP Services: all the features of IP Base plus full support for the routing protocols (OSPF, EIGRP, BGP, PIM), Cisco TrustSec Security, Control and Monitoring Processor (CMP), Web Cache Communication Protocol (WCCP).
Advanced IP Services: all the features of IP Services plus Advanced IPv4 / IPv6, Security Group ACL, Layer 3 VPN and MPLS.
Advanced Enterprise Services: all the features of the previous packages plus Ethernet over MPLS (EoMPLS) and Virtual Private LAN Services (VPLS).
Details at the following link:
http://www.cisco.com/en/US/prod/coll...d80281b17.html
For 15.0M, 15.1M&T and 15.2M&T:
IP Base / IP Base without Crypto: the lowest tier, provided by default on the router free of charge. It provides the most basic features, such as SSH, Static Routing, RIP, OSPF, SNMP, ...
IP Voice / IP Voice without Crypto: all the features of IP Base plus the voice-processing features (example: FXS, FXO, H323, ...).
Advanced Security: all the features of IP Base plus the security features (example: IPsec VPN, SSL VPN, IOS Firewall, IPS/IDS, NAC).
SP Services: all the features of IP Voice plus the features used in ISP networks (example: ATM, VoATM, MPLS, ...).
Enterprise Base / Enterprise Base without Crypto: all the features of IP Base plus additional protocols: IPX, AppleTalk, IBM.
Advanced IP Services: all the features of Advanced Security and SP Services plus support for IPv6.
Enterprise Services: the features of SP Services and Enterprise Base.
Advanced Enterprise Services: all the features of all the packages above.

Figure: http://www.cisco.com/image/jpg/en/us...186a0080843375
Details at the following link:
http://www.cisco.com/en/US/products/...801af2c6.shtml
The IOS Universal Image Concept
In the past, whenever you wanted to add features to a switch/router, the only way was to upgrade the IOS (for example, from IP Base to Advanced IP Services). That meant copying the new IOS into the flash: of the router/switch, sometimes deleting the old IOS because there was not enough space to hold both, and then rebooting the router/switch with the new IOS. This seems very simple when done on a few devices, but imagine what happens when the number of devices to upgrade reaches hundreds or even thousands... clearly this demands a great deal of time and manpower. Therefore in the later releases (from IOS version 15.0 onward), Cisco packages all features into a single IOS image called the Universal IOS Image, with the features of the IP Base package activated; when a customer needs additional features (for example IPsec VPN), they only need to install the license for the Advanced Security package to activate the features in that package.
Figure (Example of Universal Image Components): http://www.cisco.com/en/US/i/200001-...000/202464.jpg
See also the following link:
http://www.cisco.com/en/US/docs/ios/..._overview.html

Post 4: Classifying and Understanding the Cisco Switch Product Lines

See the original post at the following link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188509#post188509

In general, Cisco switches can be divided into two main groups:

Cisco Nexus Series Family: this is the new generation of switches introduced in the last few years, designed to operate in next-generation data centers (Next Generation Data Center). Cisco has invested heavily in this line, with a completely new architecture that differs from the Catalyst Switch series, so the Nexus line supports many new features as well as switching speeds of tens of Tbps (1 Tbps = 1000 Gbps). Some notable characteristics of the Nexus line:
- A full product family, including: Nexus 7000 Series Switch (Core/Distribution Layer), Nexus 5000 Series and 2000 Series Fabric Extender (for the ToR, Top of Rack, model in the Data Center), Nexus 3000 Series Switch (used in High Frequency Trading, HFT, which demands extremely low delay), Nexus 4000 Series (an IO module for IBM BladeCenter servers) and Nexus 1000V (a Software Switch solution for VMware virtualized environments).
- Extremely high switching speed (for example, the Nexus 7000 switch supports 17+ Tbps, 550Gbps per slot, and 10Gbps, 40Gbps and 100Gbps ports).
- Many advanced features, such as: FabricPath (equivalent to the open standard TRILL), OTV, FCoE (encapsulating FC frames inside Ethernet frames and carrying them across the LAN), Unified Ports (supporting FCoE frames and standard Ethernet frames on the same physical port), Data Center Bridging, DCB (used to bridge frames from native FC to FCoE and back).
- And many more features; when I get the chance I will write a more detailed article on this product line.
Cisco Catalyst Switch Series Family: the switch line designed for Enterprise networks. This is the main line covered in this series of articles, so it is described in detail.
All the switch models in this family are listed below:
- Cisco Catalyst 6500 Series: modular design (consisting of Chassis, Supervisor, Linecard, Service Module, Power Supply, Fan Tray), operating at the Core/Distribution layer, with a switching capacity of 2Tbps (with Sup-2T), 720Gbps (with Sup-720) or 32Gbps (with Sup-32), all in hardware. It supports Service Modules (FWSM, WiSM, NAM, IDSM, ACE, ...), a characteristic unique to this line, and in particular supports VSS (Virtual Switching System), which virtualizes two 6500 switches to operate as one switch with twice the normal switching capacity and supports MEC (Multichassis EtherChannel), eliminating STP entirely. This characteristic will be covered in detail in the articles on designing a fully redundant network for the Enterprise.
Details: http://www.cisco.com/en/US/products/...omparison.html
- Cisco Catalyst 4500 Series: modular design (consisting of Chassis, Supervisor, Linecard, Power Supply, Fan Tray), with Layer 3 switching in hardware, operating at the Core/Distribution layer, with a switching capacity of 848Gbps (with Sup-7E), 520Gbps (with Sup-7LE), 320Gbps (with Sup-6E), 280Gbps (with Sup-6LE) and 136Gbps (with Sup-V-10GE), all in hardware. The differences from the 6500 Series are: less powerful, no Service Module support, and no VSS-like technology yet.
Details: http://www.cisco.com/en/US/products/...omparison.html
- Cisco Catalyst 3750-X: the upgraded version of the 3750-E and the 3750. Fixed 1U design, operating as a Collapsed Core/Distribution (common in SMBs) or at the Access layer in the Enterprise; 160Gbps Layer 3 switching in hardware, PoE+ (30W per port), 10Gbps SFP uplink ports and 1Gbps downlink ports, and in particular StackWise+ with a stack ring of up to 64Gbps, virtualizing up to 9 3750 switches in one stack to operate as a single virtual switch. This characteristic, similar to VSS, will be covered in detail in the later design articles.
Details:
http://www.cisco.com/en/US/prod/coll...78-584733.html
- Cisco Catalyst 3750-E: same features as the Catalyst 3750-X, but this is an older line than the Catalyst 3750-X and will be replaced by it in future, so it is not covered in detail.
- Cisco Catalyst 3750: same features as the Catalyst 3750-X, with a few differences: no 10Gbps uplink ports, only StackWise (not StackWise+) with a 32Gbps stack ring, and 100Mbps downlink ports.
Details:
http://www.cisco.com/en/US/prod/coll...78-531031.html
- Cisco Catalyst 3560-X: the upgraded version of the Catalyst 3560-E and the Catalyst 3560, with the same features as the Catalyst 3750-X (fixed 1U design, operating as a Collapsed Core/Distribution (common in SMBs) or at the Access layer in the Enterprise, 160Gbps switching in hardware, PoE+ (30W per port), 10Gbps SFP uplink ports and 1Gbps downlink ports). The only difference from the Catalyst 3750-X is that it supports neither StackWise nor StackWise+, so MEC cannot be used on this line; on the other hand it is cheaper than the Catalyst 3750-X of the same model.
Details:
http://www.cisco.com/en/US/products/ps10744/index.html

- Cisco Catalyst 3560-E: like the Catalyst 3750-E, this line will be replaced by the Catalyst 3560-X, so it is not covered in detail.
- Cisco Catalyst 3560: same features as the Catalyst 3560-X, with a few differences: no 10Gbps uplink ports and 100Mbps downlink ports.
Details:
http://www.cisco.com/en/US/products/...528/index.html
- Cisco Catalyst 3550: this line has been replaced by the Catalyst 3560 Series, so it is not covered in detail.
- Cisco Catalyst 2975: this line has been replaced by the Catalyst 2960-S series.
- Cisco Catalyst 2960-S: the enhanced version of the Catalyst 2960, designed for the Access layer in a two-tier design, with 88Gbps Layer 2 switching in hardware and a few limited Layer 3 features in software. Uplink ports at 1Gbps or 10Gbps, downlink ports at 1Gbps, PoE+ (30W per port) and full PoE (15.4W per port) on the 48-port model. In particular it supports FlexStack with a 20Gbps FlexPort (similar to StackWise), combining up to 4 Catalyst 2960-S in one group that operates as a single virtual switch; this is an important feature for designing new networks (eliminating STP entirely) with many advantages at the Access layer.
Details:
http://www.cisco.com/en/US/products/ps12200/index.html
- Cisco Catalyst 2960: the upgraded version of the Catalyst 2950, designed for Layer 2 operation, with 1Gbps uplink ports and 100Mbps downlink ports (on the 2960) or 1Gbps (on the 2960G), and Layer 2 switching in hardware at 16Gbps (2960) or 32Gbps (2960G).
Details:
http://www.cisco.com/en/US/products/ps6406/index.html
- Cisco Catalyst 2955: similar features to the 2960, but in a very compact form (only about 1/3 the size of the 2960) and able to withstand harsh conditions (high temperature, high humidity, ...), commonly used in factories, ports, drilling rigs, ... However, this line will be replaced by the IE3000, so it is not covered in detail.
- Cisco Catalyst 2950: the generation before the 2960, replaced by the 2960, so it is not covered in detail.
- Cisco Catalyst 3560-C Series: similar features to the Catalyst 3560 (Layer 3), but this is a compact version of the 3560 (only a fraction of its size) that operates without a cooling fan and provides 8 to 12 downlink ports. A peculiar characteristic is that this switch can operate without an external power source (adapter); instead it draws power through its PoE+ uplink port from another switch that supports PoE+ (such as the Catalyst 3560-X, 3750-X, 4500, 6500).
Details:
http://www.cisco.com/en/US/products/ps11290/index.html
- Cisco Catalyst 2960-C Series: similar features to the Catalyst 2960 (Layer 2 features), but like the Catalyst 3560-C it is a compact version of the 2960 (only a fraction of its size) that operates without a cooling fan and provides 8 to 12 downlink ports. Like the Catalyst 3560-C, this switch can also run on power supplied by another switch through its PoE+ uplink port.
Details:
http://www.cisco.com/en/US/products/ps11289/index.html
- Cisco IE 3000: a Layer 2 version with features similar to the Catalyst 2960, but designed to operate in harsh environments (high temperature, high humidity, no cooling fan, ...), so it is the choice for factories, ports, offshore oil rigs, ...
Details:
http://www.cisco.com/en/US/products/ps9703/index.html
- Cisco IE 3100: a Layer 3 version with features similar to the Catalyst 3560; like the IE3000, this line is designed to operate in harsh environments (high temperature, high humidity, no cooling fan, ...), so it is the choice for factories, ports, offshore oil rigs, ...
Details:
http://www.cisco.com/en/US/products/ps11245/index.html
Catalyst Switch Product Buyer's Guide:
http://www.cisco.com/en/US/products/...ers_guide.html
With this we have enough background knowledge to move on confidently to the LAN infrastructure design part!
Next: "Designing a Fully Redundant LAN Infrastructure Using STP (Legacy Design Model)", to be continued...
Since work is rather busy next week, this article will be delayed to the following week; thank you for your understanding!

Post 5: Designing a Fully Redundant LAN Infrastructure Using STP (Legacy Design Model)

See the original post at the following link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188947#post188947

Today I would like to introduce the method for designing a fully redundant LAN for an SMB based on STP.
However, the STP-based design has been around for a very long time and, with its inherent limitations, no longer meets today's strict requirements; it will be replaced by newer technologies (covered in the article "Full Redundancy Using Virtualized Switches, Eliminating STP").

Network Diagram

Figure: Overview connection diagram

In principle, the overview of a fully redundant LAN design still includes the same modules as the non-redundant LAN design. The difference is that each module is designed with redundancy, and the connections between the modules are also redundant, to ensure the High Availability (HA) of the network. The main features used in this design model are Spanning Tree Protocol (STP) at Layer 2 and Dynamic Routing at Layer 3. Details are described below:
The network is designed on the principle of modularizing its components. Modular design has the following notable characteristics:
- Uses STP at Layer 2 and Dynamic Routing at Layer 3 to provide HA.
- Simple and clear.
- The network can be expanded easily.
- Clearly separates the function of each module, which gives enough information to choose the right network device for each module:
Core/Distribution Block: the central module of the network, responsible for connecting the remaining modules together. From this it is clear that the priority when choosing devices for this layer is: the faster the better.
Access Layer Block: the module providing connectivity for end users. The priorities when choosing devices for this module are many downlink ports for users, high-speed uplink ports to the Core/Distribution module, and the best price per downlink port. Devices in this module normally only need to support Layer 2 features.
Server Farm Block: the module providing connectivity for the servers that deliver services in the internal network, for example AD, DNS, DHCP, File, Application, Database. Devices chosen for this layer need downlink ports of at least 1Gbps and operate at Layer 2.
WAN Block: the module providing connectivity to the other branches. Devices in this module normally need to support:
- WAN interfaces: Serial, FTTH, ADSL, ...
- Features: dynamic routing, hardware VPN encryption (VPN supported in hardware).
Internet Access Block: the outermost module of the network, providing Internet connectivity to internal users. The device chosen for this module normally needs to support:
- Routing.
- NAT/PAT.
- Firewall.
- Remote Access VPN.
DMZ Block: the module connected directly to the Internet Access Block. The function of this module:
- Provides services to the Internet: Mail, Web.

Figure: Physical connection diagram

To meet the goal of building an SMB network that ensures HA, the devices proposed for each module are as follows:
Core/Distribution Block: 2 x switches with ports of at least 1Gbps, operating at Layer 3. This is the central block that carries traffic between the remaining blocks; the two Core/Dist switches are connected to each other with 6-8 links, split into 2 different EtherChannels: one Layer 2 EtherChannel group and one Layer 3 EtherChannel group, described in detail in the Logical Diagram section.
Access Layer Block: n x switches with downlink ports of at least 100Mbps and at least 2 x 1Gbps uplinks, operating at Layer 2. Each Access switch has at least 2 uplinks to the Core/Dist switches as in the diagram, ensuring that if one Core/Dist fails, traffic is automatically moved to the other Core/Dist.
Server Farm Block:
2 x Firewalls: at least 3 ports of at least 1Gbps and a Firewall Throughput of at least 1Gbps. The FWs are configured in Cluster mode, ensuring that if one FW fails the other FW is automatically activated. The FWs are connected to the Core/Dist switches and the Server switches as in the diagram; this is a model in which the FW sits physically between the Core/Dist and the Server Farm, to make full use of the high throughput of the Internal FW.
2 x switches with 1Gbps downlink/uplink ports, operating at Layer 2. Servers with 2 NIC ports are physically connected to the 2 Server switches as in the diagram and configured with NIC Teaming, ensuring that if one Server switch fails, traffic is automatically moved to the other Server switch.
WAN Block:
2 x routers with the appropriate LAN/WAN ports. To ensure HA, the 2 routers should be connected to 2 different ISPs and, importantly, the 2 ISPs should be asked to use 2 separate physical paths (for example, not sharing the same pole or terminating on the same ODF, although in practice this is hard to obtain).
2 x WAN switches of at least 100Mbps, operating at Layer 2. These 2 WAN switches provide pure Layer 2 connectivity and are connected as in the diagram (they can be shared with the DMZ switches by carving out a separate VLAN on the DMZ switch dedicated to the WAN routers).
DMZ Block, Internet Access Block:
2 x switches of at least 100Mbps, operating at Layer 2.
2 x Firewalls: supporting IPsec VPN or SSL VPN (if required). Like the Internal FWs, the 2 External FWs are configured in Cluster mode; to keep the design simple, and because the Internet connection is usually not very fast, the 2 External FWs are designed as a Firewall on a Stick. One port connecting the 2 FWs is used for heartbeat traffic; the remaining 2 ports connect to each Core/Dist switch as in the diagram above. If a Cisco ASA5500 is used, these 2 ports are configured in Redundant Interface mode (that is, one port operates as Active and the other as Standby within the Redundant Interface), and this Redundant Interface carries 3 subinterfaces: TRUSTED (facing the LAN), UNTRUSTED (facing the Internet) and DMZ.
2 x routers with the appropriate LAN/WAN ports. Details are given in the logical connection diagram below.

Logical connectivity diagram

Operation details:

Core/Distribution Switch: one Switch is configured as the STP Root Bridge and HSRP active; the other is configured as the STP Backup Root Bridge and HSRP standby. Two EtherChannel groups are configured between the two Switches: one Layer 2 EtherChannel group running as a Dot1Q trunk, and one Layer 3 EtherChannel group configured as a Routed Port, over which the OSPF neighbor relationship between the two Core/Dist Switches is established.
Access Switch: the 2 Uplink Ports are configured as Layer 2 Dot1Q trunks. So at any given time, the Uplink Port connected directly to the Core/Dist Switch that is the STP Root Bridge is in the Forwarding state, while the other Uplink Port is in the Blocking state. (Note: a later post covers VSS/StackWise/FlexStack, where the Access Switch can run an EtherChannel over both Uplink Ports to the two Core/Dist Switches; the uplink then provides 2Gbps without relying on STP, instead of 1Gbps with STP.)
Internal Firewall: the FW is configured as an FW Cluster with 2 zones: TRUSTED (facing the Server Farm) and UNTRUSTED (facing the LAN). The FW filters traffic from internal users to the applications deployed in the Server Farm.
Server Switch: operates at Layer 2 only and is configured with Layer 2 features (VLAN, Trunking, ...).
DMZ Switch: Layer 2 features only, the same as the Server Switch.
Internet Firewall: configured with 3 zones: UNTRUSTED (facing the Internet), DMZ and TRUSTED (facing the LAN). The FW filters access requests from the Internet into the DMZ and from the DMZ into the Internal network, provides NAT between the Internet and the DMZ (static NAT/PAT 1-to-1) and from Internal Users to the Internet (Dynamic NAT/PAT n-to-1), and is configured as a VPN Server (IPSEC VPN or SSL VPN) so that users can securely reach internal resources from the Internet.
Internet Router: provides the WAN port and the routing that lets the Internet FW forward traffic to and from the Internet. In some cases, when the Internet connection is delivered over RJ45 (FTTH, ...), the Internet Router can be left out and the Internet link plugged directly into the External Switch.
WAN Router: provides the WAN connections (Serial, T3, ...), Dynamic Routing (OSPF, EIGRP) and Site-to-Site IPSEC VPN (or DMVPN, GETVPN) to connect to the enterprise's other sites.

Spanning Tree Diagram

The devices from the Access Layer (Catalyst 3560, 2960, ...) up to the Core/Distribution Layer (6500, 4500, 3750-X) all support Rapid STP in two variants: Rapid-PVST and MST. Traditional STP (802.1D) normally converges in 30-50 seconds, which is far too slow compared with Rapid STP's typical convergence of under 2 seconds. This post therefore uses Rapid-PVST; the design details are given below.
Root Bridge / HSRP Active: one Switch is configured as the Root Bridge for a range of VLANs and is also HSRP Active for the Interface VLANs of that range. Load sharing can be configured by making Core/Dist Switch 1 the STP Root/HSRP Active for the first VLAN range and Core/Dist Switch 2 the STP Root/HSRP Active for the second VLAN range. This load-sharing method has two benefits: it shares the load between the 2 Core/Dist Switches and across the 2 Uplinks of each Access Switch.
Backup Root Bridge / HSRP Standby: this Switch does not forward traffic under normal conditions (while the Root Bridge/HSRP Active Switch is still up) and automatically moves into the Root Bridge/HSRP Active role when the other Switch fails.
STP BPDU Guard: configured on the downlink ports of the Access Switches.
STP Root Guard: configured on the downlink ports of the Core/Dist Switches.
STP Loop Guard: configured on the STP Blocking Ports and Root Ports.
STP Portfast: configured on the downlink ports of the Access Switches.

Logical Diagram for External Firewall

With the Cisco ASA5500 firewall, when the 2 FWs are configured as a Cluster they operate logically as a single FW. The 2 physical ports from each FW to the 2 Core/Dist Switches are configured in Redundant Interface mode (1 port Active, the other Standby). Because we need 3 Zones (TRUSTED, DMZ and UNTRUSTED), the Redundant Interface is configured with 3 SubInterfaces whose VLANs belong, respectively, to TRUSTED, DMZ and UNTRUSTED, as in the diagram above.
The diagram shows an example traffic flow when Users access the Internet:
Example: Traffic flow from USERS to INTERNET:
Users ==(user vlan)==> Access Switch ==(trunking)==> Core Switch
====(trusted vlan)====> External Firewall ==(untrusted vlan)==> Core
Switch ==(untrusted vlan)==> External Switch ==(untrusted vlan)==> Router
====> INTERNET.

Routing diagram

Assume this is the enterprise's headquarters. OSPF is used, designed as in the diagram above:
OSPF Area 0 (Backbone Area): includes the Core/Dist Switches, the WAN Routers and the Internal FW. OSPF is configured to advertise only a default route or summary routes into the Stub Areas of the other sites. Note that on the connection between the 2 Core/Dist Switches, only the Layer 3 EtherChannel between them is used to form the OSPF neighbor relationship; the Interface VLANs that route for End Users are configured in Passive mode.
OSPF Area N (Stub or Totally Stub Area): each site is designed as its own Stub Area; these sites receive only a default route (if totally stub area) or the summary routes (if stub area) from the Backbone Area.

For the design above to be truly optimal, the designer has to do a thorough job of IP address planning for each branch. Each branch must have a concrete plan for which IP range it will use: assign one large contiguous IP address range that covers the branch's future growth in user numbers, and avoid assigning several non-contiguous IP address ranges, which reduces the effectiveness of route summarization.

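The address-planning point above can be checked mechanically. The following is an added example, not part of the original post: it uses Python's standard ipaddress module to show why one contiguous range per branch matters, by collapsing a branch's subnets into the single prefix that the ABR could advertise with "area <n> range", and measuring how much address space a one-line summary would claim beyond what the branch actually owns. The two branch plans are constructed samples.

```python
"""Evaluate a branch IP plan for OSPF area summarization.

Added example, not from the original post. For a list of subnets assigned to
one branch (one OSPF stub area) it reports:
  - the subnets collapsed into as few prefixes as possible,
  - the single smallest prefix covering all of them,
  - how many addresses that single prefix claims that the branch does not own
    (0 means one "area <n> range" line summarizes the branch exactly).
"""
import ipaddress


def plan_summary(subnets):
    """Return {"collapsed": [...], "summary": str, "overclaim": int}."""
    nets = sorted(ipaddress.ip_network(s) for s in subnets)
    # Adjacent subnets merge (e.g. four /24s become one /22); gaps stay separate.
    collapsed = list(ipaddress.collapse_addresses(nets))
    # Grow the first prefix until it covers every collapsed prefix.
    cover = collapsed[0]
    while not all(n.subnet_of(cover) for n in collapsed):
        cover = cover.supernet()
    owned = sum(n.num_addresses for n in collapsed)
    return {
        "collapsed": [str(n) for n in collapsed],
        "summary": str(cover),
        "overclaim": cover.num_addresses - owned,
    }


def _ios_prefix(prefix):
    """Render '10.10.0.0/22' in IOS 'address mask' form."""
    return ipaddress.ip_network(prefix).with_netmask.replace("/", " ")


def area_range_commands(area, subnets):
    """Render the 'area <n> range' line(s) the branch ABR would need.

    A plan that collapses to one exact prefix needs one line; a fragmented
    plan either needs one line per fragment (shown here) or a single wider
    summary that also claims space the branch does not own.
    """
    result = plan_summary(subnets)
    if result["overclaim"] == 0:
        return [f"area {area} range {_ios_prefix(result['summary'])}"]
    return [f"area {area} range {_ios_prefix(p)}" for p in result["collapsed"]]


# Constructed sample: one contiguous block of four /24s, as the post recommends.
GOOD_PLAN = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
# Constructed sample: three /24s handed out piecemeal, with gaps between them.
BAD_PLAN = ["10.10.0.0/24", "10.10.5.0/24", "10.10.9.0/24"]

if __name__ == "__main__":
    for name, plan in (("contiguous", GOOD_PLAN), ("fragmented", BAD_PLAN)):
        print(name, plan_summary(plan))
        print("\n".join(area_range_commands(1, plan)))
```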
Discussion of the advantages and disadvantages of the design

Advantage: the network fully supports HA.
Disadvantages:
- Using STP/HSRP as the HA foundation makes the network prone to STP-related incidents (broadcast storm, STP loop, ...), and the risk of these incidents grows as the network expands.
- EtherChannel cannot be used for the links from an Access Switch to 2 different Core/Dist Switches.
- STP is not recommended in new designs and is being phased out of future designs, because STP's instability can have serious consequences for the network.

Discussion of the network devices used in the design

Core/Distribution Switch: Cisco Catalyst 3560G, 3560-X.
Access Switch: Cisco Catalyst 2960.
Internal Firewall: Cisco ASA5550 or equivalent.
Server Switch: Cisco Catalyst 2960G, 2960S.
DMZ Switch: Cisco Catalyst 2960.
Internet Firewall: Cisco ASA5505, ASA5510 or ASA5520.
Internet Router: Cisco Router 1900.
WAN Router: Cisco Router 800, 1900, 2900.
Reference links:
- Cisco 3560G: http://www.cisco.com/en/US/products/...528/index.html
- Cisco 3560-X: http://www.cisco.com/en/US/products/ps10744/index.html
- Cisco 2960: http://www.cisco.com/en/US/products/ps6406/index.html
- Cisco 2960S: http://www.cisco.com/en/US/products/ps12200/index.html
- Cisco ASA5500: http://www.cisco.com/en/US/products/ps6120/index.html
- Cisco Router 800: http://www.cisco.com/en/US/products/...380/index.html
- Cisco Router 1900: http://www.cisco.com/en/US/products/ps10538/index.html
- Cisco Router 2900: http://www.cisco.com/en/US/products/ps10537/index.html

Sample Configuration (Configuration Template)

Post 6: Sample Configuration (Configuration Template) for the section "Designing a fully redundant LAN infrastructure using STP"
See the original post at the link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=189275#post189275

Hello everyone.
It is the end of the year and work is very busy, so I am taking the chance to write the "configuration template" part for the section "Designing a fully redundant LAN infrastructure using STP".
Basically, this configuration differs from the configuration template for the section "Designing a non-redundant LAN infrastructure" in the following points:
- Uses OSPF Routing for routing.
- Configures HSRP on the Core/Dist Switches to provide HA for the users on the Access Layer Switches.
- Configures Failover for the Internal Firewall (ASA5550) and the External Firewall (ASA5510).
- Configures Redundant Interfaces for the Internal and External FWs.

Sample Configuration (Configuration Template) for the section "Designing a fully redundant LAN infrastructure using STP"
Core/Distribution Switch Cisco Catalyst 3560G/3560-X
!VLAN configuration
Switch(config)# vlan <Vlan-ID>
Switch(config-vlan)# name <Vlan-Name>
!VTP transparent mode configuration
Switch(config)# vtp mode transparent
!STP configuration
!Use Rapid PVST+ or MST
Switch(config)# spanning-tree mode rapid-pvst
!Configure the Core/Distribution Switch as STP Root Bridge
!(following the load-sharing design above: 4096 on the Root Bridge and 8192 on the Backup Root Bridge for each VLAN range; the value must be a multiple of 4096)
Switch(config)# spanning-tree vlan 1-4094 priority 8192
!STP optimisation features
!Enable BPDU Guard and BPDU Filter by default on the ports configured with Spanning-Tree Portfast
!(caveat: with global BPDU filtering, a Portfast port that receives a BPDU loses its Portfast status; check on your platform that BPDU Guard still err-disables the port before enabling both, otherwise keep BPDU Guard only)
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# spanning-tree portfast bpdufilter default
!UDLD configuration
!Enable UDLD on the fiber links to protect against unidirectional connections
Switch(config)# udld aggressive
!Broadcast Storm configuration
!Configure Storm-Control (10%) on the Uplink ports (and on the Downlink ports of the Core/Dist)
Switch(config-if)# storm-control broadcast level 10
!Port configuration
!Trunk configuration for the ports connecting to the Access Switches
!(on the 3560 the trunk encapsulation must be set to dot1q before "switchport mode trunk" is accepted)
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
!To protect against VLAN-Hopping attacks, set the native VLAN to 999, a VLAN that is created but not used
Switch(config-if)# switchport trunk native vlan 999
!Root Guard on the downlinks to the Access Switches, as in the STP design above
Switch(config-if)# spanning-tree guard root
!Access configuration for the ports connecting to the WAN Routers
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <Vlan-ID>
Switch(config-if)# spanning-tree portfast
!Dot1Q Trunk configuration on the ports connecting to the External Firewall
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan <TRUSTED,UNTRUSTED,DMZ>
Switch(config-if)# switchport nonegotiate
!Shut down the ports that are currently unused
Switch(config-if)# shutdown
!Layer 2 EtherChannel configuration between the 2 Core/Dist Switches
Switch(config)# interface range Gi0/x-y
Switch(config-if)# switchport trunk encapsulation dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group <group-number> mode active
Switch(config)# port-channel load-balance src-dst-ip
!Layer 3 EtherChannel configuration between the 2 Core/Dist Switches
Switch(config)# interface range Gi0/x-y
Switch(config-if)# no switchport
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group <group-number> mode active

!InterVlan Routing and HSRP configuration

!Layer 3 interface and InterVlan Routing configuration
Switch(config)# interface vlan <VLAN-ID>
Switch(config-if)# ip address x.x.x.x y.y.y.y
!HSRP virtual IP ("standby ip" takes no mask); give the STP Root Bridge Switch the higher priority for this VLAN
Switch(config-if)# standby <HSRP-Group-ID> ip <x1.x1.x1.x1>
Switch(config-if)# standby <HSRP-Group-ID> priority <Priority-Number>
Switch(config-if)# standby <HSRP-Group-ID> preempt
Switch(config-if)# no shutdown
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!
!Layer 3 port-channel interface between the 2 Core/Dist Switches
Switch(config)# interface port-channel <group-number>
Switch(config-if)# ip address x.x.x.x y.y.y.y
Switch(config-if)# no shutdown
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!
Switch(config)# interface loopback 0
Switch(config-if)# ip address x.x.x.x 255.255.255.255
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!
Switch(config)# ip routing

!OSPF and Static Routing configuration

Switch(config)# ip route 0.0.0.0 0.0.0.0 <External-FW>
!
Switch(config)# router ospf 1
Switch(config-router)# router-id <x.x.x.x>
Switch(config-router)# network <x.x.x.x> <y.y.y.y> area 0
Switch(config-router)# default-information originate always
Switch(config-router)# auto-cost reference-bandwidth 10000
Switch(config-router)# passive-interface vlan <User-VLAN-ID>
!
Switch(config)# interface port-channel <group-number>
Switch(config-if)# ip ospf authentication message-digest
Switch(config-if)# ip ospf message-digest-key <key-id> md5 <key>
Switch(config-if)# ip ospf network point-to-point
!
Switch(config)# interface vlan <WAN-VLAN-ID>
Switch(config-if)# ip ospf authentication message-digest
Switch(config-if)# ip ospf message-digest-key <key-id> md5 <key>
!
Switch(config)# interface vlan <TRUSTED-VLAN-ID>
Switch(config-if)# ip ospf authentication message-digest
Switch(config-if)# ip ospf message-digest-key <key-id> md5 <key>
!
Switch(config)# interface vlan <INTERNAL-FW-UNTRUSTED-VLAN-ID>
Switch(config-if)# ip ospf authentication message-digest
Switch(config-if)# ip ospf message-digest-key <key-id> md5 <key>
!

!OSPF Routing for the WAN Routers at the branches

Router(config)# router ospf 1
Router(config-router)# router-id <x.x.x.x>
Router(config-router)# network <x.x.x.x> <y.y.y.y> area <n>
Router(config-router)# area <n> stub
Router(config-router)# auto-cost reference-bandwidth 10000
!
Router(config)# interface Fa x/y
Router(config-if)# description connect to peer WAN Router
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf message-digest-key <key-id> md5 <key>
Router(config-if)# ip ospf network point-to-point
!
Router(config)# interface tunnel 0
Router(config-if)# description connect to peer WAN Router in HQ
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf message-digest-key <key-id> md5 <key>
Router(config-if)# ip ospf network point-to-point
!Device Hardening configuration
!Password configuration
Switch(config)# service password-encryption
Switch(config)# no enable password
Switch(config)# enable secret <password>
Switch(config)# username <admin user> secret <password>
!Disable unnecessary services
Switch(config)# no service tcp-small-servers
Switch(config)# no service udp-small-servers
Switch(config)# no ip bootp server
Switch(config)# no ip finger
Switch(config)# no service finger
Switch(config)# no service config
Switch(config)# no boot host
Switch(config)# no boot network
Switch(config)# no boot system
Switch(config)# no service pad
!On each Layer 3 interface:
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
Switch(config)# no ip domain-lookup
!Disable ip source-route in the IP header
Switch(config)# no ip source-route
!Set the console timeout to 5 minutes
Switch(config)# line console 0
Switch(config-line)# exec-timeout 5 0
!Only allow access to the Switch via SSH
!(SSH needs a domain name and an RSA key pair before the vty lines are restricted to it)
Switch(config)# ip domain-name <domain-name>
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# access-list 11 permit x.x.x.x y.y.y.y
Switch(config)# access-list 11 deny any log
Switch(config)# line vty 0 4
Switch(config-line)# transport input ssh
Switch(config-line)# transport output none
Switch(config-line)# privilege level 1
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# access-class 11 in
Switch(config-line)# login local
!Close the remaining vty lines; use 5 15 rather than 0 15, which would also apply "transport input none" to the SSH lines above
Switch(config)# line vty 5 15
Switch(config-line)# transport input none
!Disable the HTTP Server
Switch(config)# no ip http server
!Prevent a denial-of-service attack on the Switch processor from stopping the Switch from handling legitimate management traffic (STP, VTP, DTP, CDP, Routing, ...)
Switch(config)# scheduler interval 500
!Management configuration
!Syslog configuration
Switch(config)# no logging console
Switch(config)# logging buffered 128000

!NTP configuration
!NTP authentication: define and trust the key number that "ntp server ... key" references
Switch(config)# ntp authentication-key <key-id> md5 <key>
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key <key-id>
Switch(config)# ntp server <IP Address> key <key-id>
Switch(config)# ntp source loopback 0
Switch(config)# clock timezone GMT +7
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service timestamps debug datetime msec localtime show-timezone

!CDP configuration
!CDP is enabled on the Switch by default.
!SNMP configuration
!Configure a read-only SNMP Community string so the Management Servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring.
!(SNMPv2c communities travel in cleartext: restrict them to the NMS with ACL 10 as below, and prefer SNMPv3 where the NMS supports it)
Switch(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Switch(config)# access-list 10 permit x.x.x.x y.y.y.y
Switch(config)# access-list 10 deny any log
Switch(config)# snmp-server community <SNMP-String> RO 10
Switch(config)# snmp-server location <Server Room A> <5th Floor>
!Banner configuration
!Configure a warning banner shown whenever someone accesses the device
Switch(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*********************************************************************
^
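The vty hardening in the templates above is easy to get subtly wrong: the post's templates restrict "line vty 0 4" to SSH with an inbound access-class and then close the remaining vty lines with a second "line vty" section, and if that second section's range overlaps the first, its "transport input none" closes the SSH lines as well. The following is an added example, not part of the original post: a small Python audit that applies the "line vty" sections of a configuration in order, as the CLI does when a template is pasted, and reports lines that allow non-SSH access, SSH without an access-class, or a device left with no SSH-capable vty at all. The three configurations are constructed samples.

```python
"""Audit the vty lines of a Cisco IOS configuration against the post's rules
(SSH only, inbound access-class, remaining vty lines closed).

Added example, not from the original post. "line vty" sections are applied in
the order they appear, the way the CLI does when a template is pasted, so an
overlapping second section ("line vty 0 15" after "line vty 0 4") is modelled
correctly: its "transport input none" closes every vty, including the ones
meant to carry SSH. The sample configurations below are constructed.
"""
import re

MAX_VTY = 16  # vty 0-15, as on the Catalyst 2960/3560 used in the post


def apply_vty_sections(config_text):
    """Return {vty_number: {"transport": str|None, "access_class": str|None}}
    after applying every "line vty" section in order (the last section wins)."""
    state = {n: {"transport": None, "access_class": None} for n in range(MAX_VTY)}
    current = []  # vty numbers addressed by the section currently being read
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"line vty (\d+)(?: (\d+))?", line)
        if m:
            lo = int(m.group(1))
            hi = int(m.group(2) or lo)
            current = [n for n in range(lo, hi + 1) if n in state]
            continue
        if line.startswith("line "):  # console, aux, ...: not a vty section
            current = []
            continue
        if not current:
            continue
        m = re.fullmatch(r"transport input (.+)", line)
        if m:
            for n in current:
                state[n]["transport"] = m.group(1)
        m = re.fullmatch(r"access-class (\S+) in", line)
        if m:
            for n in current:
                state[n]["access_class"] = m.group(1)
    return state


def audit_vty(config_text):
    """Return a list of findings; an empty list means the vty block follows the rules."""
    state = apply_vty_sections(config_text)
    findings = []
    for n, s in state.items():
        if s["transport"] is None:
            findings.append(f"vty {n}: transport input not set explicitly (platform default applies)")
            continue
        protocols = set(s["transport"].split())
        if "none" in protocols:
            continue  # line closed, nothing else to check
        if protocols != {"ssh"}:
            findings.append(f"vty {n}: transport input '{s['transport']}' allows non-SSH access")
        if "ssh" in protocols and s["access_class"] is None:
            findings.append(f"vty {n}: SSH allowed without an inbound access-class")
    if not any(s["transport"] and "ssh" in s["transport"].split() for s in state.values()):
        findings.append("no vty accepts SSH: remote management is locked out")
    return findings


# Constructed sample 1: the post's intent, with the spare lines closed as 5-15.
GOOD_CONFIG = """\
line con 0
 exec-timeout 5 0
line vty 0 4
 access-class 11 in
 exec-timeout 5 0
 transport input ssh
 login local
line vty 5 15
 transport input none
"""

# Constructed sample 2: the second section overlaps the first, so it also
# closes vty 0-4 and the device can no longer be reached over SSH.
OVERLAP_CONFIG = """\
line vty 0 4
 access-class 11 in
 transport input ssh
 login local
line vty 0 15
 transport input none
"""

# Constructed sample 3: telnet left enabled and no access-class on the SSH lines.
TELNET_CONFIG = """\
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input none
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("overlap", OVERLAP_CONFIG), ("telnet", TELNET_CONFIG)):
        print(name, audit_vty(cfg) or ["OK"])
```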

Access/DMZ/Server Switch Cisco Catalyst 2960/2960S

!VLAN configuration
Switch(config)# vlan <Vlan-ID>
Switch(config-vlan)# name <Vlan-Name>
!VTP transparent mode configuration
Switch(config)# vtp mode transparent
!STP configuration
!Use Rapid PVST+ or MST
Switch(config)# spanning-tree mode rapid-pvst
!STP optimisation features
!Enable BPDU Guard and BPDU Filter by default on the ports configured with Spanning-Tree Portfast
!(caveat: with global BPDU filtering, a Portfast port that receives a BPDU loses its Portfast status; check on your platform that BPDU Guard still err-disables the port before enabling both, otherwise keep BPDU Guard only)
Switch(config)# spanning-tree portfast bpduguard default
Switch(config)# spanning-tree portfast bpdufilter default
!Loop Guard on the Root and Blocking (uplink) ports, as in the STP design above
Switch(config)# spanning-tree loopguard default
!UDLD configuration
!Enable UDLD on the fiber links to protect against unidirectional connections
Switch(config)# udld aggressive
!Broadcast Storm configuration
!Configure Storm-Control (10%) on the Uplink ports (and on the Downlink ports of the Core/Dist)
Switch(config-if)# storm-control broadcast level 10
!Layer 2 Port configuration
!Trunk configuration for the Uplink ports connecting to the Core/Dist Switches
Switch(config-if)# switchport mode trunk
!To protect against VLAN-Hopping attacks, set the native VLAN to 999, a VLAN that is created but not used
Switch(config-if)# switchport trunk native vlan 999
!Access configuration for the downlink ports (end users, servers, or the WAN Routers on the DMZ Switch)
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan <Vlan-ID>
Switch(config-if)# spanning-tree portfast
!Shut down the ports that are currently unused
Switch(config-if)# shutdown
!EtherChannel configuration
Switch(config)# interface range Gi0/x-y
Switch(config-if)# channel-protocol lacp
Switch(config-if)# channel-group <group-number> mode active
Switch(config)# port-channel load-balance src-dst-ip
!Device Hardening configuration
!Password configuration
Switch(config)# service password-encryption
Switch(config)# no enable password
Switch(config)# enable secret <password>
Switch(config)# username <admin user> secret <password>

!Disable unnecessary services
Switch(config)# no service tcp-small-servers
Switch(config)# no service udp-small-servers
Switch(config)# no ip bootp server
Switch(config)# no ip finger
Switch(config)# no service finger
Switch(config)# no service config
Switch(config)# no boot host
Switch(config)# no boot network
Switch(config)# no boot system
Switch(config)# no service pad
Switch(config)# no ip domain-lookup
!On the management SVI (interface vlan):
Switch(config-if)# no ip proxy-arp
Switch(config-if)# no ip unreachables
Switch(config-if)# no ip redirects
Switch(config-if)# no ip mask-reply
Switch(config-if)# no ip directed-broadcast
!Disable ip source-route in the IP header
Switch(config)# no ip source-route
!Set the console timeout to 5 minutes
Switch(config)# line console 0
Switch(config-line)# exec-timeout 5 0
!Only allow access to the Switch via SSH
!(SSH needs a domain name and an RSA key pair before the vty lines are restricted to it)
Switch(config)# ip domain-name <domain-name>
Switch(config)# crypto key generate rsa modulus 2048
Switch(config)# ip ssh version 2
Switch(config)# access-list 11 permit x.x.x.x y.y.y.y
Switch(config)# access-list 11 deny any log
Switch(config)# line vty 0 4
Switch(config-line)# transport input ssh
Switch(config-line)# transport output none
Switch(config-line)# privilege level 1
Switch(config-line)# exec-timeout 5 0
Switch(config-line)# access-class 11 in
Switch(config-line)# login local
!Close the remaining vty lines; use 5 15 rather than 0 15, which would also apply "transport input none" to the SSH lines above
Switch(config)# line vty 5 15
Switch(config-line)# transport input none
!Disable the HTTP Server
Switch(config)# no ip http server
!Prevent a denial-of-service attack on the Switch processor from stopping the Switch from handling legitimate management traffic (STP, VTP, DTP, CDP, Routing, ...)
Switch(config)# scheduler interval 500
!Management configuration
!Syslog configuration
Switch(config)# no logging console
Switch(config)# logging buffered 128000

!NTP configuration
!NTP authentication: define and trust the key number that "ntp server ... key" references
Switch(config)# ntp authentication-key <key-id> md5 <key>
Switch(config)# ntp authenticate
Switch(config)# ntp trusted-key <key-id>
Switch(config)# ntp server <IP Address> key <key-id>
Switch(config)# ntp source loopback 0
Switch(config)# clock timezone GMT +7
Switch(config)# service timestamps log datetime msec localtime show-timezone
Switch(config)# service timestamps debug datetime msec localtime show-timezone

!CDP configuration
!CDP is enabled on the Switch by default.
!SNMP configuration
!Configure a read-only SNMP Community string so the Management Servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring.
!(SNMPv2c communities travel in cleartext: restrict them to the NMS with ACL 10 as below, and prefer SNMPv3 where the NMS supports it)
Switch(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Switch(config)# access-list 10 permit x.x.x.x y.y.y.y
Switch(config)# access-list 10 deny any log
Switch(config)# snmp-server community <SNMP-String> RO 10
Switch(config)# snmp-server location <Server Room A> <5th Floor>
!Banner configuration
!Configure a warning banner shown whenever someone accesses the device
Switch(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*********************************************************************
^

WAN Router Cisco 2900 ISR2

!WAN Interface configuration
Router(config)# interface <WAN-Interface>
Router(config-if)# encapsulation ppp
Router(config-if)# no cdp enable
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!LAN Interface configuration
Router(config)# interface <LAN-Interface>
Router(config-if)# ip address x.x.x.x y.y.y.y
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!VTI IPSEC VPN Site-to-Site configuration
!VPN Policy Phase 1 (ISAKMP)
!(3DES and DH group 2 are legacy choices; on current software use AES and DH group 14 or higher with the same commands)
Router(config)# crypto isakmp policy 1
Router(config-isakmp)# encr 3des
Router(config-isakmp)# authentication pre-share
Router(config-isakmp)# group 2
Router(config)# crypto isakmp key <secret-key> address <IP-Address> <SubnetMask>
Router(config)# crypto isakmp keepalive 10
!VPN Policy Phase 2 (IPSEC)
Router(config)# crypto ipsec transform-set TRAN_TEST esp-3des esp-sha-hmac
Router(config)# crypto ipsec profile VTI
Router(ipsec-profile)# set transform-set TRAN_TEST
!VTI interface configuration and applying the IPSEC profile
Router(config)# interface tunnel 0
Router(config-if)# ip address x.x.x.x y.y.y.y
!tunnel source is the local WAN interface (or its IP) and tunnel destination is the remote peer's WAN IP; neither takes a subnet mask
Router(config-if)# tunnel source <WAN-Interface>
Router(config-if)# tunnel destination <Peer-WAN-IP>
Router(config-if)# tunnel mode ipsec ipv4
Router(config-if)# tunnel protection ipsec profile VTI
!OSPF Routing configuration
Router(config)# router ospf 1
Router(config-router)# router-id <x.x.x.x>
Router(config-router)# network <x.x.x.x> <y.y.y.y> area 0
Router(config-router)# network <x.x.x.x> <y.y.y.y> area <n>
Router(config-router)# area <n> stub no-summary
Router(config-router)# area <n> range <ip-subnet> <subnet-mask>
Router(config-router)# auto-cost reference-bandwidth 10000
!
Router(config)# interface Fa x/y
Router(config-if)# description connect to peer WAN Router
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf message-digest-key <key-id> md5 <key>
Router(config-if)# ip ospf network point-to-point
!
Router(config)# interface Tunnel 0
Router(config-if)# description connect to peer WAN Router in Branch
Router(config-if)# ip ospf authentication message-digest
Router(config-if)# ip ospf message-digest-key <key-id> md5 <key>
Router(config-if)# ip ospf network point-to-point

!Device Hardening configuration
!Password configuration
Router(config)# service password-encryption
Router(config)# no enable password
Router(config)# enable secret <password>
Router(config)# username <admin user> secret <password>
!Disable unnecessary services
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no ip finger
Router(config)# no service finger
Router(config)# no service config
Router(config)# no boot host
Router(config)# no boot network
Router(config)# no boot system
Router(config)# no service pad
Router(config)# no ip domain-lookup
!Disable ip source-route in the IP header
Router(config)# no ip source-route
!Set the console timeout to 5 minutes
Router(config)# line console 0
Router(config-line)# exec-timeout 5 0
!Only allow access to the Router via SSH
!(SSH needs a domain name and an RSA key pair before the vty lines are restricted to it)
Router(config)# ip domain-name <domain-name>
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# access-list 11 permit x.x.x.x y.y.y.y
Router(config)# access-list 11 deny any log
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output none
Router(config-line)# privilege level 1
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 11 in
Router(config-line)# login local
!Close the remaining vty lines; use 5 15 rather than 0 15, which would also apply "transport input none" to the SSH lines above
Router(config)# line vty 5 15
Router(config-line)# transport input none
!Disable the HTTP Server
Router(config)# no ip http server
!Device Management configuration
!Syslog configuration
Router(config)# no logging console
Router(config)# logging buffered 128000
!NTP configuration
!NTP authentication: define and trust the key number that "ntp server ... key" references
Router(config)# ntp authentication-key <key-id> md5 <key>
Router(config)# ntp authenticate
Router(config)# ntp trusted-key <key-id>
Router(config)# ntp server <IP Address> key <key-id>
Router(config)# ntp source loopback 0
Router(config)# clock timezone GMT +7
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

!Management configuration

!CDP configuration
!CDP is enabled on the Router by default.
!SNMP configuration
!Configure a read-only SNMP Community string so the Management Servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring.
!(SNMPv2c communities travel in cleartext: restrict them to the NMS with ACL 10 as below, and prefer SNMPv3 where the NMS supports it)
Router(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Router(config)# access-list 10 permit x.x.x.x y.y.y.y
Router(config)# access-list 10 deny any log
Router(config)# snmp-server community <SNMP-String> RO 10
Router(config)# snmp-server location <Server Room A> <5th Floor>
!Banner configuration
!Configure a warning banner shown whenever someone accesses the device
Router(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*********************************************************************
^

Internet Router Cisco 1900 ISR2

!Internet Interface configuration
Router(config)# interface Gi0/1
Router(config-if)# no cdp enable
Router(config-if)# ip address 203.162.123.2 255.255.255.252
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!LAN Interface configuration
Router(config)# interface Gi0/0
Router(config-if)# ip address 203.162.100.1 255.255.255.240
Router(config-if)# no ip proxy-arp
Router(config-if)# no ip unreachables
Router(config-if)# no ip redirects
Router(config-if)# no ip mask-reply
Router(config-if)# no ip directed-broadcast
!Static Route configuration
Router(config)# ip route 0.0.0.0 0.0.0.0 203.162.123.1
!Device Hardening configuration
!Password configuration
Router(config)# service password-encryption
Router(config)# no enable password
Router(config)# enable secret <password>
Router(config)# username <admin user> secret <password>
!Disable unnecessary services
Router(config)# no service tcp-small-servers
Router(config)# no service udp-small-servers
Router(config)# no ip bootp server
Router(config)# no ip finger
Router(config)# no service finger
Router(config)# no service config
Router(config)# no boot host
Router(config)# no boot network
Router(config)# no boot system
Router(config)# no service pad
Router(config)# no ip domain-lookup
!Disable ip source-route in the IP header
Router(config)# no ip source-route
!Set the console timeout to 5 minutes
Router(config)# line console 0
Router(config-line)# exec-timeout 5 0
!Only allow access to the Router via SSH
!(SSH needs a domain name and an RSA key pair before the vty lines are restricted to it)
Router(config)# ip domain-name <domain-name>
Router(config)# crypto key generate rsa modulus 2048
Router(config)# ip ssh version 2
Router(config)# access-list 11 permit x.x.x.x y.y.y.y
Router(config)# access-list 11 deny any log
Router(config)# line vty 0 4
Router(config-line)# transport input ssh
Router(config-line)# transport output none
Router(config-line)# privilege level 1
Router(config-line)# exec-timeout 5 0
Router(config-line)# access-class 11 in
Router(config-line)# login local
!Close the remaining vty lines; use 5 15 rather than 0 15, which would also apply "transport input none" to the SSH lines above
Router(config)# line vty 5 15
Router(config-line)# transport input none
!Disable the HTTP Server
Router(config)# no ip http server
!Device Management configuration
!Syslog configuration
Router(config)# no logging console
Router(config)# logging buffered 128000
!NTP configuration
!NTP authentication: define and trust the key number that "ntp server ... key" references
Router(config)# ntp authentication-key <key-id> md5 <key>
Router(config)# ntp authenticate
Router(config)# ntp trusted-key <key-id>
Router(config)# ntp server <IP Address> key <key-id>
Router(config)# ntp source loopback 0
Router(config)# clock timezone GMT +7
Router(config)# service timestamps log datetime msec localtime show-timezone
Router(config)# service timestamps debug datetime msec localtime show-timezone

!CDP configuration
!CDP is enabled on the Router by default.
!SNMP configuration
!Configure a read-only SNMP Community string so the Management Servers (SolarWinds, WhatsUpGold, ...) can poll the device for monitoring.
!(SNMPv2c communities travel in cleartext: restrict them to the NMS with ACL 10 as below, and prefer SNMPv3 where the NMS supports it)
Router(config)# access-list 10 remark Permit Read-Only SNMP Access from NMS only
Router(config)# access-list 10 permit x.x.x.x y.y.y.y
Router(config)# access-list 10 deny any log
Router(config)# snmp-server community <SNMP-String> RO 10
Router(config)# snmp-server location <Server Room A> <5th Floor>
!Banner configuration
!Configure a warning banner shown whenever someone accesses the device
Router(config)# banner motd ^
**************************** NOTICE *******************************
This is a private network facility protected by a security system.
Access to and use of this facility requires explicit written,
current authorisation and is strictly limited to the purposes of
this organization's business.
Unauthorised or any attempt at unauthorised access, use, copying,
alteration, destruction, or damage to its data, program, or
equipment may result in criminal or civil liability or both.
*********************************************************************
^

Internet Firewall ASA5510


!Cu hnh Failover cho ASA5510 Active
ASA5510(config)# interface redundant 2
ASA5510(config-if)# member-interface Fa0/2
ASA5510(config-if)# member-interface Fa0/3
!
ASA5510(config)# interface Fa0/2
ASA5510(config-if)# no shutdown
ASA5510(config)# interface Fa0/3
ASA5510(config-if)# no shutdown
!
ASA5510(config)# failover lan unit primary
ASA5510(config)# failover lan interface FOLINK redundant 2
ASA5510(config)# failover interface ip FOLINK 10.1.1.1 255.255.255.252 standby
10.1.1.2
ASA5510(config)# failover link STATELINK redundant 2
ASA5510(config)# failover replication http
ASA5510(config)# failover
!Cu hnh Failover cho ASA5510 Standby
ASA5510(config)# interface redundant 2
ASA5510(config-if)# member-interface Fa0/2
ASA5510(config-if)# member-interface Fa0/3
!
ASA5510(config)# interface Fa0/2
ASA5510(config-if)# no shutdown
ASA5510(config)# interface Fa0/3
ASA5510(config-if)# no shutdown
!

ASA5510(config)# failover lan unit secondary
ASA5510(config)# failover lan interface FOLINK redundant 2
ASA5510(config)# failover interface ip FOLINK 10.1.1.1 255.255.255.252 standby 10.1.1.2
ASA5510(config)# failover link STATELINK redundant 2
ASA5510(config)# failover replication http
ASA5510(config)# failover

!Interface configuration
ASA5510(config)# interface redundant 1
ASA5510(config-if)# member-interface Fa0/0
ASA5510(config-if)# member-interface Fa0/1
!
ASA5510(config)# interface Fa0/0
ASA5510(config-if)# no shutdown
ASA5510(config)# interface Fa0/1
ASA5510(config-if)# no shutdown
!
ASA5510(config)# interface redundant 1.1
ASA5510(config-subif)# vlan <TRUSTED-VLAN-ID>
ASA5510(config-subif)# nameif TRUSTED
ASA5510(config-subif)# ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
ASA5510(config-subif)# security-level 100
!
ASA5510(config)# interface redundant 1.2
ASA5510(config-subif)# vlan <DMZ-VLAN-ID>
ASA5510(config-subif)# nameif DMZ
ASA5510(config-subif)# ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
ASA5510(config-subif)# security-level 50
!
ASA5510(config)# interface redundant 1.3
ASA5510(config-subif)# vlan <UNTRUSTED-VLAN-ID>
ASA5510(config-subif)# nameif UNTRUSTED
ASA5510(config-subif)# ip address 203.162.100.2 255.255.255.240 standby 203.162.100.3
ASA5510(config-subif)# security-level 0
!
!Static route configuration
ASA5510(config)# route UNTRUSTED 0.0.0.0 0.0.0.0 203.162.100.1
ASA5510(config)# route TRUSTED <x.x.x.x> <y.y.y.y> <Core/Dist Switch>
!Remote Access VPN configuration
!VPN phase 1 policy (ISAKMP)
ASA5510(config)# crypto isakmp policy 1
ASA5510(config-isakmp)# authentication pre-share
ASA5510(config-isakmp)# encryption 3des
ASA5510(config-isakmp)# group 2
!VPN phase 2 policy (IPSEC)
ASA5510(config)# crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
ASA5510(config)# crypto dynamic-map DYMAP 1 set transform-set 3DES-SHA
ASA5510(config)# crypto dynamic-map DYMAP 1 set reverse-route
ASA5510(config)# crypto map CRYPMAP ipsec-isakmp dynamic DYMAP
!Apply the VPN phase 1 and phase 2 policies to the UNTRUSTED interface
ASA5510(config)# crypto isakmp enable UNTRUSTED
ASA5510(config)# crypto map CRYPMAP interface UNTRUSTED
!VPN Group Policy configuration for the IT Admin group
ASA5510(config)# access-list ACL_SPLIT_TUNNEL standard permit 192.168.0.0 255.255.0.0
ASA5510(config)# access-list ACL_VPN_IT extended permit ip any 192.168.0.0 255.255.0.0
ASA5510(config)# ip local pool VPN_IPPOOL_IT 192.168.50.21-192.168.50.254 mask 255.255.255.0
ASA5510(config)# group-policy VPN_IT internal
ASA5510(config)# group-policy VPN_IT attributes
ASA5510(config-vpn-att)# dns-server value 192.168.11.11 192.168.11.12
ASA5510(config-vpn-att)# vpn-filter value ACL_VPN_IT
ASA5510(config-vpn-att)# ip-comp enable
ASA5510(config-vpn-att)# split-tunnel-policy tunnelspecified
ASA5510(config-vpn-att)# split-tunnel-network-list value ACL_SPLIT_TUNNEL
ASA5510(config-vpn-att)# address-pools value VPN_IPPOOL_IT
!VPN tunnel-group configuration
ASA5510(config)# tunnel-group TG_IT type remote-access
ASA5510(config)# tunnel-group TG_IT general-attributes
ASA5510(config-vpn-tunnel-ge)# address-pool VPN_IPPOOL_IT
ASA5510(config-vpn-tunnel-ge)# default-group-policy VPN_IT
ASA5510(config)# tunnel-group TG_IT ipsec-attributes
ASA5510(config-vpn-tunnel-att)# pre-shared-key 123456
!Create a VPN user (vpn-group-policy takes the group-policy name, not the tunnel-group name)
ASA5510(config)# username vpn-user1 password <password>
ASA5510(config)# username vpn-user1 attributes
ASA5510(config-username)# vpn-group-policy VPN_IT
ASA5510(config-username)# service-type remote-access
!NAT configuration publishing the Web (TCP:80) and Mail (POP3) servers to the Internet
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 80 192.168.20.20 80 netmask 255.255.255.255
ASA5510(config)# static (DMZ,UNTRUSTED) tcp interface 110 192.168.20.20 110 netmask 255.255.255.255
!NAT n-1 (PAT) configuration allowing users to access the Internet
!(the nat statement for TRUSTED pairs with global id 1 on UNTRUSTED)
ASA5510(config)# nat (TRUSTED) 1 0.0.0.0 0.0.0.0
ASA5510(config)# global (UNTRUSTED) 1 interface
!NAT exemption for traffic DMZ->TRUSTED, DMZ->VPN, TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list DMZ_nat0 remark NO NAT Traffic DMZ->VPN, DMZ->TRUSTED
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
ASA5510(config)# access-list DMZ_nat0 extended permit ip 192.168.20.0 255.255.255.0 192.168.50.0 255.255.255.0
!
ASA5510(config)# access-list TRUSTED_nat0 remark NO NAT Traffic TRUSTED->DMZ, TRUSTED->VPN
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
ASA5510(config)# access-list TRUSTED_nat0 extended permit ip 192.168.10.0 255.255.255.0 192.168.50.0 255.255.255.0
ASA5510(config)# nat (DMZ) 0 access-list DMZ_nat0
ASA5510(config)# nat (TRUSTED) 0 access-list TRUSTED_nat0
!Firewall policy configuration
!ACL configuration
ASA5510(config)# access-list TRUSTED_IN remark Permit traffic from Internal Network access Internet
ASA5510(config)# access-list TRUSTED_IN extended permit ip any any
!
ASA5510(config)# access-list DMZ_IN remark Permit Servers from DMZ zone to access Internet and Internal IP Address 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended permit ip any host 192.168.11.11
ASA5510(config)# access-list DMZ_IN extended deny ip any 192.168.0.0 255.255.0.0 log
ASA5510(config)# access-list DMZ_IN extended permit ip any any
!
ASA5510(config)# access-list UNTRUSTED_IN remark Permit Some traffic (mail,web) access to DMZ Zone from Internet
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 80
ASA5510(config)# access-list UNTRUSTED_IN extended permit tcp any host 203.162.100.2 eq 110
!Apply ACL to Interface
ASA5510(config)# access-group TRUSTED_IN in interface TRUSTED
ASA5510(config)# access-group DMZ_IN in interface DMZ
ASA5510(config)# access-group UNTRUSTED_IN in interface UNTRUSTED

!Management configuration
!Allow ping to the TRUSTED interface for troubleshooting
ASA5510(config)# icmp permit any TRUSTED
!Allow the PC with IP 192.168.44.44 to telnet into the ASA
ASA5510(config)# telnet 192.168.44.44 255.255.255.255 TRUSTED
!Allow the PC with IP 192.168.44.44 to manage the ASA via ASDM (TCP port 4443)
ASA5510(config)# http server enable 4443
ASA5510(config)# http 192.168.44.44 255.255.255.255 TRUSTED

Internal Firewall ASA5550


!Failover configuration for the ASA5550 Active unit
ASA5550(config)# interface redundant 2
ASA5550(config-if)# member-interface Gi0/2
ASA5550(config-if)# member-interface Gi0/3
!
ASA5550(config)# interface Gi0/2
ASA5550(config-if)# no shutdown
ASA5550(config)# interface Gi0/3
ASA5550(config-if)# no shutdown
!
ASA5550(config)# failover lan unit primary
ASA5550(config)# failover lan interface FOLINK redundant 2
ASA5550(config)# failover interface ip FOLINK 10.2.2.1 255.255.255.252 standby 10.2.2.2
ASA5550(config)# failover link STATELINK redundant 2
ASA5550(config)# failover replication http
ASA5550(config)# failover
!Failover configuration for the ASA5550 Standby unit
ASA5550(config)# interface redundant 2
ASA5550(config-if)# member-interface Gi0/2
ASA5550(config-if)# member-interface Gi0/3
!
ASA5550(config)# interface Gi0/2
ASA5550(config-if)# no shutdown
ASA5550(config)# interface Gi0/3
ASA5550(config-if)# no shutdown
!
ASA5550(config)# failover lan unit secondary
ASA5550(config)# failover lan interface FOLINK redundant 2
ASA5550(config)# failover interface ip FOLINK 10.2.2.1 255.255.255.252 standby 10.2.2.2
ASA5550(config)# failover link STATELINK redundant 2
ASA5550(config)# failover replication http
ASA5550(config)# failover
!Interface configuration
ASA5550(config)# interface redundant 1
ASA5550(config-if)# member-interface Gi0/0
ASA5550(config-if)# member-interface Gi0/1
!
ASA5550(config)# interface Gi0/0
ASA5550(config-if)# no shutdown
ASA5550(config)# interface Gi0/1
ASA5550(config-if)# no shutdown
!
ASA5550(config)# interface redundant 1.1
ASA5550(config-subif)# vlan <TRUSTED-VLAN-ID>
ASA5550(config-subif)# nameif TRUSTED
ASA5550(config-subif)# ip address 192.168.100.1 255.255.255.0
ASA5550(config-subif)# security-level 100
!
ASA5550(config)# interface redundant 1.2
ASA5550(config-subif)# vlan <UNTRUSTED-VLAN-ID>
ASA5550(config-subif)# nameif UNTRUSTED
ASA5550(config-subif)# ip address 192.168.101.1 255.255.255.0
ASA5550(config-subif)# security-level 0
!OSPF routing configuration
ASA5550(config)# router ospf 1
ASA5550(config-router)# network <x.x.x.x> <y.y.y.y> area 0
ASA5550(config-router)# auto-cost reference-bandwidth 10000
!
!MD5 authentication needs a message-digest key; authentication-key is for plain-text authentication only
ASA5550(config)# interface redundant 1.1
ASA5550(config-subif)# ospf authentication message-digest
ASA5550(config-subif)# ospf message-digest-key 1 md5 <key>
!
ASA5550(config)# interface redundant 1.2
ASA5550(config-subif)# ospf authentication message-digest
ASA5550(config-subif)# ospf message-digest-key 1 md5 <key>
!Disable NAT control (no NAT required between interfaces)
ASA5550(config)# no nat-control
!Firewall policy configuration
ASA5550(config)# access-list TRUSTED_IN remark Permit traffic from Server Farm access outside network
ASA5550(config)# access-list TRUSTED_IN extended permit ip any any
!
ASA5550(config)# access-list UNTRUSTED_IN remark Permit traffic access from outside to some Servers in Server Farm
ASA5550(config)# access-list UNTRUSTED_IN extended permit tcp any host 192.168.100.10 eq 443
ASA5550(config)# access-list UNTRUSTED_IN extended permit tcp any host 192.168.100.10 eq 445
ASA5550(config)# access-list UNTRUSTED_IN extended deny ip any any
!Apply ACL to Interface
ASA5550(config)# access-group TRUSTED_IN in interface TRUSTED
ASA5550(config)# access-group UNTRUSTED_IN in interface UNTRUSTED
!Management configuration
!Allow ping to the TRUSTED interface for troubleshooting
ASA5550(config)# icmp permit any TRUSTED
!Allow the PC with IP 192.168.44.44 to telnet into the ASA
ASA5550(config)# telnet 192.168.44.44 255.255.255.255 TRUSTED
!Allow the PC with IP 192.168.44.44 to manage the ASA via ASDM (TCP port 4443)
ASA5550(config)# http server enable 4443
ASA5550(config)# http 192.168.44.44 255.255.255.255 TRUSTED

Discussion of the Strengths and Weaknesses of the Design Above

Strengths:
- The network has a high degree of redundancy.
- Suitable for an SMB that cannot accept downtime, or only very short downtime (a few minutes down to a few seconds), when the system has a fault: a failed device or a lost physical link.
Weaknesses:
- High investment cost because of the redundant design.
- Redundancy still relies on STP, so the 2 Uplink Ports are not load-balanced (1 uplink active, the other standby).
Next part: Designing a fully redundant LAN using Virtual Switch, eliminating STP ... To be continued

Post 7: Designing a fully redundant LAN infrastructure using virtual switch, eliminating STP
See the original post at the link:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=189735#post189735

Hello everyone, today we discuss the topic: DESIGNING A FULLY REDUNDANT LAN INFRASTRUCTURE USING VIRTUAL SWITCH, ELIMINATING STP.
The redundancy design principle in this article is the same as in the previous article on designing a fully redundant LAN infrastructure using STP. The only difference in this design is that a Virtual Switch (using StackWise or FlexStack) is used instead of STP to provide HA for the network. Using a Virtual Switch brings many outstanding advantages that cannot be found in the previous article; the details are covered below.

Network Diagram

Overview connection diagram

The overall principle when designing a fully redundant LAN using Cisco StackWise/StackWise+ (collectively StackWise) is the same as in the design of a fully redundant LAN using STP, and it includes the same modules. The difference is that, instead of using STP to achieve redundancy, this design uses Multichassis EtherChannel (MEC - see the terminology section earlier) to connect the modules and ensure High Availability (HA) of the network. The main features used in this design model are MEC at Layer 2 and Dynamic Routing at Layer 3. Details are as follows:
- The network is designed on the principle of modularizing its components.
- Modularizing the design has the following notable characteristics:
o Uses MEC at Layer 2 and Dynamic Routing at Layer 3 to provide HA.
o Simple and clear.
o The network can be expanded easily.
o The function of each module is clearly separated, which gives enough information to choose the right network device for each module:
Core/Distribution Block: the central module of the network, responsible for connecting the remaining modules together. It follows that the priority when choosing devices for this layer is port speed: the faster the better.
Access Layer Block: the module providing connectivity to end users. The priorities when choosing devices for this module are to provide many downlink ports for users, to have high-speed Uplinks to the Core/Distribution module, and to optimize the cost per downlink port. Usually devices in this module only need to support Layer 2 features.

Server Farm Block: the module providing connectivity for the servers that deliver services on the internal network, e.g. AD, DNS, DHCP, File, Application, Database. Devices chosen for this layer need downlink ports of at least 1Gbps and operate at Layer 2.
WAN Block: the module providing connectivity to the other branches. Usually devices in this module need to support:
WAN interfaces: Serial, FTTH, ADSL, ...
Features: dynamic routing, hardware VPN encryption (VPN supported in hardware).
Internet Access Block: the outermost module of the network, providing Internet connectivity for internal users. Usually devices chosen for this module need to support:
Routing.
NAT/PAT.
Firewall.
Remote Access VPN.
DMZ Block: the module connected directly to the Internet Access Block. Its function:
Provide services to the Internet: Mail, Web.

Physical connection diagram

Virtual switch diagram

To meet the goal of building an SMB network that guarantees HA, the devices proposed for each module are as follows:
Core/Distribution Block: 2 x Cisco Catalyst 3750-X (supporting StackWise+ technology) with ports of at least 1Gbps, operating at Layer 3. This is the central block carrying traffic between the other blocks; the 2 Core/Dist Switches are connected to each other by a special cable called the Stack Cable (shipped with the Switch) at 64Gbps (Full Duplex); details are covered in the Logical Diagram section.
Access Layer Block: n x Switches with downlink ports of at least 100Mbps and at least 2 x 1Gbps Uplinks, operating at Layer 2. Each Access Switch connects with at least 2 Uplinks, one to each Core/Dist, as in the diagram, so that if 1 Core/Dist fails, traffic is automatically moved to the remaining Core/Dist.
Server Farm Block:
2 x Firewalls: with at least 3 ports of at least 1Gbps and Firewall Throughput of at least 1Gbps. The FWs are configured in Cluster mode, so that if 1 FW fails the other FW automatically becomes active. The FWs connect to the Core/Dist Switch and the Server Switch as in the diagram; in this model the FW is physically placed between Core/Dist and Server Farm, to make full use of the high throughput of the Internal FW.
2 x Switches supporting FlexStack (Catalyst 2960S) or StackWise+ (Catalyst 3750-X) with 1Gbps downlink/uplink ports, operating at Layer 2. Servers with 2 NIC ports are physically connected to the 2 Server Switches as in the diagram and configured with NIC Teaming, so that if 1 Server Switch fails, traffic automatically moves to the other Server Switch.
Note: the Catalyst 2960S supports at most 6 EtherChannel Groups, while the Catalyst 3750-X supports up to 48 EtherChannel Groups. So if many Servers need to connect to the Server Switch using LACP, choose the Catalyst 3750-X; otherwise the Catalyst 2960S can be chosen to reduce cost.
WAN Block:
2 x Routers with matching LAN/WAN ports. For HA, the 2 Routers should connect to 2 different ISPs, and it is important to ask the 2 ISPs to use 2 separate physical paths (e.g. not sharing the same pole or terminating on the same ODF, although in practice this is very hard to obtain).
2 x WAN Switches supporting FlexStack (Catalyst 2960S), operating at Layer 2. These 2 WAN Switches provide pure Layer 2 connectivity and are connected as in the diagram (they can be shared with the DMZ Switch by carving out a separate VLAN on the DMZ Switch dedicated to the WAN Routers).
DMZ Block, Internet Access Block:
2 x Switches supporting FlexStack (Catalyst 2960S), at least 100Mbps, operating at Layer 2.
Note: 2 Switches supporting StackWise (Catalyst 3750) can be shared between the WAN Block and the DMZ Block by separating them into VLANs.
2 x Firewalls: supporting IPSEC VPN or SSL VPN (if required). Like the Internal FW, the 2 External FWs are also configured in Cluster mode; to keep the design simple, and because the Internet connection speed is usually not high, the 2 External FWs are designed in "Firewall on a Stick" form. One port connected between the 2 FWs carries the Heartbeat traffic; the other 2 ports connect to each Core/Dist Switch as in the diagram above. If Cisco ASA5500 is used, these 2 ports are configured in Channel mode (both ports active using EtherChannel). This Channel Interface carries 3 SubInterfaces: TRUSTED (facing the LAN), UNTRUSTED (facing the Internet) and DMZ.
2 x Routers: with matching LAN/WAN ports.
Details are covered in the logical connection diagram below.

Logical connection diagram

Core/Distribution Switch: because the 2 Switches are stacked together, operationally they behave as 1 Switch (e.g. two 3750-X Switches with 48 x 1G ports each, once stacked, appear at login as 1 Switch with 96 x 1G ports). The Switch is configured as STP Root Bridge (note: although this design does not need STP, the recommendation is to keep STP enabled). Configure Interface VLANs for InterVLAN Routing and run OSPF Routing. Configure EtherChannel to the FW and to the Access Switches.
Access Switch: configure the 2 Uplink Ports as a Layer 2 Dot1Q Trunking EtherChannel. This way both Uplink Ports, connected directly to the 2 Core/Dist Switches, are active at the same time, giving an Uplink speed of 2Gbps.
Internal Firewall: each FW is configured with an LACP Channel Interface to the 2 Core/Dist Switches and an LACP Channel Interface to the 2 Server Switches. The 2 FWs are configured as an FW Cluster with 2 Zones: TRUSTED (facing the Server Farm) and UNTRUSTED (facing the LAN). The FW filters traffic from internal users to the applications deployed in the Server Farm.
Server Switch: operates as 1 Switch (using FlexStack in the 2960S or StackWise+ in the 3750-X), Layer 2 only, configured with Layer 2 features (EtherChannel, VLAN, Trunking, ...).
DMZ Switch: operates as 1 Switch (using FlexStack in the 2960S), configured with Layer 2 features only, like the Server Switch.
Internet Firewall: configured with 3 zones: UNTRUSTED (facing the Internet), DMZ and TRUSTED (facing the LAN). The FW filters access requests from the Internet into the DMZ and from the DMZ into the Internal network, provides NAT from the Internet to the DMZ (NAT/PAT 1-1) and from Internal Users to the Internet (Dynamic NAT/PAT n-1), and is configured as a VPN Server (IPSEC VPN or SSL VPN) so that users can securely reach internal resources from the Internet.
Internet Router: provides the WAN port and routing so the Internet FW can forward traffic to and from the Internet; in some cases, if the Internet hand-off is RJ45 (FTTH, ...), the Internet Router can be skipped and the Internet link connected directly to the External Switch.
WAN Router: provides the WAN connections (Serial, T3, ...), Dynamic Routing (OSPF, EIGRP) and Site-to-Site IPSEC VPN (or DMVPN, GetVPN) to connect to the enterprise's other sites.

Spanning Tree Diagram

There is no loop in the Stack-based design, but the following STP optimizations should still be configured: use Rapid-PVST on all Switches, configure the Core/Dist as the STP Root Bridge, and configure STP PortFast, BPDU Guard and BPDU Filter on the downlink ports of the Access Switches.
Logical Diagram for External Firewall

The traffic flow when a User accesses the Internet is exactly the same as in the fully redundant design using STP; the difference is that the bandwidth between the FW and the Core/Dist is doubled and the network recovers faster (measured in ms).
With Cisco ASA5500 Firewalls, when the 2 FWs are configured as a Cluster they operate logically as 1 FW, and the 2 physical ports from each FW to the 2 Core/Dist Switches are configured in Channel mode using LACP (both ports active). Since 3 Zones are needed (TRUSTED, DMZ and UNTRUSTED), the Channel Interface is configured with 3 SubInterfaces whose VLANs belong respectively to TRUSTED, DMZ and UNTRUSTED, as in the diagram above.
The diagram shows an example traffic flow when Users access the Internet:
Example: Traffic flow from USERS to INTERNET:
Users ==(user vlan)==> Access Switch ==(trunking)==> Core Switch ==(trusted vlan)==> External Firewall ==(untrusted vlan)==> Core Switch ==(untrusted vlan)==> External Switch ==(untrusted vlan)==> Router ====> INTERNET.
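As an added example (not the author's configuration template, which the post leaves for a later part), this is how the Core/Dist stack and one Access switch described above could be configured: Rapid-PVST with the stack as root, an LACP Multichassis EtherChannel with one member port on each stack member, and edge-port protection on the access downlinks. Hostnames, VLAN IDs, port-channel numbers and the user subnet are assumptions.

```cisco
! ===== Core/Dist stack: 2 x Catalyst 3750-X, StackWise+ (assumed hostname) =====
hostname CORE-STACK
! Rapid-PVST on every switch; the stack is root for all VLANs even though MEC leaves no loop
spanning-tree mode rapid-pvst
spanning-tree vlan 1-4094 root primary
!
vlan 10
 name USERS
vlan 20
 name VOICE
!
! MEC to ACCESS-01: one member port on stack member 1 and one on member 2, so the
! channel (and the access switch behind it) survives the loss of a whole stack member
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 description MEC member to ACCESS-01
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 11 mode active
!
interface Port-channel11
 description MEC to ACCESS-01 (LACP, both links forwarding)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! SVI for InterVLAN routing (assumed subnet)
interface Vlan10
 description USERS
 ip address 192.168.10.1 255.255.255.0
!
! ===== Access switch: Catalyst 2960 (assumed hostname) =====
hostname ACCESS-01
spanning-tree mode rapid-pvst
! BPDU Guard on every PortFast port: a BPDU arriving on a user port err-disables it
! instead of letting an unexpected switch join the topology. The post also lists
! BPDU Filter; interface-level bpdufilter would stop the guard from ever firing,
! so this example relies on the guard alone.
spanning-tree portfast bpduguard default
!
! The two uplinks, one to each stack member, bundled into one Layer 2 dot1q trunk
interface range GigabitEthernet0/1 - 2
 description Uplinks to CORE-STACK member 1 / member 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 description EtherChannel to CORE-STACK (2 Gbps, both links active)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface range FastEthernet0/1 - 24
 description User ports
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
 spanning-tree bpduguard enable
```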
Routing diagram

Regarding routing in this design, the only difference from the previous design is that OSPF no longer has to run between the 2 Core/Dist Switches; instead OSPF is configured on 1 Switch Stack, which greatly simplifies configuration, tuning and troubleshooting.
Assume this is the enterprise headquarters. OSPF is used and designed as in the diagram above:

OSPF Area 0 (Backbone Area): includes the Core/Dist Switch, the WAN Router and the Internal FW. OSPF is configured to advertise only a default route or summary routes to the Stub Areas at the other sites. Note on the connection between the 2 Core/Dist Switches: only a Layer 3 EtherChannel is used between these 2 Switches to form the OSPF neighbor; the routed Interface VLANs for End Users are configured in Passive mode.
OSPF Area N (Stub or Totally Stub Area): each Site is designed as 1 Stub Area; these sites receive only the default route (totally stub area) or the summary routes (stub area) from the Backbone Area.
For the design above to be truly optimal, the designer must do the IP address planning for each branch very carefully. Each branch must have a concrete plan of which IP range it will use; assign 1 large contiguous IP address range that covers the branch's future growth in user count, and avoid assigning many non-contiguous IP ranges, which reduces the effectiveness of Route Summarization.
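The routing design above as an added example (not the author's template): the OSPF process on the Core/Dist stack with passive user SVIs and MD5 on the Layer 3 channels, and the HQ WAN router acting as ABR for a branch totally-stub area with one summary range. Process ID, router IDs, area number, port-channel numbers, the WAN subnet and the branch block 10.1.0.0/22 are assumptions; 192.168.101.0/24 reuses the address the Internal FW template above gives its UNTRUSTED side.

```cisco
! ===== Core/Dist stack (3750-X): Layer 3 MEC toward the Internal FW UNTRUSTED side =====
ip routing
interface range GigabitEthernet1/0/47 , GigabitEthernet2/0/47
 no switchport
 channel-group 21 mode active
!
interface Port-channel21
 description L3 MEC to Internal FW (FW UNTRUSTED is 192.168.101.1 in the template above)
 no switchport
 ip address 192.168.101.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <key>
!
interface Port-channel22
 description L3 MEC to the WAN routers (assumed subnet)
 no switchport
 ip address 192.168.102.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <key>
!
router ospf 1
 router-id 10.0.0.1
 auto-cost reference-bandwidth 10000
 ! Passive by default: user SVIs are advertised but never form neighbors;
 ! only the FW and WAN channels exchange hellos
 passive-interface default
 no passive-interface Port-channel21
 no passive-interface Port-channel22
 network 192.168.10.0 0.0.0.255 area 0
 network 192.168.101.0 0.0.0.255 area 0
 network 192.168.102.0 0.0.0.255 area 0
!
! ===== HQ WAN router: ABR between area 0 and branch area 1 (assumed) =====
hostname WAN-RTR-01
interface GigabitEthernet0/0
 description LAN side, OSPF area 0
 ip address 192.168.102.2 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <key>
!
interface Serial0/0/0
 description WAN link to branch 1, OSPF area 1 (assumed addressing)
 ip address 10.255.1.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <key>
!
router ospf 1
 router-id 10.0.0.2
 auto-cost reference-bandwidth 10000
 ! Totally stub: the branch receives only a default route from this ABR
 area 1 stub no-summary
 ! Branch 1 was allocated one contiguous block (10.1.0.0/22), so area 0
 ! sees a single inter-area route instead of four /24s
 area 1 range 10.1.0.0 255.255.252.0
 network 192.168.102.0 0.0.0.255 area 0
 network 10.255.1.0 0.0.0.3 area 1
!
! ===== Branch 1 router: must carry the same stub flag or the adjacency will not form =====
hostname BRANCH-01
router ospf 1
 router-id 10.0.1.1
 area 1 stub
 network 10.255.1.0 0.0.0.3 area 1
 network 10.1.0.0 0.0.3.255 area 1
```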

Discussion of the Strengths and Weaknesses of the Design

Strengths:
- The network fully supports HA.
- STP is not used as the Layer 2 loop-prevention protocol, which completely removes the serious problems that STP can cause, such as broadcast storms when STP misbehaves, ...
- Both Uplink ports are used at the same time thanks to the EtherChannel and MEC configuration.
- The network converges faster (measured in milliseconds) when a device or an uplink port fails.
- The Core/Dist Catalyst 3750-X (StackWise+), or the Server/WAN/DMZ Catalyst 2960S (FlexStack), are interconnected through Stack Ports at very high speed (64Gbps for StackWise+ and 20Gbps for FlexStack). Fully Unified Control Plane (the protocols STP, VTP, OSPF Routing, EtherChannel, ... are configured and managed as on 1 Switch).
Weaknesses:
- Higher cost than the STP-based redundancy solution, because Switches supporting StackWise+ (Catalyst 3750-X) or FlexStack (Catalyst 2960S) cost more (1.5 to 2 times) than equivalent Switches without Stack support.
However, given the advantages of Stack-capable Switches, applying them selectively can reach a reasonable performance/investment ratio (e.g. use only 2 x 3750-X Switches as Core, and ordinary Switches without Stack support elsewhere, ...).

Discussion of the Network Devices Used in the Design

Core/Distribution Switch: Cisco Catalyst 3750-X.
Access Switch: Cisco Catalyst 2960.
Internal Firewall: Cisco ASA5550 or equivalent.
Server Switch: Cisco Catalyst 3750-X or 2960S.
DMZ/WAN Switch: Cisco Catalyst 2960S.
Internet Firewall: Cisco ASA5505, ASA5510 or ASA5520.
Internet Router: Cisco Router 1900.
WAN Router: Cisco Router 800, 1900, 2900.
Reference links:
- Cisco 3750-X: http://www.cisco.com/en/US/products/ps10745/index.html
- Cisco 2960: http://www.cisco.com/en/US/products/ps6406/index.html
- Cisco 2960S: http://www.cisco.com/en/US/products/ps12200/index.html
- Cisco ASA5500: http://www.cisco.com/en/US/products/ps6120/index.html
- Cisco Router 800: http://www.cisco.com/en/US/products/...380/index.html
- Cisco Router 1900: http://www.cisco.com/en/US/products/ps10538/index.html
- Cisco Router 2900: http://www.cisco.com/en/US/products/ps10537/index.html

Configuration Template: To be continued ...

Part II: Notable comments in the topic

As of now (Fri Jun 22 23:54:25 ICT 2012) Mr. Binhhd has not updated the topic any further. I will add a few notable comments to this document for further reference.
1. Comment by NDNghia:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u/page2?p=188252#post188252
Just a humble opinion; please add to it if you have anything ...
Further discussion on the role of the Supervisor Card (SUP).
- Stores the configuration
- Stores the routing table, the ARP table and the MAC address table
- Builds the routing table and runs the routing protocols
- Runs the Layer 2 technologies (STP, VSS ...)
- Runs the applications used to administer, operate and monitor the system (SNMP service, Netflow, AAA ...)
- Controls the switching process of the line-cards in the system and makes the decisions to build the CAM entries for the line-cards
- Communicates with the service modules
The Supervisor can be seen as the brain of the whole system, making the packet switching decisions. Current hardware switching technologies depend on the CAM (Content Addressable Memory) table. High-speed switching devices usually check and compare the switching information (Layer 2 address) in the packet against the values in the CAM table in order to switch it. Only when no matching value is found in the CAM, or in mandatory cases (a packet carrying a new MAC address or belonging to a routing protocol ...), is the packet sent up to the SUP for processing. The CAM table can also be applied to the upper layers (Layer 3, 4 or 7) for switching (Cisco Express Forwarding, Application Switching - switching devices that load-balance on Layer 7 information ... etc).
So when a command is applied on the supervisor, IOS pushes it down to the line-card to change the CAM entries on the line-card. It is this model that raises processing speed and switching capacity, because the whole switching process is carried out on the LINE-CARD, in hardware (hardware-forwarding), rather than through CPU processing on the SUP.
For example, if an access-list command is applied, the SUP sends the command down to the corresponding line-card, and the Forwarding-CAM-entry of the line-card is changed. How the CAM entry is changed, what protocol links the SUP and the Line-Card, how CAM entries are built, how the CAM lookup algorithm is optimized ... are CISCO trade secrets (only their hardware development and customer technical support teams know them). Perhaps the competition between the big network equipment vendors lies mainly here, each bringing out its own technology to optimize switching on its devices. Switching between Cisco line-cards is certainly completely different from Juniper, Extreme, Force 10, Brocade/Foundry ...
These line-cards are themselves ASIC (Application Specific Integrated Circuit) boards, with their own CPU, CAM memory and software, to raise switching performance and Layer 1 (input signal) processing. Once a line-card has built its CAM entry table, it switches on its own without sending anything up to the SUP. Even so, the line-card still has to communicate with and depend on the SUP to build the CAM Forwarding Entry table.
Response:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188254#post188254
Thanks for your additions, very complete and accurate on the 2 parts: Supervisor and Linecard

2. Comment by dante04:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188186#post188186
Let me ask one thing: why was a higher-end ASA chosen for the Internal Firewall than for the Internet Firewall? I would think the Internet firewall carries more traffic than the Internal firewall, having both VPN and Internet traffic.
Response:
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=188210#post188210
Hello,
The main reason is that the Internal FW has to protect the application servers on the internal network; usually access from internal users to these servers goes over high-speed LAN connections (1 Gbps or more). So if the FW is not powerful enough, it becomes a bottleneck when users access these applications.
For the Internet FW, because the Internet link speed is usually not high (a few Mbps to a few tens of Mbps), the FW does not need to be as powerful as the Internal FW. However, other parameters need attention when choosing the Internet FW, such as: max concurrent connections, connections per second, VPN throughput, additional Anti-x support (anti-Virus, spyware, ...).
3. Comment by homeless (personally I find it very good)
http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=192864#post192864
Is it really as good as people say? The articles are practice-oriented, but I find some things not quite satisfactory. Take the last article, HA + No STP:
1/ Looking at the physical topology there are 2 WAN switches + 2 External Switches and 2 switches in the server farm. In practice, are 2 WAN switches really needed? How many branch offices does an SMB have? Say 5 remote offices, then we need 2x5 (for the WAN router links) + 2 uplinks to the cores = 12 ports. Using 2 x 24-port switches as WAN switches leaves 36 spare ports. Rather wasteful. Why not connect into the core switches or the external ones?
2/ For an SMB, are 4 firewalls overkill? Would virtual contexts be better?
3/ After stacking (virtual switch), all connections between the "Blocks" are single links (etherchannel) with no alternative link, so is running OSPF really the best choice?
4/ For an SMB, the chance of using VoIP is high. Should the access switches support PoE?
5/ Looking at the physical diagram, you need (e.g. 5 remote offices for the SMB) 12 ports for remote offices + 8 ports for 2 ASAs (using virtual contexts) + 10 ports for 5 access switches + 4 ports for internet routers = 34 ports, leaving 14 ports for servers. With VM technology you can have 100+ servers on these 14 ports. So is using only 2 x 3750 enough? (With stacking you can always add a 3rd switch and stack it into the core, so scalability is still assured.)
Is the 3-layer Core/Dist/Access model still appropriate when VM/cloud is growing so strongly? HP has a 2-layer model and some other vendors have a 1-layer model. Worth looking into.
Just a few thoughts, everyone please add to them
Taolao
Response: no response from Mr. Binhhd yet

4. Comment by homeless (second comment)


http://vnpro.org/forum/showthread.php/55290-Thi%E1%BA%BFt-k%E1%BA%BF-m
%E1%BA%A1ng-t%E1%BB%AB-l%C3%BD-thuy%E1%BA%BFt-%C4%91%E1%BA
%BFn-th%E1%BB%B1c-ti%E1%BB%85n-%E2%80%93-l%E1%BB%9Di-n%C3%B3i%C4%91%E1%BA%A7u?p=192989#post192989
Last time I asked about the design; now let me raise a few more points I am not clear on about the technology used in this design.
Starting from the Internet inward. The design uses 2 internet links + 2 routers to ensure HA, but uses static default routes on these 2 routers. I have thought about it over and over and still cannot understand how that achieves "redundancy".
Usually people use static routes + object tracking, or dynamic routing, to achieve this. Static routes alone, I have not seen. Dynamic routing is usually RIP or BGP.
Then, are the links active/active or active/standby? 1 ISP or 2 ISPs for the 2 links? Static + tracking, or RIP, or BGP?
About the config template: I wonder whether the author consulted the best practices when configuring the internet edge router; it looks a bit insecure. For example BGP has RFC 3682 (best practice), edge router ACLs have RFC 2827 (best practice), IP services have the "Cisco Guide to Harden Cisco IOS Devices".
Should an FHRP be used between the two internet edge routers? That is also a factor in system resilience.
Next time I will ask about the firewall.
A few more thoughts, everyone please add to them
Taolao
Response: no response from Mr. Binhhd yet
Updating...
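Static default routes with object tracking plus an FHRP between the two Internet edge routers, the combination the comment above asks about, as an added example (not the author's template and not the thread's own code). Shown for one router; the other mirrors it with a lower HSRP priority and a probe toward its own ISP. Hostnames, the router's own address, the ISP next hop, the probe target and the SLA/track/HSRP numbers are placeholders or assumptions; the HSRP virtual IP 203.162.100.1 is the gateway the ASA5510 template above points its default route at.

```cisco
! ===== INET-RTR-A (assumed); INET-RTR-B mirrors this with priority 100 =====
! Probe a host beyond ISP-A's first hop (e.g. an ISP DNS server) so that a dead
! upstream, not only a dead access link, counts as failure
ip sla 1
 icmp-echo <ISP-A-PROBE-TARGET> source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Dampen flaps: down after 30 s of failed probes, up only after 60 s of success
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! This router's own default route exists only while the probe succeeds
ip route 0.0.0.0 0.0.0.0 <ISP-A-NEXT-HOP> track 1
!
! LAN side toward the Internet FW: the HSRP VIP is the ASA's next hop. When track 1
! goes down the priority drops below B's, so the VIP and the Internet traffic move
! to INET-RTR-B, which still has its own tracked default route
interface GigabitEthernet0/0
 description UNTRUSTED VLAN toward the Internet FW (assumed address)
 ip address 203.162.100.4 255.255.255.240
 standby 1 ip 203.162.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <hsrp-key>
 standby 1 track 1 decrement 20
```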