Can the office network be built like this? From entry to mastery, see here

2022.10.23

At the most basic level you need to master VLAN division, route selection and egress NAT; you may also need to understand network border security, MSTP and network management protocols. All of this is covered in the elementary and intermediate Cisco/Huawei certification courses.

So today I have put together a moderately difficult network deployment case to walk through with you.

The case has to be chosen carefully: it should match the environment most network engineers actually work in, such as an office or office building.

In this environment you may need to design both a wired network and a wireless coverage system.

Sometimes the network for the security (surveillance) system is designed separately but shares the LAN with the computer network.

Today's case focuses on the networking methods and options of computer networks and video surveillance.

Deployment environment: an office building with a planned total construction area of about 7500 square metres; the building is a high-rise with floors 1-6 above ground.

01 Computer Network System Construction Architecture

The computer network system serves the network applications of the building's departments and provides a flexible, secure and reliable hardware platform for building management and its applications.

The building's network is divided into several logical segments by department; it interconnects the PCs, workstations, terminal devices and LANs in the building and connects them to the WAN, forming a computer network with a sound structure and both internal and external communication.

On this basis, a software and hardware environment is established that meets the needs of business, office automation and management; information bases and application systems are developed on it to provide convenient network services for the building's staff and visitors.

02 Data exchange network construction architecture

The computer network system is divided into internal office network and external network.

Each network topology is a star and uses a layered design with two layers, access and core, built on a gigabit backbone with 100M to the desktop.

1. Physical network description

Given the nature of the data carried by the building's business network, the internal office network and the external network are logically isolated from each other.

The central network uses multiple 100M fibre links for Internet access, with high-capacity, high-speed backbone switching as the core; gigabit fibre downlinks run to the full-gigabit Layer 2 access switches in the small equipment rooms on each floor, and a wireless switch connects and centrally manages the whole wireless network.

Terminals access the network over wireless or wired connections, giving the building's network flexibility and scalability. At the same time, an independent DMZ is set up on the network border firewall; it hosts the center's core data management and storage and provides different services to the inside and the outside.

On top of this physical platform, and taking into account the current applications and the transmission quality of network data, VLAN technology is used to divide independent subnets by application. This contains broadcast storms and limits the spread of security incidents in the network, so that each subnet's data runs independently and efficiently.

2. Intranet description

The internal office network serves the center's internal users and mainly carries applications within the center, such as OA, multimedia, network management and other services that do not need Internet access.

Within this subnet, security products such as firewalls, auditing and behaviour management are deployed to control and manage internal users' access to application data, ensuring efficient daily office applications and local data exchange in the center. The specific deployment uses VLANs and other technical means, according to actual needs, to achieve management and separation.

The OA system is the internal information system, providing complete office automation for the whole center, enabling a paperless office and improving work efficiency.

Its functions include document send/receive management, office management, information collection and editing, public information management, personal affairs management, internal mail, instant messaging, information retrieval and other modules.

It fully realizes a center-wide paperless online office, covering administrative office work and public information.

3. External network description

The office extranet mainly carries central data, Internet access for the logistics query function, remote resource sharing, information flow, remote video conferencing and so on, providing a comprehensive and efficient data access and interaction platform for the center's internal and mobile users.

03 Video Surveillance Network Construction Architecture

The video surveillance network is a subnet of the data network: its front-end access layer is independent of the data network, an aggregation layer is dedicated to carrying surveillance data, and it finally merges into the core layer.

The network topology is a star and uses a layered design with three layers: access, aggregation and core, built on a gigabit backbone with 100M to each terminal.

1. Terminal signal acquisition

Network cameras collect the video signal as digital data, so no conversion equipment such as video servers is needed at the terminal, which reduces investment cost.

Through the network camera, linkage with other security monitoring systems can be achieved, improving product utilization and making the application more efficient. Because the network camera is IP-based and all monitoring devices are connected over IP links, management is convenient.

2. Monitor data transmission

With IP network cameras deployed, the terminals' video signals are aggregated directly in digital form over IP links at the surveillance core switch.

Because of the high requirements on transmission quality and real-time performance, high-capacity, high-speed backbone switching distributes and exchanges the data at the core switching position.

3. Monitoring data storage

Video data from all surveillance terminals is aggregated over IP links and stored centrally in IP-SAN mode for high-speed real-time storage; a large-capacity storage array holds and backs up all surveillance data for a specified retention period, ready for later queries.

4. Real-time monitoring and management

The surveillance management server is deployed in bypass mode at the core switch; it automatically scans and discovers all monitored devices, builds the corresponding topology, maintains the surveillance terminals and controls data collection and transmission.

At the same time, the data is sent to the security monitoring center over a gigabit optical link and displayed in real time on the video wall.

04 Construction and deployment of data exchange network

1. Core Switch Deployment

There are about 500 terminal nodes. Gigabit core switches are deployed in the network equipment cabinet of the main equipment room of the information center on the 2nd floor.

Two high-performance core switches supporting Layer 3 switching and routing form a redundant dual core. Every access-layer switch connects to both core switches over two gigabit fibre links, ensuring link redundancy.

The server farm is redundantly connected to the two core switches via two gigabit links.

A VLAN division strategy assigns separate VLANs to the building's network terminals by department, to video conferencing applications and to the intelligent building subsystems;

Members of the same department can reach each other across floors, while different departments cannot reach each other without permission. Communication between VLANs is routed through the core switch, which is responsible for forwarding within the internal network.
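The department-based VLAN policy just described can be written down as data and rendered into the core switch's per-VLAN ACLs, so the "same department across floors, nothing else without permission" rule is explicit and testable. The following is an added example, not code from the original article; the VLAN ids, department names, addressing plan and the grant to the video conferencing VLAN are constructed for illustration.

```python
"""Department-based VLAN segmentation model for the building's core switch.

Added example (not from the original article). One VLAN per department per
floor, plus building-wide service VLANs (video conferencing, surveillance).
Policy from the article: a department may reach itself across floors,
cross-department traffic is denied unless explicitly permitted, and the core
switch enforces this with per-VLAN extended ACLs.  All ids and addresses
below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str           # department or shared-service name
    floor: int          # 0 = building-wide service VLAN
    subnet: IPv4Network


# Constructed addressing plan: 10.<floor>.<dept-index>.0/24 per department VLAN.
VLANS = [
    Vlan(110, "finance", 1, IPv4Network("10.1.1.0/24")),
    Vlan(120, "hr", 1, IPv4Network("10.1.2.0/24")),
    Vlan(210, "finance", 2, IPv4Network("10.2.1.0/24")),
    Vlan(220, "hr", 2, IPv4Network("10.2.2.0/24")),
    Vlan(900, "videoconf", 0, IPv4Network("10.9.0.0/24")),
    Vlan(950, "surveillance", 0, IPv4Network("10.9.50.0/24")),
]

# Explicit cross-department grants (source name -> destination name).
# Constructed: every department may reach the video conferencing VLAN; nobody
# is granted the surveillance VLAN, so it stays isolated from office traffic.
PERMITTED = {("finance", "videoconf"), ("hr", "videoconf")}


def is_permitted(src: Vlan, dst: Vlan) -> bool:
    """Same department talks across floors; anything else needs a grant."""
    if src.name == dst.name:
        return True
    return (src.name, dst.name) in PERMITTED


def render_acl(src: Vlan, vlans=VLANS) -> list[str]:
    """Cisco-IOS-style extended ACL to apply inbound on src's SVI.

    Wildcard masks are derived from the prefix length. The closing deny makes
    the default deny between departments explicit; permits for the server
    farm or Internet egress would be added to PERMITTED the same way.
    """
    def wc(net: IPv4Network) -> str:
        return str(net.hostmask)

    lines = [f"ip access-list extended FROM-VLAN{src.vid}"]
    for dst in vlans:
        if dst is not src and is_permitted(src, dst):
            lines.append(f" permit ip {src.subnet.network_address} {wc(src.subnet)} "
                         f"{dst.subnet.network_address} {wc(dst.subnet)}")
    lines.append(" deny ip any any log")
    return lines
```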

Modular core switches are used, with a backplane switching capacity above 1 Tbps; they support Layer 3 switching and routing for high-performance core forwarding, and support IPv4, IPv6, MPLS, NAT, multicast, QoS, bandwidth control and other service functions, ensuring the stability and scalability of the network core.

Each core switch has two power supplies for power redundancy;

Gigabit optical/electrical port cards are configured to connect the server farm, network management, the network security system, and the hot-standby and load-balanced links.

2. Floor access deployment

100M access switches are deployed in network equipment cabinets in the small equipment room on each floor and in the security monitoring room; they connect terminal computers, wireless APs and so on.

Each access switch is a managed Layer 2 switch supporting port aggregation, VLAN, STP, SNMP and other features, configured with 24 or 48 10/100M electrical ports and 2 gigabit optical ports, giving 10/100M to the desktop and a gigabit uplink to the core switch.

3. Wireless access deployment

A 100M wireless access switch is deployed in the information center room on the 1st floor, with gigabit uplink ports, making the wireless APs controllable and manageable. The APs work with the wireless controller/wireless switch in Fit AP mode, which is convenient for centralized management.

The wireless network's coverage fills the wired network's blind spots, so users can log in anywhere within the effective coverage area without being tied to a time or place. In this project, wireless routers are placed in the public areas of each floor to fully cover the office area.

Each wireless router is connected to the external network. High-performance 100M wireless LAN access equipment is used: the AP uplink is a 100M Ethernet interface, and the wireless router supports 802.11a/b/g/n, dual-band single-mode operation, an integrated antenna, the 2.4 GHz and 5.8 GHz bands, and 20/40 MHz channels.

05 Video surveillance LAN

1. Aggregation switching deployment

There are about 60 terminal nodes. A gigabit core switch is deployed in the network equipment cabinet of the main equipment room of the information center on the 1st floor; it is a high-performance aggregation switch supporting Layer 3 switching and routing. The server farm is connected to it via one gigabit link.

The core switch is modular, with a backplane switching capacity above 1 Tbps; it supports Layer 3 switching and routing for high-performance core forwarding, and supports IPv4, IPv6, MPLS, NAT, multicast, QoS, bandwidth control and other service functions, ensuring the stability and scalability of the network core.

The core switch has two power supplies for power redundancy and gigabit optical/electrical port cards that connect the front-end video terminals, server groups, network management, the network security system, and the hot-standby and load-balanced links.

2. Floor access deployment

100M access switches are deployed in network equipment cabinets in the small equipment room on each floor and in the security monitoring room; they connect terminal computers, wireless APs and so on.

Each access switch is a managed Layer 2 switch supporting port aggregation, VLAN, STP, SNMP and other features, configured with 8 or 16 10/100M electrical ports and 2 gigabit optical ports, giving 10/100M to the desktop and a gigabit uplink to the core switch.

06 Server and storage deployment

Two business information database servers (one active, one standby) are set up on the intranet; they are x86 machines, each with two fibre network cards as storage ports;

Other servers are configured individually according to application requirements.

Two fibre-channel disk arrays are set up for business information data, and a data mirroring system keeps the two arrays synchronized.

The disk arrays are on an FC-SAN, with two 8-port SAN switches (for redundancy) connecting to the front-end file information database servers.

Given the importance and real-time nature of the company's information data, an online disaster-recovery backup system is deployed for the business database server: online database backup software on the server backs up the important data the application systems depend on to the storage device in real time.

The intranet also hosts server groups such as the smart card server, OA server and FTP server;

On the external network, the edge web server, anti-virus server and mail server are configured; the video storage server is placed on the surveillance network.

07 Network Security Deployment

To ensure the subsequent operational stability and data security of the whole network, firewalls, intrusion prevention, an anti-virus gateway and other security products are deployed in the central network to control, manage and authorize data access in and out of the network and the DMZ.

1. Network management system deployment

Network management platforms are deployed on the internal, external and surveillance networks to detect, track and locate problems and to prevent flooding in a timely manner, giving network operators the information they need to monitor for and prevent network attacks.

They raise alarms on network events and generate reports; centrally manage network devices, servers and security appliances; automatically generate the topology of the whole network; display traffic; and offer graphical configuration.

2. Firewall system deployment

At the network access boundary, a gigabit high-performance firewall is deployed as the security boundary to filter and protect data entering and leaving the external network.

The firewall must support at least two gigabit electrical ports and at least two gigabit optical ports, and it must support bypass so that a single point of failure does not interrupt the network.

The device must support routing mode, transparent mode, NAT mode, hybrid mode and other access modes. It must support security policies based on zones, interfaces and aliases, and must be able to control HTTP services by file size, content and URL. It must also support mail filtering, Bayesian filtering, self-learning and RBL real-time blacklist management.

It can filter and control various applications, such as games, chat and downloads.

3. Antivirus system deployment

One anti-virus system supporting 500 users is deployed in the Internet access area. It enforces the security policy for Internet access, scans for and removes viruses carried over web, mail, FTP, QQ, MSN and other channels, and supports unpacking of packed malware.

One network edition anti-virus suite supporting 500 users is configured on the external network.

4. Intrusion Prevention System Deployment

An intrusion prevention system is deployed in the Internet access area; it provides effective defence and assurance in three aspects:

Active protection: actively blocks the spread of malicious traffic such as network worms, Trojans, hacker attacks and network viruses to protect the user's network resources;

System vulnerability shielding: provides effective protection for vulnerable hosts in the network, compensating for systems whose patches cannot be applied in time;

Application access control: effectively controls bandwidth abuse by sensitive applications such as IM, P2P and VoIP;

Business-critical system assurance: through intelligent security defence, the threat posed by malicious behaviour to critical business services and equipment is minimized.