Beijing Normal University Information Background Program
Beijing Synthetic Network Technology Company
System Integration Department
July 2003
First, overall architecture of the Beijing Normal University backbone network
The Beijing Normal University backbone network is a key project in the university's informatization programme. It provides an advanced and reliable network platform for the university's application systems, including ERP, online teaching, shared educational resources and others.
The backbone is a Gigabit Ethernet network built on Layer 2 all-fibre switching between the campus network center and every teaching building. Fibre is used for nearly all access links: it supports long distances and high capacity, is not susceptible to electromagnetic interference, and provides the high-speed broadband transmission needed for data, voice and video applications. There are six fibre distribution points: the mathematics building, chemistry building, physics building, electronics building, library and dormitory buildings. With the network center as the hub, a large number of single-mode fibre cables are laid to the six distribution points; fibre distribution frames installed in the nearby teaching buildings then fan out to those buildings over smaller 8-core cables. All campus cable runs are laid in a (1+1)x2 arrangement: two fibre paths are the primary paths (if one of them fails, the hot-standby path is switched into the active state immediately), while the third and fourth paths are kept as backup lines, which is what gives the backbone its redundancy.
The overall structure of the backbone is a collapsed-core design: the core layer and the aggregation layer are collapsed onto the core switches, so the network consists of a core layer and an access layer. The core-layer switching equipment is located in the computer room of the campus network center, while the access-layer switching equipment is distributed across the teaching buildings, the student dormitories and the library.
The main functions of each layer are as follows:
The core layer uses high-speed routing switches that provide high-speed routing and data switching for the whole campus network and connect over fibre to the teaching buildings, student dormitories and the library. All virtual subnets (VLANs) are terminated on the core switches, and the Hot Standby Router Protocol (HSRP) provides a reliable default gateway for each of them.
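As an added illustration (not configuration from the original project), the following shows how HSRP is set up for one VLAN on the MSFCs of the two core switches, with spanning tree aligned so that the active gateway and the root bridge sit on the same chassis; it serves both this core-layer description and the device-redundancy discussion in the redundancy section. It assumes native Cisco IOS on both MSFCs, VLAN 10 as the mathematics building VLAN numbered 172.16.10.0/24, HSRP group 10, and the hostnames, priorities and timers shown; all of those are assumptions.

```cisco
! Core-A: MSFC in the first Catalyst 6509 (hostname, addresses and VLAN number are assumed)
hostname CORE-A
!
! Make Core-A the spanning-tree root for the VLAN, so the Layer 2 forwarding path
! and the active HSRP gateway are on the same chassis.
spanning-tree vlan 10 priority 4096
!
interface Vlan10
 description Mathematics building users, 172.16.10.0/24
 ip address 172.16.10.2 255.255.255.0
 ! Shared virtual gateway address that every host in the VLAN uses as its default route
 standby 10 ip 172.16.10.1
 standby 10 priority 110
 ! Take the active role back after a reboot, but wait 60 s so routing has converged first
 standby 10 preempt delay minimum 60
 ! Hello 1 s / hold 3 s: failover completes in about 3 s instead of the 10 s default
 standby 10 timers 1 3
 ! HSRP hellos are multicast to every host on the VLAN; without authentication any host
 ! can announce a higher priority and hijack the gateway. MD5 is preferred where the IOS
 ! image supports it; the older "standby 10 authentication <string>" form is plain text.
 standby 10 authentication md5 key-string <shared-secret>
!
! Core-B: MSFC in the second Catalyst 6509, the standby gateway
hostname CORE-B
!
spanning-tree vlan 10 priority 8192
!
interface Vlan10
 description Mathematics building users, 172.16.10.0/24
 ip address 172.16.10.3 255.255.255.0
 standby 10 ip 172.16.10.1
 standby 10 priority 100
 standby 10 preempt delay minimum 60
 standby 10 timers 1 3
 standby 10 authentication md5 key-string <shared-secret>
```

`show standby brief` on each MSFC should show exactly one Active and one Standby for group 10; if both report Active, the two chassis cannot see each other's hellos on VLAN 10 (typically the VLAN is missing from the inter-switch trunk), and hosts will see duplicate gateway addresses.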
The access layer covers the mathematics, chemistry, physics and electronics buildings, the library and the dormitory buildings. It connects desktop computers and teaching servers and provides high-speed switching for the local area network of each building.
The backbone network topology of Beijing Normal University is shown below.
Second, main network technologies of the Beijing Normal University backbone
The backbone network adopts several advanced networking technologies. Gigabit Ethernet provides high-speed interconnection of the trunk; redundancy techniques make the network connections reliable; subnetting and VLAN technology connect the different sites of the campus; firewall and access control technologies protect the information network; and Layer 3 switching provides high-speed routing between VLANs.
1, Gigabit Ethernet technology
Network technology is developing rapidly, users keep demanding higher speeds, and vendors offer a wide variety of products. In terms of maturity, four technical strategies are commonly considered for a campus backbone: Fast Ethernet, FDDI, ATM and Gigabit Ethernet. Fast Ethernet and FDDI are limited to 100 Mbps of backbone bandwidth and are not considered for the campus backbone. ATM switching backbones (OC-3 at 155 Mbps or OC-12 at 622 Mbps) use comparatively expensive equipment, and ATM needs LAN emulation to carry Ethernet, which adds switching delay and weakens the quality-of-service guarantees for multimedia. Gigabit Ethernet switching, by contrast, offers high transmission bandwidth (1 Gbps) together with the high-speed switching and quality of service that multimedia applications require; it migrates easily from existing Ethernet networks, is easy to maintain and manage, and has a good price/performance ratio.
2, redundancy technology
Redundancy is applied in two respects: link redundancy and device redundancy. For link redundancy, the backbone lays two large-core fibre cables from the central computer room to each fibre distribution point, and there is a backup line from each distribution point to each access switch. For device redundancy, the core is configured redundantly: the central computer room holds two Cisco Catalyst 6509 switches, each access-layer or aggregation-layer switch is connected to both of them, and HSRP (Hot Standby Router Protocol) together with spanning tree is configured on the two Catalyst 6509s to provide redundant switching and routing and so improve the reliability of the system.
3, subnet and VLAN technology
The backbone uses a unified IP scheme, and every network device in the IP network is identified by an IP address. Because the network is large and has many devices, the class B private address block 172.16.0.0/16 is used as the campus LAN address space and is allocated to the different teaching buildings and student dormitories by dividing it into VLANs and subnets.
The number of devices in a teaching building generally does not exceed one class C block (a /24), that is, each building can have up to about 250 computers in use at the same time; a larger building with more than one class C of devices is allocated several address blocks. Addresses are also reserved for network management; their purpose is to manage the normal operation and commissioning of the backbone's network equipment and of all network and server equipment in the central computer room.
A VLAN (virtual LAN) is a logical grouping of the ports of the access-layer switches that assigns network users to segments according to their needs rather than their physical location. A VLAN can be confined to one switch or span several switches. VLANs can be grouped by location, role, department, application or protocol. Switch-based VLANs address the collision-domain, broadcast-domain and bandwidth problems of a local area network.
4, Layer 3 switching technology
Layer 3 switching combines Layer 2 switching with Layer 3 forwarding. It removes the need for a router to manage every segment and subnet division in the LAN and eliminates the bottleneck caused by the low speed and complexity of traditional routers.
The backbone uses the Layer 3 switching module (MSFC) of the Cisco Catalyst 6509 to route between VLANs at high speed.
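As an added example (not the original project's configuration), the following shows the VLAN and subnet layout of one building end to end: the access switch puts desktop ports in the building VLAN, carries it over an 802.1Q trunk to the core, and keeps its own management address in a separate management VLAN reachable only from the NMS subnet; the MSFC in the Catalyst 6509 terminates each VLAN on a switched virtual interface (SVI) and routes between them in hardware. VLAN 10 (172.16.10.0/24, mathematics building), VLAN 254 (172.16.254.0/24, network management), the hostnames, port numbers, access-list number and the Catalyst 3500XL IOS 12.0 command syntax are assumptions; only the 172.16.0.0/16 address block comes from the document.

```cisco
! Access switch in the mathematics building (Catalyst 3500XL; IOS 12.0 XL syntax assumed).
! VLAN 10 = building users 172.16.10.0/24, VLAN 254 = network management 172.16.254.0/24.
hostname MATH-ACC-1
!
vlan database
 vlan 10 name MATH-USERS
 vlan 254 name NET-MGMT
 exit
!
! Desktop ports are access ports in the building VLAN only
interface FastEthernet0/1
 description Office desktop
 switchport mode access
 switchport access vlan 10
!
! Uplink to the core: 802.1Q trunk; prune every VLAN this building does not need
interface GigabitEthernet0/1
 description Uplink to core over building fibre
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 2-9,11-253,255-1001
!
! The switch's own management address lives in the management VLAN, not in the user VLAN
! ("management" moves the XL series management interface away from VLAN 1)
interface VLAN254
 ip address 172.16.254.11 255.255.255.0
 management
ip default-gateway 172.16.254.1
!
! Only the management subnet may open Telnet sessions or read SNMP from this switch
! (access-list argument on snmp-server community assumed supported by the XL image)
access-list 10 permit 172.16.254.0 0.0.0.255
snmp-server community <read-only-community> RO 10
line vty 0 4
 access-class 10 in
 login
 password <vty-password>
!
! MSFC on the core Catalyst 6509 (native Cisco IOS): one SVI per VLAN terminates the subnet;
! routing between SVIs happens in hardware, with no external router involved.
interface GigabitEthernet3/1
 description Trunk to MATH-ACC-1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,254
!
interface Vlan10
 description Mathematics building users, 172.16.10.0/24
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan254
 description Network management (reserved), 172.16.254.0/24
 ip address 172.16.254.1 255.255.255.0
```

`show vlan` on the access switch and `show ip route connected` on the MSFC confirm that both ends agree on the VLAN numbers; a VLAN that exists on the trunk but has no SVI is bridged across the core without being routed, which is usually an error.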
Third, the Beijing Normal University backbone network center
The network center is the management and control center of the whole backbone and sits at the hub of the network. The central systems, such as the e-mail, WWW and DNS systems, are located there. Key devices of the network center have redundant backups, and critical servers are strictly protected.
The equipment of the network center is divided into three parts: internal network, external network and DMZ. The internal network has the highest security level, the DMZ the second highest, and the external network the lowest. In the firewall policy, a zone with a higher security level may initiate access to a zone with a lower level; access in the other direction is denied unless explicitly permitted.
The network management system, internal network users and the internal web servers are placed on the inside of the firewall; the public WWW server, DNS server and e-mail server are placed in the DMZ; and the outside interface of the firewall connects directly to the Internet. The topology of the network center is shown in the figure.
As the figure shows, the network center is the core of the backbone. The firewall (a Cisco PIX) divides it into three areas: the secure zone, the public access zone and the non-secure zone. The firewall's address translation function lets the internal network reach the Internet, acting in the role of a proxy. The secure zone holds the two Catalyst 6509 core switches and the firewall (Cisco PIX 525). The core switches provide the redundant data transmission mechanism for the backbone; the two of them back each other up in hot standby so that the network can run without interruption. The firewall separates the campus internal security zone, the public access zone and the non-secure zone and so establishes the security mechanism for the whole campus network. The internal billing server provides Internet access to campus users, with a secure authentication mechanism (CA) ensuring that only legitimate users gain access and that their usage is billed. The public access zone consists of the web, mail and DNS servers: the web server hosts the university's website, the mail server relays the university's external mail, and the DNS server provides name resolution for the intranet. The outlet of the non-secure zone connects to the Internet to meet the needs of students and teachers.
Fourth, Beijing Normal University backbone network equipment
The backbone's network equipment is selected from Cisco Systems, Inc. Cisco is a world-leading vendor of intranet and Internet networking equipment, whose hardware and software products are used mainly to interconnect computer network systems. Cisco has become the recognised leading vendor of network interconnection solutions; its solutions form the foundation of thousands of companies, universities, enterprises and government departments around the world, with users spanning telecommunications, finance, services, retail and other industries as well as government departments and educational institutions. More than 80% of the routers on the Internet are Cisco products.
The backbone uses Cisco Catalyst 6509 core switches, Catalyst 4006 aggregation-layer switches, and Catalyst 3500XL and Catalyst 2900XL access-layer switches. The firewall product is the Cisco PIX 525.
1, core switch Catalyst 6509
The Catalyst 6509 switch provides a high-performance multilayer switching solution for campus and enterprise networks and is designed for server-concentrated application environments. It is intended to meet the demands of collapsed and distributed backbones and server farms for ever-higher Gigabit port density, data and voice integration, scalability, high availability and multilayer switching. The Catalyst 6509 complements the Catalyst 5000 and 8500 series, which continue to provide wiring-closet and backbone solutions, and serves campus intranets with demanding network services (such as ERP) and voice-over-network applications. Combined with Cisco IOS and its broad set of services, the Catalyst 6509 offers strong network management, user mobility, security, high availability and multimedia support, providing the high-capacity Gigabit switching and multilayer intelligence needed to manage network traffic effectively.
The Catalyst 6509 has a backplane switching bandwidth of up to 256 Gbps and a multilayer switching capacity of up to 150 Mpps. It has 9 slots and supports up to 384 10/100 Mbps Ethernet ports, 192 100FX Fast Ethernet ports or 130 Gigabit Ethernet ports.
Efficient multimedia and multicast support within the intranet is provided through Protocol Independent Multicast (PIM), the Internet Group Management Protocol (IGMP), the Cisco Group Management Protocol (CGMP) and the GARP Multicast Registration Protocol (GMRP). A wide range of quality-of-service (QoS) features is supported for mission-critical applications.
2, aggregation-layer switch Catalyst 4006
The Cisco Catalyst 4006 is a high-performance, medium-density modular 10/100/1000 Mbps Ethernet switching platform for wiring closets and data centers. It uses the industry-leading Catalyst 5500/5000 series software code base, giving customers the rich, proven features they need for a university network solution. Its cost-effective six-slot modular chassis brings the benefits of a converged network to every user of the university or branch.
The Catalyst 4006 offers scalable switching with up to 240 10/100 ports and multiprotocol Layer 3 switching of IP, IPX and IP multicast. The newer Catalyst 4908G-L3 delivers the high-performance Layer 3 switching a campus backbone needs in a fixed-configuration package.
The Catalyst 4006 chassis has six slots, one reserved for the supervisor engine and five for switching modules; two power supply bays support redundant (optional), load-sharing, fault-tolerant AC power; and the fan tray is hot-swappable.
Its configuration flexibility and modularity give the Catalyst 4006 a comprehensive, scalable range of hot-swappable 10/100/1000 Mbps Ethernet switching modules, providing ready-to-use campus network intelligence that can be expanded easily and flexibly to meet future network needs. Four different Catalyst 4000 series modules are currently available and can be mixed and matched for a wide range of wiring-closet and data-center applications.
3, access-layer switch Catalyst 3500
The Catalyst 3500 XL series is a scalable line of stackable 10/100 and Gigabit Ethernet switches offering first-class performance, manageability and flexibility together with unparalleled investment protection. This low-cost, high-performance switching solution provides next-generation stackable switching integrated with voice and IP telephony. It allows all Cisco switch ports to be managed from a single IP address and provides an independent high-speed stacking bus that preserves valuable desktop ports when switches are interconnected.
The product features of the Catalyst 3500 XL series are as follows:
l 10.8 Gbps switching fabric, a maximum forwarding rate of 7.4 million packets per second and a maximum forwarding bandwidth of 5.4 Gbps, providing wire-speed switching across all 10/100 ports
l Built-in Gigabit Ethernet ports that accept a range of GBIC transceivers, including the Cisco GigaStack GBIC, 1000BASE-SX and 1000BASE-LX/LH GBICs
l The low-cost 2-port Cisco GigaStack GBIC offers a wide range of stacking configurations and performance options, providing 1 Gbps connections in a daisy-chain arrangement or 2 Gbps in a dedicated switch-to-switch connection
l Cisco switch clustering lets users build a network of up to 16 Catalyst 3500 XL, 2900 XL and 1900 switches managed under a single IP address over standard Ethernet, Fast Ethernet and Gigabit Ethernet media, regardless of their geographic location
l Up to 250 port-based VLANs, with ISL or 802.1Q trunking
l Support for Fast EtherChannel
l Management through SNMP, Telnet, RMON (history, events, alarms and statistics), CWSI, a command-line interface and the embedded web-based Cisco Visual Switch Manager
4, firewall Cisco PIX 525
The Cisco Secure PIX firewall is a dedicated firewall appliance in Cisco's firewall family. It provides strong security without affecting network performance, and the product line scales across a wide range of customer needs with three capacity licence levels. The Cisco Secure PIX is a leading product in the firewall market. It provides comprehensive firewall protection and completely hides the internal network architecture from the outside world. Virtual private network (VPN) connections based on the IPSec standard can be established through it, and it strengthens secure access between the internal network, external network links and the Internet. The product features of the Cisco PIX are as follows:
l A real-time embedded operating system
l Sits between the intranet and the Internet access router, with Ethernet, Fast Ethernet, Token Ring or FDDI LAN connection options
l A protection scheme based on the Adaptive Security Algorithm (ASA) for maximum security
l Support for up to 250,000 simultaneous connections
l URL filtering
l Cut-through proxy, which improves processing speed
l HP OpenView integration
l A graphical user interface that simplifies configuration and management
l Alarms and alarm notification by e-mail and pager
l VPN support through the optional Private Link encryption card
l Evaluated under the Trust Technology Assessment Program (TTAP), certified by the US National Security Agency (NSA), and certified by the security product testing center of the Chinese Ministry of Public Security
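As an added example (not the project's own configuration), the following is a minimal PIX 6.x configuration for the three zones described in the network center section: inside (campus), DMZ (web, mail and DNS servers) and outside (Internet). It shows the security-level rule, the address translation that hides the campus behind the firewall, and the access lists that publish only the DMZ services. The campus range 172.16.0.0/16 is from the document; the interface addresses, the public block 203.0.113.0/29 with server addresses 203.0.113.10-12, the DMZ subnet 192.168.10.0/24 and the NMS address 172.16.255.20 used as the syslog host are assumptions.

```cisco
! Three zones with security levels: a higher-level interface may initiate connections to a
! lower-level one by default; the reverse is denied unless a static and an access-list permit it.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 172.16.255.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Campus -> Internet: every internal host is hidden behind the outside interface address (PAT)
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0
! Campus -> DMZ: identity translation, so DMZ servers see real campus addresses in their logs
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
!
! Published servers: one public address per DMZ host (one-to-one static NAT)
static (dmz,outside) 203.0.113.10 192.168.10.10 netmask 255.255.255.255
static (dmz,outside) 203.0.113.11 192.168.10.11 netmask 255.255.255.255
static (dmz,outside) 203.0.113.12 192.168.10.12 netmask 255.255.255.255
!
! Internet -> DMZ: only the published services; anything else bound for the DMZ or inside is dropped
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in permit tcp any host 203.0.113.11 eq smtp
access-list outside_in permit udp any host 203.0.113.12 eq domain
access-list outside_in permit tcp any host 203.0.113.12 eq domain
access-group outside_in in interface outside
!
! DMZ -> elsewhere: once an access-list is bound to the dmz interface, the level-based default
! no longer applies there. A compromised web server therefore cannot open connections into
! the campus network (nothing permits 172.16.0.0/16), and only the mail and DNS servers may
! reach the Internet, each on its own protocol.
access-list dmz_out permit tcp host 192.168.10.11 any eq smtp
access-list dmz_out permit udp host 192.168.10.12 any eq domain
access-list dmz_out permit tcp host 192.168.10.12 any eq domain
access-list dmz_out deny ip any any
access-group dmz_out in interface dmz
!
! Send denied connections and translation events to the NMS workstation on the inside
logging on
logging trap informational
logging host inside 172.16.255.20
```

Without the dmz_out list, the DMZ (level 50) would be able to reach the Internet (level 0) freely by default, which is exactly the path an attacker who has taken over the public web server would use to fetch tools or exfiltrate data. `show conn` and `show xlate` on the PIX show the live connections and translations; the syslog stream to the NMS is what the detection side of the design relies on.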
Fifth, the Beijing Normal University backbone network management system
The backbone uses Cisco's network management product CiscoWorks2000. It mainly manages the configuration parameters of the Cisco devices in the network. All network device configurations are backed up on the NMS workstation, so that if a device fails and loses its configuration, the configuration can be restored quickly and troubleshooting time is shortened.
The main functions and features of CiscoWorks2000 are as follows:
l An easy-to-use graphical user interface
l Centralized graphical configuration of Cisco network equipment
l Real-time performance monitoring of network equipment
l CiscoWorks2000 can be used on its own as a network management product or integrated with a network management platform such as HP OpenView Network Node Manager (NNM): the CiscoWorks2000 graphical user interface (GUI) is integrated into the NNM GUI, so that all CiscoWorks2000 functions can be invoked directly from the NNM menus, and CiscoWorks2000 event handling is integrated into the NNM Event Browser.
CiscoWorks is an SNMP-based network management application that integrates with several popular network management platforms, such as IBM NetView for AIX, SunNet Manager (SunOS and Solaris), Sun Domain Manager and HP OpenView on Sun or HP systems. Built on industry-standard platforms, CiscoWorks monitors device status, simplifies the maintenance of configuration information and helps locate faults.
The CiscoWorks function is as follows:
1, AutoInstall Manager
This feature automates the remote installation of a new router through an adjacent router, making installation tasks more automated and easier.
Interface with NetView
The CiscoWorks NetView Interface is a separate product that provides two-way communication between the CiscoWorks network management system and IBM NetView and gives access to the CiscoWorks applications through Runcmd.
2, configuration management (Configuration Management)
The configuration files of local and remote Cisco devices in the network can be accessed, analysed and edited as needed. Two configuration files stored in the database can be compared, as can a device's current configuration and an earlier configuration held in the database.
Device Management
Creates and maintains a database of all network hardware, software and operating levels, the people responsible for maintaining the equipment, and the related sites.
Device Monitor
Monitors network devices to obtain information about the state of the network. The polled information is stored in the database and can be used for later evaluation and analysis.
Global Command Manager and Global Command Scheduler
Using the scheduler, system commands can be created and executed against a group of devices at any time.
3, performance monitor (Performance Monitor)
Checks status information about a device, including buffers, CPU load, available memory, and the use of protocols and interfaces.
4, offline network analysis (Off-line Network Analysis)
Collects historical network data for performance and traffic analysis. An integrated Sybase SQL relational database server stores SNMP MIB variables, which users can query to generate charts.
5, Path Tool
Views and analyses the path between any two devices, analyses the utilisation of the path and collects error data.
6. Process Manager
Starts or stops the processes associated with CiscoWorks, including the following daemons: logging (nmlogd), polling (nmpolld), event logger (nmeventd) and device monitor (nmdevmond). It also checks the status of the system log daemon (syslogd), the Sybase server (dataserver) and TACACS (xtacacsd).
7, Real-Time Graph
Views device status information, such as router performance indicators (buffer space, CPU load, available memory) and protocol traffic (IP, ICMP, DECnet IV, IPX, VINES, XNS).
8, Security Manager
Sets permissions to keep unauthorised people out of the CiscoWorks system and the network devices, so that only authorised users can perform tasks such as configuring routers, deleting device information from the database or defining polling processes.
9. Software Device Manager
Dynamically updates the system software or microcode of Cisco routers.
10. Show Commands
Emulates the EXEC show commands of Cisco routers. Through these commands, SNMP data can be viewed for devices including Cisco routers and communication servers: software versions, buffers, device interfaces, traffic, ARP tables, IP routes and so on.
11. Management of users' Internet access
Internet use by the university's staff and students is controlled and managed through the user account management of the proxy server and the IP address management of the network management system.
Sixth, backbone network security strategy
The openness and commercialisation of the Internet have driven its rapid growth, but that openness has also brought more and more security problems, such as system intrusions, and network security is receiving more and more attention. An intranet is built on the TCP/IP protocols and adopts the Internet's information and web-based circulation model, so people need a more secure Internet. As an information platform built on Internet technology, the Beijing Normal University network must treat security as a very important issue.
Network security issues mainly include the following levels:
Level 1: physical security
Physical security covers the security of host hardware and physical lines. It is ensured mainly through the hardware equipment and the machine rooms, with redundant designs for critical equipment and components.
Level 2: network security
Network security is security at the network level, determined mainly by the network topology design and the choice of network protocols. With dual links or a redundant network structure, a partial failure will not paralyse the whole network.
Level 3: system security
System security is security at the host operating system level. Problems at this level come from the various operating systems used in the network, for example system directory settings, account and password settings and security management settings, from the weaknesses of operating systems such as the various UNIX variants, and from threats to the operating system itself and hacker programs that may reside within it.
Level 4: application security
Application security is the security of the application layer on the host systems. Threats at this level come from the configuration of the network itself and its services, the e-mail service, and the protection of the databases inside and outside the web site.
Level 5: information security
Information security protects data transmitted or stored on the network, so that even if the data is stolen its content and meaning cannot be disclosed, thus protecting the information.
1. Maximum reliability of key equipment, with network redundancy and reliability
Through a series of redundant configurations, the network and critical applications achieve a higher level of reliability, and no single point of failure will bring down the whole network.
2, network monitoring, analysis and automatic response
Key network indicators are monitored through the CiscoWorks network management platform, keeping a range of network security hazards under control.
3, Cisco PIX firewall
Cisco PIX firewall technology protects the billing server, the NMS workstation and the e-mail servers.
4. Access control technology
Dividing the network into VLANs and configuring an access list for each VLAN secures the traffic of each VLAN.
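As an added example (not the original project's configuration), the per-VLAN access lists this item refers to, written for the MSFC of a Catalyst 6509 running Cisco IOS: one list on the student dormitory SVI that keeps students away from the management network and the NMS and doubles as an anti-spoofing filter, and one on the management SVI that lets switches talk only to the NMS. VLAN 30 (172.16.30.0/24, student dormitory), VLAN 254 (172.16.254.0/24, network management), the billing server at 172.16.255.10 and the NMS at 172.16.255.20 are assumptions.

```cisco
! Catalyst 6509 MSFC (Cisco IOS). VLAN numbers, subnets and server addresses are assumptions.
!
! Dormitory VLAN 30: the list is applied "in" on the SVI, i.e. to packets arriving from students.
ip access-list extended DORM-IN
 remark Students may reach the billing/proxy server, where the CA-based login takes place
 permit ip 172.16.30.0 0.0.0.255 host 172.16.255.10
 remark The management VLAN and the NMS are never reachable from student ports
 deny   ip 172.16.30.0 0.0.0.255 172.16.254.0 0.0.0.255 log
 deny   ip 172.16.30.0 0.0.0.255 host 172.16.255.20 log
 remark Everything else is allowed only from the dormitory's own subnet; a packet with a
 remark forged source address matches nothing and is dropped by the implicit deny at the end
 permit ip 172.16.30.0 0.0.0.255 any
!
interface Vlan30
 description Student dormitory, 172.16.30.0/24
 ip address 172.16.30.1 255.255.255.0
 ip access-group DORM-IN in
!
! Management VLAN 254: switches only ever need to talk to the NMS (SNMP, syslog, Telnet replies)
ip access-list extended MGMT-IN
 permit ip 172.16.254.0 0.0.0.255 host 172.16.255.20
 deny   ip any any log
!
interface Vlan254
 description Network management (reserved), 172.16.254.0/24
 ip address 172.16.254.1 255.255.255.0
 ip access-group MGMT-IN in
```

`show ip access-lists DORM-IN` shows a hit count per entry, so a rising count on the deny lines is an early sign of scanning from the dormitory. The `log` keyword sends matching packets to the MSFC CPU instead of the hardware forwarding path, so keep it on the few entries that matter rather than on every line.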
5, automatic backup and redundancy in the application systems
The application systems use local automatic backup, with two servers providing redundant backup for each service. The database servers use the QHA high-availability dual-machine hot-standby scheme to ensure the reliability of important data and the continuity of the business.
6. Establishing a security management system
In line with the actual workflow and requirements, and in accordance with the relevant national standards and regulations, a comprehensive and strict set of security rules has been developed, including a series of operational management regulations such as the Interim Measures for Security Management, the Campus Backbone Network Management Measures, and the Campus Backbone Network IP Address and Internet Access Management Measures, which to a large extent prevent incidents caused by human factors.
7, virus protection
McAfee anti-virus software from Network Associates (NAI) of the United States allows the network systems to resist virus attacks.
Seventh, backbone network server systems
The backbone network server systems mainly consist of the proxy server, billing server, OA server, anti-virus server, video server, ERP servers and others.
1, proxy and billing server
The proxy and billing servers are Dell rack servers running the Linux operating system and the ACSTAR campus network management service system, providing proxy and billing services for Internet access from the backbone network's offices.
The ACSTAR campus network management service system is a powerful management, service and billing system. It is built on high-performance free Internet service software and database software suited to today's network environment. On one hand it guarantees a variety of network services to network users; on the other it can meter and control the traffic that users generate when using those services.
2, OA (office automation) application server system
The OA application server and the mail server are Dell high-performance rack servers running Windows 2000 Server and the Domino database, providing office automation applications and internal mail services.
3, anti-virus server
The anti-virus server runs McAfee anti-virus software from NAI of the United States and provides virus protection and removal for the backbone servers and users' computers.
4, video surveillance server
The video server provides real-time monitoring of conditions on campus and in the teaching buildings.
5, ERP servers
The ERP servers consist of an ERP application server and ERP database servers. The ERP application server is a Sun F3800 running Sun Solaris 8 and the Oracle application, providing web services for the ERP application. The ERP database servers are two Sun F4800 machines running Sun Solaris 8 and the Oracle 9i database, providing high-performance application and database services for the university's ERP project.