I. Network foundations
1. The three elements of a network
[Network cable + network card + protocol stack] are the three elements of the "minimum network unit"; none of them can be dispensed with.
- The network cable provides the physical medium that carries the bit stream / electrical signal (much as a telephone line carries a voice stream / analog signal)
- The NIC (network interface card) converts between the two worlds: data/bytes from the computer's disk or memory become current/bits on the cable, and the incoming bit stream is reassembled into data
- The protocol stack is the communication language: it implements data parsing, addressing, flow control, and so on
2. The three elements of network communication
[IP address + port number + transport protocol] are the three elements without which network communication cannot happen.
- The IP address determines which host to communicate with
- Ports are classified into physical ports and logical ports. Physical ports are the interfaces on network devices (such as routers and switches); logical ports identify the process (application) on a host.
- There are two transport protocols, TCP/UDP
3. Repeater
- A connecting device that works at the physical layer. It joins two identical networks and relays and amplifies the data signal.
- Its disadvantage is that a repeater has only two interfaces, so it can connect only two terminal hosts.
4. Hub
- A hub can be understood as a "multi-port repeater". It operates at the physical layer of the OSI model: data received on any one interface is flooded to all other interfaces.
- Its disadvantage is that a hub cannot recognize addressing information or upper-layer content in a frame and cannot isolate terminal hosts from each other. All hosts share one collision domain, so bandwidth utilization is low.
5. Bridge
- Bridge: a link-layer device that records the MAC addresses of terminal hosts, builds a MAC table (CAM table), and forwards data between hosts according to that table.
- A bridge isolates collision domains, improving bandwidth utilization and preventing data collisions between different interfaces.
- Its disadvantages are that a bridge has few interfaces (two by default), so its ability to isolate collision domains is limited, and that it has no dedicated forwarding hardware: frames are processed by the CPU, which is somewhat slower.
6. Switch
- Switch: a link-layer device that, like a bridge, records the MAC addresses of terminal hosts, builds a MAC table (CAM table), and forwards data between hosts according to that table.
- The switch is an upgrade and extension of the bridge and has the following advantages over it:
  - Much higher interface density, with every interface its own collision domain, so bandwidth utilization rises greatly
  - Dedicated ASIC hardware for high-speed forwarding
  - VLAN isolation: not only collision domains but also broadcast domains can be isolated, using VLANs
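The following is an added example, not code from the original page: a toy learning switch in Python that shows the CAM-table behaviour described for bridges and switches above. It learns source MACs per VLAN, forwards known unicast out of a single port, floods broadcast and unknown-unicast frames only within the ingress VLAN (the broadcast-domain isolation of VLANs), and has a deliberately tiny table (a hypothetical capacity of 4 entries) so that the practitioner's caveat is visible: once the table is full, new hosts cannot be learned and traffic to them is flooded to every port in the VLAN, which is exactly what a MAC-flooding attacker on a switch port is after. The port-to-VLAN map and MAC addresses are constructed for the demo.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy Layer 2 switch: per-VLAN MAC (CAM) learning, flooding of broadcast and
    unknown-unicast frames within the VLAN only, and a bounded CAM table."""

    def __init__(self, port_vlan, cam_capacity=4):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id (constructed config)
        self.cam = {}                      # (vlan, mac) -> port
        self.capacity = cam_capacity       # hypothetical small table, to show overflow

    def _learn(self, vlan, src, port):
        key = (vlan, src)
        if key in self.cam or len(self.cam) < self.capacity:
            self.cam[key] = port
        # else: table full; the new source MAC is simply not learned

    def forward(self, in_port, src, dst):
        """Return the sorted list of egress ports for a frame entering on in_port."""
        vlan = self.port_vlan[in_port]
        self._learn(vlan, src, in_port)
        if dst != BROADCAST:
            out = self.cam.get((vlan, dst))
            if out == in_port:
                return []           # destination is on the ingress segment: filter
            if out is not None:
                return [out]        # known unicast: forward on one port only
        # broadcast or unknown unicast: flood, but never across VLAN boundaries
        return sorted(p for p, v in self.port_vlan.items()
                      if v == vlan and p != in_port)


def demo():
    """Walk through learning, VLAN isolation and CAM-table overflow; returns results."""
    sw = LearningSwitch({1: 10, 2: 10, 3: 10, 4: 20}, cam_capacity=4)
    a, b, d, e = ("00:00:00:00:00:0a", "00:00:00:00:00:0b",
                  "00:00:00:00:00:0d", "00:00:00:00:00:0e")
    r = {}
    r["unknown_unicast"] = sw.forward(1, a, b)   # flooded to VLAN 10 ports 2 and 3
    r["learned_unicast"] = sw.forward(2, b, a)   # a was learned on port 1
    r["vlan_isolated"] = sw.forward(4, d, a)     # VLAN 20 cannot reach VLAN 10: nowhere
    # Attacker on port 3 sends frames with many bogus source MACs (MAC flooding).
    for i in range(10):
        sw.forward(3, f"02:00:00:00:00:{i:02x}", BROADCAST)
    r["cam_size"] = len(sw.cam)                  # table is now full
    r["new_host_to_a"] = sw.forward(2, e, a)     # still unicast: a was learned earlier
    r["a_to_new_host"] = sw.forward(1, a, e)     # e was never learned: flooded, port 3 sees it
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real switches counter the overflow case with port security (a per-port limit on learned MACs) and by keeping VLANs small; the toy shows why those controls matter rather than implementing them.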
7. Router
- Router: a network-layer device that forwards data based on IP addresses, using a routing table
- Routers are mainly used to connect different LANs (which may use different media, for example Token Ring talking to Ethernet), isolating broadcast domains; they are also used for remote communication (WAN connections).
- The logical addressing of IP is what makes connectivity between different kinds of LANs possible: hosts on different LANs can communicate as long as they have IP addresses and a sensible network-segment plan. Between LANs the router performs "media conversion" and "routing and forwarding".
8. Wireless AC/AP
- A wireless access point (AP) can be regarded as a switch or router with wireless functions. Any device that converts wired signals into wireless ones can be called a wireless AP; here it refers to 802.11 wireless APs, i.e. Wi-Fi.
- Fat APs and thin APs differ in how they are deployed: thin APs are managed by a wireless access controller (AC); everything else is a fat AP.
- In the fat AP solution the AP has its own operating system and all hotspot configuration is done on the AP itself. In the thin AP solution the AP only transmits the wireless signal; all configuration is centralized on the AC (wireless controller) behind it.
- Small wireless networks (homes and small businesses) use fat APs; large wireless networks (wireless city, wireless campus) use the thin AP scheme (AP + AC).
9. Firewall
- Firewall: a network security device that restricts access to a network, generally deployed at the Internet edge to block attacks
- By technical characteristics, firewalls are divided into packet-filtering, application-proxy and stateful-inspection firewalls; by product form, into software and hardware firewalls.
- Routers focus on address translation and routing policy, while firewalls focus on security isolation
- Firewalls are deployed much like routers; in practice:
- Small and medium-sized enterprises generally use a firewall, or only a router, as the Internet egress: a single device with many functions, and cheap
- In specific industries, such as public security, courts and finance, a router must be used for the intranet egress
- In large networks the firewall is a separate device from the router; one device doing both jobs may not have enough performance
- When both a router and a firewall are present, the router sits outside the firewall and the firewall connects to the servers, i.e. the DMZ. In that architecture the servers sit in private IP space, which is relatively secure: an attacker must get through the router's NAT and then evade the firewall's inspection. Note that a server published through the firewall (port-forwarded into the DMZ) is still directly reachable on the published port, so NAT does not replace hardening the server itself.
10. Home network topology
- Note: a typical home network topology needs only one router, which connects to the Internet and provides Wi-Fi
- Device: wireless router
- Technology: NAT (Network Address Translation), PPPoE (Point-to-Point Protocol over Ethernet, the dial-up protocol the wireless router uses toward the ISP), DHCP (Dynamic Host Configuration Protocol, which automatically assigns IP addresses on the internal network or from the network service provider)
11. Network architecture of small and medium-sized enterprises
- Note: the headquarters is the medium-sized enterprise architecture; the branch is the small enterprise architecture
- Equipment:
- Headquarters: routers, switches, firewalls, thin APs (wireless AC + AP), and servers
- Branch: routers and switches
- Technology:
- Headquarters: VLAN, MSTP, VRRP, Wi-Fi, NAT, VPN, trunk, DHCP, and ACL
- Branch: VLAN, VPN, and Wi-Fi
- Solution:
- Plan each department with its own /24 subnet, allocated contiguously. A /24 has 254 usable addresses, which is enough even as staff join, and contiguous allocation makes it easy to summarize routes and write policies against whole ranges.
- For redundancy, use MSTP + VRRP for link redundancy and hot standby of the gateway, and link aggregation between core switches to increase bandwidth.
- Security can be implemented with ACLs and port isolation, or with more advanced techniques such as 802.1X and DHCP snooping + DAI + IPSG. In general ACLs and port isolation suffice; use the latter only when there is a specific need.
- Build the wireless network with an AC + AP architecture, the AC attached off-path at Layer 3; internal users access on the 5 GHz band and guests on 2.4 GHz. Guests can reach only the web page the company provides and the Internet, and the guest wireless area is isolated from the rest.
- Use floating static routes + NQA, or IP-Link, to implement automatic failover
- Use IPsec for communication between headquarters and branches; its encryption and authentication protect the data
- Deploy L2TP over IPsec so that traveling employees can dial in to the intranet and access specific resources.
- Enable Telnet or SSH for management access and use ACLs to restrict it to specific hosts (prefer SSH: Telnet sends credentials and sessions in cleartext).
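An added example, not from the original page, for the subnet-planning and ACL items in the solution above: Python's standard ipaddress module carving one /24 per department from a 10.10.0.0/16 block, checking the 254-usable-host figure, summarizing contiguous departments into one prefix, and rendering Cisco-style extended ACL lines (address plus wildcard mask) from those summaries, including a management-plane ACL that admits SSH only from listed hosts. The base block, department names and management host 10.10.3.5 are assumptions for the demo; the ACL syntax is the IOS-style "permit/deny ip <addr> <wildcard>" form and would need adapting to another vendor.

```python
import ipaddress


def plan_departments(base, departments, prefix=24):
    """Carve one subnet of the given prefix length per department, contiguously,
    from the base block. Returns {department: IPv4Network}."""
    pool = ipaddress.ip_network(base).subnets(new_prefix=prefix)
    return {name: next(pool) for name in departments}


def usable_hosts(net):
    """Addresses assignable to hosts (network and broadcast addresses excluded)."""
    return net.num_addresses - 2


def summarize(nets):
    """Collapse contiguous, aligned networks into the fewest covering prefixes."""
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def wildcard(net):
    """IOS-style 'address wildcard' pair for an extended ACL entry."""
    return f"{net.network_address} {net.hostmask}"


def deny_acl(src_nets, dst_net):
    """Extended ACL lines denying src_nets -> dst_net, one line per summary prefix.
    Contiguous allocation is what lets several departments share one line."""
    return [f"deny ip {wildcard(s)} {wildcard(dst_net)}"
            for s in ipaddress.collapse_addresses(src_nets)]


def vty_acl(mgmt_hosts):
    """Management-plane ACL: SSH (tcp/22) only from the listed hosts, all else denied."""
    lines = [f"permit tcp host {h} any eq 22" for h in mgmt_hosts]
    lines.append("deny ip any any")
    return lines


def demo():
    """Constructed plan: four departments out of 10.10.0.0/16 (assumed base block)."""
    plan = plan_departments("10.10.0.0/16", ["sales", "rnd", "finance", "hr"])
    return {
        "finance": str(plan["finance"]),
        "hosts_per_dept": usable_hosts(plan["sales"]),
        "all_depts_summary": summarize(plan.values()),
        "non_contiguous": summarize([plan["sales"], plan["finance"]]),
        "deny_lines": deny_acl([plan["sales"], plan["rnd"]], plan["finance"]),
        "vty": vty_acl(["10.10.3.5"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note how sales and rnd (10.10.0.0/24 and 10.10.1.0/24) collapse into a single 10.10.0.0/23 ACL line, while sales and finance, which are not adjacent, cannot be merged; that is the concrete payoff of "continuity facilitates summary and control".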
12. Carrier network overview
- Note: carrier networks are the core bearer networks of the Internet, built on a MAN architecture. Carriers isolate and interconnect with each other using autonomous systems (ASes), exchange routes through BGP, and implement label switching with MPLS
- Devices: switches and routers
- Technology: OSPF/IS-IS, BGP, MPLS, multicast, TE/QoS, SNMP, etc.
Explanation of terms
- MSTP: Multiple Spanning Tree Protocol (IEEE 802.1s), the spanning-tree variant paired with VRRP for link redundancy in the headquarters design above. The same abbreviation also names the SDH-based Multi-Service Transport Platform of carrier transport networks, which is not what is meant here.
- DHCP: a LAN protocol running over UDP that automatically assigns IP addresses; used by intranet administrators or network service providers as a central way of managing addressing for all computers.
- VRRP: Virtual Router Redundancy Protocol, which removes the single point of failure of a statically configured gateway in a LAN.
- OSPF: Open Shortest Path First, a link-state routing protocol used for routing decisions within a single autonomous system (AS).
- IS-IS: a hierarchical link-state routing protocol similar to OSPF; it uses Hello packets to discover adjacent nodes and a flooding mechanism to distribute link-state information.
- TE: traffic engineering, the main technique for network-level QoS guarantees; it requires network equipment to support DS-TE, i.e. traffic control.
- QoS: Quality of Service, a network's ability to give specified traffic better service by using various underlying techniques; a network mechanism for dealing with delay and congestion. Ordinarily QoS is not needed when the network carries only applications with no timing requirements, such as web or e-mail.
- ACL: Access Control List, a list of rules on the interfaces of routers and switches that controls which packets may enter or leave a port. ACLs exist for all routed protocols, such as IP, IPX and AppleTalk.
II. Introduction to SDN
1. Problems existing in traditional networks
1.1 Hardware Upgrade Difficulties
Throughout the history of network equipment, the traditional network industry has developed reactively: a problem is exposed, and then a solution is developed for it. At the same time, hardware development cycles are long, and iteration and upgrades lag far behind software. In the traditional network industry the power lies with equipment vendors such as Cisco, Huawei and H3C; the bottom layer is completely closed to the user, a black box out of their control.
1.2 Shortcomings of network management System
In traditional mainstream network solutions a network management server is set up, network devices (routers, switches, firewalls) and the network management system are linked with SNMP, and the management system is used to discover the topology, manage configuration and check link quality across the whole network. But SNMP, as a simple network management protocol, is oriented toward monitoring devices rather than deploying and configuring them. Typically the management system only raises alarms on equipment-room (IDC) faults; it cannot push configuration to devices automatically.
1.3 Unbalanced Traffic Distribution
There is also no good solution for the unbalanced distribution of link traffic in Internet companies. One of the main difficulties in balancing allocation is traffic visualization.
- Conventional traffic-control products can visualize only part of the bandwidth allocation, and conventional network management systems can detect link faults but cannot visualize bandwidth
- Traffic visualization is the basis for intelligent bandwidth allocation
1.4 Network device Faults
Network devices talk to each other through network protocols such as OSPF, BGP, MPLS and MSTP. A protocol session is built in three steps: neighbor establishment, information exchange, and path selection. Most network devices use a distributed architecture in which every device independently computes the optimal path with a path algorithm (such as SPF), so a fault has to propagate to, and be recomputed on, every device before the network converges.
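To make the "path selection" step concrete, here is an added example (not from the original page) of the SPF computation every link-state router performs on its own copy of the link-state database: a Dijkstra implementation in Python over a constructed four-router topology, run once on the healthy network and once after one link is withdrawn, the way a router recomputes after an LSA announcing a failure arrives. Node names and link costs are constructed; they are not a real network.

```python
import heapq


def spf(lsdb, root):
    """Dijkstra shortest-path-first over a link-state database given as
    {node: {neighbor: cost}} (undirected: both directions are listed).
    Returns {node: (total_cost, path_from_root)}."""
    best = {root: (0, [root])}
    heap = [(0, root, [root])]
    done = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in done:
            continue                       # a cheaper entry for this node was handled
        done.add(node)
        for nbr, w in lsdb.get(node, {}).items():
            new_cost = cost + w
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, path + [nbr])
                heapq.heappush(heap, (new_cost, nbr, path + [nbr]))
    return best


def withdraw_link(lsdb, a, b):
    """Copy of the LSDB with link a-b removed in both directions, i.e. the
    database after the LSA describing that link failure has been flooded."""
    new = {n: dict(nbrs) for n, nbrs in lsdb.items()}
    new.get(a, {}).pop(b, None)
    new.get(b, {}).pop(a, None)
    return new


# Constructed four-router topology: two paths from A to D, costs as OSPF metrics.
LSDB = {
    "A": {"B": 10, "C": 10},
    "B": {"A": 10, "D": 10},
    "C": {"A": 10, "D": 30},
    "D": {"B": 10, "C": 30},
}


def demo():
    """Best A -> D path before and after the B-D link fails."""
    before = spf(LSDB, "A")["D"]
    after = spf(withdraw_link(LSDB, "B", "D"), "A")["D"]
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Every router in the domain runs this same calculation on its own copy of the database; until the LSA has reached all of them and each has recomputed, the ones still using the old result keep forwarding toward B for D, which is the transient loss (or loop) that the distributed model accepts and the SDN controller model, described next, tries to remove by computing paths in one place.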
2. SDN Definition
- SDN: Software-Defined Networking, a network design concept
- A network in which devices are centrally managed and programmable, with control and forwarding separated, can be called SDN
- The SDN framework has three layers: the application layer provides applications and services (network management, security, traffic control, etc.); the control layer provides unified management and control (protocols, policy distribution, link information, etc.); the forwarding layer (infrastructure layer) provides the hardware (switches, routers, firewalls) that forwards data
- The northbound interface, based on REST APIs, faces the applications: it provides network abstraction and makes the network programmable in software. The southbound interface faces the infrastructure layer and programs the devices' flow tables, for example with OpenFlow.
Note: the control layer's interface toward the applications is the northbound interface
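An added example (not from the original page, and not any real controller's code) of the control/forwarding split in miniature, in Python: the forwarding plane is a priority-ordered flow table whose only intelligence is "match the highest-priority entry, else hit the table-miss entry"; the control plane is a separate object that receives the packet-in for a miss, learns the source, and installs a flow so that later packets of the same kind never leave the switch. A proactive drop rule for a blocked MAC stands in for a policy pushed down from a security application over the northbound side. Datapath id, ports, MAC addresses and the blocked MAC are constructed.

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    priority: int
    match: dict          # field -> value; a field absent from match is a wildcard
    actions: list        # e.g. ["output:2"], ["flood"], ["controller"], ["drop"]
    packets: int = 0     # per-entry counter, as an OpenFlow switch keeps


class FlowTable:
    def __init__(self):
        self.entries = []

    def add(self, entry):
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)   # highest priority wins

    def lookup(self, pkt):
        for e in self.entries:
            if all(pkt.get(k) == v for k, v in e.match.items()):
                e.packets += 1
                return e.actions
        return ["drop"]          # no table-miss entry: drop silently


class Switch:
    """Forwarding plane: it only matches packets against the table it was given."""

    def __init__(self, dpid, controller):
        self.dpid, self.controller = dpid, controller
        self.table = FlowTable()
        self.table.add(FlowEntry(0, {}, ["controller"]))   # table-miss -> packet-in
        self.packet_ins = 0

    def process(self, pkt):
        actions = self.table.lookup(pkt)
        if actions == ["controller"]:
            self.packet_ins += 1
            actions = self.controller.packet_in(self, pkt)  # southbound round trip
        return actions


class Controller:
    """Control plane: keeps the learning state and decides which flows to install."""

    def __init__(self, blocked_macs=()):
        self.mac_to_port = {}                 # dpid -> {mac: in_port}
        self.blocked = set(blocked_macs)      # hypothetical policy from a security app

    def attach(self, switch):
        for mac in self.blocked:              # proactive rule, above every learned flow
            switch.table.add(FlowEntry(100, {"eth_src": mac}, ["drop"]))

    def packet_in(self, switch, pkt):
        learned = self.mac_to_port.setdefault(switch.dpid, {})
        learned[pkt["eth_src"]] = pkt["in_port"]
        out = learned.get(pkt["eth_dst"])
        if out is None:
            return ["flood"]                  # unknown destination: flood once, install nothing
        switch.table.add(FlowEntry(10, {"in_port": pkt["in_port"], "eth_dst": pkt["eth_dst"]},
                                   [f"output:{out}"]))
        return [f"output:{out}"]


def demo():
    """Two hosts exchange frames through one switch; a third, blocked host is dropped."""
    ctrl = Controller(blocked_macs=["de:ad:be:ef:00:01"])
    sw = Switch("s1", ctrl)
    ctrl.attach(sw)
    h1_to_h2 = {"in_port": 1, "eth_src": "aa:aa:aa:00:00:01", "eth_dst": "aa:aa:aa:00:00:02"}
    h2_to_h1 = {"in_port": 2, "eth_src": "aa:aa:aa:00:00:02", "eth_dst": "aa:aa:aa:00:00:01"}
    rogue = {"in_port": 3, "eth_src": "de:ad:be:ef:00:01", "eth_dst": "aa:aa:aa:00:00:01"}
    r = {}
    r["first"] = sw.process(h1_to_h2)       # miss -> packet-in -> flood
    r["reply"] = sw.process(h2_to_h1)       # miss -> packet-in -> flow installed
    r["cached"] = sw.process(h2_to_h1)      # hits the installed flow, no packet-in
    r["blocked"] = sw.process(rogue)        # policy rule matches before anything else
    r["packet_ins"] = sw.packet_ins
    r["entries"] = len(sw.table.entries)
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the toy makes visible that matter in real deployments: the controller is on the critical path for every new flow (so its availability and the authenticity of the southbound channel are part of the data plane's security), and table-miss handling is policy, not an accident; a switch left with a "flood on miss" default behaves like a hub toward anyone who can generate novel traffic.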
3. SDN vs traditional network
The comparison lists five points. The first, the basis of SDN, needs no elaboration. The second was given in the original as a figure, which is not reproduced here. The third is that SDN lets the forwarding policy be implemented by writing scripts, in C, Java or Python for example. The fourth, open interfaces, is also easy to understand; solutions based on open protocols are the mainstream of current SDN implementations. The fifth is network virtualization: the virtualization platform is the middle layer between the physical network topology and the tenant controllers. To realize virtualization, the platform abstracts the physical network resources, including topology virtualization, node virtualization and link virtualization.
4. SDN case: Google B4
- Purpose: distinguish high-priority from low-priority traffic and then allocate bandwidth accordingly.
- Note: the system controlling this network has three layers: switch hardware, site controller, and global controller. A site is a data center. The first-layer hardware switches and second-layer controllers are deployed at the internal exit of each data center, while the third layer, the SDN gateway and TE server, is a single globally unified controller.
- Analysis:
- The first layer, the hardware switches, is Google's own design. The switch runs OpenFlow, but uses Table Type Patterns (TTP) with several tables (ACL table, routing table, tunnel table, etc.) rather than only the ACL table most commonly used in OpenFlow switches; what it exposes upward is still an OpenFlow interface. These switches send BGP/IS-IS packets to the controller for processing.
- The second layer is the most complex. At the exit of each data center there is not a single server but a cluster, and each server runs a controller. Google's controller is modified from the distributed Onix controller. A switch may be connected to several controllers, only one of which is active (master), and one controller controls several switches. Paxos is used to elect the leader (master).
- At the third layer, the global TE server collects link information from each data center's controllers through the SDN gateway to learn the available paths. The paths are built as IP-in-IP tunnels rather than the MPLS tunnels commonly used by TE, and are pushed through the gateway to the Onix controllers and finally to the switches. When a new application starts sending data, the bandwidth it needs is evaluated and an optimal path is chosen for it (for example the least-loaded path rather than the shortest, or a path with no packet loss but higher delay); the corresponding flow entries are then pushed through the controller to the switches, so that the links as a whole reach optimal bandwidth utilization.
III. Extension: the relationship between NFV, NV and SDN
First, the definitions of the three concepts.
- NFV: Network Functions Virtualization, virtualizing network devices
- NV: network virtualization
- SDN: software-defined networking
NFV is an initiative of the European Telecommunications Standards Institute (ETSI). It aims to reduce network construction costs by using commodity hardware and mainstream virtualization technology in place of the proprietary hardware that telecom equipment vendors currently supply to operators; its goal is to replace dedicated telecom equipment (routers, switches, and so on) with generic servers. NV is an inevitable technology arising from the development of cloud computing: rapid deployment, automation and self-service in the public cloud have made the following requirements unavoidable:
- Multi-tenant isolation
- Security must be ensured between the applications of a single tenant
- Network policies are configured from the cloud platform's application requirements and move automatically with the application when it migrates.
In SDN, the virtualization platform is the middle layer between the physical network topology and the tenant controllers. To achieve virtualization, the platform abstracts the physical network resources: topology virtualization, node virtualization and link virtualization.
Conclusion: SDN = NV > NFV, meaning that the virtual network of cloud computing is built on the idea of SDN, and that SDN addresses the network as a whole (the surface) while NFV addresses individual network elements (the points). Both SDN and NFV are the general trend: in future the network may consist of generic servers as network elements under the control of a controller.
IV. References
1. 51CTO course "SDN from Beginner to Master"
2. "Concrete Implementation of Google Data Center B4 Network"
3.