Abstract
A college currently has several classrooms and laboratories that are not fully interconnected; servers are duplicated across them and resources are badly wasted. This project optimizes that environment by reworking the existing topology: a PIX firewall is added, the necessary IOS firewall settings are applied on the egress router, and the IP address space is planned as a whole so that addresses are managed centrally, none are wasted, and every classroom and laboratory has enough addresses to assign. VLANs are re-planned across the whole network according to the needs of each laboratory and classroom: each laboratory, classroom or isolated zone gets its own VLAN, which simplifies management and improves security. The firewall is configured with three zones, Outside, DMZ and Inside; the interface facing the external network is the Outside zone and the interface facing the internal network is the Inside zone. The core device is a Layer 3 Cisco 3550 switch. The servers are placed in the DMZ zone, and every node has a route to the servers, guaranteeing that they remain reachable.
Keywords: IP; VLAN; Cisco; router; switch; firewall
Contents
Abstract
1. Introduction
1.1 Background
1.2 Implementation requirements
1.3 Objectives
2. Technical foundations of the network architecture
2.1 Networking fundamentals
2.1.1 The OSI model
2.1.2 The four Ethernet frame types
2.1.3 How a switch works, in detail
2.2 Network model
2.2.1 Hierarchical network model
2.2.2 Core layer functions
2.3 Routers: overview, operation and protocols
2.3.1 Interconnection methods
2.3.2 Network interconnection
2.3.3 Bridged networks
2.3.4 Router-interconnected networks
2.3.5 Routing principles
2.3.6 Routing protocols
2.3.6.1 RIP
2.3.6.2 OSPF
2.3.6.3 BGP and BGP-4
2.3.6.4 Preference among routing-table entries
2.3.7 Routing algorithms
2.3.8 Next-generation routers
2.4 Switching technology
2.4.1 From bridges and multi-port bridges to switches
2.4.2 How switched Ethernet works
2.4.3 Advantages of switched Ethernet
2.4.4 Cut-through versus store-and-forward switching
2.4.5 Layer 2 and Layer 3 switching versus router-based designs
2.4.6 Virtual LAN technology
2.5 Firewalls
2.5.1 What a firewall is
2.5.2 What a firewall can do
2.5.3 Types of firewall
2.5.4 Packet-filtering firewalls
2.5.5 Application-proxy firewalls
2.5.6 Hybrid firewalls
2.5.7 Firewall operating systems
2.5.8 NAT
2.5.9 Firewall resistance to attack
2.5.10 Limitations of firewalls
2.5.11 PIX security zones
3. Implementation
3.1 Equipment list
3.2 Network topology
4. Network information
4.1 Device naming and password planning
4.2 Subnet allocation
4.3 Routing plan
5. Functional description
5.1 Security implementation
5.2 Network management plan
5.3 Connectivity testing
6. Main configurations
6.1 PIX initialization
6.2 PIX failover configuration
6.2.1 PIX1 global configuration
6.2.2 PIX2 global configuration
Conclusion
Acknowledgements
References
1. Introduction
1.1 Background
Information technology, as a research tool of modern technology, has greatly advanced technical progress and is widely applied in every field of the national economy; it has become the technical core driving the fourth industrial revolution. China's steadily growing economy, and the rising economy of Jiangxi in particular, need more computing professionals to serve society, so training people who master advanced computer technology has become one of the main tasks of higher education. Computer science advances quickly, which leaves laboratory equipment lagging behind and makes it hard to keep practical teaching in step with theory. The information disciplines in turn support the development of related disciplines.
In addition, the college has a large number of students and its equipment falls well short of actual needs, so strengthening laboratory construction is imperative.
Laboratory construction provides a platform for students to master advanced information technology and to develop practical and innovative skills, producing graduates who meet social needs and keep pace with technical development. It will also promote the development of the college's information disciplines and teaching staff, raise teaching and research to an advanced level within the province and a leading level nationally, lift the teaching conditions of the college's information disciplines to a higher grade, and better serve the defence industry and the local economy.
Given the current state of our laboratories and the plans for their development, strengthening their hardware and software, to build on their strengths and make up for their weaknesses, is imperative.
1.2 Implementation requirements
To get the most out of the existing network equipment, the campus network is to be rebuilt following the first-phase optimization. The rebuilt campus network mainly adds access switches so that more users can be connected.
Core layer: the existing Cisco 3550 core switch is kept. Under the current load, the first-phase optimization showed its CPU utilization to be below 5%; it fully meets present needs and has considerable headroom, so it will serve the campus network for a long time to come.
Distribution layer: one Cisco 2950 switch on each floor.
Access layer: Cisco 1900 access switches throughout, distributed across the laboratories.
1.3 Objectives
A Cisco router is deployed at the campus network egress to isolate and detect unauthorized access, and together with the network anti-virus system it forms the campus network's security defence. As applications and needs grow, further subsystems can be deployed step by step: remote-access authentication, endpoint security, a security management platform, a security policy platform, a system patching platform, VPN secure access and related subsystems.
2. Technical foundations of the network architecture
2.1 Networking fundamentals
2.1.1 The OSI model
The OSI model has seven layers; from bottom to top they are:
Layer 1: Physical
Layer 2: Data link
Layer 3: Network
Layer 4: Transport
Layer 5: Session
Layer 6: Presentation
Layer 7: Application
Application layer: provides the interface through which users run network applications directly, for example telnet and ftp.
Presentation layer: converts data encodings, that is, translates data formats; it also handles data encryption and compression.
Session layer: establishes, manages and terminates sessions between applications, synchronizing the applications on two hosts. A network engineer's work lies mainly in the lower four layers, so the upper three are usually treated together as a single upper-layer system.
Physical layer: defines the electrical specification and the transmission of bits: voltage levels, signalling speed, interface standards and cable types.
Data link layer: has three main functions: serving the layer above, communicating with the physical layer, and defining the physical (MAC) address, which is used for Layer 2 communication and is valid only on the local link. It encapsulates data into frames and defines the media access control method, that is, how stations on the network obtain use of the physical channel; CSMA/CD is the common method.
Network layer: defines logical (IP) addresses and performs routing.
Transport layer: provides reliable end-to-end delivery with error checking (TCP) and also unreliable delivery (UDP). Data is encapsulated in PDUs (protocol data units): in the OSI reference model, the information exchanged by the protocol between peer layers on two devices is called a protocol data unit.
Encapsulation: the upper layers hand data to the transport layer, which encapsulates it as a segment and adds a header such as the TCP header; the network layer takes the segment and encapsulates it as a packet with a Layer 3 header such as the IP header; the data link layer takes the packet, encapsulates it as a frame and adds the frame header; the physical layer converts each frame into bits on the wire. At the far end the data is decapsulated in the reverse order.
Physical layer in detail: a hub is the usual example. A hub is a Layer 1 device, and it illustrates what a broadcast network is and why Ethernet is called one, what a collision domain and a broadcast domain are, and how CSMA/CD (carrier sense multiple access with collision detection) and its back-off algorithm work.
Data link layer in detail: the MAC address; the data link layer is subdivided into the MAC sublayer (802.3) and the LLC sublayer (802.2); 802.3 spans the physical and data link layers.
2.1.2 The four Ethernet frame types
1. Ethernet II: the mainstream format today. The TYPE field identifies the upper-layer protocol; TYPE = 0x0800 means IP.
2. IEEE 802.3 (raw): should only be used on Novell networks. It carries a Length field instead of a type and was developed specifically for IPX, with no provision for IP.
3. IEEE 802.3 + 802.2 (LLC): the upper-layer protocol is identified in the 802.2 header by SAP fields placed before the data field. This improves on the second format and can carry IP; BPDUs use it.
4. IEEE 802.3 + 802.2 + SNAP (Sub-Network Access Protocol): a special form that adds a TYPE field to identify the upper-layer protocol; CDP uses it.
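The four formats above are distinguished on the wire by the two bytes after the MAC addresses and, for the 802.3 forms, by the first bytes of the body. The classifier below is an added example, not part of the thesis: it applies that decision procedure to four constructed sample frames (the MAC addresses, the dummy IPv4 payload, the BPDU, IPX and CDP bodies are all made up here for illustration). It also checks the 802.3 length field against the buffer before trusting it, which is the check a practitioner wants in any frame parser.

```python
import struct

# Constructed sample addresses (not captured from the college network).
DST = bytes.fromhex("ffffffffffff")   # broadcast destination
SRC = bytes.fromhex("001122334455")


def classify_ethernet_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame into the four formats and pull out the upper-layer identifier.

    Decision procedure on the 2 bytes after the two MAC addresses:
      * value >= 0x0600  -> Ethernet II; the field is an EtherType (0x0800 = IP)
      * value <= 0x05DC  -> IEEE 802.3; the field is a length, and the bytes after it decide:
          ff ff                 -> raw 802.3 (Novell IPX, no LLC header)
          aa aa 03 + OUI + type -> 802.3 + 802.2 + SNAP; type is an EtherType (CDP: OUI 00000c, 0x2000)
          anything else         -> 802.3 + 802.2 LLC; DSAP/SSAP name the protocol (0x42 = STP BPDU)
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst.hex(":"), "src": src.hex(":")}
    if type_or_len >= 0x0600:
        info.update(kind="Ethernet II", ethertype=type_or_len, payload=frame[14:])
        return info
    # 802.3: the length field is attacker-controlled input; bound it by the buffer first
    length = type_or_len
    body = frame[14:14 + length]
    if len(body) < length:
        raise ValueError(f"802.3 length field {length} exceeds frame size")
    if body[:2] == b"\xff\xff":
        info.update(kind="802.3 raw (Novell)", length=length, payload=body)
    elif body[:3] == b"\xaa\xaa\x03" and len(body) >= 8:
        ethertype = struct.unpack("!H", body[6:8])[0]
        info.update(kind="802.3 + 802.2 + SNAP", length=length,
                    oui=body[3:6].hex(), ethertype=ethertype, payload=body[8:])
    elif len(body) >= 3:
        info.update(kind="802.3 + 802.2 LLC", length=length,
                    dsap=body[0], ssap=body[1], payload=body[3:])
    else:
        raise ValueError("802.3 body too short for an LLC header")
    return info


def build_ethernet_ii(payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Encapsulate a payload in an Ethernet II frame: dst | src | TYPE | payload."""
    return DST + SRC + struct.pack("!H", ethertype) + payload


def build_8023(body: bytes) -> bytes:
    """Encapsulate a body in an 802.3 frame: dst | src | LENGTH | body."""
    return DST + SRC + struct.pack("!H", len(body)) + body


# Constructed sample frames, one per format.
SAMPLES = {
    # Ethernet II carrying a dummy IPv4 header (version/IHL byte 0x45, then padding)
    "ip":   build_ethernet_ii(b"\x45" + b"\x00" * 19),
    # raw 802.3: an IPX packet starts with checksum 0xffff, so no LLC header is present
    "ipx":  build_8023(b"\xff\xff" + b"\x00" * 28),
    # 802.3 + LLC: DSAP/SSAP 0x42, control 0x03, then a (zeroed) BPDU
    "bpdu": build_8023(b"\x42\x42\x03" + b"\x00" * 35),
    # 802.3 + LLC + SNAP: aa aa 03, Cisco OUI 00:00:0c, protocol 0x2000 (CDP), then payload
    "cdp":  build_8023(b"\xaa\xaa\x03" + b"\x00\x00\x0c" + b"\x20\x00" + b"\x02" * 10),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify_ethernet_frame(frame))
```

A real capture would be fed in the same way, one frame at a time, from the bytes of a raw socket or a pcap record; the builders exist only so the example runs offline.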
2.1.3 How a switch works, in detail
Every switch port is its own collision domain, while all ports share one broadcast domain.
A switch learns MAC addresses: it learns from the source MAC address of each frame and forwards based on the destination MAC address.
A single port can learn multiple MAC addresses.
FFFF.FFFF.FFFF is the MAC-layer broadcast address.
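The learn-on-source, forward-on-destination rule above is small enough to model exactly. The class below is an added example, not code from the thesis: it simulates a switch with three ports and shows unknown-destination flooding, unicast forwarding once the destination has been learned, a port that has learned two addresses, filtering of frames whose destination sits on the ingress port, and broadcast. Going beyond the text, it also caps the MAC table to show what happens when the table is full: addresses that cannot be learned are simply flooded, which is the behaviour a MAC-flooding attack relies on. Port names and MAC addresses are made up.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Minimal model of transparent-bridge forwarding.

    learn:   source MAC -> ingress port, updated on every frame
    forward: destination MAC looked up in the table; known -> that port,
             unknown or broadcast -> flood to every port except the ingress port
    """

    def __init__(self, ports, table_size=None):
        self.ports = list(ports)
        self.table_size = table_size   # None = unlimited; real CAM tables are not
        self.table = {}                # mac -> port
        self.not_learned = 0           # frames whose source address could not be stored

    def learn(self, src, port):
        if src in self.table:
            self.table[src] = port     # a host (or a spoofed source) moving ports updates the entry
            return
        if self.table_size is not None and len(self.table) >= self.table_size:
            self.not_learned += 1      # table full: this address will keep being flooded
            return
        self.table[src] = port

    def forward(self, src, dst, in_port):
        """Return the egress ports for a frame from src to dst that entered on in_port."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.table:
            out = self.table[dst]
            return [] if out == in_port else [out]      # same segment: filter, do not forward
        return [p for p in self.ports if p != in_port]  # unknown unicast or broadcast: flood

    def macs_on_port(self, port):
        return sorted(mac for mac, p in self.table.items() if p == port)


# Constructed hosts: A on Fa0/1, B and C both behind Fa0/2 (for example via a hub).
A, B, C = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"


def demo():
    """Run a short frame sequence and return the switch plus the egress list for each frame."""
    sw = LearningSwitch(ports=["Fa0/1", "Fa0/2", "Fa0/3"])
    results = [
        sw.forward(A, B, "Fa0/1"),          # B unknown: flood to Fa0/2 and Fa0/3, learn A
        sw.forward(B, A, "Fa0/2"),          # A known: unicast to Fa0/1, learn B
        sw.forward(C, B, "Fa0/2"),          # B is on the ingress port: filtered, learn C
        sw.forward(A, BROADCAST, "Fa0/1"),  # broadcast always floods
    ]
    return sw, results


def overflow_demo():
    """One-entry table: the second host is never learned, so frames to it are flooded."""
    sw = LearningSwitch(ports=["p1", "p2"], table_size=1)
    sw.forward("00:00:00:00:00:01", BROADCAST, "p1")
    to_known = sw.forward("00:00:00:00:00:02", "00:00:00:00:00:01", "p2")
    to_unlearned = sw.forward("00:00:00:00:00:01", "00:00:00:00:00:02", "p1")
    return sw, to_known, to_unlearned


if __name__ == "__main__":
    print(demo()[1])
    print(overflow_demo()[1:])
```

The overflow case is why access ports facing classrooms are normally limited to a small number of learned addresses: once the table is full, every unlearned destination is flooded to all ports, and any host on the VLAN can read traffic meant for others.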
Network layer in detail:
The network layer defines logical addresses: IP addresses, 32 bits long, written in dotted decimal.
A router is a Layer 3 device and separates broadcast domains.
The subnet mask distinguishes the network number of an IP address from its host number: the IP address is ANDed with the mask.
The broadcast domain a router bounds is a Layer 2 one; a router also isolates Layer 3 broadcasts, but broadcasts within a single Layer 3 network segment cannot be isolated.
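The AND operation above is what turns the address plan in the abstract (one subnet per classroom, laboratory or isolated zone, with no wasted addresses) into arithmetic. The code below is an added example rather than the thesis's own plan: it performs the mask AND and the matching OR for the directed broadcast by hand, decides whether two hosts share a subnet, and then carves per-VLAN subnets out of a block, largest rooms first so every subnet lands on its own size boundary. The block 10.1.0.0/16 and the room sizes are assumed values, not the college's real allocation.

```python
import ipaddress


def to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_address(ip: str, mask: str) -> str:
    """Network number = IP AND mask, the operation the text describes."""
    return to_dotted(to_int(ip) & to_int(mask))


def broadcast_address(ip: str, mask: str) -> str:
    """Directed broadcast = IP OR NOT mask (all host bits set)."""
    return to_dotted(to_int(ip) | (~to_int(mask) & 0xFFFFFFFF))


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Two hosts can talk without a router only if the AND gives the same network number."""
    return network_address(ip_a, mask) == network_address(ip_b, mask)


def plan_vlan_subnets(block: str, rooms: dict) -> dict:
    """Carve one subnet per room (one VLAN each) out of `block`.

    Rooms are allocated largest first; because every size is a power of two and
    the sizes only decrease, sequential allocation keeps each subnet aligned to
    its own size, so no addresses are lost between subnets. Usable hosts per
    subnet = size - 2 (network and broadcast addresses).
    """
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(rooms.items(), key=lambda kv: (-kv[1], kv[0])):
        size = 4                                # smallest subnet with usable hosts
        while size - 2 < hosts:
            size *= 2
        prefix = 32 - (size.bit_length() - 1)   # size is a power of two
        if cursor + size > end:
            raise ValueError(f"{block} cannot hold a /{prefix} for {name}")
        plan[name] = ipaddress.ip_network((cursor, prefix))
        cursor += size
    return plan


# Constructed room sizes (hosts needed per VLAN); not the college's real figures.
ROOMS = {"lab1": 60, "lab2": 120, "classroom3": 28, "dmz": 10}

if __name__ == "__main__":
    print(network_address("10.1.5.77", "255.255.255.0"), broadcast_address("10.1.5.77", "255.255.255.0"))
    for room, subnet in plan_vlan_subnets("10.1.0.0/16", ROOMS).items():
        print(f"{room:12s} {subnet}  usable hosts: {subnet.num_addresses - 2}")
```

Sizing each subnet to its room, rather than giving every room a /24, is what keeps the address space manageable; the leftover part of the block stays free for new rooms, and the prefix lengths go straight into the VLAN interface configuration on the Layer 3 switch.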
2.2 Network model
2.2.1 Hierarchical network model
1. Access layer
2. Distribution layer
3. Core layer
Access layer functions
Provides the access points through which users join the network.
VLAN assignment is also done at this layer.
The access layer controls user and workgroup access to network resources.
Distribution layer functions
The distribution layer is the communication point between the access layer and the core layer; its main functions are routing, filtering and WAN access.
The distribution layer is where network policy is implemented:
1. Aggregation point for access-layer devices
2. Routing: the distribution layer is now built with Layer 3 switches running a routing protocol, because VLANs cannot communicate with each other directly and must be joined by routing
3. Dividing the network into multiple broadcast/multicast domains
4. Media conversion between different media types
5. Security services
6. Remote access
* Routing
* Tools such as access lists, packet filtering and queuing
* Network security and network policy, including address translation and firewalls
* Redistribution between routing protocols
* Inter-VLAN routing
* Definition of broadcast and multicast domains
2.2.2 Core layer functions
1. Fast data transport
* The core layer must be designed for high reliability
* Design for throughput: core-layer latency must be very low
* Choose routing protocols with short convergence times
2.3 Routers: overview, operation and protocols
A router is a device that connects multiple networks or network segments. It "translates" between the data of different networks or segments so that each can "read" the other's data, forming a larger network.
A router has two main functions: the data path and control. The data-path functions, which include the forwarding decision, backplane forwarding and output link scheduling, are generally done in dedicated hardware; the control functions, which include information exchange with neighbouring routers, system configuration and system management, are generally done in software.
2.3.1 Interconnection methods
As computer networks have grown and large internetworks such as the Internet have developed rapidly, routing has become a key part of network technology and the router the most important network device. User demand drives the development of routing technology and the spread of routers: people are no longer content to share information on their local network but want to make the most of network resources of every type in every region of the world. Today any computer network of reasonable size (an enterprise network, a campus network, an intelligent building) depends on routers, whether it is built on Fast Ethernet, FDDI or ATM; without them it cannot operate or be managed properly.
2.3.2 Network interconnection
Connecting one's own network to others, to obtain more information from them and to publish one's own, is the main motivation for network interconnection. There are several ways to interconnect networks; the most common are bridges and routers.
2.3.3 Bridged networks
A bridge works at Layer 2 of the OSI model, the data link layer. It forwards data frames, the aim being transparent communication between the connected networks. Forwarding is decided from the source and destination addresses in the frame: whether the frame should be forwarded at all, and to which port. The addresses in the frame are called MAC or hardware addresses and are normally those burned into the network card.
A bridge connects two or more networks and provides transparent communication: devices on the network do not see the bridge, and communicate as conveniently as if they were on one network. Because a bridge forwards data frames, it can only connect networks that are the same or similar (the same or a similar frame structure), such as Ethernet to Ethernet or Ethernet to token ring; for networks of different types with different frame structures, such as Ethernet and X.25, a bridge cannot help.
Bridges enlarged networks, improved their performance and made applications more convenient, and were widely used in earlier networks. But bridged interconnection brings problems. The first is broadcast storms: a bridge does not block broadcasts, so in a large network (several bridges, many Ethernet segments) a broadcast storm can fill the whole network with broadcast traffic until it is completely paralysed. The second is that, when connecting to an external network, a bridge merges the internal and external networks into one, and each side automatically opens all of its network resources to the other; that is clearly unacceptable for an external connection. The root of the problem is that a bridge simply connects networks as fully as possible, regardless of what is being transmitted.
2.3.4 Router-interconnected networks
Router interconnection depends on the network protocol, so the discussion is limited to TCP/IP networks.
3. Implementation
3.1 Equipment list
Because the college's existing network is not fully interconnected and has almost no security equipment, the following equipment is adopted as a basic provision that meets the basic requirements (Table 3-1).
Table 3-1 List of equipment
No. | Model | Basic parameters | Unit | Quantity | Notes
1 | Cisco 3700 | | unit | 1 |
2 | Cisco PIX 515E | | unit | 2 |
3 | Cisco 2950 switch | | unit | 4 |
4 | Cisco IDS 4215 | | unit | 1 |
5 | Cisco 3550 switch | | unit | 2 |
6 | Servers and hosts | | unit | several |
3.2 Network topology
Based on the college's existing environment and the equipment to be purchased, the following topology is planned (Figure 3-1).