Modular Network Design: A Scalable Architecture Framework
Introduction to Modular Network Design
Network modularity is the practice of designing networks as interconnected, purpose-built segments rather than as monolithic structures. Each module serves a specific function, has defined boundaries, and connects to adjacent modules through well-known interfaces. This approach turns network design from an art into a repeatable engineering discipline.
The power of modularity lies in its ability to create predictable patterns that can be applied consistently across an organization's entire infrastructure footprint, whether that spans tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses.
Why Modularity Matters
Benefits Across Network Scales
| Benefit | Small Sites | Medium Sites | Large Sites |
|---|---|---|---|
| Simplified troubleshooting | A single engineer can understand the complete topology | Teams can specialize by module | Clear escalation paths between module owners |
| Predictable scaling | Add modules as needed | Clone proven patterns | Expand without redesign |
| Consistent security | Same policies everywhere | Uniform compliance posture | Auditable boundaries |
| Operational efficiency | Template-based deployment | Automated provisioning | Standardized change management |
| Cost control | Right-size each module | Bulk purchasing by module type | Lifecycle management by tier |
The Scaling Challenge
Organizations rarely remain static. A modular design must accommodate:
- 10,000+ small sites: branch offices, retail locations, remote facilities
- 1,000+ medium sites: regional offices, distribution centers, manufacturing plants
- 100+ large sites: headquarters, data centers, main campuses
Without modularity, every site becomes a unique snowflake that requires custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site.
Core Network Modules
Module 1: Internet Edge Segment
The Internet Edge is where your organization meets the outside world. This module contains:
- WAN / Internet circuits (MPLS, DIA, broadband, LTE/5G)
- Edge routers (WAN termination)
- Firewalls (stateful inspection, NAT, VPN termination)
- VLAN segmentation for functional separation
@startuml Internet Edge Module
!define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014
skinparam backgroundColor #FEFEFE
skinparam handwritten false
nwdiag {
internet [shape = cloud, description = "Internet"];
network ISP_Transit {
address = "VLAN 10-12"
color = "#FFE4E1"
description = "ISP/MPLS Transit"
internet;
ISP_A [description = "ISP-A\nCircuit"];
ISP_B [description = "ISP-B\nCircuit"];
MPLS [description = "MPLS\nCircuit"];
}
network Edge_Router_Segment {
address = "VLAN 10,11,12"
color = "#E6E6FA"
description = "Edge Router Aggregation"
ISP_A;
ISP_B;
MPLS;
Edge_Router [description = "Edge Router\n(BGP Peering)"];
}
network FW_Outside {
address = "VLAN 100"
color = "#FFFACD"
description = "Firewall Outside"
Edge_Router;
FW_Primary [description = "Firewall\nPrimary"];
FW_Secondary [description = "Firewall\nSecondary"];
}
network FW_HA_Sync {
address = "VLAN 101"
color = "#F0FFF0"
description = "HA Sync Link"
FW_Primary;
FW_Secondary;
}
network FW_Inside {
address = "VLAN 102"
color = "#E0FFFF"
description = "To Internal Edge"
FW_Primary;
FW_Secondary;
}
}
@enduml
Key design principles:
- Diverse circuits from different providers
- Firewall high-availability pairs
- VLAN boundaries between trust zones
- L3 point-to-point links between router and firewall
Module 2: Internal Edge / DMZ Tier
For medium and large sites, the internal edge provides an aggregation layer for services that require controlled exposure or that act as transition points between security zones.
@startuml Internal Edge Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internet_Edge {
address = "VLAN 102"
color = "#E0FFFF"
description = "From Firewall Inside"
IntEdge_A [description = "Internal Edge\nSwitch A"];
IntEdge_B [description = "Internal Edge\nSwitch B"];
}
network MCLAG_Peer {
address = "Peer-Link"
color = "#DDA0DD"
description = "MCLAG/vPC Peer"
IntEdge_A;
IntEdge_B;
}
network WLC_Mgmt {
address = "VLAN 200 - 10.x.200.0/24"
color = "#FFE4B5"
description = "WLC Management"
IntEdge_A;
IntEdge_B;
WLC [description = "Wireless LAN\nController"];
}
network Proxy_Farm {
address = "VLAN 201 - 10.x.201.0/24"
color = "#FFDAB9"
description = "Proxy Services"
IntEdge_A;
IntEdge_B;
Proxy [description = "Web Proxy\nServers"];
}
network VPN_Services {
address = "VLAN 202 - 10.x.202.0/24"
color = "#E6E6FA"
description = "VPN Termination"
IntEdge_A;
IntEdge_B;
VPN [description = "VPN\nConcentrator"];
}
network Infrastructure {
address = "VLAN 204 - 10.x.204.0/24"
color = "#F0FFF0"
description = "Infrastructure Services"
IntEdge_A;
IntEdge_B;
DNS_DHCP [description = "DNS/DHCP\nServers"];
}
network To_Core {
address = "VLAN 205"
color = "#B0E0E6"
description = "Core Transit"
IntEdge_A;
IntEdge_B;
}
}
@enduml
Services hosted at the Internal Edge:
- Wireless LAN controllers (WLC)
- Web proxies and content filters
- VPN concentrators
- DNS/DHCP infrastructure
- Load balancers
- Jump hosts / bastion servers
Module 3: Core Layer
The core is the high-speed backbone that connects all other modules. It should be optimized for:
- Maximum throughput
- Minimum latency
- High availability
- Simple, fast forwarding
@startuml Core Module
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Internal_Edge {
address = "L3 Routed"
color = "#B0E0E6"
description = "From Internal Edge"
Core_A [description = "Core Switch A\n100G Backbone"];
Core_B [description = "Core Switch B\n100G Backbone"];
}
network Core_Interconnect {
address = "100G+ ISL"
color = "#FFB6C1"
description = "High-Speed Interconnect\nOSPF/IS-IS/BGP"
Core_A;
Core_B;
}
network To_Distribution_1 {
address = "L3 P2P"
color = "#98FB98"
description = "Building A"
Core_A;
Core_B;
Dist_1 [description = "Distribution 1\n(L3 Adjacent)"];
}
network To_Distribution_2 {
address = "L3 P2P"
color = "#DDA0DD"
description = "Building B"
Core_A;
Core_B;
Dist_2 [description = "Distribution 2\n(MCLAG)"];
}
network To_Distribution_3 {
address = "L3 P2P"
color = "#FFDAB9"
description = "Building C"
Core_A;
Core_B;
Dist_3 [description = "Distribution 3\n(MCLAG)"];
}
network To_DC_Border {
address = "L3 Routed"
color = "#87CEEB"
description = "Datacenter"
Core_A;
Core_B;
Border_Leaf [description = "Border Leaf\n(DC Fabric)"];
}
}
@enduml
Key design principles:
- No end-user devices connected
- L3 routing between core switches (no spanning tree)
- Equal-cost multipath (ECMP)
- Fast-converging protocols
Module 4: Distribution Layer
The distribution layer aggregates access switches and enforces policy. This is where network design choices vary most, depending on site requirements.
Distribution Variations
Variation 1: L3 Adjacent (Routed Access)
In this design, the distribution and access layers are L3 adjacent. Each access switch owns its own IP subnets and routes directly to its distribution.
@startuml Distribution Variation 1 - L3 Adjacent
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 ECMP"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(L3 Router)"];
Dist_B [description = "Distribution B\n(L3 Router)"];
}
network Dist_iBGP {
address = "iBGP Peering"
color = "#DDA0DD"
description = "ECMP/iBGP"
Dist_A;
Dist_B;
}
network P2P_Access_1 {
address = "10.x.2.0/30"
color = "#98FB98"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L3 Gateway)"];
}
network P2P_Access_2 {
address = "10.x.2.8/30"
color = "#FFE4B5"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_2 [description = "Access SW-2\n(L3 Gateway)"];
}
network P2P_Access_3 {
address = "10.x.2.16/30"
color = "#FFDAB9"
description = "L3 Point-to-Point"
Dist_A;
Dist_B;
Access_3 [description = "Access SW-3\n(L3 Gateway)"];
}
network User_VLAN_1 {
address = "10.x.32.0/24"
color = "#F0FFF0"
description = "Users - SW1"
Access_1;
Laptop_1 [description = "Laptops"];
Phone_1 [description = "Phones"];
}
network User_VLAN_2 {
address = "10.x.33.0/24"
color = "#FFF0F5"
description = "Users - SW2"
Access_2;
Laptop_2 [description = "Laptops"];
Camera_2 [description = "Cameras"];
}
network User_VLAN_3 {
address = "10.x.34.0/24"
color = "#F5FFFA"
description = "Users - SW3"
Access_3;
Laptop_3 [description = "Workstations"];
Camera_3 [description = "Cameras"];
}
}
@enduml
Example subnet allocation:
| Link | Subnet |
|---|---|
| Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 |
| Dist-A to Access-1 | 10.x.2.0/30 |
| Dist-B to Access-1 | 10.x.2.4/30 |
| Access-1 user VLAN | 10.x.32.0/24 |
| Access-2 user VLAN | 10.x.33.0/24 |
Benefits:
- Failure-domain isolation at each access switch
- Simplified troubleshooting (problems are contained to a subnet)
- No spanning tree between distribution and access
- Summarization possible at the distribution layer
Considerations:
- Requires L3-capable access switches
- DHCP relay configuration on each access switch
- More complex IP addressing
Variation 2: MCLAG with LACP Trunks
This design uses Multi-Chassis Link Aggregation (MCLAG) at the distribution layer, with LACP bundles to access switches that carry VLANs.
Vendor terminology: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behavior is similar across vendors.
@startuml Distribution Variation 2 - MCLAG
skinparam backgroundColor #FEFEFE
nwdiag {
network From_Core {
address = "L3 Routed Uplinks"
color = "#B0E0E6"
description = "From Core Layer"
Dist_A [description = "Distribution A\n(MCLAG Member)"];
Dist_B [description = "Distribution B\n(MCLAG Member)"];
}
network MCLAG_Peer_Link {
address = "Peer-Link"
color = "#FFB6C1"
description = "MCLAG/vPC Peer-Link"
Dist_A;
Dist_B;
}
network LACP_To_Access {
address = "Po1 - LACP Trunk"
color = "#DDA0DD"
description = "VLANs 100,110,120 Trunked"
Dist_A;
Dist_B;
Access_1 [description = "Access SW-1\n(L2 Switch)"];
}
network Data_VLAN {
address = "VLAN 100 - 10.x.32.0/24"
color = "#98FB98"
description = "Data VLAN"
Access_1;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - 10.x.64.0/24"
color = "#FFE4B5"
description = "Voice VLAN"
Access_1;
Phones [description = "IP Phones"];
}
network Security_VLAN {
address = "VLAN 120 - 10.x.96.0/24"
color = "#FFDAB9"
description = "Security VLAN"
Access_1;
Cameras [description = "Cameras\nBadge Readers"];
}
}
@enduml
SVI placement (VRRP VIP on the distribution pair):
- VLAN 100: 10.x.32.1/24
- VLAN 110: 10.x.64.1/24
- VLAN 120: 10.x.96.1/24
VLAN trunk configuration:
| Port-Channel | VLANs | Destination |
|---|---|---|
| Po1 (MCLAG) | 100,110,120 | Access-1 |
| Po2 (MCLAG) | 100,110,120,130 | Access-2 |
| Po3 (MCLAG) | 100,110 | Access-3 |
| Native VLAN | 999 | |
MCLAG benefits:
- Active-active forwarding (both links used)
- Sub-second failover
- Single logical switch from the access perspective
- No spanning-tree blocking
Considerations:
- VLANs span multiple access switches (larger broadcast domains)
- The MCLAG peer-link can become a bottleneck
- STP is still required as a loop-prevention backstop
Variation 3: Border Leaf for Spine/Leaf Datacenter
In datacenter environments, the distribution layer becomes the Border Leaf, connecting the spine/leaf fabric to the rest of the enterprise network.
@startuml Distribution Variation 3 - Border Leaf Datacenter
skinparam backgroundColor #FEFEFE
nwdiag {
network Enterprise_Core {
address = "L3 Routed (eBGP/OSPF)"
color = "#B0E0E6"
description = "From Enterprise Core"
Border_A [description = "Border Leaf A\nVXLAN Gateway"];
Border_B [description = "Border Leaf B\nVXLAN Gateway"];
}
network Border_EVPN {
address = "VXLAN EVPN"
color = "#DDA0DD"
description = "EVPN Type-5 Routes"
Border_A;
Border_B;
Spine_1 [description = "Spine 1"];
Spine_2 [description = "Spine 2"];
}
network Spine_Fabric {
address = "eBGP Underlay"
color = "#FFB6C1"
description = "Spine Layer"
Spine_1;
Spine_2;
}
network Leaf_Tier_1 {
address = "VTEP"
color = "#98FB98"
description = "Compute Rack 1"
Spine_1;
Spine_2;
Leaf_1 [description = "Leaf 1"];
Leaf_2 [description = "Leaf 2"];
}
network Leaf_Tier_2 {
address = "VTEP"
color = "#FFE4B5"
description = "Storage/Services"
Spine_1;
Spine_2;
Leaf_3 [description = "Leaf 3"];
Leaf_4 [description = "Leaf 4"];
}
network Server_Rack_1 {
address = "VNI 10001"
color = "#F0FFF0"
description = "Compute Servers"
Leaf_1;
Leaf_2;
Servers_1 [description = "Rack Servers\nVMs/Containers"];
}
network Storage_Network {
address = "VNI 10002"
color = "#FFDAB9"
description = "Storage Arrays"
Leaf_3;
Storage [description = "SAN/NAS\nStorage"];
}
network Voice_Services {
address = "VNI 10003"
color = "#E6E6FA"
description = "UC Systems"
Leaf_4;
PBX [description = "PBX/UC\nSystems"];
}
}
@enduml
Datacenter fabric details:
| Component | Function |
|---|---|
| Underlay | eBGP (ASN per switch) or OSPF |
| Overlay | VXLAN with EVPN control plane |
| Border Leaf | VXLAN-to-VLAN gateway, external routes, inter-VRF routing |
| Leaf workloads | Compute, storage, voice/UC, infrastructure |
Benefits:
- Massive horizontal scale (add leaf pairs)
- Non-blocking architecture
- Segmentation via VRF/VNI
- Optimal east-west traffic patterns
Considerations:
- Operational complexity of VXLAN/EVPN
- Specialized skills required
- Higher equipment costs
Module 5: Access Layer
The access layer is where end devices connect. Regardless of the distribution topology, access switches provide:
@startuml Access Layer Module
skinparam backgroundColor #FEFEFE
nwdiag {
network Distribution_Uplink {
address = "L3 or LACP Trunk"
color = "#B0E0E6"
description = "Uplinks to Distribution"
Access_SW [description = "48-Port Access Switch\nPoE+ Capable"];
}
network Data_VLAN {
address = "VLAN 100 - Ports 1-8, 25-32"
color = "#98FB98"
description = "Data VLAN"
Access_SW;
Laptops [description = "Laptops\nWorkstations"];
}
network Voice_VLAN {
address = "VLAN 110 - Ports 9-16"
color = "#FFE4B5"
description = "Voice VLAN"
Access_SW;
Phones [description = "IP Phones"];
}
network Camera_VLAN {
address = "VLAN 120 - Ports 17-24"
color = "#FFDAB9"
description = "Security VLAN"
Access_SW;
Cameras [description = "IP Cameras"];
}
network Wireless_VLAN {
address = "VLAN 130 - Ports 33-40"
color = "#DDA0DD"
description = "Wireless AP VLAN"
Access_SW;
APs [description = "Wireless APs"];
}
network Mgmt_VLAN {
address = "VLAN 999 - Ports 41-44"
color = "#F0FFF0"
description = "Management VLAN"
Access_SW;
}
}
@enduml
Access layer security controls:
- 802.1X / MAB authentication
- Dynamic VLAN assignment
- Port security
- DHCP snooping
- Dynamic ARP inspection
- IP Source Guard
Complete Modular Topology
Here is how all the modules connect to form a complete enterprise network:
@startuml Complete Modular Network Topology
skinparam backgroundColor #FEFEFE
title Complete Enterprise Modular Network
nwdiag {
internet [shape = cloud, description = "Internet/WAN"];
network Internet_Edge {
address = "Module 1"
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge Router"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
address = "Module 2"
color = "#E6E6FA"
description = "INTERNAL EDGE / DMZ MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS/DHCP"];
}
network Core {
address = "Module 3"
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Distribution_L3 {
address = "Variation 1"
color = "#98FB98"
description = "DIST - L3 Adjacent\n(Building A)"
Core_A;
Core_B;
Dist_1A [description = "Dist-1A"];
Dist_1B [description = "Dist-1B"];
Access_L3 [description = "Access\n(L3)"];
}
network Distribution_MCLAG {
address = "Variation 2"
color = "#DDA0DD"
description = "DIST - MCLAG\n(Building B)"
Core_A;
Core_B;
Dist_2A [description = "Dist-2A"];
Dist_2B [description = "Dist-2B"];
Access_L2 [description = "Access\n(L2)"];
}
network Datacenter {
address = "Variation 3"
color = "#FFE4B5"
description = "DATACENTER\n(Spine/Leaf)"
Core_A;
Core_B;
Border_Leaf [description = "Border\nLeaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers\nStorage\nPBX"];
}
network Campus_Users {
address = "End Devices"
color = "#F0FFF0"
description = "Campus Users"
Access_L3;
Access_L2;
Users [description = "Laptops\nPhones\nCameras"];
}
}
@enduml
IP Addressing Strategy with VRF Isolation
The Multi-VRF Design Challenge
When networks grow to include multiple security zones, business units, or compliance boundaries, VRF (Virtual Routing and Forwarding) provides routing-table isolation. However, extending VRFs across multiple tiers adds complexity:
- Each L3 hop requires a transit subnet
- Configuration complexity multiplies
- Troubleshooting spans multiple routing tables
- Documentation must track VRF membership at every tier
Subnet Schema Strategy
A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors.
Large Manufacturing Site (10.0.0.0/13)
Site allocation: 10.0.0.0/13 (Manufacturing Site Alpha) - 524,286 usable hosts
@startuml VRF Subnet Schema
skinparam backgroundColor #FEFEFE
title Large Site VRF Allocation Schema (10.0.0.0/13)
nwdiag {
network Corporate_VRF {
address = "VRF: CORPORATE\n10.0.0.0/17"
color = "#98FB98"
description = "Production Users"
Corp_Transit [description = "Transit\n10.0.0.0/23"];
Corp_Users [description = "Users\n10.0.32.0/19"];
Corp_Voice [description = "Voice\n10.0.64.0/19"];
Corp_Wireless [description = "Wireless\n10.0.96.0/19"];
Corp_Server [description = "Servers\n10.0.112.0/20"];
}
network Guest_VRF {
address = "VRF: GUEST\n10.1.0.0/17"
color = "#FFE4B5"
description = "Visitor Network"
Guest_Transit [description = "Transit\n10.1.0.0/23"];
Guest_Users [description = "Users\n10.1.32.0/19"];
}
network Security_VRF {
address = "VRF: SECURITY\n10.2.0.0/17"
color = "#FFDAB9"
description = "Physical Security"
Sec_Transit [description = "Transit\n10.2.0.0/23"];
Sec_Camera [description = "Cameras\n10.2.32.0/19"];
Sec_Badge [description = "Badge Readers\n10.2.64.0/19"];
Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"];
}
network IOT_VRF {
address = "VRF: IOT\n10.3.0.0/17"
color = "#E6E6FA"
description = "Manufacturing OT"
IOT_Transit [description = "Transit\n10.3.0.0/23"];
IOT_PLC [description = "PLCs\n10.3.32.0/19"];
IOT_HMI [description = "HMIs\n10.3.64.0/19"];
IOT_SCADA [description = "SCADA\n10.3.96.0/20"];
}
}
@enduml
Transit segment detail (10.0.0.0/23 - 510 usable IPs):
| Link | Description |
|---|---|
| 10.0.0.0/30 | Firewall Inside → Internal Edge-A |
| 10.0.0.4/30 | Firewall Inside → Internal Edge-B |
| 10.0.0.8/30 | Internal Edge-A → Core-A |
| 10.0.0.12/30 | Internal Edge-A → Core-B |
| 10.0.0.16/30 | Internal Edge-B → Core-A |
| 10.0.0.20/30 | Internal Edge-B → Core-B |
| 10.0.0.24/30 | Core-A → Distribution-A |
| 10.0.0.28/30 | Core-A → Distribution-B |
| 10.0.0.32/30 | Core-B → Distribution-A |
| 10.0.0.36/30 | Core-B → Distribution-B |
| 10.0.0.40/30 | Distribution-A → Access-SW-1 |
| 10.0.0.44/30 | Distribution-B → Access-SW-1 |
| ... | (pattern continues) |
Note: /31 subnets (RFC 3021) can also be used for point-to-point links, conserving address space.
Pattern Recognition Benefits
When subnet patterns are consistent across VRFs:
| What you know | What you can infer |
|---|---|
| Corporate transit link uses 10.0.0.40/30 | Guest equivalent is 10.1.0.40/30 |
| Users on Access-SW-5 are in 10.0.36.0/24 | Security cameras on the same switch are in 10.2.36.0/24 |
| Site Alpha is 10.0.0.0/13 | Site Beta could be 10.8.0.0/13 |
This allows engineers to:
- Predict IP addresses without consulting documentation
- Recognize misconfigured subnets immediately
- Build automation templates that work across VRFs
- Train new staff on the pattern rather than on memorization
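As an added example (not part of the original article), the following Python encodes the transit table and the VRF allocation diagram above so the inferences in the pattern table can be computed and checked rather than remembered: the k-th transit /30, the same position in another VRF, the next site's /13, and a validation that rejects an interface whose address contradicts its claimed VRF. It assumes, as the diagrams imply but the article never states, that site n occupies 10.(8n).0.0/13, that the second octet is 8 × site + VRF index (CORPORATE 0, GUEST 1, SECURITY 2, IOT 3), and that role blocks sit at the third-octet offsets shown in the allocation diagram; all function and variable names are mine.

```python
"""Added example: derive and validate addresses from the large-site VRF schema.

Assumed schema (inferred from the diagrams above, not stated by the article):
  site n     -> 10.(8n).0.0/13
  VRF v of n -> low /17 of 10.(8n + v).0.0  (CORPORATE 0, GUEST 1, SECURITY 2, IOT 3)
  roles      -> third-octet offsets inside that /17, as in the allocation diagram
  transit    -> the k-th /30 of the VRF's /23 transit block
"""
from ipaddress import IPv4Interface, IPv4Network, ip_interface

VRFS = {"CORPORATE": 0, "GUEST": 1, "SECURITY": 2, "IOT": 3}
VRF_BY_INDEX = {v: k for k, v in VRFS.items()}

# (third-octet offset inside the VRF /17, prefix length), per VRF, from the diagram.
ROLES = {
    "CORPORATE": {"transit": (0, 23), "users": (32, 19), "voice": (64, 19),
                  "wireless": (96, 19), "servers": (112, 20)},
    "GUEST": {"transit": (0, 23), "users": (32, 19)},
    "SECURITY": {"transit": (0, 23), "cameras": (32, 19), "badge": (64, 19),
                 "nvr": (96, 20)},
    "IOT": {"transit": (0, 23), "plc": (32, 19), "hmi": (64, 19), "scada": (96, 20)},
}

def site_block(site_index: int) -> IPv4Network:
    """Site 0 (Alpha) is 10.0.0.0/13, site 1 (Beta) 10.8.0.0/13; 10/8 holds 32 sites."""
    if not 0 <= site_index < 32:
        raise ValueError("only 32 /13 sites fit in 10.0.0.0/8")
    return IPv4Network(f"10.{8 * site_index}.0.0/13")

def vrf_block(site_index: int, vrf: str) -> IPv4Network:
    return IPv4Network(f"10.{8 * site_index + VRFS[vrf]}.0.0/17")

def role_block(site_index: int, vrf: str, role: str) -> IPv4Network:
    third, plen = ROLES[vrf][role]
    base = int(vrf_block(site_index, vrf).network_address)
    return IPv4Network((base + third * 256, plen))

def transit_link(site_index: int, vrf: str, k: int) -> IPv4Network:
    """k-th /30 in the VRF's transit /23 (k=10 is Distribution-A -> Access-SW-1)."""
    transit = role_block(site_index, vrf, "transit")
    if k >= transit.num_addresses // 4:
        raise ValueError("a transit /23 holds only 128 /30 links")
    return IPv4Network((int(transit.network_address) + 4 * k, 30))

def equivalent_in_vrf(iface: str, target_vrf: str) -> IPv4Interface:
    """Same site and position, different VRF: 10.0.0.40/30 -> 10.1.0.40/30 in GUEST."""
    src = ip_interface(iface)
    o = list(src.ip.packed)
    o[1] = 8 * (o[1] // 8) + VRFS[target_vrf]   # keep the site bits, swap the VRF index
    return IPv4Interface(f"{'.'.join(map(str, o))}/{src.network.prefixlen}")

def classify(iface: str, claimed_vrf: str) -> tuple[int, str]:
    """Return (site_index, role), or raise if the address contradicts the schema.
    Run over every configured interface, this catches a subnet placed in the wrong VRF."""
    src = ip_interface(iface)
    o = src.ip.packed
    if o[0] != 10:
        raise ValueError(f"{iface}: outside 10.0.0.0/8")
    site_index, vrf_index = divmod(o[1], 8)
    actual = VRF_BY_INDEX.get(vrf_index)
    if actual != claimed_vrf:
        raise ValueError(f"{iface}: second octet {o[1]} means VRF {actual}, not {claimed_vrf}")
    for role in ROLES[claimed_vrf]:
        if src.ip in role_block(site_index, claimed_vrf, role):
            return site_index, role
    raise ValueError(f"{iface}: not inside any {claimed_vrf} role block")

def find_overlaps(vrf: str, site_index: int = 0) -> list[tuple[str, str]]:
    """Role blocks within one VRF must be disjoint; return the pairs that are not."""
    names = list(ROLES[vrf])
    blocks = {r: role_block(site_index, vrf, r) for r in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if blocks[a].overlaps(blocks[b])]

if __name__ == "__main__":
    print(site_block(1))                                  # 10.8.0.0/13
    print(transit_link(0, "SECURITY", 10))                # 10.2.0.40/30
    print(equivalent_in_vrf("10.0.36.0/24", "SECURITY"))  # 10.2.36.0/24
    print(classify("10.2.0.40/30", "SECURITY"))           # (0, 'transit')
    print(find_overlaps("CORPORATE"))                     # [('wireless', 'servers')]
```

Run against the diagram above, find_overlaps("CORPORATE") reports that the Wireless block (10.0.96.0/19) and the Servers block (10.0.112.0/20) overlap; that is the kind of schema inconsistency the text says a consistent pattern lets an engineer spot immediately.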
Site Size Templates
Small Site Template (Branch Office)
@startuml Small Site Template
skinparam backgroundColor #FEFEFE
title Small Site Template (< 50 users)
nwdiag {
internet [shape = cloud];
network WAN {
color = "#FFE4E1"
description = "ISP/MPLS Circuit"
internet;
UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"];
}
network LAN {
address = "10.100.x.0/24"
color = "#98FB98"
description = "Single Subnet"
UTM;
Access [description = "Access Switch\n(or UTM ports)"];
}
network Endpoints {
color = "#F0FFF0"
description = "End Devices"
Access;
AP [description = "WiFi AP"];
Users [description = "Users"];
Phones [description = "Phones"];
}
}
@enduml
Small site design notes:
- Collapsed design: all functions on minimal hardware
- Subnet: /24 or /23 per site
- Example: 10.100.1.0/24 (site 001)
Medium Site Template (Regional Office)
@startuml Medium Site Template
skinparam backgroundColor #FEFEFE
title Medium Site Template (50-500 users)
nwdiag {
internet [shape = cloud];
network WAN_Edge {
color = "#FFE4E1"
description = "Internet Edge"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B/MPLS"];
Edge_RTR [description = "Edge Router"];
}
network Firewall_Tier {
color = "#FFDAB9"
description = "Firewall HA Pair"
Edge_RTR;
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Distribution {
address = "10.50.x.0/21"
color = "#DDA0DD"
description = "MCLAG Distribution\n(Dist/Core Combined)"
FW_A;
FW_B;
Dist_A [description = "Dist-A"];
Dist_B [description = "Dist-B"];
}
network Access_Tier {
color = "#98FB98"
description = "Access Switches (LACP)"
Dist_A;
Dist_B;
Acc1 [description = "Acc1"];
Acc2 [description = "Acc2"];
Acc3 [description = "Acc3"];
Acc4 [description = "Acc4"];
Acc5 [description = "Acc5"];
}
network Users {
color = "#F0FFF0"
description = "End Devices"
Acc1;
Acc2;
Acc3;
Acc4;
Acc5;
Endpoints [description = "Laptops/Phones\nCameras/APs"];
}
}
@enduml
Medium site design notes:
- Partial modularity: distinct edge and access tiers
- Subnet: /21 per site (2,046 IPs)
- Example: 10.50.0.0/21 (Site 050)
Large Site Template (Headquarters/Campus)
@startuml Large Site Template
skinparam backgroundColor #FEFEFE
title Large Site Template (500+ users)
nwdiag {
internet [shape = cloud];
network Internet_Edge {
color = "#FFE4E1"
description = "INTERNET EDGE MODULE"
internet;
ISP_A [description = "ISP-A"];
ISP_B [description = "ISP-B"];
MPLS [description = "MPLS"];
Edge_RTR [description = "Edge-RTR"];
FW_A [description = "FW-A"];
FW_B [description = "FW-B"];
}
network Internal_Edge {
color = "#E6E6FA"
description = "INTERNAL EDGE MODULE"
FW_A;
FW_B;
IntEdge_A [description = "IntEdge-A"];
IntEdge_B [description = "IntEdge-B"];
WLC [description = "WLC"];
Proxy [description = "Proxy"];
VPN [description = "VPN"];
DNS [description = "DNS"];
}
network Core {
color = "#B0E0E6"
description = "CORE MODULE"
IntEdge_A;
IntEdge_B;
Core_A [description = "Core-A"];
Core_B [description = "Core-B"];
}
network Dist_Var1 {
color = "#98FB98"
description = "L3 Adjacent"
Core_A;
Core_B;
Dist_1 [description = "Dist-1"];
Access_1 [description = "Access"];
}
network Dist_Var2 {
color = "#DDA0DD"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_2 [description = "Dist-2"];
Access_2 [description = "Access"];
}
network Dist_Var3 {
color = "#FFE4B5"
description = "MCLAG Trunk"
Core_A;
Core_B;
Dist_3 [description = "Dist-3"];
Access_3 [description = "Access"];
}
network Datacenter {
color = "#87CEEB"
description = "SPINE/LEAF DC"
Core_A;
Core_B;
Border [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
Servers [description = "Servers"];
}
}
@enduml
Large site design notes:
- Full modularity: all tiers physically separated
- Subnet: /13 to /15 per site (based on VRF count)
- Example: 10.0.0.0/13 (HQ) - 524,286 IPs
L3 Segmentation and VRF: Benefits and Complexity
L3 Segmentation with Sub-interfaces
- Security isolation: traffic between VRFs must traverse a firewall or policy device
- Blast radius containment: compromised segments cannot reach other VRFs directly
- Compliance boundaries: PCI, HIPAA, or OT in separate routing domains
- Traffic engineering: different routing policies per VRF
Complexity Tradeoff
When segments must extend across multiple tiers, each L3 boundary adds configuration overhead:
@startuml Multi-VRF Path Through Tiers
skinparam backgroundColor #FEFEFE
title Multi-VRF Traffic Path: Camera to NVR
nwdiag {
network Camera_Segment {
address = "VLAN 120\n10.2.36.0/24"
color = "#FFDAB9"
description = "VRF: SECURITY"
Camera [description = "Camera"];
Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"];
}
network Access_to_Dist {
address = "10.2.0.40/30"
color = "#DDA0DD"
description = "VRF: SECURITY"
Access_SW;
Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"];
}
network Dist_to_Core {
address = "10.2.0.24/30"
color = "#B0E0E6"
description = "VRF: SECURITY"
Distribution;
Core [description = "Core\nSub-int: 10.2.0.8/30"];
}
network Core_to_IntEdge {
address = "10.2.0.8/30"
color = "#E6E6FA"
description = "VRF: SECURITY"
Core;
Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"];
}
network IntEdge_to_FW {
address = "10.2.0.0/30"
color = "#FFE4E1"
description = "VRF: SECURITY"
Internal_Edge;
Firewall [description = "Firewall\nInter-VRF Policy"];
}
network DC_Path {
address = "VXLAN/EVPN"
color = "#87CEEB"
description = "Datacenter Fabric"
Firewall;
Border_Leaf [description = "Border-Leaf"];
Spine [description = "Spine"];
Leaf [description = "Leaf"];
NVR [description = "NVR"];
}
}
@enduml
Configuration overhead:
- 5 sub-interfaces per VRF
- 4 VRFs × 5 sub-interfaces = 20 sub-interfaces per switch
- A routing protocol instance in each VRF
- Firewall or access-control rules for inter-VRF traffic
Mitigation Strategies
- Limit VRF count: create VRFs only for genuine isolation requirements
- Inter-VRF routing: a single firewall policy point vs. distributed enforcement
- Use VXLAN/EVPN: the overlay reduces physical sub-interface sprawl
- Automated provisioning: templates that guarantee consistent configuration
- Document the pattern: once learned, patterns are faster than lookup
Building a Scalable Network Pattern
The goal of modular network design is to create a repeatable pattern that enables:
| Site size | Count | Pattern |
|---|---|---|
| Small | 10,000+ | Collapsed UTM + single switch, /24 per site |
| Medium | 1,000+ | Edge + MCLAG distribution + access, /21 per site |
| Large | 100+ | Fully modular (Edge, Internal Edge, Core, distribution variants, DC fabric), /13-/15 per site |
Key Takeaways
- Modules create boundaries: each module has a defined purpose and interface
- Patterns enable scale: the same design at every site reduces training and errors
- VRF provides isolation: but adds configuration complexity at every tier
- Subnet schemas: predictability reduces cognitive load
- Distribution varies by need: L3 adjacent, MCLAG/LACP, or spine/leaf
- Right-size for the site: do not over-build small sites
By establishing these patterns and applying them consistently, organizations can build networks that scale from a single office to a global enterprise while maintaining operational simplicity and security posture.
Version 2.0 | Published 2026-02 | Updated with PlantUML nwdiag diagrams