Cisco城域接入网络解决方案Ethernet

1、 2 Li Jian Hua 2001 CiscoCisco技术解决方案技术解决方案 CiscoCisco接入产品接入产品 3 Li Jian Hua 2001 商用大楼设计商用大楼设计 个人小区接入设计个人小区接入设计 机场酒店接入设计机场酒店接入设计 4 Li Jian Hua 2001 IP+Optical COCOCOCO POPPOPPOPPOPPOPPOP ZANZAN RegionalRegional CoreCore BANBAN CommercialCommercial BuildingBuilding ResidentialResidential BuildingBuild

2、ingCommercialCommercial BuildingBuilding DATA PathDATA Path DATA PathDATA Path DATA Path&DATA Path& TDM pathTDM path 5 Li Jian Hua 2001 Basement Floor 1 Floor 2 Floor n MUX+数据交换+光耦合 IP+Optical接入环 IP汇接TDM汇接光耦合 实现宽带数据，实现宽带数据，TDMTDM一线通一线通 节省线路投资，充分利用光纤带宽节省线路投资，充分利用光纤带宽 充分发挥充分发挥IP VPNIP VPN的灵活性及的灵活性及TDM

3、TDM 透传特性透传特性 6 Li Jian Hua 2001 Dimensions: 17.25” W x 18.25” D x 3.5” H (2U) Rack Mounting Options: 19” EIA, 23” EIA, ETSI, NEBS Input Power: Option 1: 115/230 VAC, 50/60 Hz, 300 Watts (Dual) Option 2: 48 VDC, 300 Watts (Dual) Uplink Interface: 2 Ports, OC-48 DPT, Duplex LC Fiber (Long reach 40/80k

4、m Post FCS) Option 1: Short reach (2km) Option 2: Intermediate reach (15km) Access Interface: Option 1: 24 Ports, 10/100 Mbps Ethernet, RJ-45 Copper (100m) Option 2: 24 Ports, 100 Mbps Ethernet, MT-RJ Fiber (1000m) 7 Li Jian Hua 2001 VoIPVoIP 1072010720 VoIPVoIP VoIPVoIP OC48 DPTOC48 DPT VoIPVoIP 10

5、72010720 VoIPVoIP VoIPVoIP 高密度商业大楼高密度商业大楼 #1 #1 PoPPoP Cat 5 orCat 5 or FiberFiber FiberFiber Hub, Router or SwitchHub, Router or Switch Floors 25-28Floors 25-28 Floors 1-24Floors 1-24 高密度商业大楼高密度商业大楼 #2 #2 1072010720 8 Li Jian Hua 2001 TDM/Voice TDM/Voice MPLS VPNMPLS VPN IP VPN/IP VPN/Ethernet over

6、 MPLS/UTIEthernet over MPLS/UTI IP Sec IP Sec QoSQoS CDNCDN 9 Li Jian Hua 2001 Routed IP CoreRouted IP CoreCorporate LANCorporate LANBranch OfficeBranch Office LocalLocal AccessAccess Lease Line/Lease Line/ Frame Relay/ATM/Frame Relay/ATM/ DSL accessDSL access POPPOP 基于纯基于纯IPIP核心的核心的MPLS Intranets/E

7、xtranets MPLS Intranets/Extranets MPLS Label Switch PathsMPLS Label Switch PathsCE-PE PeeringCE-PE PeeringPE-CE PeeringPE-CE Peering Edge Label Switch Router Edge Label Switch Router (ELSR)(ELSR) Label Switch Router Label Switch Router (LSR)(LSR) Must have “Provider Edge” Functionality:Must have “Pr

8、ovider Edge” Functionality: BGP v4 w/ BGP v4 w/ MultiprotocolMultiprotocol Ext. Ext. MPLS Edge LSRMPLS Edge LSR LSP Identification via LDPLSP Identification via LDP Initial labeling (2x labels)Initial labeling (2x labels) Core LSR functionality:Core LSR functionality: LDPLDP Label switching along LS

9、PLabel switching along LSP MPLS-aware networkMPLS-aware network 10 Li Jian Hua 2001 GSRGSRGSRGSRGSRGSR EthernetEthernet VLAN A VLAN A EthernetEthernet VLAN A VLAN A RRR TunnelRRR Tunnel Label 1Label 1Label 2Label 2Original Ethernet FrameOriginal Ethernet FrameL2 HeaderL2 Header 7600 OSR7600 OSR7600

10、OSR7600 OSR Tunnel Label VLAN Label 11 Li Jian Hua 2001 可以做到任何流量传输在可以做到任何流量传输在 MPLSMPLS之上之上 draft-martini-l2circuit-trans-draft-martini-l2circuit-trans-mplsmpls-05.txt-05.txt 该功能目前只在该功能目前只在 GE OSM GE OSM 用作上行时支持用作上行时支持 Currently beta, target Q3CY01Currently beta, target Q3CY01 对于那些不愿意由对于那些不愿意由 SP SP

11、提供路由功能的大企业非常有用提供路由功能的大企业非常有用 12 Li Jian Hua 2001 The Cisco 10720 Internet router will initially provide ISO Layer 2 (Datalink) to Layer 2 connectivity across a Layer 3 network. Future developments will provide for L2-L3 interworking and L3-L3 transport. IP NetworkIP Network UTI tunnelled LANUTI tunn

12、elled LAN UTI L2 tunnelUTI L2 tunnel R1 R2 LAN1 LAN2 tu1 tu2 e1 e2 13 Li Jian Hua 2001 interface Loopback0 ip address 8 55 no ip directed-broadcast ! interface Tunnel1 no ip address no ip directed-broadcast load-interval 30 tunnel source Loopback0 tunnel destination - m

13、ust be reachable via IP routing tunnel mode uti raw tunnel key 4294- must match key on tunnel 1 for Cisco10720#2 tunnel uti high-key 42949- must match high-key on tunnel 1 for Cisco10720#2 tunnel uti local-session 1 - must be unique on the local router tunnel uti remote-session 3- must match local s

14、ession on tunnel 1 for Cisco10720#2 ! interface FastEthernet2/1 no ip address no ip directed-broadcast load-interval 30 no keepalive duplex auto speed auto media-type auto ! interface FastEthernet2/1.1 encapsulation dot1Q 2 no ip directed-broadcast uti-tunnel Tunnel1- binding the sub-interface to tu

15、nnel 1 ! interface Loopback0 ip address 55 no ip directed-broadcast ! interface Tunnel1 no ip address no ip directed-broadcast load-interval 30 tunnel source Loopback0 tunnel destination 8 tunnel mode uti raw tunnel key 4294 tunnel uti high-key 42949 tunnel uti local-s

16、ession 3 tunnel uti remote-session 1- must match local session on tunnel 1 for Cisco10720#1 ! interface FastEthernet2/1 no ip address no ip directed-broadcast load-interval 30 no keepalive duplex auto speed auto media-type auto ! interface FastEthernet2/1.1 encapsulation dot1Q 2 no ip directed-broad

17、cast uti-tunnel Tunnel1- binding the sub-interface to tunnel 1 14 Li Jian Hua 2001 MobileMobile WorkersWorkers SP Shared MPLS SP Shared MPLS VPN NetworkVPN Network BranchBranch OfficeOffice IPsecIPsec Tunnel Tunnel IPsecIPsec Tunnel Tunnel PE PE Cisco Cisco VPNVPN 50005000 802.1Q 802.1Q VLANsVLANs P

18、E PE PE PE 通过多自制域通过多自制域 MPLS VPNMPLS VPN技术技术 和将和将 IPSecIPSec 映射到映射到 MPLS VPN, MPLS VPN, VPN VPN 的覆盖面将会跨越世界范围的覆盖面将会跨越世界范围 ! ! 15 Li Jian Hua 2001 Internet VPN POP DSL Cable Central Site Remote Access Client Cisco VPN Clients Microsoft Win 2000 (IPSec) Microsoft Win 9x/NT (PPTP) Enterprise - Central S

19、ite Cisco VPN Concentrator Mobile POP Extranet Consumer-to-Business Telecommuter High performance High performance Scalable and managableScalable and managable Standards-based interoperabilityStandards-based interoperability 基于带宽管理的控制机制基于带宽管理的控制机制 IP IP 等级来划分服务等级的优先级等级来划分服务等级的优先级 CARCAR区分区分 packets,

20、 packets, 设优先级设优先级, , 管理带宽管理带宽 WRED WRED 避免拥塞和实施服务等级避免拥塞和实施服务等级 16 1323_06F8_c1 1998, Cisco Systems, Inc. 17 Li Jian Hua 2001 不同业务或不同用户的数据的分类不同业务或不同用户的数据的分类 ( (CoSCoS/ /ToSToS) ) 接入带宽的控制和管理接入带宽的控制和管理 ( (CAR)CAR) 拥塞控制拥塞控制 ( (WRED)WRED) 队列和带宽管理队列和带宽管理 ( (WFQ)WFQ) 资源预留资源预留 ( (RSVP)RSVP) 流量分析和规划流量分析和规划

21、( (NetFlowNetFlow) ) 流量工程技术流量工程技术 ( (MPLS TE)MPLS TE) 18 Li Jian Hua 2001 数据内容数据内容 Content Engine Content Engine Management Console ATM/FR or DSL Backbone ISP 服务提供商服务提供商 T1 Corporate Branch #2 远程办公远程办公 室室 CDM CDM 服务提供商数据中心服务提供商数据中心 19 Li Jian Hua 2001 VPNSC Policy Manager Cisco works 2000 CIC ACS 20

22、 Li Jian Hua 2001 典型小区网络设计 业务描述 用户管理及控制 21 Li Jian Hua 2001 IP 汇接层汇接层 VOD ServerAAA Server Catalyst switch Internet B1 用户接入层 小区网络核心层 汇接层汇接层 B2 Bn 22 Li Jian Hua 2001 Catalyst 6500/4000Catalyst 6500/4000 Gigabit 光纤 3500堆叠 3500堆叠 3500堆叠3500堆叠 中心路由器中心路由器74007400 - 提供PPPoE/SSG认证、计费 - 提供URT认证、计费 - 设置静态AR

23、P防止IP地址盗用 中心交换机中心交换机Catalyst 6500/4000Catalyst 6500/4000 - 千兆以太网下连区域中心3500 区域中心区域中心Catalyst3548/2950Catalyst3548/2950 - 3500/2950堆叠提供10/100M端口 - 五类线到用户 Cisco 7400Cisco 7400 认证计费中心认证计费中心 内容服务器内容服务器 楼群1 楼群2 楼群3 楼群n 大区中心 23 Li Jian Hua 2001 Catalyst 2900 100M光纤 Catalyst 6500/4000 Cisco 7400 Catalyst 29

24、00Catalyst 2900 认证计费中心/内容 服务器 B1 B2Bn 大区中心 24 Li Jian Hua 2001 PPPoE PPPoE ( (以太网上的以太网上的PPPPPP拨号拨号) ) SSG SSG（服务选择网关）服务选择网关） URTURT（用户注册工具）用户注册工具） BBSBBSMM（宽带社区业务管理器）宽带社区业务管理器） 25 Li Jian Hua 2001 PPPoE L2 L3 MAN PPPoE Acting as an uplink aggregator, Any cheap switch can do the job ! 在在 RFC 2516中定义，

25、中定义， 在二层包头和在二层包头和ppp负荷中间增加负荷中间增加 6 bytes 在被终结前不能跨越第在被终结前不能跨越第3层层 pppoe汇聚设备的端口密度通常都非常低，需要额外的汇聚设备的端口密度通常都非常低，需要额外的 L2 交换机配合使用。交换机配合使用。 PPPoE server PPPoE Client 26 Li Jian Hua 2001 硬件硬件: :RouterRouter支持支持PPPoEPPPoE, ,客户端客户端OSOS无所谓无所谓 优点优点 用户广泛接受用户广泛接受 互操作的标准互操作的标准 习惯的拨号用户操作界面习惯的拨号用户操作界面 缺点缺点 需要客户端软件支持

26、需要客户端软件支持 缺乏足够的带宽用于组播应用，需配置多个汇聚设缺乏足够的带宽用于组播应用，需配置多个汇聚设 备备 27 Li Jian Hua 2001 COCO COCO POPPOP DistributionDistribution POPPOP RegionalRegional CoreCore AccessAccess Large Residential ComplexLarge Residential Complex ResidentialResidential BuildingBuilding ResidentialResidential BuildingBuilding POP

27、POP CAT2900CAT2900CAT3500CAT3500CAT3500CAT3500CAT2900CAT2900 CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500 GSRGSRGSRGSR Building #1Building #1Building #2Building #2 ISP 1ISP 1 ISP 2ISP 2 PPPoEPPPoE Conc.Conc. L2L2 L2 to the coreL2 to the core doesndoesnt scalet scale 中心化的模型中心化的模型

28、不建议采用不建议采用 28 Li Jian Hua 2001 COCO COCO POPPOP DistributionDistribution POPPOP RegionalRegional CoreCore AccessAccess Large Residential ComplexLarge Residential Complex ResidentialResidential BuildingBuilding ResidentialResidential BuildingBuilding POPPOP CAT2900CAT2900CAT3500CAT3500CAT3500CAT3500C

29、AT2900CAT2900 CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500 GSRGSRGSRGSR Building #1Building #1Building #2Building #2 PPPoEPPPoE Conc.Conc. PPPoEPPPoE Conc.Conc. PPPoEPPPoE Conc.Conc. L3L3 L2L2 分布化的模型分布化的模型 建议采用建议采用 29 Li Jian Hua 2001 COCO COCO POPPOP DistributionDistribution POP

30、POP RegionalRegional CoreCore AccessAccess Large Residential ComplexLarge Residential Complex ResidentialResidential BuildingBuilding ResidentialResidential BuildingBuilding POPPOP CAT2900CAT2900CAT3500CAT3500CAT3500CAT3500CAT2900CAT2900 CAT 6500CAT 6500 Building #1Building #1Building #2Building #2

31、InternetInternet GSRGSR PPPoEPPPoE CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500 7400 7400 7400 7400 7400 7400 RoutedRouted BridgedBridged L3L3 L2L2 GSRGSRGSRGSR 30 Li Jian Hua 2001 “SSGSSG服务选择网关是服务选择网关是 Cisco IOS Cisco IOS 功能特性功能特性 ，可以让注册用户根据它的第，可以让注册用户根据它的第2 2层或第三层或第三 层连接性从服务供应商处选择接入不同层连接性从服务供应

32、商处选择接入不同 服务服务 (IP (IP 目的网络目的网络)”)” 社区用户有了更多选择社区用户有了更多选择:ISP1,IPS2,ISP3. An SSG process is the Cisco IOS software component that enables Internet service subscribers to simultaneously and selectively access different service provider networks, and in so doing, access different service providers durin

33、g a single logon session. 31 Li Jian Hua 2001 ISP Extranet PPP Corporation PPP Client When the user wants to select another service, the PPP session must be torn down and re-initiated to the new destination No SSG 32 Li Jian Hua 2001 网上选择网上选择 用户通过用户通过IPIP网络登录网络登录一个门户网站一个门户网站 这个门户网站永远是可访问的这个门户网站永远是可访

34、问的 用户可以选择连接某个服务或退出莫个服用户可以选择连接某个服务或退出莫个服 务务 浏览器浏览器 外部网外部网 ISPISP 公司公司 Cisco 7400Cisco 7400 IPIP IPIP IPIP AAAAAAWeb DashboardWeb Dashboard SSGSSG IP/PPPoEIP/PPPoE Services 33 Li Jian Hua 2001 ISP A Cisco 6400 SSG ISP B 基于基于Web的业务选择的业务选择 & 广告广告 Simultaneous services 采用服务选择指示功能 (SSD) 创建用户和服务的连接 可以并发或顺序

35、的接入多种业务可以并发或顺序的接入多种业务 需要第3层连接:AAA,Cisco SSD,SSG均有固定IP地址 AAA Bridged/PPP/IP Subscriber profile Cisco SSD J2EE web server application 34 Li Jian Hua 2001 1.After establishing a service connection, the subscriber can access the Cisco SSD using a web browser. The Cisco SSD is typically available through

36、 a default network defined in the SSG. 2. When a subscriber opens the Cisco SSD URL, that subscriber is presented with An authentication window, then a service list and service view 3. The subscriber selects services from the service list, the content of which is defined in the subscriber RADIUS use

37、r profile. http:/servername/config 35 Li Jian Hua 2001 SSG SSG 就是不需要客户端的就是不需要客户端的 PPPoE PPPoE SSG SSG 可以是第可以是第2 2层或者第层或者第3 3层层, , PPPoE PPPoE 只可只可 以是第以是第2 2层层 SSG SSG的性能将等同于的性能将等同于PPPoEPPPoE 36 Li Jian Hua 2001 用户移动用户移动, ,所属所属VLANVLAN不变不变 VLAN sales mktg finance Login Name joe bill mary Dynamic VLAN

38、 learning Wiring Closet Policy Table Policy Server 端口端口 “动态的动态的” 检测新用户检测新用户 - MAC 地址地址, 接入交换机的位置接入交换机的位置 边缘交换机和策略服务器沟通边缘交换机和策略服务器沟通 “事件事件”信信 息息 边缘交换机等待策略服务器回答边缘交换机等待策略服务器回答 策略服务器回答策略服务器回答VLAN信息信息 边缘端口配置，动态改变到新边缘端口配置，动态改变到新 VLAN 37 Li Jian Hua 2001 URT Administrative ServerURT Administrative Server A

39、AA Server: RadiusAAA Server: Radius VLAN Policy Server (VPS)VLAN Policy Server (VPS) URT Logon Script: URT Logon Script: URT 2.1, Web-based user login URT Client moduleURT Client module Automatically downloaded by authentication server Automatically downloaded by authentication server Notifies VLAN

40、Policy Server on login/logout Manages DHCP release/renew lease Dynamic switch portsDynamic switch ports Server-to-Switch Communication Dynamic switch ports AAA Server URT Administrative Server(NT,2000) VPS DHCP Server URT Login Script URT Clients CatalystCatalystCatalyst BAN ZAN 38 Li Jian Hua 2001

41、NO 1 VLAN NO 2 VLAN NO 3 VLAN Gary DHCP Lease Si Cisco Edge Switch DHCP Release/Renew Login ACK Set NO 2 VLAN VLAN Policy Server RADIUS Server DHCP Server Login Request Login Response Accounting record RADIUS Request RADIUS Response DHCP Reply 39 Li Jian Hua 2001 NO 1 VLAN NO 2 VLAN NO 3 VLAN Gary S

42、i Cisco Edge Switch DHCP Release/Renew Logout ACK Set NO 1 VLAN VLAN Policy Server RADIUS Server DHCP Server Accounting record RADIUS Request RADIUS Response Logout Response Logout Request 40 Li Jian Hua 2001 COCO COCO POPPOP DistributionDistribution POPPOP RegionalRegional CoreCore AccessAccess Lar

43、ge Residential ComplexLarge Residential Complex ResidentialResidential BuildingBuilding ResidentialResidential BuildingBuilding POPPOP CAT2900CAT2900CAT3500CAT3500CAT3500CAT3500CAT2900CAT2900 CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500CAT 6500 Building #1Building #1Building #2Building #

44、2 L3L3 L2L2 CAT 6500CAT 6500CAT 6500CAT 6500 InternetInternet GSRGSR PolicyPolicy ServerServer PolicyPolicy ServerServer PolicyPolicy ServerServer 41 Li Jian Hua 2001 VPS Server 5,000 ports 每个每个VPSVPS可支持多达可支持多达5,000 5,000 接入端口接入端口 42 Li Jian Hua 2001 URT Administrative Server 500,000+ ports VPS Serv

45、er 5,000 ports VPS Server 5,000 ports VPS Server 5,000 ports 每个每个URTURT管理器可支持管理器可支持100+ VPS 100+ VPS 控制器控制器 43 Li Jian Hua 2001 Catalyst 1912Catalyst 1912 Catalyst 1924Catalyst 1924 Catalyst 1924Catalyst 1924 Catalyst 2200Catalyst 2200 Catalyst 2820Catalyst 2820 Catalyst 2900Catalyst 2900 Catalyst 2

46、908XLCatalyst 2908XL Catalyst 2916M-XLCatalyst 2916M-XL Catalyst 2924CXLCatalyst 2924CXL Catalyst 2924XLCatalyst 2924XL Catalyst 2926Catalyst 2926 Catalyst 2948gCatalyst 2948g Catalyst 4003Catalyst 4003 Catalyst 4006Catalyst 4006 Catalyst 4912gCatalyst 4912g Catalyst 5000Catalyst 5000 Catalyst 5002C

47、atalyst 5002 Catalyst 5500Catalyst 5500 Catalyst 5505Catalyst 5505 Catalyst 5509Catalyst 5509 Catalyst 6006Catalyst 6006 Catalyst 6009Catalyst 6009 Catalyst 6506Catalyst 6506 Catalyst 6509Catalyst 6509 Catalyst 6509SPCatalyst 6509SP Catalyst C2912MfXLCatalyst C2912MfXL Catalyst C2912XLCatalyst C2912

48、XL Catalyst C2924CXLvCatalyst C2924CXLv Catalyst C2924MXLCatalyst C2924MXL Catalyst C2924XLvCatalyst C2924XLv Catalyst C3508GXLCatalyst C3508GXL Catalyst C3512XLCatalyst C3512XL Catalyst C3524XLCatalyst C3524XL Catalyst C3548XLCatalyst C3548XL 44 Li Jian Hua 2001 Prevent security attacks from the in

49、nerPrevent security attacks from the inner Leverages existing NT authentication serverLeverages existing NT authentication server Transparent to end usersTransparent to end users Works on any LAN port ,Works on any LAN port , User mobilityUser mobility partitions user traffic based on user identity

50、partitions user traffic based on user identity Can import discovered switch,VLAN,VTP domain form Can import discovered switch,VLAN,VTP domain form Cisco 2000,if the latter existCisco 2000,if the latter exist 45 Li Jian Hua 2001 基于端口的网络接入控制基于端口的网络接入控制 Currently draft, finial version expect at June 20

51、01Currently draft, finial version expect at June 2001 802-1x-d11.802-1x-d11.pdfpdf 建议建议RadiusRadius做认证服务器做认证服务器 draft-draft-congdoncongdon-radius-8021x-10.txt-radius-8021x-10.txt 宣传为宣传为 “ “AAA agent in edge switch”AAA agent in edge switch” 46 Li Jian Hua 2001 Controlled Path/Port Uncontrolled Path/P

52、ort Supplicant (PC) Authenticator (LAN Switches) Ex:Microsoft Windows XP Authentication (Radius) Server 802.1x Switch port 认证成功之前认证成功之前, ,仅允许仅允许EAPoLEAPoL信息通过信息通过, ,结束后结束后, ,才允许正常流量通过才允许正常流量通过 47 Li Jian Hua 2001 Controlled Path Uncontrolled Path Supplicant (PC) Authenticator (LAN Switches) Authenti

53、cation (Radius) Server EAPOL-Start EAP-Request/Id EAP-Response/Id RADIUS Access-RequestRADIUS Access-Challenge EAP-Request RADIUS Access-Request EAP-Response RADIUS Access-AcceptEAP-Success Data 非控制口是长开的非控制口是长开的, ,仅允许仅允许EAPOLEAPOL信息信息( (认证信息认证信息) )通过通过, ,其它正常的流量不允许通过其它正常的流量不允许通过 控制口是关闭的控制口是关闭的, ,仅当认

54、证成功结束后才打开仅当认证成功结束后才打开, ,允许正常的流量允许通过允许正常的流量允许通过 48 Li Jian Hua 2001 802.1x 802.1x 桌面桌面( (e.g. Windows XP)e.g. Windows XP) 802.1x enabled switch ports (e.g. 802.1x enabled switch ports (e.g. Catalyst 3500s,4000)Catalyst 3500s,4000) 802.1x access and 802.1x access and policy serverspolicy servers (ACS

55、(ACS & & URTURT) ) Optional network discovery and user Optional network discovery and user tracking from CiscoWorks2000tracking from CiscoWorks2000 Server-to-Switch Server-to-Switch Communication Communication DynamicDynamic switchswitch portsports RADIUSRADIUS Cisco WorksCisco Works VLANVLAN Policy

56、Policy ServerServer DHCPDHCP ServerServer BAN ZAN 49 Li Jian Hua 2001 PPPoEPPPoEURTURT 需要客户端软件安装需要客户端软件安装手工安装手工安装否否 L2/L3L2/L3L2L2L2/L3L2/L3 流量通过方式流量通过方式网关方式网关方式直通方式直通方式 计费方式计费方式时长流量服务等级时长流量服务等级时长服务等级时长服务等级 扩展性扩展性有限制有限制很强很强 用户带宽控制用户带宽控制支持单用户支持单用户支持用户群支持用户群 支持组播支持组播否否是是 建网方式集中分布建网方式集中分布均可均可均可均可 对接入层交

57、换机的要求对接入层交换机的要求无无需要交换机支持需要交换机支持 业务等级业务等级/ /选择实现选择实现实现较为复杂实现较为复杂简单简单 50 Li Jian Hua 2001 10Mbps 50Mbps 100Mbps 10M 1000元元/月月 50M 2000元元/月月 100M 3000元元/月月 1000M GE 10Mbps 50Mbps 100Mbps 用户用户C 用户用户A 用户用户B Catalyst 2948G-L3 Catalyst 4000-L3 Catalyst 6500 100M FE 接口接口 实际带宽实际带宽 51 Li Jian Hua 2001 接入端口上的速

58、率限制接入端口上的速率限制 每端口的带宽控制（每端口的带宽控制（Per Port Rate-Limit)Per Port Rate-Limit) 基于基于POPPOP点的速率控制服务点的速率控制服务 基于业务或者用户组带宽控制（基于业务或者用户组带宽控制（CARCAR） 基于基于7200/7400/65007200/7400/6500 52 Li Jian Hua 2001 Server-to-Switch Communication Dynamic switch ports URT Clients VLAN Policy Server 盗用/误用IP地址 VPS将端口设置为Login VLA

59、N 城域网骨干 53 Li Jian Hua 2001 只允许定义的只允许定义的MACMAC地址从特定的端口地址从特定的端口 接入接入 限制从特定的端口接入的限制从特定的端口接入的 MAC MAC地址数量地址数量 54 Li Jian Hua 2001 第第2 2层安全特性层安全特性 Secure Port (Secure Port (安全端口）安全端口） 边缘私有边缘私有 VLAN VLAN 第第3 3层安全特性层安全特性 线速访问控制列表线速访问控制列表ACLACL 静态静态IPIP到到MACMAC的绑定的绑定 55 Li Jian Hua 2001 一个私有虚拟网络：包含三种端口类型：一

60、个私有虚拟网络：包含三种端口类型： 隔离端口隔离端口： 只可以和混合端口通讯只可以和混合端口通讯 混合端口混合端口: : 可以和所有其他端口通讯可以和所有其他端口通讯 公共端口公共端口: : 可以和成员组其他公共端口和所有的混合端可以和成员组其他公共端口和所有的混合端 口通讯口通讯 所有的端口都属于同一所有的端口都属于同一VLAN (IPVLAN (IP子网子网) ) 56 Li Jian Hua 2001 xxxx 57 Li Jian Hua 2001 xxxx local proxy arp 58 Li Jian Hua 2001 静态映射静态映射 IP IP 地址到地址到 MAC MA