Case study of Huazhong University Student Dormitory Subnet

Source: Internet
Author: User

The goal of the student dormitory network on the east campus of Huazhong University of Science and Technology is to connect all 10694 information points in 15 new Yunyuan student apartments to the campus network, so that every access point in the dormitories can reach both the campus network and the Internet.
Requirement Analysis
1. The core switch must offer strong processing capability together with good security, reliability, and scalability. It must support a range of mature technologies and allow a smooth upgrade to 10 Gigabit in the future.
2. The access-layer switches must support both MAC-address-based 802.1X and port-based 802.1X to guarantee account uniqueness. They must also support remote Telnet management, MIB-II, and remote control of switch ports, and must cope with a large number of concurrent user authentications in a complex operating environment.
3. The user name, IP address, MAC address, switch port, and switch IP address must be bound together, so that unauthorized users cannot steal a legitimate user's name, password, IP address, or MAC address, and so that billing remains accurate.
4. Unauthorized proxy servers set up by users must be prevented.
5. Standard RADIUS authentication and accounting must be supported so that multiple access devices can be connected. The access devices must support 802.1X authentication, and the accounting system must support billing by duration, by traffic, and by monthly subscription, giving network management a comprehensive, flexible, and customizable billing policy. At the same time, the system must remain stable and easy to manage with more than 30 thousand concurrent users.
6. The network must be highly reliable and easy to manage.
Network Design Principles
A student dormitory network shares the characteristics of a general-purpose network but also has its own particularities. Beyond the reliability, stability, and security that any network requires, planning a dormitory network must also address the controllability, performance, and QoS of every information point. How to reserve room for expansion and protect the investment, so that new applications and growing or changing volumes of information can be accommodated, is likewise a key factor in building a dormitory network.
While giving full consideration to the multi-application nature and ease of management of the dormitory network, the solution described in this article also follows the principles of high performance, guaranteed quality of service for key applications, controllability of every information point, advanced technology, reliability, stability, and security.
Network Solution
In response to these requirements, this solution uses a Gigabit backbone with 10-Gigabit switching to the desktop. The whole network adopts a distributed three-layer switching architecture, giving ultra-high bandwidth together with good scalability and manageability (see the figure below).

Figure: Network topology of the student dormitory on the east campus of Huazhong University of Science and Technology
Core layer: the network core uses the RG-S6806 10G core switch, developed in-house by Ruijie Networks (formerly Start Network).
Aggregation layer: the aggregation layer in each building uses Ruijie STAR-S3550 series layer-3 switches.
Access layer: the access layer uses Ruijie RG-S2126G/2150G Gigabit smart switches, which support 802.1X.
Secure billing: the solution uses the 802.1X-based SAM system together with the access-layer S2126G/S2150G switches to control student access.
Network management: to manage every device on the network, the STAR View network management system is recommended.
Network solution features
High Performance
Gigabit trunk and 10-Gigabit switching to the desktop: the core is a switching platform that supports 10-Gigabit technology; the trunk is Gigabit, and 10-Gigabit switching to the desktop provides high-speed data transmission.
Complex functions implemented in hardware: the core RG-S6806 implements not only layer-3 routing and switching but also ACLs, QoS, policy routing, and other complex functions in hardware, and the aggregation STAR-S3550 likewise performs layer-3 switching, ACLs, and QoS in hardware. In particular, the RG-S6806 uses an intelligent distributed design in which each line card's user interface module independently performs routing, switching, ACLs, QoS, and collection of user information. This distributed processing greatly increases overall processing capability.
Distributed layer-3 switching: introducing layer-3 switching at the aggregation layer relieves the core switch, effectively reduces broadcast traffic, and improves transmission efficiency.
Ultra-high backplane capacity for line-rate forwarding: the core, aggregation, and access switches in this solution all have very high switching capacity and layer-2/layer-3 packet forwarding rates, so all data is forwarded at line rate.
Distributed authentication with authentication traffic separated from service traffic: the 802.1X-based Ruijie security authentication management system lets each access-layer security switch authenticate its own users, and separating authentication messages from the service data stream keeps high-speed transmission free of bottlenecks.
Intelligent
End-to-end QoS: port rate limiting, classification and identification of application flows, and multi-layer switching quality assurance such as guaranteed bandwidth for key business traffic, applied from the access switches through aggregation to the core.
Flow-based intelligent identification: service flows are identified throughout by switch physical port, MAC address, IP address, and TCP/UDP port number.
Flow-based bandwidth control: bandwidth is limited by any combination of switch port, MAC address, IP address, protocol, and application.
High Security
Global network security: a linkage mechanism built on the security control protocol, with RADIUS at its core, supports cooperation between third-party firewalls, IDS, and security switches to secure the whole network.
Accurate authentication and identification beforehand: before a user can use the network, the account is bound to an IP address, MAC address, switch IP address, port, and VLAN, the user's identity is accurately authenticated, and the binding of the account to the switch and access port allows the user to be located precisely.
Real-time handling: when a protected key server or system is maliciously attacked, the IDS detects the source IP address of the attack and, through the S-SCP security control protocol, notifies S-Radius of that address in real time. S-Radius then looks up the attacker in the online user table and forces the attacker offline through SNMP. The whole process is fully automated.
Complete post-event auditing: the log server records full user access records, including source IP address, destination IP address, source port, destination port, source MAC address, destination MAC address, access start time, access end time, and traffic sent and received. Combined with the log management query system, this allows fast and complete audits.
Authentication on entry: a user must authenticate before using the network, ensuring that only valid users who have already applied for an account can use it.
Powerful access control: the connected user account is bound to the IP address, MAC address, switch IP address, port, and VLAN (six elements in total), which is used to achieve account roaming.
High reliability
Link-level redundancy and load balancing: the core RG-S6806 and aggregation STAR-S3550 support not only the traditional 802.1D Spanning Tree Protocol but also the newer 802.1w and 802.1s spanning tree protocols, providing link redundancy and load balancing across two links.
Redundancy of key components: the RG-S6806 provides a redundant management and switching engine, redundant power supplies, and redundancy of other key components, and together with Ruijie's RAPS (Ruijie Automatic Protection System) this gives high system stability and reliability.
Strict testing: the selected equipment has been rigorously tested with Smartbits and other professional instruments to ensure reliability in both the R&D and production stages.
Easy to manage
Three views: a simple, clear device management view, topology status view, and traffic analysis view minimize the network management workload.
Chinese localization: the Chinese-language interface and kernel are particularly well suited to Chinese users.
All-in-one: a single network management service manages the entire network and integrates seamlessly with third-party network management software.
Complete resolution of IP address conflicts and IP address theft: Ruijie S-Radius verifies the IP address attribute during user authentication, which eliminates IP address conflicts. An IP address that does not pass authentication as required is rejected, and a user whose IP address changes after authentication is taken offline immediately. Accounts can be bound to IP addresses, and each user can be assigned a fixed IP address, so that addresses cannot be stolen by others.
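To make the binding and real-time handling described above concrete, here is an added example (not code from the original article or from Ruijie) of a hypothetical online-user table: authentication is accepted only when the account's bound IP, MAC, switch IP, port and VLAN all match; traffic from an authenticated port with a changed IP or MAC takes the user offline; and an IDS alert on a source IP locates the user and issues an offline request. All account names, addresses and port numbers are constructed sample values, and the `kicked` list stands in for the SNMP request that the real system would send.

```python
from collections import namedtuple

# Constructed sample bindings (account -> IP, MAC, switch IP, port, VLAN);
# the values are invented for this example, not taken from the deployment.
BINDINGS = {
    "stu001": ("10.20.1.15", "00:11:22:33:44:55", "10.20.0.2", 7, 201),
    "stu002": ("10.20.1.16", "00:11:22:33:44:66", "10.20.0.2", 8, 201),
}
OnlineUser = namedtuple("OnlineUser", "account ip mac switch_ip port vlan")

class OnlineUserTable:
    """Hypothetical stand-in for the RADIUS server's online-user table."""

    def __init__(self, bindings):
        self.bindings = bindings
        self.online = {}   # ip -> OnlineUser
        self.kicked = []   # (account, switch_ip, port) offline requests issued

    def authenticate(self, account, ip, mac, switch_ip, port, vlan):
        """Accept only if every bound attribute matches and the IP is free."""
        if self.bindings.get(account) != (ip, mac, switch_ip, port, vlan):
            return "reject: binding mismatch"
        holder = self.online.get(ip)
        if holder is not None and holder.account != account:
            return "reject: ip conflict"
        self.online[ip] = OnlineUser(account, ip, mac, switch_ip, port, vlan)
        return "accept"

    def _kick(self, user):
        # Stand-in for the SNMP request that shuts the user's access port.
        del self.online[user.ip]
        self.kicked.append((user.account, user.switch_ip, user.port))

    def observe(self, src_ip, src_mac, switch_ip, port):
        """Take a user offline if traffic on its port no longer matches its IP/MAC."""
        for user in list(self.online.values()):
            if ((user.switch_ip, user.port) == (switch_ip, port)
                    and (user.ip, user.mac) != (src_ip, src_mac)):
                self._kick(user)
                return user.account
        return None

    def ids_alert(self, attacker_ip):
        """IDS reports an attack source IP; locate that user and take it offline."""
        user = self.online.get(attacker_ip)
        if user is None:
            return None
        self._kick(user)
        return user.account
```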
