Five basic principles for purchasing smart switches

Source: Internet
Author: User

Principle 1:

Monitoring and Management of networks and devices

Management is the basis of intelligent switching. A network management system generally covers five functional areas: performance, configuration, fault, accounting, and security. These are its most basic and most commonly used functions. As a user's network grows and the number of network applications increases, real-time monitoring and maintenance of the network's operating condition becomes essential, and the network management system and the intelligent switching equipment must work closely together.

Currently there are two common types of network management system. The first is the general-purpose network management platform, such as HP OpenView: a third-party platform that supports discovery and simple monitoring of any SNMP device. However, because each manufacturer's devices carry a large number of self-developed private MIBs (Management Information Bases), a general platform cannot recognize or manage those devices in detail. Detailed monitoring, management and configuration of such devices therefore requires secondary development. In recent years vendors have updated their devices quickly while cooperating only to a limited extent with third-party platforms, which makes detailed management of multi-vendor networks on a general platform difficult.

The second is the network management platform developed by the equipment manufacturer itself, such as CiscoWorks and Digital China LinkManager. Such a platform can monitor, configure and manage that manufacturer's own devices in detail, and it is practical and inexpensive. The drawback is that it cannot provide unified management of every device on the network, so users often end up running several network management workstations with different systems, each managing one vendor's devices.

As users demand uniform management of devices from different vendors, manufacturers are also considering more open ways of supporting network management, such as publishing their private MIBs and writing those MIBs fully in accordance with the RFCs, so that devices and management systems from different vendors can interoperate.

At present, network management systems are deployed in a much larger proportion of large and medium-sized enterprise networks than before. Therefore, when selecting a switch, it must not only support common network management functions such as topology discovery, traffic monitoring and status monitoring, but also meet higher requirements for remote device configuration, user management, access control and QoS monitoring.

In addition, to save IP addresses and simplify the management hierarchy, vendors use stacking or clustering management technologies that manage multiple devices as one logical device. Users may also want to consider such products.

Principle 2:

Classification and processing of data of different application types

Another important aspect of intelligent switching is the ability to automatically classify the different types of data on the network and apply different forwarding policies to them, so that key applications run smoothly; this is Quality of Service (QoS).

Currently, the common QoS technologies are IntServ/RSVP and DiffServ.

The former uses resource reservation: for each application, a dedicated "end-to-end" channel is reserved across the network so that key applications enjoy dedicated bandwidth. Resource reservation is effectively a virtual leased line. It guarantees the transmission quality of key applications but cannot share bandwidth, so it easily wastes line capacity. It is only suitable for simple topologies, such as point-to-point physical links between routers; it is difficult to implement in complex, large enterprise networks, let alone in a MAN.

Therefore, users are advised to use DiffServ-capable switches to achieve "end-to-end" QoS. To implement DiffServ QoS, every switch on the relevant path in the user's network must support the 802.1p priority function.
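The DiffServ-to-802.1p relationship described above can be made concrete with a small classifier. The following is an added example (not code from the original article or from any switch vendor) that parses an 802.1Q-tagged IPv4 frame, reads the DSCP from the IP header, maps it onto an 802.1p priority code point (PCP) and picks an egress queue. The DSCP values follow RFC 2474/2597/3246; the four-queue PCP_TO_QUEUE table and the sample frame are constructed assumptions, since real switches ship their own defaults.

```python
import struct

# Constructed 4-queue mapping from 802.1p PCP to egress queue (an assumption;
# vendors ship their own defaults).
PCP_TO_QUEUE = {0: 0, 1: 0, 2: 1, 3: 1, 4: 2, 5: 2, 6: 3, 7: 3}


def dscp_to_pcp(dscp: int) -> int:
    """Map an IP DSCP per-hop behaviour onto an 802.1p priority.

    EF (46) -> 5, AFxy -> x, CSx -> x, anything else -> best effort (0)."""
    if dscp == 46:                               # Expedited Forwarding (RFC 3246), voice
        return 5
    cls, low = dscp >> 3, dscp & 0x07
    if low == 0:                                 # Class Selector CS1..CS7 (RFC 2474)
        return cls
    if low in (2, 4, 6) and 1 <= cls <= 4:       # Assured Forwarding AF11..AF43 (RFC 2597)
        return cls
    return 0


def parse_tagged_frame(frame: bytes) -> dict:
    """Decode the 802.1Q tag (PCP/DEI/VID) and, for IPv4 payloads, the DSCP."""
    if len(frame) < 18:
        raise ValueError("frame too short for an 802.1Q header")
    dst, src, tpid, tci, ethertype = struct.unpack("!6s6sHHH", frame[:18])
    if tpid != 0x8100:
        raise ValueError("not an 802.1Q tagged frame")
    info = {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF,
        "ethertype": ethertype, "dscp": None,
    }
    if ethertype == 0x0800 and len(frame) >= 20:
        # IPv4 TOS byte sits right after the 18-byte tagged header; top 6 bits are DSCP
        info["dscp"] = frame[19] >> 2
    return info


def classify(frame: bytes, trust_dscp: bool = True) -> dict:
    """Pick the egress PCP and queue for a frame.

    A DiffServ-trusting port derives the 802.1p priority from the IP DSCP so the
    end-to-end marking survives the layer-2 hop; an untrusting port keeps the
    PCP already in the tag."""
    info = parse_tagged_frame(frame)
    pcp = info["pcp"]
    if trust_dscp and info["dscp"] is not None:
        pcp = dscp_to_pcp(info["dscp"])
    return {"vid": info["vid"], "dscp": info["dscp"], "pcp": pcp, "queue": PCP_TO_QUEUE[pcp]}


def build_frame(vid: int, pcp: int, dscp: int) -> bytes:
    """Constructed sample: minimal tagged IPv4 frame with the given VID, PCP and DSCP."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    eth += struct.pack("!HHH", 0x8100, tci, 0x0800)
    # 20-byte IPv4 header, no options: version/IHL, TOS, total length, rest zero
    ip = bytes([0x45, dscp << 2]) + struct.pack("!H", 20) + b"\x00" * 16
    return eth + ip


if __name__ == "__main__":
    voice = build_frame(vid=10, pcp=0, dscp=46)   # phone marked EF but no PCP set
    print(classify(voice))                         # trusted port: pcp 5, queue 2
    print(classify(voice, trust_dscp=False))       # untrusted port: pcp 0, queue 0
```

The point of the `trust_dscp` switch is the one the article makes: a voice frame marked EF at the endpoint only keeps its priority across the LAN if each switch on the path either trusts the DSCP or honours an 802.1p tag derived from it; one untrusting switch in the middle silently demotes the traffic to best effort.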

Principle 3:

Support for multimedia transmission

Switches support more and more functions and protocols dedicated to multimedia transmission, the most typical being multicast.

The Internet Group Management Protocol (IGMP) has become a basic function required of smart switches. In addition to unicast routing protocols such as RIP and OSPF, layer-3 switches also support multicast routing protocols such as DVMRP, PIM-SM and PIM-DM.

For multicast applications such as video conferencing, each switch propagates group membership information through the network using IGMP, so that every switch knows the members of each group, and the multicast routing protocol then routes multicast packets so that they are delivered smoothly across the network. Among these protocols, DVMRP is the multicast counterpart of RIP and suits small networks, while PIM (Protocol Independent Multicast) comes in Dense Mode (DM) and Sparse Mode (SM). Dense mode mainly suits scenarios with ample bandwidth and concentrated users, such as a company LAN; sparse mode mainly suits scenarios with limited bandwidth and sparsely distributed users, such as a WAN or the Internet.
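How a switch "determines the members of each group" from IGMP is shown by the following added example (not from the original article or any vendor): an IGMPv2 parser with checksum verification and a small snooping table that learns member ports from reports, prunes them on leave, and records router ports from queries. The message layout and type codes are those of RFC 2236; the port numbers and the "fast leave" behaviour are simplifying assumptions (a real switch sends a group-specific query before pruning).

```python
import ipaddress
import struct

# IGMP message types (RFC 2236)
IGMP_QUERY, IGMP_V1_REPORT, IGMP_V2_REPORT, IGMP_LEAVE = 0x11, 0x12, 0x16, 0x17
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never pruned, always flooded


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_igmp(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """Constructed IGMPv2 message (8 bytes) with a valid checksum."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, ipaddress.IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_igmp(data: bytes):
    """Return (type, max_resp, group); reject truncated or corrupted messages."""
    if len(data) < 8:
        raise ValueError("IGMP message too short")
    if inet_checksum(data[:8]) != 0:          # a valid message checksums to zero
        raise ValueError("bad IGMP checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", data[:8])
    return msg_type, max_resp, str(ipaddress.IPv4Address(group))


class IgmpSnoopingTable:
    """Per-switch view of group membership learned from IGMP on each port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.groups = {}            # group address -> set of member ports
        self.router_ports = set()   # ports behind which a querier (router) was heard

    def process(self, port: int, igmp_bytes: bytes) -> str:
        msg_type, _, group = parse_igmp(igmp_bytes)
        if msg_type == IGMP_QUERY:
            self.router_ports.add(port)
        elif msg_type in (IGMP_V1_REPORT, IGMP_V2_REPORT):
            if not ipaddress.IPv4Address(group).is_multicast:
                raise ValueError("report for non-multicast address %s" % group)
            self.groups.setdefault(group, set()).add(port)
        elif msg_type == IGMP_LEAVE:
            # Simplified "fast leave": a real switch first sends a group-specific
            # query and prunes only if no remaining member answers.
            members = self.groups.get(group, set())
            members.discard(port)
            if not members:
                self.groups.pop(group, None)
        else:
            raise ValueError("unknown IGMP type 0x%02x" % msg_type)
        return group

    def forwarding_ports(self, group: str) -> set:
        """Ports a frame for `group` is sent to: members plus router ports.
        Link-local groups (224.0.0.0/24) are flooded to every port."""
        if ipaddress.IPv4Address(group) in LINK_LOCAL:
            return set(self.ports)
        return self.groups.get(group, set()) | self.router_ports


if __name__ == "__main__":
    table = IgmpSnoopingTable(ports=[1, 2, 3, 4])
    table.process(4, build_igmp(IGMP_QUERY, "0.0.0.0", max_resp=100))  # router on port 4
    table.process(1, build_igmp(IGMP_V2_REPORT, "239.1.1.1"))          # viewer on port 1
    print(table.forwarding_ports("239.1.1.1"))                          # {1, 4}
```

Without snooping, a layer-2 switch floods every multicast frame to all ports, which is why the article treats IGMP support as a baseline requirement: the conferencing stream reaches only the ports that asked for it, and a corrupted or non-multicast report is rejected rather than polluting the table.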

Some switches can also be fitted with a voice gateway module, which lets the Ethernet switch provide VoIP directly. However, this still requires separate network cabling and telephone lines at the client side. If a VoIP gateway is used at the client instead, voice and data can be carried over a single network cable. Each solution has its advantages and disadvantages, and the choice must be made according to the actual situation.

Principle 4:

User Classification and Access Control

User classification, permission settings and access control are also important functions of a smart network. As enterprise management becomes more refined, different users should be given different access permissions to different network resources.

Access permissions can be set at the workgroup level or at the user level.

Access control based on VLANs and layer-3 switching is workgroup-level access control. Besides containing broadcasts and improving network performance, VLANs isolate different workgroups so that access between them is easy to control. A layer-3 switch can forward between VLANs, and with an access control list (ACL) the access permissions of devices in different VLANs or with different IP addresses can be set per network service.
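The workgroup-level control described above is easy to picture as an ordered, first-match ACL applied to inter-VLAN traffic on the layer-3 switch. The following is an added example (not from the original article or any vendor's ACL syntax): a small rule evaluator with an implicit deny, plus a constructed policy in which engineering (VLAN 10) may reach only the finance web application over HTTPS, finance (VLAN 20) may reach its own servers, and everyone may reach a shared DNS server. The VLAN numbers, prefixes and hosts are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclRule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # source prefix
    dst: str = "0.0.0.0/0"           # destination prefix
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None = any
    dport: Optional[int] = None      # destination port, or None = any
    src_vlan: Optional[int] = None   # ingress VLAN, or None = any

    def matches(self, pkt: dict) -> bool:
        return (
            ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and (self.proto is None or self.proto == pkt["proto"])
            and (self.dport is None or self.dport == pkt.get("dport"))
            and (self.src_vlan is None or self.src_vlan == pkt["vlan"])
        )


class AccessList:
    """Ordered, first-match ACL with an implicit deny at the end."""

    def __init__(self, rules):
        self.rules = list(rules)

    def evaluate(self, pkt: dict):
        """Return (action, index of the matching rule); index None means implicit deny."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx
        return "deny", None


# Constructed policy: engineering lives in VLAN 10 (10.10.0.0/24), finance in
# VLAN 20 (10.20.0.0/24); finance hosts a web app on 10.20.0.10 and a shared
# DNS server sits at 10.0.0.53. Order matters: the narrow permit precedes the
# broad deny, and the implicit deny catches everything else.
INTER_VLAN_ACL = AccessList([
    AclRule("permit", src_vlan=10, dst="10.20.0.10/32", proto="tcp", dport=443),
    AclRule("deny",   src_vlan=10, dst="10.20.0.0/24"),
    AclRule("permit", src_vlan=20, dst="10.20.0.0/24"),
    AclRule("permit", dst="10.0.0.53/32", proto="udp", dport=53),
])


if __name__ == "__main__":
    pkt = {"vlan": 10, "src": "10.10.0.5", "dst": "10.20.0.11", "proto": "tcp", "dport": 22}
    print(INTER_VLAN_ACL.evaluate(pkt))   # ('deny', 1): engineering may not SSH into finance
```

Returning the index of the matching rule is deliberate: when a user reports "I cannot reach X", the first thing an operator wants to know is which line of the ACL is responsible, and an implicit-deny hit (index `None`) is the usual sign that a permit was simply never written.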

For smart-community broadband access, each user is placed in an individual VLAN, which also provides user-level authentication and access control. However, this method only suits fixed-access users and cannot support billing.

Currently, in broadband access networks and enterprise networks, the AAA (authentication, authorization and accounting) technologies used in telecom operator networks, such as traditional RADIUS and PPPoE and the emerging 802.1x user authentication, are being integrated into smart switches, which work with an authentication server to implement user-based authentication and access control.

In enterprise networks, user authentication, access control and service authentication are usually performed when users access particular network service resources, rather than as access authentication on the user's access port. Access control lists or a RADIUS authentication server are therefore commonly used to set different access permissions for the relevant application resources and to authenticate and authorize users.

In broadband access networks, user authentication is needed to control the connection state of the port. Access authentication is generally implemented with "PPPoE + RADIUS" or "802.1x + RADIUS".

PPPoE is a mature authentication method. It encapsulates PPP within Ethernet frames and so provides point-to-point connections over connectionless Ethernet. PPPoE resembles traditional dial-up access: the user initiates a PPP connection request with dialing software, the request passes through an Ethernet switch or DSL device and terminates on the access gateway at the centralized control and management layer, and the access gateway terminates the PPP connection and works with RADIUS for user management and policy control.
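Both access designs in this section end at a RADIUS exchange between the switch or access gateway (the NAS) and the authentication server, and the security of that hop rests on the shared secret. The following is an added example (not from the original article or any RADIUS implementation) that builds an Access-Request with the User-Password hiding of RFC 2865 §5.2, builds the server's reply, and shows the check the NAS must perform before opening a port: the Response Authenticator must bind the reply to the outstanding request's random authenticator and to the shared secret, so a forged, replayed or re-labelled reply is rejected. The secret, usernames and the fixed test nonce are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """Type/Length/Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 §5.2: XOR each 16-byte chunk with MD5(secret + previous chunk),
    the first chunk being keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out, prev = out + chunk, chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes = b"") -> bytes:
    return struct.pack("!BBH16s", code, ident, 20 + len(attrs), authenticator) + attrs


def parse_header(packet: bytes):
    """(code, identifier, length, authenticator) of a RADIUS packet."""
    return struct.unpack("!BBH16s", packet[:20])


def access_request(ident, username, password, secret, request_auth=None):
    """NAS side: the Request Authenticator is a fresh random nonce per request."""
    ra = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
    return build_packet(ACCESS_REQUEST, ident, ra, attrs), ra


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 §3."""
    hdr = struct.pack("!BBH16s", code, ident, 20 + len(attrs), request_auth)
    return hashlib.md5(hdr + attrs + secret).digest()


def build_response(code, ident, request_auth, secret, attrs=b"") -> bytes:
    """Server side: Access-Accept/Reject bound to the request it answers."""
    return build_packet(code, ident, response_authenticator(code, ident, attrs, request_auth, secret), attrs)


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """NAS side: open the port only if the reply's authenticator matches what the
    server could compute from *our* request nonce and the shared secret. The caller
    looks up request_auth by the reply's identifier; an unknown identifier has no
    nonce and so can never verify."""
    if len(packet) < 20:
        return False
    code, ident, length, resp_auth = parse_header(packet)
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, resp_auth)
```

Because the code byte is part of the hash, an attacker on the path between switch and server cannot turn an Access-Reject into an Access-Accept without the secret, and because the request nonce is part of it, a captured Accept cannot be replayed against a later request. The MD5-based constructions are what the standard specifies; they are a reason to keep RADIUS traffic on a protected management network rather than a strength of the protocol.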

802.1x originated from the EAPOL protocol of 802.11 and is a recent Ethernet authentication technology. It is an IEEE standard for port-based access control.

802.1x controls user access by keeping the user's access port disabled before authentication and enabling it afterwards. Port-based network access control authenticates and controls access devices at the physical port level of LAN devices: a device connected to a physical port can access LAN resources only if it passes authentication; if it fails, it cannot access LAN resources, which is equivalent to being physically disconnected. When authentication succeeds, the remote authentication server can push user-specific information such as VLAN, CAR (committed access rate) parameters, priority and a user access control list, and the user's traffic is then policed according to these parameters.

802.1x requires the access switch to support the EAPOL protocol, or at least to pass EAPOL messages through, which most existing network devices do not. Although more and more vendors are starting to offer smart switches that support 802.1x, the protocol's adoption is limited to some extent because the standard is not yet mature and vendors' implementations differ.
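The port behaviour described in the preceding paragraphs (closed except for EAPOL before authentication, open with a server-assigned VLAN afterwards, closed again on logoff) is shown by the following added example, which is not code from the original article or from any switch's 802.1X implementation. It encodes EAPOL and EAP headers, drives one authenticator port through Start, Response/Identity, Success or Failure, and Logoff, and filters ingress by ethertype. The authentication server is a stub dictionary standing in for RADIUS, and the real EAP method exchange (EAP-TLS, PEAP and so on) is collapsed to the Identity round; both are simplifying assumptions.

```python
import struct

EAPOL_ETHERTYPE = 0x888E
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2                 # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """EAPOL header: protocol version (2), packet type, body length."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def eap(code: int, ident: int, etype: int = None, data: bytes = b"") -> bytes:
    """EAP packet: code, identifier, length, optional type + data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eap(body: bytes):
    """(code, identifier, type+data) of an EAP packet; rejects truncated ones."""
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length > len(body) or length < 4:
        raise ValueError("truncated EAP packet")
    return code, ident, body[4:length]


class AuthenticatorPort:
    """One switch port acting as 802.1X authenticator (simplified model)."""

    def __init__(self, name: str, auth_server):
        self.name = name
        self.auth_server = auth_server    # callable(identity) -> {"vlan": n} or None
        self.state = "UNAUTHORIZED"
        self.vlan = None
        self.ident = 0                    # EAP identifier of the last request sent
        self.pending = False              # a request is outstanding
        self.sent = []                    # frames the port emitted (for inspection)

    def forwards(self, ethertype: int) -> bool:
        """Ingress filter: only EAPOL passes while the port is unauthorized."""
        return self.state == "AUTHORIZED" or ethertype == EAPOL_ETHERTYPE

    def receive_eapol(self, frame: bytes) -> str:
        _version, ptype, length = struct.unpack("!BBH", frame[:4])
        body = frame[4:4 + length]
        if ptype == EAPOL_START:
            self.ident = (self.ident + 1) & 0xFF
            self.pending = True
            self.sent.append(eapol(EAPOL_EAP, eap(EAP_REQUEST, self.ident, EAP_TYPE_IDENTITY)))
        elif ptype == EAPOL_LOGOFF:
            self.state, self.vlan = "UNAUTHORIZED", None
        elif ptype == EAPOL_EAP:
            code, ident, data = parse_eap(body)
            # Ignore stray, replayed or out-of-order responses: only the reply to the
            # outstanding request, carrying its identifier, is relayed to the server.
            if (not self.pending or code != EAP_RESPONSE or ident != self.ident
                    or not data or data[0] != EAP_TYPE_IDENTITY):
                return self.state
            self.pending = False
            result = self.auth_server(data[1:])
            if result is None:
                self.state, self.vlan = "UNAUTHORIZED", None
                self.sent.append(eapol(EAPOL_EAP, eap(EAP_FAILURE, ident)))
            else:
                self.state, self.vlan = "AUTHORIZED", result["vlan"]   # server-assigned VLAN
                self.sent.append(eapol(EAPOL_EAP, eap(EAP_SUCCESS, ident)))
        return self.state


# Constructed stand-in for the RADIUS server: identity -> attributes to apply.
USERS = {b"alice": {"vlan": 10}, b"bob": {"vlan": 20}}


def demo_auth_server(identity: bytes):
    return USERS.get(identity)


if __name__ == "__main__":
    port = AuthenticatorPort("Gi0/1", demo_auth_server)
    port.receive_eapol(eapol(EAPOL_START))
    port.receive_eapol(eapol(EAPOL_EAP, eap(EAP_RESPONSE, port.ident, EAP_TYPE_IDENTITY, b"alice")))
    print(port.state, port.vlan, port.forwards(0x0800))   # AUTHORIZED 10 True
```

The identifier and "pending" checks are the part worth copying: a port that accepted any EAP-Success-shaped frame, or any response regardless of identifier, could be opened by a device that never spoke to the server. In the model above the authenticator, not the supplicant, decides when the port opens, and only on the server's answer to its own question.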

Principle 5:

Prevent Network Attacks

To ensure that a DoS attack on the core switch does not paralyze the whole network, some vendors build the anti-attack technology of firewalls and IDS systems into the core routing switch to make it more stable and robust. This is particularly useful against attacks from inside the network and improves system security. However, this technology is rarely used in edge switches.
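One concrete form of the protection described above is control-plane policing: traffic punted to the switch CPU (ARP, ICMP, routing-protocol and management packets) is rate-limited per source and in aggregate, so that one flooding host inside the network cannot starve the processor that runs everything else. The following is an added example (not from the original article or any vendor's implementation) with a token-bucket policer, a per-source drop counter that feeds an alert list, and a constructed sample in which one host blasts 100 packets at the CPU in 100 ms while a legitimate host sends three. All rates, thresholds and addresses are assumptions.

```python
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: `rate` tokens/s refilled continuously, at most `burst` stored."""

    def __init__(self, rate: float, burst: float):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ControlPlanePolicer:
    """Rate-limits packets destined for the switch CPU.

    A per-source bucket keeps a single flooding host from starving everyone
    else; an aggregate bucket caps the total the CPU will ever see."""

    def __init__(self, per_src_rate=10, per_src_burst=5, total_rate=100, total_burst=50, alert_after=20):
        self.per_src = defaultdict(lambda: TokenBucket(per_src_rate, per_src_burst))
        self.total = TokenBucket(total_rate, total_burst)
        self.alert_after = alert_after
        self.drops = defaultdict(int)
        self.accepted = 0

    def admit(self, now: float, src: str) -> bool:
        """True if the packet may reach the CPU; the per-source check runs first so a
        flooder's drops never consume the aggregate budget of well-behaved hosts."""
        if not self.per_src[src].allow(now) or not self.total.allow(now):
            self.drops[src] += 1
            return False
        self.accepted += 1
        return True

    def offenders(self):
        """Sources that crossed the drop threshold: candidates for a syslog/SNMP alert."""
        return sorted(s for s, n in self.drops.items() if n >= self.alert_after)


def run(policer: ControlPlanePolicer, packets):
    """packets: iterable of (timestamp_seconds, source_ip); returns a summary dict."""
    for ts, src in packets:
        policer.admit(ts, src)
    return {"accepted": policer.accepted, "dropped": dict(policer.drops), "offenders": policer.offenders()}


# Constructed sample: 10.0.0.5 sends three packets over one second while
# 10.0.0.99 sends 100 packets to the CPU within 100 ms.
SAMPLE = sorted(
    [(0.10, "10.0.0.5"), (0.50, "10.0.0.5"), (0.90, "10.0.0.5")]
    + [(i / 1000, "10.0.0.99") for i in range(100)]
)


if __name__ == "__main__":
    print(run(ControlPlanePolicer(), SAMPLE))
    # {'accepted': 8, 'dropped': {'10.0.0.99': 95}, 'offenders': ['10.0.0.99']}
```

With a 10 packet/s rate and a burst of 5, the flooding host gets exactly its burst through and the remaining 95 packets are dropped, while the legitimate host's three packets are all admitted; the drop counter names the source so the event can be logged rather than silently absorbed. This is the "attacks from inside the network" case the article singles out, and the same policer does nothing for edge switches that lack it.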
