Some time ago, management asked me to re-optimize our organization's network IP resources. It was the first time I had taken on a project like this, and I had to cross the river by feeling for the stones. The final result is not perfect, but I gained some experience and hope it will help colleagues who face similar work. As the saying goes, sharpening the axe does not delay the cutting of firewood: before implementing anything, do the preliminary research and analyze the requirements. After reading the documentation and talking with colleagues in the subordinate units, I learned that the existing network had two problems. First, management was complicated. For various reasons, the technical staff in each unit have little contact with the network equipment, so whenever a change is needed they can only match things up against old records instead of adjusting the switch configuration directly, which indirectly makes their job harder. Second, addressing was messy. Network use had grown far faster than originally planned, so the existing IP subnets and VLANs no longer made sense: some units held a large number of IP addresses with less than 10% in use, while others needed additional subnets because their IP resources had run out. Once the problems were identified, the project goals could be set. First, reduce management complexity for the technical staff; this can be achieved by removing the extra VLANs within each unit. Second, re-divide the IP subnets according to each unit's needs, so that each unit uses at most one class C sized segment (a /24), and reclaim the surplus addresses. Can we start as soon as the goals are set? No. The conflict between the project and the current state of the network, that is, feasibility, must also be considered.
Earlier network planning had focused on security, so a large number of subnets were set up in each unit; this is the status quo behind the first problem. Our company has recently deployed a licensed enterprise edition anti-virus product and a fairly complete desktop management system, together with an increasingly strict network usage policy, which has pushed security concerns into second place (in addition, our organization does not hold an OA license). Little confidential information is transmitted over the network, so the existence of many VLANs matters less. This makes the first objective reasonable. The second goal is harder. All workstations in our organization use static IP addresses, so changing them means asking the technical staff to modify every workstation by hand. Moreover, changing addresses across different segments will certainly leave some workstations unable to reach the network for a while, because of the gateway: if the new gateway is configured on the switch before the workstations are modified, the not-yet-modified workstations lose connectivity; if it is configured afterwards, the already-modified workstations lose connectivity. Furthermore, if IP resources are moved between units, a strict sequence is required, otherwise two units may end up using the same network segment at the same time. After several regular meetings it was finally decided that the IP address adjustment for each unit would be confined to that unit's own range, keeping one VLAN and one subnet, with the work to be completed within a set period. The final goals after adjustment were: 1. Delete each unit's redundant VLANs and keep only one; 2. Remove the multiple subnets, with as little re-addressing as possible, so that each unit keeps only one subnet; 3. Minimize network interruption during implementation.
Finally we reach the technical implementation. Since changing the workstation settings is done by the technical staff of each unit, I was mainly responsible for the switches, and the main problem to solve there is minimizing the duration of network interruption. First consider the current state of the network: (Figure: the current network topology) Each unit has a different VLAN, and each VLAN corresponds to one IP subnet; all workstations in a VLAN use addresses from that subnet, with its mask, and a gateway pointing at the VLAN's SVI. Since the plan is for every unit to keep its original address range as far as possible, only the small number of workstations sitting in other segments actually need a new IP address; the vast majority can simply be regrouped under a 24-bit subnet mask. There are two ways to change the mask and gateway without losing connectivity. 1. Secondary addresses. The network administrator first records the IP address of every SVI on the current core switch. Then the switch is reconfigured: delete the redundant VLANs, shut down each old SVI, and move all ports into the final VLAN. Configure the remaining SVI with the planned gateway IP address and add each previously recorded SVI address to it as a secondary address. When a workstation sends an ARP request for its original gateway address, the new SVI answers with its own MAC address, so the workstation uses the MAC of SVI gateway B as the layer-2 destination of its outbound packets.
After the IP addresses of all workstations have been changed, delete these secondary addresses. Note that the original SVIs must be deleted or shut down before the secondary addresses can be configured on the final SVI; otherwise the switch rejects them with an error that the address already exists. 2. Proxy ARP. This works when two conditions are met: (1) the workstation's current IP address lies within the subnet of the final SVI; (2) the original SVI (gateway A) has layer-3 reachability to the final SVI (gateway B). The procedure: each workstation is configured with the final subnet mask and gateway first, and the network administrator removes the old configuration last. Someone may ask whether a workstation whose mask and gateway differ from those of the SVI of its VLAN can still reach the network. As long as the two conditions above hold, the answer is yes. With condition 1 satisfied, the workstation is configured with the new mask and gateway. When it sends traffic outside its subnet, it compares the destination against its mask, finds that the destination lies outside, and therefore sends the packet to gateway B, which by condition 1 appears to be in the same subnet. Because B looks on-link, the workstation broadcasts an ARP request for it. The original SVI gateway A, with proxy-arp enabled, receives the broadcast and checks whether gateway B is reachable at layer 3; if it is (condition 2), A replies to the workstation with its own MAC address. So the workstation uses the MAC of SVI gateway A as the layer-2 destination of its outbound packets, and A routes them onward. After the IP addresses of all workstations have been changed, delete the old VLANs and SVIs and configure the new VLAN and SVI. Proxy ARP is best left enabled only for the duration of the cut-over and turned off afterwards, because while it is on the gateway will answer ARP for any off-subnet address it can route to, not just for B. Each method has advantages and disadvantages: with the first, some routing protocols do not advertise the secondary addresses configured on an interface; the second has the restrictions described above. In practice, choose the method that fits the situation.
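To make the two cut-over methods concrete, here is a small model of them written for this page; it is an added example, not code from the original post. It simulates the workstation side (is the gateway on-link under the mask the host believes, and who answers its ARP broadcast in its VLAN) and the switch side (an SVI answers for every address configured on it, primary or secondary, and, with proxy-arp on, for any target outside its own subnet that it can reach through another SVI). All VLAN numbers, IP addresses, MAC strings and hostnames are constructed; the core switch is abstracted as a list of SVIs that can route to one another.

```python
"""Added example, not part of the original post: a model of the secondary-address
and proxy-ARP cut-over methods, built on Python's ipaddress module.
Every address, VLAN number, MAC and hostname below is constructed for
illustration; the "core" is abstracted as a list of SVIs that route to each other."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, ip_network
from typing import Dict, List, Optional

FINAL_NET = ip_network("10.1.0.0/24")    # constructed: one /24 per unit after the project
FINAL_VLAN = 10                          # constructed: the VLAN each unit keeps


@dataclass
class Host:
    name: str
    vlan: int
    iface: IPv4Interface                 # IP plus the mask the workstation believes
    gateway: IPv4Address


@dataclass
class Svi:
    vlan: int
    mac: str
    addresses: List[IPv4Interface]       # primary first, then any secondaries
    proxy_arp: bool = False


def svi_arp_reply(svi: Svi, target: IPv4Address, core: List[Svi]) -> Optional[str]:
    """MAC the SVI puts in an ARP reply for `target` heard on its VLAN, or None."""
    # An SVI answers for every address configured on it, secondaries included;
    # this is what keeps unchanged workstations reachable in method 1.
    if any(target == a.ip for a in svi.addresses):
        return svi.mac
    if not svi.proxy_arp:
        return None
    # Proxy ARP: answer with our own MAC only for a target that is NOT inside this
    # interface's own subnets but is reachable through another connected SVI.
    if any(target in a.network for a in svi.addresses):
        return None
    reachable = any(target in a.network
                    for other in core if other is not svi
                    for a in other.addresses)
    return svi.mac if reachable else None


def resolve_gateway(host: Host, core: List[Svi]) -> Optional[str]:
    """Workstation view: if the gateway looks on-link under the host's own mask,
    broadcast an ARP request in the host's VLAN and take the first reply."""
    if host.gateway not in host.iface.network:
        return None                      # off-link gateway: the host cannot even ARP
    for svi in core:
        if svi.vlan != host.vlan:
            continue                     # ARP broadcasts do not cross VLANs
        mac = svi_arp_reply(svi, host.gateway, core)
        if mac:
            return mac
    return None                          # nobody answered: the host is cut off


def needs_new_ip(host: Host) -> bool:
    """Condition 1 of method 2, and the readdressing list for method 1."""
    return host.iface.ip not in FINAL_NET


# Constructed starting point: three VLANs, three SVIs, one workstation in each.
OLD_SVIS = [
    Svi(11, "aa:11", [IPv4Interface("10.1.0.1/26")]),
    Svi(12, "aa:12", [IPv4Interface("10.1.0.65/26")]),
    Svi(13, "aa:13", [IPv4Interface("10.1.1.1/24")]),   # a unit's extra subnet
]
HOSTS = [
    Host("ws-a", 11, IPv4Interface("10.1.0.10/26"), IPv4Address("10.1.0.1")),
    Host("ws-b", 12, IPv4Interface("10.1.0.70/26"), IPv4Address("10.1.0.65")),
    Host("ws-c", 13, IPv4Interface("10.1.1.20/24"), IPv4Address("10.1.1.1")),
]


def method1_secondary(hosts: List[Host]) -> Dict[str, Optional[str]]:
    """Old SVIs shut down, every port moved into the final VLAN, and the recorded
    old gateway IPs kept as secondaries on the final SVI. Hosts are untouched."""
    planned_gw = IPv4Address("10.1.0.1")
    secondaries = [s.addresses[0] for s in OLD_SVIS if s.addresses[0].ip != planned_gw]
    final = Svi(FINAL_VLAN, "bb:10", [IPv4Interface("10.1.0.1/24")] + secondaries)
    moved = [Host(h.name, FINAL_VLAN, h.iface, h.gateway) for h in hosts]
    return {h.name: resolve_gateway(h, [final]) for h in moved}


def method2_proxy_arp(hosts: List[Host], proxy_arp: bool = True) -> Dict[str, Optional[str]]:
    """Every host gets the final mask and gateway B while still in its old VLAN;
    the old SVI A (proxy-arp on) answers for B. A host that violates condition 1
    ends up with an off-link gateway and is cut off, so it must be readdressed first."""
    gateway_b = IPv4Address("10.1.0.254")  # constructed: B's address during the cut-over
    core = [Svi(s.vlan, s.mac, s.addresses, proxy_arp) for s in OLD_SVIS]
    core.append(Svi(FINAL_VLAN, "bb:10", [IPv4Interface(f"{gateway_b}/24")]))
    changed = [Host(h.name, h.vlan, IPv4Interface(f"{h.iface.ip}/24"), gateway_b)
               for h in hosts]
    return {h.name: resolve_gateway(h, core) for h in changed}


if __name__ == "__main__":
    print("readdress first:", [h.name for h in HOSTS if needs_new_ip(h)])
    print("method 1:", method1_secondary(HOSTS))
    print("method 2:", method2_proxy_arp(HOSTS))
    print("method 2, proxy-arp off:", method2_proxy_arp(HOSTS, proxy_arp=False))
```

Running it shows the three outcomes the text argues for: under method 1 every unchanged workstation, even the one in the extra 10.1.1.0/24 segment, resolves the new SVI's MAC through the secondary addresses; under method 2 the hosts that satisfy condition 1 resolve their old gateway A, which proxies for B, while the host outside the final /24 gets no reply at all; and with proxy-arp switched off nobody in the old VLANs can reach B, which is condition 2 failing in practice.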
Final result: (Figure: the final network topology) Conclusion: the whole project took one month, excluding the preliminary research (and it was interrupted by other projects and by my other work), and involved almost 500 workstations in 26 locations. Compared with the colleagues who changed the workstations I had it easy, but I was still overwhelmed. A few lessons I have drawn: 1. Look at network design from a growth perspective, and try not to leave a mess for the people who come after you. 2. I strongly recommend that network administrators use DHCP, which frees up a great deal of time to look at other network optimization problems.
This article is from the "Bitter Gourd" blog; please keep this source when reposting: http://golehuang.blog.51cto.com/7499/357649