Network Architecture

a) The processing capacity of network devices shall be sufficient for peak business periods;

  1. Interview: have there been any outages caused by device performance problems?
  2. Check the CPU utilization and memory utilization of the main network devices (over a period of time); peak utilization is required not to exceed 70%.
Cisco
show memory
// view memory usage
show cpu
// view CPU utilization
show resource usage all
// view session/connection counts (optional)

HUAWEI/H3C
display memory
// view memory usage
display cpu-usage
// view CPU utilization
display session statistics
// view session/connection counts (optional)

Displays the device's memory statistics.

http://www.h3c.com/cn/d_201206/747196_30005_0.htm#_Toc326217683

<Sysname> display memory
The statistics about memory is measured in KB:
Slot 1:
totl used free shared buffers cached
Mem: 2019300 318600 1700700 0 0 84500
-/+ buffers/cache: 234100 1785200
Swap: 0 0 0

Displays the current CPU utilization statistics.

http://www.h3c.com/cn/d_201009/692184_30005_0.htm#_Toc271212291

<Sysname> display cpu-usage
Uint CPU usage:
14% in last 5 seconds
12% in last 1 minute
8% in last 5 minutes

Displays all session statistics.

http://www.h3c.com/cn/d_201809/1112432_30005_0.htm#_Toc524423106

<Sysname> display session statistics

Current session(s):593951
Current TCP session(s): 0
Half-Open: 0 Half-Close: 0
Current UDP session(s): 593951
Current ICMP session(s): 0
Current RAWIP session(s): 0

Current relation table(s): 50000

Session establishment rate: 184503/s
TCP Session establishment rate: 0/s
UDP Session establishment rate: 184503/s
ICMP Session establishment rate: 0/s
RAWIP Session establishment rate: 0/s

Received TCP: 1538 packet(s) 337567 byte(s)
Received UDP: 86810494849 packet(s) 4340524910260 byte(s)
Received ICMP: 307232 packet(s) 17206268 byte(s)
Received RAWIP: 0 packet(s) 0 byte(s)
Dropped TCP: 0 packet(s) 0 byte(s)
Dropped UDP: 0 packet(s) 0 byte(s)
Dropped ICMP: 0 packet(s) 0 byte(s)
Dropped RAWIP: 0 packet(s) 0 byte(s)
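An added example (not from the page or from H3C) that applies the 70% criterion of item a) to the `display memory` and `display cpu-usage` output quoted above. The samples are constructed after those outputs; the memory figure deliberately uses the `-/+ buffers/cache` line when the device prints it, because the raw `used` column counts reclaimable cache as consumed memory.

```python
import re

# Constructed samples, modelled on the H3C `display memory` and
# `display cpu-usage` output quoted above.
MEM_SAMPLE = """\
The statistics about memory is measured in KB:
Slot 1:
             totl       used       free     shared    buffers     cached
Mem:      2019300     318600    1700700          0          0      84500
-/+ buffers/cache:    234100    1785200
Swap:           0          0          0
"""
CPU_SAMPLE = """\
Unit CPU usage:
      14% in last 5 seconds
      12% in last 1 minute
       8% in last 5 minutes
"""

def memory_utilisation(text):
    """Percent of total memory in use. Prefers the '-/+ buffers/cache' figure
    (memory that is really unavailable); falls back to the raw 'used' column
    when the device does not print that line."""
    mem = re.search(r"^Mem:\s+(\d+)\s+(\d+)", text, re.M)
    if mem is None:
        raise ValueError("no 'Mem:' line in display memory output")
    total, used = int(mem.group(1)), int(mem.group(2))
    adjusted = re.search(r"^-/\+ buffers/cache:\s+(\d+)", text, re.M)
    if adjusted:
        used = int(adjusted.group(1))
    return 100.0 * used / total

def cpu_peak(text):
    """Highest of the 5 s / 1 min / 5 min figures the device reports."""
    return max(int(p) for p in re.findall(r"(\d+)%\s+in last", text))

def check_capacity(mem_text, cpu_text, limit=70.0):
    """Item a) check: both memory and CPU utilisation must stay at or below limit."""
    mem = memory_utilisation(mem_text)
    cpu = cpu_peak(cpu_text)
    return {"memory_pct": mem, "cpu_pct": cpu,
            "compliant": mem <= limit and cpu <= limit}
```

A single snapshot only shows the moment of the check; run it repeatedly across the busy period to get the peak value the criterion asks for.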

b) The bandwidth of each part of the network shall be sufficient for peak business periods;

  1. Interview: what is the link bandwidth (in MB), and has any network bandwidth bottleneck event occurred?
  2. Check the interface traffic on the main network devices; bandwidth utilization is required not to exceed 80%.
Cisco
show interface Ethernet x/x/x (key uplink/downlink port number)
// View the port's operating information and judge its traffic load. Formula: (input + output bit rate) / (1024 × 1024) / 1000 × 100% (for a port with 1000 Mb/s bandwidth), i.e. convert the summed rate to Mb/s and divide by the port bandwidth.

HUAWEI/H3C
display interface brief
// view the status of all interfaces

display interface GigabitEthernet x/x/x (key uplink/downlink port number)
// View the port's traffic information (choose the key egress port) and judge its traffic load.
Formula: (input + output byte rate) / (1024 × 1024) / 125 × 100% (for a port with 1000 Mb/s bandwidth, i.e. 125 MB/s)
■ Peak value of input (peak rate of the interface's input traffic, in bytes/sec)
■ Peak value of output (peak rate of the interface's output traffic, in bytes/sec)
1 MB = 1024 KB = 1024 × 1024 B (bytes); 1 Mbps = 0.125 MB/s

Displays summary information for all interfaces.

http://www.h3c.com/cn/d_201206/747151_30005_0.htm#_Toc326217530

<Sysname> display interface brief
The brief information of interface(s) under route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Main IP Description
Loop1 UP UP(s) -- one
M-GE0/0/0 UP UP 192.168.0.61
NULL0 UP UP(s) --
REG0 DOWN DOWN --
Vlan1 DOWN DOWN --


The brief information of interface(s) under bridge mode:
Link: ADM - administratively down; Stby - standby
Speed or Duplex: (a)/A - auto; H - half; F - full
Type: A - access; T - trunk; H - hybrid
Interface Link Speed Duplex Type PVID Description
BAGG1 DOWN auto A A 1
FGE1/0/49 DOWN 40G F A 50
FGE1/0/51 DOWN 40G F A 52
FGE1/0/52 DOWN 40G F A 53
XGE1/0/1 UP 10G(a) F(a)
XGE1/0/2 DOWN auto A A 3 lanswitch
XGE1/0/3 DOWN auto A A 4
XGE1/0/4 DOWN auto A A 5
XGE1/0/5 DOWN auto A A 6
XGE1/0/6 DOWN auto A A 7
XGE1/0/7 DOWN auto A A 8
XGE1/0/8 DOWN auto A A 9
XGE1/0/9 DOWN auto A A 10

Displays the status information of the device interface GigabitEthernet 1/0/1.

https://support.huawei.com/hedex/pages/EDOC1000154488AZG0822J/07/EDOC1000154488AZG0822J/07/resources/cli/display_interface.html

<sysname> display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP
GigabitEthernet1/0/1 current firewall zone : trust
Description : Interface Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a106-0e5b
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Max-bandwidth : 1000000 kbps
Last physical up time : -
Last physical down time : 2015-05-07 20:33:13
Current system time: 2015-05-11 10:08:18
Top 3 input bit rate: 672688 bits/sec at 2018-01-15 11:11:41
20872 bits/sec at 2018-01-15 11:11:40
17456 bits/sec at 2018-01-14 19:23:00
Top 3 output bit rate: 672000 bits/sec at 2018-01-15 11:11:41
19568 bits/sec at 2018-01-15 11:11:40
9064 bits/sec at 2018-01-14 11:11:53
Top 3 input packet rate: 8008 packets/sec at 2018-01-15 11:11:41
248 packets/sec at 2018-01-15 11:11:40
216 packets/sec at 2018-01-14 11:11:56
Top 3 output packet rate: 8000 packets/sec at 2018-01-15 11:11:41
232 packets/sec at 2018-01-15 11:11:40
80 packets/sec at 2018-01-14 11:11:53
Last 300 seconds input rate 2619 bytes/sec, 16 packets/sec
Last 300 seconds output rate 28627 bytes/sec, 26 packets/sec
Input: 623941 bytes, 5743 packets
Output: 0 bytes, 0 packets
Input:
Unicast: 0 packets, Multicast: 2700 packets
Broadcast: 3043 packets, JumboOctets: 0 packets
CRC: 0 packets, Symbol: 0 packets
Overrun: 0 packets, InRangeLength: 0 packets
LongPacket: 0 packets, Jabber: 0 packets, Alignment: 0 packets
Fragment: 0 packets, Undersized Frame: 0 packets
RxPause: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Broadcast: 0 packets, JumboOctets: 0 packets
Lost: 0 packets, Overflow: 0 packets, Underrun: 0 packets
System: 0 packets, Overrun: 0 packets
TxPause: 0 packets
Unknown Vlan: 0 packets
Input bandwidth utilization : 0%
Output bandwidth utilization : 0%
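An added example (not from the page or from Huawei) that applies item b)'s (input + output) / bandwidth rule to the `display interface` output quoted above. Instead of the 1024-based constants in the formula, it reads the port's own `Max-bandwidth` field (kbps) and converts with decimal units; the samples are constructed, the second one a saturated 100 Mb/s uplink.

```python
import re

# Constructed samples modelled on the Huawei `display interface` output
# quoted above; only the fields this check reads are kept.
SAMPLE_GE = """\
GigabitEthernet1/0/1 current state : UP
Max-bandwidth : 1000000 kbps
Top 3 input bit rate: 672688 bits/sec at 2018-01-15 11:11:41
Top 3 output bit rate: 672000 bits/sec at 2018-01-15 11:11:41
Last 300 seconds input rate 2619 bytes/sec, 16 packets/sec
Last 300 seconds output rate 28627 bytes/sec, 26 packets/sec
"""
# Constructed: a busy 100 Mb/s uplink whose peak breaks the 80% criterion.
BUSY_GE = """\
GigabitEthernet1/0/2 current state : UP
Max-bandwidth : 100000 kbps
Top 3 input bit rate: 60000000 bits/sec at 2018-01-15 11:11:41
Top 3 output bit rate: 25000000 bits/sec at 2018-01-15 11:11:41
Last 300 seconds input rate 6000000 bytes/sec, 5000 packets/sec
Last 300 seconds output rate 4000000 bytes/sec, 4000 packets/sec
"""

def _field(pattern, text):
    m = re.search(pattern, text)
    if m is None:
        raise ValueError("field missing from interface output: " + pattern)
    return int(m.group(1))

def assess_interface(text, threshold=80.0):
    """Item b) check: (input + output) as a percentage of port bandwidth.

    Byte rates are multiplied by 8 and Max-bandwidth (kbps) by 1000 so both
    sides are in bit/s. Returns the 5-minute average and the recorded peak;
    compliance is judged on the peak, the stricter reading of the criterion."""
    bw_bps = _field(r"Max-bandwidth\s*:\s*(\d+)\s*kbps", text) * 1000
    avg_bps = 8 * (_field(r"Last 300 seconds input rate\s+(\d+)\s+bytes/sec", text)
                   + _field(r"Last 300 seconds output rate\s+(\d+)\s+bytes/sec", text))
    peak_bps = (_field(r"Top 3 input bit rate:\s*(\d+)\s+bits/sec", text)
                + _field(r"Top 3 output bit rate:\s*(\d+)\s+bits/sec", text))
    avg_pct = 100.0 * avg_bps / bw_bps
    peak_pct = 100.0 * peak_bps / bw_bps
    return {"average_pct": avg_pct, "peak_pct": peak_pct,
            "compliant": peak_pct <= threshold}
```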

c) Different network zones shall be defined, and addresses shall be allocated to each zone according to the principle of convenient management and control;

  1. Check the configuration of the main network devices: whether different network zones have been reasonably defined according to a definite principle and addresses allocated to them, consistent with the network topology diagram.
Cisco
sh run
// view the device's running configuration; look for the relevant vlan or interface vlan entries.

HUAWEI/H3C
display current-configuration
// view the device's current configuration; look for the relevant vlan or interface vlan entries.
display vlan brief
// show summary information for all VLANs created on the device
display interface Vlan-interface brief
// show information about the VLAN interfaces

brief: displays summary information for the interface. Without this parameter, detailed interface information is displayed.

d) Important network zones shall not be deployed at the network border, and reliable technical isolation measures shall be used between important network zones and other zones;

e) Hardware redundancy shall be provided for lines, key network devices and key computing devices to ensure system availability;

f) Bandwidth shall be allocated according to the importance of business services, with priority given to important services;

Communication Transmission

a) Cryptographic techniques shall be used to ensure the integrity of data during communication;

b) Cryptographic techniques shall be used to ensure the confidentiality of data during communication;

c) Both communicating parties shall be verified or authenticated by cryptographic techniques before communication;

d) Cryptographic operations and key management for important communication processes shall be performed by a hardware cryptographic module;

Trusted Verification

a) The system boot program, system programs, important configuration parameters and communication applications of communication devices may be verified for trustworthiness based on a root of trust; the verification results shall be recorded as audit records and sent to the security management center for dynamic correlation and awareness.