Achieving Network Access Control with Static Routing

Source: Internet
Author: User

When a host sends packets to a destination on another network, the packets arrive at a router on one of its interfaces. The router reads the network-layer header to find the destination address, looks that address up in its routing table, and uses the matching entry to decide which interface (and which next hop) the packet should leave on. It then re-encapsulates the packet for the data-link layer of the outgoing link and forwards it.

Every forwarding decision a router makes is therefore a routing decision: it selects the most appropriate outgoing interface for each packet from its routing table. In other words, a router lives and dies by its routing table. If the table is empty or its entries are wrong, the router is little more than a heap of scrap metal.

Depending on how the routing table is populated, routes are classified as static or dynamic.

With dynamic routing, the router updates its routing table automatically through a routing protocol. When a router or link is added to the network or fails, the routers exchange routing updates, and each router recomputes its table according to the rules of the protocol. This clearly makes day-to-day management easier, but it also has a side effect: a dynamic routing protocol advertises every network it learns about, so as long as a physical path exists, every network becomes reachable from every other network. That is exactly what a network administrator who wants to restrict access between networks does not want.

A static route is entered and maintained by hand. Whenever the topology changes, or routers are added or removed, the administrator must update the routing tables manually, or communication will break. Compared with dynamic routing, this is the main cost of static routing: every change to the enterprise network, however small, means manual work on the routers, which can be a heavy workload.

Static routing also has its advantages. It does not require a routing protocol process, so it consumes fewer CPU and memory resources on the router, and it sends no routing updates, so it consumes no bandwidth for them. Dynamic routing, by contrast, needs a protocol such as RIP, which defines how the routing table is built. Running the protocol costs router resources, and the protocol continually exchanges updates and keepalive messages with neighbouring routers to confirm they are still alive, which adds load both to the routers and to the network links.

These advantages, however, are not the main reason for choosing static routing. As enterprise networks have been upgraded, router resources and bandwidth are no longer the bottleneck when building a network. The reason we adopted static routing is a different property: an administrator can use it to control which networks can reach each other.

For example, the author's company is a large group company. The group headquarters and its three subsidiaries share a single network. Management wants the networks of the group and of each subsidiary to be independent of one another, so that they can work side by side without interfering with each other.

There are several ways to meet this requirement. One is to give each subsidiary its own Internet connection. This is wasteful, however: the group already has its own fibre line, and buying separate connections for the subsidiaries that bypass the group's line would cost a great deal extra and would probably be slower than the existing fibre network. So this is not a realistic option.

Another option is an access control list (ACL) on a Cisco router. This requires a router that supports the feature, and the configuration and ongoing maintenance are, in my experience, not very convenient. So although an ACL is a good access control mechanism in principle, in practice few enterprises in my experience use it, because its configuration is still difficult.

In fact, static routing itself can be used to control which networks a router will forward traffic between.

A routing table entry contains the destination network address, the subnet mask, the gateway (next hop), the outgoing interface, and usually a metric. (Deciding whether the source and destination are on the same subnet is the sending host's job: it compares the two addresses under its own mask and either delivers directly or hands the packet to its gateway.) When a packet reaches the router, the router compares the destination address against each entry's network and mask and picks the most specific match. If the destination lies on one of the router's directly connected networks, the packet is delivered on that interface; otherwise it is forwarded to the next hop of the matching route. If no entry matches at all, the router cannot forward the packet and discards it (typically returning an ICMP destination-unreachable message). It is this last behaviour that an administrator can exploit to control access between networks.

In our case the group headquarters plus the three subsidiaries make four subnets, all joined by routers, so hosts in any subnet could in principle reach hosts in any other. Such cross-company communication is not needed, and it complicates network maintenance: if one subnet is hit by malware, its traffic can degrade the performance of the others and the infection can spread to them. Because computers in every subnet can reach every other subnet, it also puts each company's data at risk. In practice the companies operate independently and rarely need to access one another, so there is no reason to allow inter-subnet access. Static routing, as described above, lets us enforce that.

Concretely, the company network has five routers: four edge routers, each serving one subnet, and a fifth router that connects to the Internet. We configure static routes on the four edge routers. On the router serving the group headquarters subnet, for example, the routing table knows its own directly connected subnet and a route towards the fifth router, but no routes to the other three subnets. Packets addressed to those subnets therefore have no usable path, while Internet access continues to work. One caveat a practitioner should keep in mind: if the route towards the fifth router is a default route (0.0.0.0/0), it matches the other subnets' addresses as well, so the edge router will pass those packets on to the fifth router, and if that router knows all four subnets it will forward them. To make the isolation hold, either add explicit discard routes for the sibling subnets on each edge router (on Cisco IOS, `ip route <prefix> <mask> Null0`, which is more specific than the default route and so wins the lookup), or make sure the fifth router itself has no routes between the subnets. Also remember that this is reachability control, not a packet filter: anyone who can change the routing configuration, or who has a second path, is not stopped by it.
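To make the lookup described in the two preceding paragraphs concrete, here is an added example written for this edit (not code from the original article): a small Python simulation that parses Cisco IOS style `ip route` statements and performs the same longest-prefix match an edge router does. The addresses, interface names and the 10.0.0.254 next hop are constructed assumptions, since the article names none. It shows the article's case (no route to the sibling subnets, so the packet is dropped), the caveat that a default route towards the Internet router matches those destinations too, and the fix with Null0 discard routes.

```python
"""Simulate an edge router's longest-prefix-match lookup for the four-subnet
design in the article, using Cisco IOS style 'ip route' statements.
All addresses here are constructed for the example, not from the article."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed addressing (assumption):
#   10.1.0.0/16  group headquarters subnet (this router's LAN)
#   10.2.0.0/16, 10.3.0.0/16, 10.4.0.0/16  the three subsidiaries
#   10.0.0.0/24  transit link to the fifth (Internet) router at 10.0.0.254
CONNECTED: List[Route] = [
    (ipaddress.IPv4Network("10.1.0.0/16"), "GigabitEthernet0/0 (connected)"),
    (ipaddress.IPv4Network("10.0.0.0/24"), "GigabitEthernet0/1 (connected)"),
]

# Config A: only a default route towards the Internet router.
DEFAULT_ONLY = """
ip route 0.0.0.0 0.0.0.0 10.0.0.254
"""

# Config B: the default route plus discard (Null0) routes for the sibling subnets.
WITH_DISCARD = """
ip route 0.0.0.0 0.0.0.0 10.0.0.254
ip route 10.2.0.0 255.255.0.0 Null0
ip route 10.3.0.0 255.255.0.0 Null0
ip route 10.4.0.0 255.255.0.0 Null0
"""


def parse_ios_static_routes(config: str) -> List[Route]:
    """Parse 'ip route <prefix> <mask> <next-hop | interface>' lines.

    Blank lines and unrelated commands are ignored.
    """
    routes: List[Route] = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ip" or parts[1] != "route":
            continue
        # ipaddress accepts a dotted-decimal mask after the slash.
        network = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
        routes.append((network, parts[4]))
    return routes


def build_table(config: str) -> List[Route]:
    """Routing table = directly connected networks + parsed static routes."""
    return CONNECTED + parse_ios_static_routes(config)


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: target of the most specific matching route,
    or None when nothing matches (the router has no path and drops it)."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for network, target in table:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, target)
    return None if best is None else best[1]


def decide(table: List[Route], dst: str) -> str:
    """Forwarding decision for a packet to dst: 'drop' or 'forward via <target>'.

    A Null0 target is a discard route: it matches, but the packet is dropped
    locally instead of being sent to any next hop.
    """
    target = lookup(table, dst)
    if target is None or target.lower() == "null0":
        return "drop"
    return f"forward via {target}"


if __name__ == "__main__":
    destinations = ["10.1.20.7", "10.2.5.10", "10.3.0.1", "203.0.113.10"]
    for name, cfg in (("no static routes", ""),
                      ("default route only", DEFAULT_ONLY),
                      ("default + Null0 for siblings", WITH_DISCARD)):
        table = build_table(cfg)
        print(f"--- {name} ---")
        for dst in destinations:
            print(f"{dst:>14}: {decide(table, dst)}")
```

Running it shows the three situations side by side: with no static routes, a packet for 10.2.5.10 is dropped (the article's case) but so is all Internet traffic; with only the default route, Internet traffic works but the packet for 10.2.5.10 is forwarded to 10.0.0.254 rather than dropped; with the Null0 routes added, the /16 discard routes win the longest-prefix match over the /0 default, so sibling-subnet traffic is dropped locally while Internet traffic still goes to the fifth router.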

Static routing can thus help an administrator tighten access control between networks. Although configuring static routes is more work than running a routing protocol, it is easy to do for an enterprise network with a simple structure. In my experience, even a fairly complex enterprise network rarely has more than five levels of routers, so the static route configuration does not become unmanageable.

One further tip for writing the static routes by hand: before configuring them, temporarily let the router learn its table dynamically, inspect the learned routes (on Cisco IOS, `show ip route`), and mark the entries that are not needed. Then configure the router with static routes for the entries you want to keep and leave out the rest. This way you are less likely to miss a route you actually need, you can deliberately omit every route you do not want, and the learned table serves as a reference that saves a lot of effort during configuration.

Pay attention to the following points when configuring static routing:

1. Prefer switches to routers when expanding. If an enterprise uses static routing for access control, it is best not to add further routers when the network grows after deployment; extend it with switches instead. In other words, keep the number and layout of routers in the enterprise network stable, so that router reconfiguration work stays small.

2. Save the configuration. Static routes entered on the router are stored in the running-config, which is held in memory and lost when the router restarts. Once the static routes are configured and tested, save them to the startup-config (on Cisco IOS, `copy running-config startup-config`). It is also wise to back up the configuration off the device, so that if the router fails, a replacement can be loaded with the same configuration and put into service immediately.

3. Match the policy to the enterprise's security requirements. Different enterprises have different network security needs, and therefore different needs for their static route tables. If an enterprise has only a few dozen computers on a single subnet, or has no particular security requirements, configuring static routes for access control achieves nothing useful. Static routing for access control pays off when security requirements are relatively high, or when the number of hosts is large and the network is split into several subnets. No technology suits every enterprise; choose according to the enterprise's actual situation.
