With the development of information technology, the requirements placed on office networks are changing too. Our office network must meet three requirements:
1. Set up the company's internal Web server, E-mail server, and office automation server to achieve a paperless office;
2. Sharing of materials, information, and services;
3. Information exchange and e-mail service.
Such an office network brings great convenience, but its security has to be considered as well. To keep the information on the network secure, we have to find a balance between ease of use and security: the network should be as easy to use as possible while still being secure enough.
Security goals for office networks
To meet the needs of the new office and keep its information secure, the office network has three security objectives:
1. All office terminals can access the Web server, E-mail server, and office automation server;
2. Office terminals within a department can share information and print services with each other;
3. Access between departments is controlled, so that only the computers that need to communicate with each other can do so, while all others cannot.
Office networking solution design
I plan to use VLAN and ACL technology to build the office network. A virtual LAN (VLAN) logically divides the network into working groups with relatively independent functions, and routing between the VLANs with access control turns those groups into separate security zones whose mutual access can be restricted. Taking the marketing department and the finance department as examples, the solution topology is shown in Figure 1.
1) Divide the switch into three VLANs: the Web server, E-mail server, and office automation server go into VLAN1, named fuwu; the Planning and Finance Department (finance) into VLAN2, named jicai; and the marketing department into VLAN3, named shichang. Note that VLAN 1 is the default VLAN on Cisco switches: every port belongs to it until it is explicitly reassigned, so any port that is forgotten during configuration ends up in the server VLAN. Check the port assignments with this in mind.
2) The router uses access control lists and routing between the VLAN subinterfaces to control the flow of network data and achieve the security goals, so that VLAN2 and VLAN3 become two separate security zones.
Overall Plan
Taking the Cisco Catalyst 1900 switch and the Cisco 2600 router as examples, the detailed configuration of the solution is described below.
VLAN Planning
(1) VLAN working mode: we use static mode, i.e. the VLAN of each switch port is assigned by configuration rather than learned dynamically.
(2) ISL tagging: ISL (Inter-Switch Link) is Cisco's proprietary protocol for carrying VLAN tags and VLAN traffic over a link between switches, between a switch and a router, or between a switch and a server. By configuring ISL encapsulation on the port that connects directly to the switch, VLANs can be allocated and configured across the whole network. We configure ISL tagging on the router's Fast Ethernet port 0.
(3) VTP (VLAN Trunking Protocol): a protocol for synchronising VLAN configuration information between switches. The VLAN database configured on a VTP server is distributed to all switches in the VTP domain, which reduces manual configuration in large networks. VTP has three modes: server, client, and transparent. Our VTP settings: the VTP domain name is switch, the primary switch is in server mode, and the other two switches are in client mode. Because a VTP client accepts the VLAN database from any server in the same domain that advertises a higher configuration revision number, the domain name must match exactly on all three switches and a VTP password should be set on all of them, so that a stray or rogue switch cannot overwrite the VLAN database.
ACL Planning
The main function of an access control list (ACL) is to filter packets as they pass through a router interface. There are two types: standard access lists, which match on the source address only, and extended access lists, which match on source and destination address, protocol, and ports. We use extended access lists: VLAN1 is assigned extended access list 101, VLAN2 list 102, and VLAN3 list 103. Each list is applied inbound on the router subinterface of its VLAN, so it governs only traffic that leaves the VLAN through the router; hosts in the same VLAN communicate directly through the switch and are not filtered. Every IOS access list ends with an implicit deny, so any traffic that is not explicitly permitted is dropped.
Specific Configuration
Computer Configuration
Each host is given a static IP address and the router subinterface of its VLAN as its gateway:
Web server: 10.168.1.2, gateway 10.168.1.1 (router subinterface for VLAN1).
E-mail server: 10.168.1.3, gateway 10.168.1.1 (router subinterface for VLAN1).
Office automation server: 10.168.1.4, gateway 10.168.1.1 (router subinterface for VLAN1).
Finance department office computer 1: 10.168.2.2, gateway 10.168.2.1 (router subinterface for VLAN2).
Finance department office computer 2: 10.168.2.3, gateway 10.168.2.1 (router subinterface for VLAN2).
Marketing department office computer 1: 10.168.3.2, gateway 10.168.3.1 (router subinterface for VLAN3).
Marketing department office computer 2: 10.168.3.3, gateway 10.168.3.1 (router subinterface for VLAN3).
Configuration of various network devices
(1) Primary switch
Configure VTP (server mode, domain name switch):
vtp server
vtp domain switch
Configure the VLANs (only the server holds the VLAN database; the clients receive it through VTP):
vlan 1 name fuwu
vlan 2 name jicai
vlan 3 name shichang
Port mode (assign each access port statically to its VLAN; repeat on every port):
On each port belonging to VLAN 1:
vlan-membership static 1
On each port belonging to VLAN 2:
vlan-membership static 2
On each port belonging to VLAN 3:
vlan-membership static 3
Configure the trunk on the switch interconnect ports (switch to switch, switch to router). On the Catalyst 1900 only the two Fast Ethernet uplink ports can be trunks:
trunk on
(2) Marketing Department switch
Configure VTP (client mode, same domain name as the server):
vtp client
vtp domain switch
Port mode (assign each access port statically to its VLAN; repeat on every port):
On each port belonging to VLAN 1:
vlan-membership static 1
On each port belonging to VLAN 2:
vlan-membership static 2
On each port belonging to VLAN 3:
vlan-membership static 3
Configure the trunk on the switch interconnect ports (switch to switch, switch to router):
trunk on
(3) Finance Department switch
Configure VTP (client mode; the domain name must be spelled exactly as on the server, otherwise the client never receives the VLAN database):
vtp client
vtp domain switch
Port mode (assign each access port statically to its VLAN; repeat on every port):
On each port belonging to VLAN 1:
vlan-membership static 1
On each port belonging to VLAN 2:
vlan-membership static 2
On each port belonging to VLAN 3:
vlan-membership static 3
Configure the trunk on the switch interconnect ports (switch to switch, switch to router):
trunk on
(4) Router
Configure ISL tagging on Fast Ethernet port 0 (FastEthernet0/0 on the 2600) with one subinterface per VLAN. On IOS the ISL encapsulation must be set on a subinterface before an IP address can be assigned to it, and the physical interface must be enabled.
Router# configure terminal
Router(config)# interface FastEthernet0/0
Router(config-if)# no shutdown
Configure the subinterface for VLAN 1:
Router(config-if)# interface FastEthernet0/0.1
Router(config-subif)# encapsulation isl 1
Router(config-subif)# ip address 10.168.1.1 255.255.255.0
Configure the subinterface for VLAN 2:
Router(config-subif)# interface FastEthernet0/0.2
Router(config-subif)# encapsulation isl 2
Router(config-subif)# ip address 10.168.2.1 255.255.255.0
Configure the subinterface for VLAN 3:
Router(config-subif)# interface FastEthernet0/0.3
Router(config-subif)# encapsulation isl 3
Router(config-subif)# ip address 10.168.3.1 255.255.255.0
Routing (static):
ip route 10.168.1.0 255.255.255.0 FastEthernet0/0.1
ip route 10.168.2.0 255.255.255.0 FastEthernet0/0.2
ip route 10.168.3.0 255.255.255.0 FastEthernet0/0.3
Note: these three static routes can be omitted. The three subnets are directly connected through the subinterfaces, so the router installs them as connected routes as soon as the subinterfaces come up. CDP is a neighbour-discovery protocol and does not populate the routing table.
Configure the access lists. The extended access lists are entered in global configuration mode. The wildcard mask 0.0.0.255 matches the whole 10.168.1.0/24 server subnet, and anything not listed is dropped by the implicit deny at the end of each list, which is what stops the finance and marketing hosts from reaching each other:
Router(config)# access-list 101 permit ip host 10.168.1.2 any
Router(config)# access-list 101 permit ip host 10.168.1.3 any
Router(config)# access-list 101 permit ip host 10.168.1.4 any
Router(config)# access-list 102 permit ip host 10.168.2.2 10.168.1.0 0.0.0.255
Router(config)# access-list 102 permit ip host 10.168.2.3 10.168.1.0 0.0.0.255
Router(config)# access-list 103 permit ip host 10.168.3.2 10.168.1.0 0.0.0.255
Router(config)# access-list 103 permit ip host 10.168.3.3 10.168.1.0 0.0.0.255
Apply each access list inbound on the subinterface of its VLAN, as laid out in the ACL planning, so that it filters traffic as it leaves that VLAN through the router:
Router(config)# interface FastEthernet0/0.1
Router(config-subif)# ip access-group 101 in
Router(config-subif)# interface FastEthernet0/0.2
Router(config-subif)# ip access-group 102 in
Router(config-subif)# interface FastEthernet0/0.3
Router(config-subif)# ip access-group 103 in
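Before committing a filter like this to a production router it is worth checking on paper (or in a script) that it actually delivers the three security objectives. The following Python script is an added example, not part of the original article: it parses the extended access lists from the ACL plan, evaluates them the way IOS does (first match wins, wildcard bits are "don't care", implicit deny at the end), and tests the reachability between the hosts listed in the computer configuration. It assumes lists 102 and 103 are applied inbound on the VLAN2 and VLAN3 subinterfaces in the same way list 101 is applied on the VLAN1 subinterface, and that the wildcard mask is 0.0.0.255; the host addresses and ACL lines are constructed from the article's figures.

```python
import ipaddress
from dataclasses import dataclass

# Extended access lists from the ACL plan (constructed sample input).
# Wildcard 0.0.0.255 covers the whole 10.168.1.0/24 server subnet.
ACL_TEXT = """
access-list 101 permit ip host 10.168.1.2 any
access-list 101 permit ip host 10.168.1.3 any
access-list 101 permit ip host 10.168.1.4 any
access-list 102 permit ip host 10.168.2.2 10.168.1.0 0.0.0.255
access-list 102 permit ip host 10.168.2.3 10.168.1.0 0.0.0.255
access-list 103 permit ip host 10.168.3.2 10.168.1.0 0.0.0.255
access-list 103 permit ip host 10.168.3.3 10.168.1.0 0.0.0.255
"""

# VLAN -> subnet behind its router subinterface, and VLAN -> ACL applied
# inbound on that subinterface (assumption: 102 and 103 are applied like 101).
SUBNETS = {1: ipaddress.ip_network("10.168.1.0/24"),
           2: ipaddress.ip_network("10.168.2.0/24"),
           3: ipaddress.ip_network("10.168.3.0/24")}
INBOUND_ACL = {1: 101, 2: 102, 3: 103}

SERVERS = ["10.168.1.2", "10.168.1.3", "10.168.1.4"]
DEPARTMENTS = {"jicai": ["10.168.2.2", "10.168.2.3"],      # finance, VLAN 2
               "shichang": ["10.168.3.2", "10.168.3.3"]}   # marketing, VLAN 3


@dataclass(frozen=True)
class Entry:
    permit: bool
    src: tuple  # (address as int, wildcard mask as int)
    dst: tuple


def parse_spec(tokens, i):
    """Parse one IOS address specification: any | host A | A WILDCARD."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.ip_address(tokens[i])),
            int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_acls(text):
    """Return {acl_number: [Entry, ...]}, preserving line order (it matters)."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()            # access-list N permit|deny ip SRC DST
        src, i = parse_spec(tok, 4)
        dst, _ = parse_spec(tok, i)
        acls.setdefault(int(tok[1]), []).append(Entry(tok[2] == "permit", src, dst))
    return acls


def spec_matches(spec, addr):
    """A wildcard bit of 1 means 'don't care'; every other bit must be equal."""
    base, wildcard = spec
    return ((int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def acl_permits(entries, src, dst):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for e in entries:
        if spec_matches(e.src, src) and spec_matches(e.dst, dst):
            return e.permit
    return False


def vlan_of(addr):
    return next(v for v, net in SUBNETS.items() if addr in net)


def forwarded(acls, src_ip, dst_ip):
    """Would the router forward a single packet from src_ip to dst_ip?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vlan, dst_vlan = vlan_of(src), vlan_of(dst)
    if src_vlan == dst_vlan:
        return True   # same VLAN: switched directly, the router never sees it
    return acl_permits(acls[INBOUND_ACL[src_vlan]], src, dst)


def session_allowed(acls, client_ip, server_ip):
    """The ACLs are stateless, so a usable connection needs both directions."""
    return forwarded(acls, client_ip, server_ip) and forwarded(acls, server_ip, client_ip)


def check_security_goals(acls):
    """Evaluate the article's three security objectives against the ACLs."""
    terminals = [h for hosts in DEPARTMENTS.values() for h in hosts]
    goal1 = all(session_allowed(acls, t, s) for t in terminals for s in SERVERS)
    goal2 = all(forwarded(acls, a, b) for hosts in DEPARTMENTS.values()
                for a in hosts for b in hosts if a != b)
    cross = [(a, b) for a in DEPARTMENTS["jicai"] for b in DEPARTMENTS["shichang"]]
    goal3 = not any(forwarded(acls, a, b) or forwarded(acls, b, a) for a, b in cross)
    return {"goal1": goal1, "goal2": goal2, "goal3": goal3}


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    for goal, ok in check_security_goals(acls).items():
        print(goal, "OK" if ok else "FAIL")
```

Running the script confirms all three objectives, and it also makes two properties of the plan visible that are easy to miss when reading the lists: a host that is not listed in its department's ACL (say 10.168.2.4) cannot reach the servers at all, because of the implicit deny, and list 101 permits the servers to send to any address, so a server can open connections to every workstation in both departments; the session check in `session_allowed` succeeds from the server side as well. Whether that is acceptable depends on how much the servers are trusted.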