As the Internet has spread everywhere, more and more units have set up their own local area networks (LANs). Sharing Internet access over the LAN is convenient for employees in their day-to-day work, but it also brings problems such as network virus attacks, stolen IP addresses, and employees casually playing games during working hours. To keep work running in good order, the unit leadership asked the author to manage the unit's LAN strictly, and in particular to control when employees may go online and to prohibit casual Internet access during working hours.
Networking situation
The author's LAN was built at the end of 2005. It connects to the Internet through an RG-WALL 100 hardware firewall, and all ordinary workstations in the LAN connect to the Ruijie S6806 core switch through ordinary layer 2 switches. To make the LAN easier to manage and to contain network storms effectively, the author deliberately divided the LAN into several virtual work subnets on the core switch. This keeps broadcast storms from affecting the whole LAN and ensures that important servers and workstations cannot be accessed arbitrarily by unauthorized users.
Controlling Internet access time
The unit's servers and important workstations are placed in virtual work subnet 1, while the workstations of ordinary staff are placed in virtual work subnet 2. The unit leadership requires that each employee can access the Internet only during the 12:00--14:00 period at noon each day and, in addition, all day on Saturday and Sunday; at all other times Internet access is strictly prohibited.
Following the leadership's requirements, the author tried several methods. The unit previously shared Internet access through a proxy server, where a simple setting on the proxy server was all that was needed. Now, however, the LAN workstations share Internet access over the 10 broadband fiber leased by the unit, and in use the proxy-server method proved unsuitable for the current LAN. In addition, the RG-WALL 100 hardware firewall used by the unit's LAN does not directly support access-time control. With no other leads, the author consulted the operating manual of the S6806 core switch and found that the switch supports time-based control of Internet access: once suitable time control rules are defined on the core switch, they can be applied to virtual work subnet 2, where the ordinary employee workstations are located. Based on this analysis, the author wrote the following Internet access time control rule, named control:
time-range control
 periodic Monday 0:00 to 12:00
 periodic Monday 14:00 to 23:59
 periodic Tuesday 0:00 to 12:00
 periodic Tuesday 14:00 to 23:59
 periodic Wednesday 0:00 to 12:00
 periodic Wednesday 14:00 to 23:59
 periodic Thursday 0:00 to 12:00
 periodic Thursday 14:00 to 23:59
 periodic Friday 0:00 to 12:00
 periodic Friday 14:00 to 23:59
!
Next, the author applies the control rule above to virtual work subnet 2, where the ordinary employee workstations are located (AAA is an arbitrarily chosen name):
ip access-list extended AAA
 permit ip host 10.176.6.18 any
 permit ip host 10.176.6.116 any
 deny ip 10.176.6.0 0.0.0.255 any time-range control
 permit ip any any
!
interface vlan 2
 ip address 10.176.6.1 255.255.255.0
 ip access-group AAA in
!
10.176.6.18 and 10.176.6.116 are two important workstations in virtual work subnet 2, and they can access the network at all times. With the settings above, all ordinary workstations in virtual work subnet 2 can access the network only during the 12:00--14:00 period at noon each day and on Saturday and Sunday; at other times they cannot access the network normally. This achieves the goal of preventing ordinary employees from casually accessing the Internet during working hours.
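To check that the rule order produces the intended policy before applying it, the following added example (not part of the original article and not switch code) models the time-range and ACL AAA in Python and evaluates them first-match for a source address and a point in time. It assumes the end minute of each periodic entry is inclusive and that an entry whose time-range is inactive is skipped.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# time-range "control": (weekday, start, end) with Monday=0 ... Friday=4.
# Assumption: matching is per minute and the end minute is inclusive.
CONTROL = [(day, start, end)
           for day in range(5)
           for start, end in ((time(0, 0), time(12, 0)),
                              (time(14, 0), time(23, 59)))]

# ACL "AAA" in configured order: (action, source network, time-range or None).
ACL_AAA = [
    ("permit", ip_network("10.176.6.18/32"), None),
    ("permit", ip_network("10.176.6.116/32"), None),
    ("deny", ip_network("10.176.6.0/24"), CONTROL),
    ("permit", ip_network("0.0.0.0/0"), None),
]


def in_time_range(entries, when):
    """Return True if `when` falls inside any periodic entry."""
    minute = when.time().replace(second=0, microsecond=0)
    return any(day == when.weekday() and start <= minute <= end
               for day, start, end in entries)


def evaluate(acl, src, when):
    """First-match evaluation of the ACL for source `src` at time `when`.

    An entry bound to a time-range only matches while the range is active;
    if no entry matches, the implicit deny at the end of the list applies.
    """
    addr = ip_address(src)
    for action, network, time_range in acl:
        if addr not in network:
            continue
        if time_range is not None and not in_time_range(time_range, when):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    # Constructed test points; 2024-01-08 is a Monday, 2024-01-13 a Saturday.
    for src, when in [("10.176.6.50", datetime(2024, 1, 8, 9, 30)),
                      ("10.176.6.50", datetime(2024, 1, 8, 13, 0)),
                      ("10.176.6.50", datetime(2024, 1, 13, 10, 0)),
                      ("10.176.6.18", datetime(2024, 1, 8, 9, 30))]:
        print(src, when.strftime("%a %H:%M"), evaluate(ACL_AAA, src, when))
```

The switch evaluates the time-range against its own system clock, so the result on the device matches this model only when the switch's date and time are set correctly.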
Controlling address conflicts
With the control above, all ordinary workstations in virtual work subnet 2 can access the Internet only during the specified periods. In practice, any virtual work subnet always has one or a few workstations that need Internet access to handle important matters, so how can these special workstations go online without being subject to the control rules above? In fact, this was already done in the previous step: with control commands such as permit ip host 10.176.6.18 any, the special workstation with IP address 10.176.6.18 can access the network all day.
However, in a LAN working environment we often run into the problem of an IP address being taken by someone else. If an ordinary workstation in virtual work subnet 2 takes an IP address such as 10.176.6.18, the special workstation will no longer be able to access the network. What measures should we take to control such IP address conflicts effectively? The key question is how to prevent ordinary workstations in virtual work subnet 2 from using an address such as 10.176.6.18, so that only the designated important workstation can use it. After searching for relevant information on the Internet and checking the operating manual of the S6806 core switch, the author found that it is enough to bind the physical address of the designated workstation's network card to the 10.176.6.18 address in the management interface of the S6806 core switch. This can be done with the following steps:
First, on the designated important workstation, click "Start"/"Run", type "cmd" in the Run dialog box that pops up, and click "OK" to open a DOS command-line window on that workstation;
Next, at the DOS command prompt, type "ipconfig /all" and press Enter; the result screen shown in Figure 1 gives the physical address of the workstation's network card as 000B.DBC5.41D4;
Then log in to the management interface of the core switch and execute the command "address-bind 10.176.6.18 000b.dbc5.41d4", followed by the command "arp 10.176.6.18 000b.dbc5.41d4 arpa gigabitEthernet 2/3" to complete the address binding. After this, even if another ordinary workstation in the LAN takes the 10.176.6.18 address, it cannot access the Internet normally, and the stability of the LAN is effectively protected.
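To audit the binding afterwards, the following added example (not part of the original article) compares observed IP/MAC pairs with the bound address and reports any other MAC claiming it, together with the other addresses that MAC was seen on. The observed table is constructed sample data in a simple two-column layout, not the output format of any particular switch command; MAC addresses are normalized so that dashed, colon-separated and dotted notations compare equal.

```python
import re

# Binding from the article: IP address -> MAC of the designated workstation.
BINDINGS = {"10.176.6.18": "000b.dbc5.41d4"}

# Constructed sample of observed "IP MAC" pairs (hypothetical layout),
# mixing the notations used by different tools.
OBSERVED = """\
10.176.6.18   00-0B-DB-C5-41-D4
10.176.6.18   00:11:22:33:44:55
10.176.6.40   0011.2233.4455
10.176.6.116  00-AA-BB-CC-DD-EE
"""


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def find_conflicts(observed_text, bindings):
    """Return (ip, offending_mac, other_ips_of_that_mac) for each bound IP
    that was observed with a MAC different from its binding."""
    bound = {ip: normalize_mac(mac) for ip, mac in bindings.items()}
    pairs = []
    for line in observed_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        try:
            pairs.append((parts[0], normalize_mac(parts[1])))
        except ValueError:
            continue  # second column is not a MAC address
    conflicts = []
    for ip, mac in pairs:
        if ip in bound and mac != bound[ip]:
            # Other addresses used by the same card help locate the machine.
            others = sorted({i for i, m in pairs if m == mac and i != ip})
            conflicts.append((ip, mac, others))
    return conflicts


if __name__ == "__main__":
    for ip, mac, others in find_conflicts(OBSERVED, BINDINGS):
        print(f"{ip} claimed by unbound MAC {mac}; also seen at {others}")
```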