How to build a large PPPoE network across VLANs

 

As we all know, in a large network, there are many unknown factors. ARP, attack packets, viruses, and so on cannot be prevented. PPPoE dialing can solve the problem that ARP spoofing causes access failure, however, the Intranet ARP and other attack packets still exist. If too many attack packets exist in the network, the user's network may still be abnormal. In some networks with high confidentiality requirements, user data security issues still exist.

Generally, to solve such problems in a large network, end users can be isolated into smaller networks by VLAN division, even a computer terminal uses a VLAN to isolate user broadcast packets.

Currently, most of the PPPoE server devices on the market do not support cross-VLAN dialing. Although PPPoE is a good Intranet management solution, it cannot be used in large networks, this is a pity.

To address this situation, blue ocean has launched a PPPoE Server Device for large networks. This allows large networks to be divided into VLAN and PPPoE dial-up management. The specific solution is as follows:

I. Solution topology:

 

Solution description:

I. The main device uses NatShell BRAS-5000 series gateway, this gateway can be used as a firewall, with the usual firewall NAT, attack protection and other functions, and support PPPoE service.

2. Enable VLAN on the LAN interface of NatShell BRAS-5000 gateway, and the LAN interface is connected to the TRUNK interface of the main switch.

3. Enable VLAN support for 802.1Q on the master switch and configure the TRUNK port so that it can communicate with all VLAN interfaces.

4. Enable the PPPoE service of NatShell BRAS-5000 gateway and listen to all VLAN interfaces.

5. user's computer access switch VLAN interface, through PPPoE dial-up Internet access.

 

Features:

I. the whole solution adopts the network-managed switch, NatShell BRAS-5000 gateway also has powerful management function, so the whole network has a high manageability.

2, the adoption of NatShell BRAS-5000 gateway as PPPoE server, as the core equipment, to provide PPPoE service for users in the network, all users in the network are using PPPoE dial-up Internet, completely eliminate ARP spoofing and other issues.

3. assign a PPPoE account to each user in the network for dial-up Internet access. This achieves high manageability for users, not only can different bandwidths be specified for each user, in addition, users can be assigned different IP addresses to flexibly and conveniently make control policies.

4. You can specify the time for each PPPoE user to access the Internet. For example, if the user is not allowed to access the Internet during the working period, the user is allowed to access the Internet during the rest period, or vice versa, the user's access time can be effectively controlled.

5. You can bind a MAC address to each PPPoE user so that the account can leave the computer in use and cannot easily access the Internet on another computer, effectively ensuring the controllability of the network.

 

Summary:

Because PPPoE dialing through VLAN is adopted, not only the advantages of PPPoE can be used, but also the network can be effectively managed through the traditional VLAN, which is an effective method for network management.

This article is from the blog "jianyi want to wet apricot rain"