How to build a secure office network

Source: Internet
Author: User
Tags: mail, switches

With the development of information technology, the requirements placed on an office network are also changing. My company's office network has to meet requirements in three areas: 1. set up the company's internal Web server, e-mail server and office automation (OA) server to achieve a paperless office; 2. share information and services between users; 3. exchange information and provide a mail service.

This kind of office network brings great convenience, but its security also has to be considered. To protect the information on the network we have to find a balance between ease of use and security: given sufficient security, achieve the maximum ease of use.

Security objectives to be achieved by the office network

For the office network to meet the needs of the new way of working and to ensure information security, it mainly has to achieve three security goals: 1. every office terminal can access the Web server, e-mail server and office automation server; 2. the office terminals within each department share information and print services; 3. exchange between departments is controlled, so that only the computers that need to exchange data can do so and the rest cannot.

Design of office networking scheme

I am going to use VLAN and ACL technology to build the office network. A virtual LAN (VLAN) divides the network logically into working groups with relatively independent functions; if access control lists (ACLs) and routing between the VLANs are combined, these independent working groups become separate security zones with limited mutual access. Taking the marketing department and the accounting department as an example, the topology of the scheme is shown in Figure 1.

1. On the switch, divide three VLANs: the Web server, e-mail server and office automation server are placed in VLAN1, named Fuwu; the accounting (finance) department is VLAN2, named Jicai; the marketing department is VLAN3, named Shichang.

2. The router uses access control lists and routing between the VLANs to control the flow of network data and achieve the security objectives of the office network, so that VLAN2 and VLAN3 become two separate security zones.

Overall planning of the programme

Now, taking a Cisco Catalyst 1900 switch and a Cisco 2600 router as an example, the detailed configuration of the scheme is written out below.

Planning for VLANs

(1) The working mode of the VLAN:

We use static mode to specify VLANs for switch ports.

(2) ISL Tags:

ISL (Inter-Switch Link) is a protocol used between switches, between switches and routers, and between switches and servers to carry information and data streams for multiple VLANs. When ISL encapsulation is configured on the ports that connect the switches directly, the VLAN allocation and configuration of the whole network can span switches. We configure the ISL tag on the router's Fast Ethernet port 0.

(3) VTP (VLAN Trunking Protocol): a protocol for synchronizing and passing VLAN configuration information between switches. A configuration made on a VTP server is passed to all switches in the network, so VTP supports larger networks by reducing manual configuration. VTP has three modes: server, client and transparent. Our VTP settings: the VTP domain name is switch, the main switch is in server mode, and the other two switches are in client mode.

Planning for ACLs

The main function of an access control list (ACL) is to restrict the packets passing through a router port. There are two kinds: standard (basic) access lists and extended access lists.

We use extended access lists: VLAN1 is assigned extended access list number 101, VLAN2 extended access list number 102, and VLAN3 extended access list number 103.

Specific configuration

The configuration of the computer

Web server: IP address 10.168.1.2, gateway (the router port corresponding to VLAN1) IP address 10.168.1.1.

E-mail server: IP address 10.168.1.3, gateway (the router port corresponding to VLAN1) IP address 10.168.1.1.

Office automation server: IP address 10.168.1.4, gateway (the router port corresponding to VLAN1) IP address 10.168.1.1.

Accounting department office computer 1: IP address 10.168.2.2, gateway (the router port corresponding to VLAN2) IP address 10.168.2.1.

Accounting department office computer 2: IP address 10.168.2.3, gateway (the router port corresponding to VLAN2) IP address 10.168.2.1.

Marketing department office computer 1: IP address 10.168.3.2, gateway (the router port corresponding to VLAN3) IP address 10.168.3.1.

Marketing department office computer 2: IP address 10.168.3.3, gateway (the router port corresponding to VLAN3) IP address 10.168.3.1.

Configuration of each network device

(1) Main switch:

Configure VTP

vtp server
vtp domain switch

Configure VLANs

vlan 1 name Fuwu
vlan 2 name Jicai
vlan 3 name Shichang

Port mode (specifies the VLAN to which the port belongs; entered under each access port)

Port of VLAN 1:
vlan-membership static 1

Port of VLAN 2:
vlan-membership static 2

Port of VLAN 3:
vlan-membership static 3

Configure trunk on the switch interconnect ports (switch to switch, and switch to router)

trunk on

(2) Marketing department switch

Configure VTP

vtp client
vtp domain switch

Port mode (specifies the VLAN to which the port belongs; entered under each access port)

Port of VLAN 1:
vlan-membership static 1

Port of VLAN 2:
vlan-membership static 2

Port of VLAN 3:
vlan-membership static 3

Configure trunk on the switch interconnect ports (switch to switch, and switch to router)

trunk on

(3) Accounting department switch

Configure VTP

vtp client
vtp domain switch

(The VTP domain name is case-sensitive and must be exactly the same "switch" as on the server, otherwise the client will not receive the VLAN configuration.)

Port mode (specifies the VLAN to which the port belongs; entered under each access port)

Port of VLAN 1:
vlan-membership static 1

Port of VLAN 2:
vlan-membership static 2

Port of VLAN 3:
vlan-membership static 3

Configure trunk on the switch interconnect ports (switch to switch, and switch to router)

trunk on

(4) Router

Fast Ethernet port 0: configure ISL tags (one sub-interface per VLAN, carrying the gateway address of that VLAN). On a LAN sub-interface IOS only accepts an IP address after the VLAN encapsulation has been set, so the encapsulation command comes first.

Configure ISL tags for VLAN 1

Router# config t
Router(config)# int f0.1
Router(config-subif)# encapsulation isl 1
Router(config-subif)# ip address 10.168.1.1 255.255.255.0

Configure ISL tags for VLAN 2

Router(config)# int f0.2
Router(config-subif)# encapsulation isl 2
Router(config-subif)# ip address 10.168.2.1 255.255.255.0

Configure ISL tags for VLAN 3

Router(config)# int f0.3
Router(config-subif)# encapsulation isl 3
Router(config-subif)# ip address 10.168.3.1 255.255.255.0

Routing (static):

ip route 10.168.1.0 255.255.255.0 FastEthernet0.1
ip route 10.168.2.0 255.255.255.0 FastEthernet0.2
ip route 10.168.3.0 255.255.255.0 FastEthernet0.3

Note: these three static routes only need to be added if the router cannot obtain the directly connected routes by itself through CDP; normally the three subnets appear in the routing table as directly connected as soon as the sub-interfaces above have their IP addresses.

Configure access lists (standard and extended access lists are entered in router global configuration mode). List 101 serves VLAN1, 102 serves VLAN2 and 103 serves VLAN3. The wildcard mask for the 10.168.1.0/24 server subnet is 0.0.0.255; a 0.255.255.255 wildcard would match all of 10.0.0.0/8 and would let the two departments reach each other, defeating goal 3.

Router(config)# access-list 101 permit ip host 10.168.1.2 any
Router(config)# access-list 101 permit ip host 10.168.1.3 any
Router(config)# access-list 101 permit ip host 10.168.1.4 any
Router(config)# access-list 102 permit ip host 10.168.2.2 10.168.1.0 0.0.0.255
Router(config)# access-list 102 permit ip host 10.168.2.3 10.168.1.0 0.0.0.255
Router(config)# access-list 103 permit ip host 10.168.3.2 10.168.1.0 0.0.0.255
Router(config)# access-list 103 permit ip host 10.168.3.3 10.168.1.0 0.0.0.255

Assign the access lists to the ports (each list is applied inbound on the sub-interface of its own VLAN; anything not explicitly permitted is dropped by the implicit deny at the end of every list)

Router(config)# int f0.1
Router(config-subif)# ip access-group 101 in
Router(config)# int f0.2
Router(config-subif)# ip access-group 102 in
Router(config)# int f0.3
Router(config-subif)# ip access-group 103 in
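As an added example (not code from the original article), the following Python models how IOS evaluates a numbered extended access list (wildcard masks, first match wins, implicit deny) and checks the article's security goals against lists 102 and 103 with the server-subnet wildcard as a parameter; the helper names wildcard_match, parse_ace, permitted, build_acls and check_policy are this example's own.

```python
# Added example (not code from the original article): a small model of Cisco IOS
# numbered-ACL evaluation, used to check that the lists on f0.2/f0.3 enforce the
# article's goals. Addresses are the article's; semantics follow IOS.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' (side: host A | any | A WC)."""
    tok = line.split()
    assert tok[0] == "access-list" and tok[3] == "ip", line
    number, action, rest, sides = int(tok[1]), tok[2], tok[4:], []
    while rest:
        if rest[0] == "host":
            sides.append((rest[1], "0.0.0.0")); rest = rest[2:]
        elif rest[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); rest = rest[1:]
        else:
            sides.append((rest[0], rest[1])); rest = rest[2:]
    return number, action, sides[0], sides[1]

def permitted(acl, src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    for _, action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def build_acls(server_wildcard: str) -> dict:
    """Inbound lists 102 (f0.2, accounting) and 103 (f0.3, marketing) as in the
    article, with the wildcard for the 10.168.1.0 server subnet as a parameter."""
    hosts = {102: ["10.168.2.2", "10.168.2.3"], 103: ["10.168.3.2", "10.168.3.3"]}
    return {n: [parse_ace(f"access-list {n} permit ip host {h} 10.168.1.0 {server_wildcard}")
                for h in hs] for n, hs in hosts.items()}

def check_policy(server_wildcard: str) -> dict:
    """Terminals must reach the VLAN1 servers; departments must not reach each other;
    a terminal not listed in its department's ACL must reach nothing."""
    acl = build_acls(server_wildcard)
    return {
        "accounting_to_web": permitted(acl[102], "10.168.2.2", "10.168.1.2"),
        "marketing_to_mail": permitted(acl[103], "10.168.3.3", "10.168.1.3"),
        "marketing_to_accounting": permitted(acl[103], "10.168.3.2", "10.168.2.2"),
        "unlisted_host_to_web": permitted(acl[103], "10.168.3.9", "10.168.1.2"),
    }
```

check_policy("0.0.0.255") reports marketing_to_accounting as False, while check_policy("0.255.255.255") reports it as True, which is the quickest way to confirm that a /8 wildcard breaks the isolation between the two department VLANs.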

The above scheme is based on the Cisco Catalyst 1900; if the switch is a Cisco Catalyst 2900, the VLAN configuration commands are slightly different.
