With the development of information technology, the requirements placed on the office network are also changing. Our company's office network has to meet three requirements: 1. set up the company's internal Web server, e-mail server and office automation server to achieve a paperless office; 2. share information and services; 3. exchange information and provide a mail service.
Such an office network brings great convenience, but its security must also be considered. To keep the information on the network secure, we have to find a balance between ease of use and security: given sufficient security, achieve the greatest possible ease of use.
Security objectives to be achieved by the office network
For the office network to meet the needs of the new way of working while keeping its information secure, it mainly has to achieve three security goals: 1. every office terminal can access the Web server, e-mail server and office automation server; 2. the office terminals within each department share information and print services; 3. exchanges between departments are controlled, so that only the computers that need to exchange data with another department can do so and the rest cannot.
Design of office networking scheme
I use VLAN and ACL technology to build the office network. A virtual LAN (VLAN) divides the network logically into working groups with relatively independent functions; when access control lists (ACLs) and routing between the VLANs are combined with this, the independent working groups become separate security zones with limited mutual access. Taking the Marketing department and the Accounting department as an example, the topology of the scheme is shown in Figure 1.
1. On the switches, divide three VLANs: the Web server, e-mail server and office automation server are placed in VLAN1, named Fuwu; the Accounting department is VLAN2, named Jicai; the Marketing department is VLAN3, named Shichang.
2. The router uses access control lists and routing between the VLANs to control the flow of network data and achieve the office network's security objectives, so that VLAN2 and VLAN3 become two security zones.
Overall planning of the programme
Taking the Cisco Catalyst 1900 switch and the Cisco 2600 router as an example, the detailed configuration of the scheme is written out below.
Planning for VLANs
(1) The working mode of the VLAN:
We use static mode to assign switch ports to their VLANs.
(2) ISL Tags:
ISL (Inter-Switch Link) is a protocol that carries the information and data streams of multiple VLANs between switches, between switches and routers, and between switches and servers. With ISL encapsulation configured on the directly connected ports, VLAN allocation and configuration for the whole network can span switches. We configure ISL tagging on Fast Ethernet port 0.
(3) VTP (VLAN Trunking Protocol): a protocol for synchronizing and propagating VLAN configuration information between switches. A configuration made on the VTP server is passed to all switches in the domain, so VTP supports larger networks by reducing manual configuration. VTP has three modes: server, client and transparent. Our VTP settings: the VTP domain name is switch, the main switch is in server mode, and the other two switches are in client mode.
Planning for ACLs
The main function of an access control list (ACL) is to restrict the packets passing through a router port. There are two kinds: standard (basic) access control lists and extended access control lists.
We use extended access lists: VLAN1 applies extended access list number 101, VLAN2 applies extended access list number 102, and VLAN3 applies extended access list number 103.
Specific configuration
The configuration of the computer
Web server: IP address 10.168.1.2, gateway (the router port corresponding to VLAN1) 10.168.1.1.
E-mail server: IP address 10.168.1.3, gateway (the router port corresponding to VLAN1) 10.168.1.1.
Office automation server: IP address 10.168.1.4, gateway (the router port corresponding to VLAN1) 10.168.1.1.
Accounting department office computer 1: IP address 10.168.2.2, gateway (the router port corresponding to VLAN2) 10.168.2.1.
Accounting department office computer 2: IP address 10.168.2.3, gateway (the router port corresponding to VLAN2) 10.168.2.1.
Marketing department office computer 1: IP address 10.168.3.2, gateway (the router port corresponding to VLAN3) 10.168.3.1.
Marketing department office computer 2: IP address 10.168.3.3, gateway (the router port corresponding to VLAN3) 10.168.3.1.
Configuration of each network device
(1) Main switch:
Configure VTP
vtp server
vtp domain switch
Configure VLANs
vlan 1 name Fuwu
vlan 2 name Jicai
vlan 3 name Shichang
Port mode (specifies the VLAN to which each port belongs)
Port in VLAN 1:
vlan-membership static 1
Port in VLAN 2:
vlan-membership static 2
Port in VLAN 3:
vlan-membership static 3
Configure trunking on the switch interconnect ports (switch to switch, and switch to router)
trunk on
(2) Marketing department switch
Configure VTP
vtp client
vtp domain switch
Port mode (specifies the VLAN to which each port belongs)
Port in VLAN 1:
vlan-membership static 1
Port in VLAN 2:
vlan-membership static 2
Port in VLAN 3:
vlan-membership static 3
Configure trunking on the switch interconnect ports (switch to switch, and switch to router)
trunk on
(3) Accounting department switch
Configure VTP
vtp client
vtp domain switch
Port mode (specifies the VLAN to which each port belongs)
Port in VLAN 1:
vlan-membership static 1
Port in VLAN 2:
vlan-membership static 2
Port in VLAN 3:
vlan-membership static 3
Configure trunking on the switch interconnect ports (switch to switch, and switch to router)
trunk on
(4) Router
Configure ISL tagging on Fast Ethernet port 0, one subinterface per VLAN. The ISL encapsulation has to be set before the subinterface will accept an IP address, so the order of the commands matters.
Configure the ISL tag for VLAN 1
Router#config t
Router(config)#int f0.1
Router(config-subif)#encapsulation isl 1
Router(config-subif)#ip address 10.168.1.1 255.255.255.0
Configure the ISL tag for VLAN 2
Router(config)#int f0.2
Router(config-subif)#encapsulation isl 2
Router(config-subif)#ip address 10.168.2.1 255.255.255.0
Configure the ISL tag for VLAN 3
Router(config)#int f0.3
Router(config-subif)#encapsulation isl 3
Router(config-subif)#ip address 10.168.3.1 255.255.255.0
Routing (static):
ip route 10.168.1.0 255.255.255.0 FastEthernet0.1
ip route 10.168.2.0 255.255.255.0 FastEthernet0.2
ip route 10.168.3.0 255.255.255.0 FastEthernet0.3
Note: these three static routes can be omitted if the router can already obtain the routes to these directly connected networks through its CDP function.
Configure the access lists (standard and extended access lists are entered in the router's global configuration mode)
Router(config)#access-list 101 permit ip host 10.168.1.2 any
Router(config)#access-list 101 permit ip host 10.168.1.3 any
Router(config)#access-list 101 permit ip host 10.168.1.4 any
Router(config)#access-list 102 permit ip host 10.168.2.2 10.168.1.0 0.0.0.255
Router(config)#access-list 102 permit ip host 10.168.2.3 10.168.1.0 0.0.0.255
Router(config)#access-list 103 permit ip host 10.168.3.2 10.168.1.0 0.0.0.255
Router(config)#access-list 103 permit ip host 10.168.3.3 10.168.1.0 0.0.0.255
The wildcard mask for the 10.168.1.0/24 server network is 0.0.0.255, the bitwise inverse of the subnet mask 255.255.255.0; a wildcard of 0.255.255.255 would match every 10.x.x.x address, including the other department's VLAN, and would defeat the third security objective. Every Cisco access list ends with an implicit deny, so any host not listed above cannot cross the router at all.
Assign the access lists to the subinterfaces (inbound)
Router(config)#int f0.1
Router(config-subif)#ip access-group 101 in
Router(config)#int f0.2
Router(config-subif)#ip access-group 102 in
Router(config)#int f0.3
Router(config-subif)#ip access-group 103 in
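Whether the third security objective actually holds depends on the ACL semantics the router applies to every packet: host entries, wildcard masks, first match wins, implicit deny at the end. The following Python model of the three inbound access lists is an added example and not part of the original article or of any Cisco software. The addresses and list numbers come from the article; the wildcard 0.0.0.255 for the 10.168.1.0/24 server network, the packet samples and the helper names (wildcard, evaluate, forward) are this example's own assumptions. It also evaluates the looser wildcard 0.255.255.255, which matches every 10.x.x.x address and therefore would not separate the two departments.

```python
"""Model of the three inbound extended ACLs on the Cisco 2600 (added example).

The address plan and permit lines follow the article; the packet samples and
the helper names are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "any", "host A.B.C.D" or "A.B.C.D W.X.Y.Z" (network + wildcard)
    dst: str


def wildcard(subnet_mask: str) -> str:
    """Cisco wildcard mask = bitwise inverse of the subnet mask (255.255.255.0 -> 0.0.0.255)."""
    m = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))


def _match(spec: str, addr: str) -> bool:
    """Match one address against an ACL address specifier, Cisco-style."""
    a = int(ipaddress.IPv4Address(addr))
    parts = spec.split()
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wc = (int(ipaddress.IPv4Address(p)) for p in parts)
    care = wc ^ 0xFFFFFFFF          # a wildcard bit of 1 means "don't care"
    return (a & care) == (net & care)


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if _match(entry.src, src) and _match(entry.dst, dst):
            return entry.action
    return "deny"


SERVERS_WC = wildcard("255.255.255.0")   # "0.0.0.255" for 10.168.1.0/24

ACL_101 = [AclEntry("permit", f"host 10.168.1.{h}", "any") for h in (2, 3, 4)]
ACL_102 = [AclEntry("permit", f"host 10.168.2.{h}", f"10.168.1.0 {SERVERS_WC}") for h in (2, 3)]
ACL_103 = [AclEntry("permit", f"host 10.168.3.{h}", f"10.168.1.0 {SERVERS_WC}") for h in (2, 3)]

# The subinterface a packet enters on is determined by its source subnet, and
# each subinterface carries exactly one inbound ACL, as in the article.
INBOUND = {
    ipaddress.ip_network("10.168.1.0/24"): ("f0.1", ACL_101),
    ipaddress.ip_network("10.168.2.0/24"): ("f0.2", ACL_102),
    ipaddress.ip_network("10.168.3.0/24"): ("f0.3", ACL_103),
}


def forward(src: str, dst: str) -> str:
    """Decision for a packet entering the router from src towards dst."""
    for net, (_, acl) in INBOUND.items():
        if ipaddress.ip_address(src) in net:
            return evaluate(acl, src, dst)
    return "deny"   # source outside the plan: no subinterface, nothing is forwarded


# Constructed packet samples covering the three security objectives.
SAMPLES = [
    ("10.168.2.2", "10.168.1.2"),   # accounting PC -> Web server: permit (goal 1)
    ("10.168.1.3", "10.168.3.3"),   # e-mail server reply -> marketing PC: permit
    ("10.168.2.2", "10.168.3.2"),   # accounting -> marketing: deny (goal 3)
    ("10.168.2.9", "10.168.1.2"),   # unlisted accounting host: implicit deny
]

if __name__ == "__main__":
    for src, dst in SAMPLES:
        print(f"{src} -> {dst}: {forward(src, dst)}")
    # A wildcard of 0.255.255.255 matches all of 10.0.0.0/8, so it would let the
    # accounting PC reach the marketing VLAN:
    loose = [AclEntry("permit", "host 10.168.2.2", "10.168.1.0 0.255.255.255")]
    print("with wildcard 0.255.255.255:", evaluate(loose, "10.168.2.2", "10.168.3.2"))
```

The model only covers the router's forwarding decision; traffic between two computers in the same VLAN never reaches the router, which is what makes the department-internal sharing in the second objective work without any ACL entry.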
The above scheme is based on the Cisco Catalyst 1900; if the switch is a Cisco Catalyst 2900, the VLAN configuration commands are slightly different.