How to guarantee data security with Layer 3 switching

Source: Internet
Author: User
Tags: switches

Layer 3 switches are now commonly used, so I studied how to use Layer 3 switching to ensure data security; I share it here and hope it is useful. The backbone network of Jiangxi 39 Yi Gong Co., Ltd. is a multilevel star Gigabit Ethernet.

A high-performance switch, a Cisco Catalyst 4006 with multiple Gigabit and 100-megabit ports, is placed in the center room of the Science building as the backbone core switch. The company's primary servers and high-performance workstations use the Gigabit switching ports of the central switch, while the lower-performance workstations, of which there are relatively few, connect to the 100-megabit ports of the Layer 3 switch. A fibre-optic module installed in a backplane slot of the central switch connects to the Catalyst 3512 switch of each production branch, so that the workstations in every branch also get 100-megabit bandwidth.

The corporate network runs Windows NT Server on the server side, with Windows NT Workstation or Windows 95/98 clients. The application system has two parts: a CAD/CAM/CAPP/PDM system and an enterprise resource planning (ERP) system. The center room has an HP 6000 that serves as the Windows NT primary domain controller and also as the ERP server, an HP LH3 as a standalone CAD server, a mail server, a network management server, and a plotting PC; all product drawings are plotted centrally in the computer center.

Security Requirements

1. To prevent CAD product drawings from leaking through the management department's computers, the two application systems must be placed in different network segments;

2. The whole system has only one primary domain controller; all computers in the center room belong to the CAD network segment but also need to use resources on the ERP server;

3. The company's top leadership belongs to the ERP management network segment but at the same time needs to manage and use resources in the CAD network segment.

Solving the Problem with VLANs

Ethernet is based on the CSMA/CD mechanism and therefore inevitably produces broadcasts and collisions. Broadcasts consume bandwidth and also affect security, especially in Windows-based networks, so broadcasts in the network must be reduced, and that calls for VLANs. A VLAN splits one broadcast domain into several; VLANs can be defined in three ways: by port, by MAC address, or by network protocol. Cisco's recommendation is one VLAN per IP subnet (in a TCP/IP network), and trunking is used to keep the VLAN configuration consistent across switches. A trunk is a point-to-point link between switches or routers that carries the traffic of multiple VLANs at the same time, which extends a VLAN from one switch to another.

In the seven-layer network model, a hub is a Layer 1 device: every port is in the same collision domain and the same broadcast domain. Switches and bridges are Layer 2 devices: all ports are in the same broadcast domain, but each port is its own collision domain, so a switch reduces collisions and allows full-duplex communication, though it cannot reduce broadcast traffic. A router is a Layer 3 device that connects different broadcast domains and collision domains, and it controls broadcasts and collisions through its routing function.

Layer 3 Switching Simplifies the Configuration

Once VLANs are divided, different VLANs cannot communicate with each other, so a router is needed to connect them; with a Layer 3 switch this is no longer a problem. The Catalyst 4006 is one of Cisco's more advanced enterprise backbone switches and has Layer 3 switching capability, which solves the inter-VLAN communication problem and removes the chronic low-bandwidth bottleneck of a router. On the 4006, the Layer 3 switching function is implemented on the 4232-L3 module; unlike the 5000 and 6000 series, Layer 3 switching on the 4000 series is done through two internal virtual Gigabit connections.

The central switch has two VLANs in total, one for CAD and one for ordinary users, with network segments 192.168.66.0 and 192.168.67.0. The switch provides Layer 3 switching between the two VLANs, and a static routing table is used to add certain special addresses and implement certain security policies.

In the actual network, two ports on the supervisor module and five on the 4306-GB module connect through fibre to the second-level switches, providing the Gigabit backbone. On the 4006, 6/1 and 6/2 are the two interfaces used for routing (our Layer 3 module is plugged into slot 6 of the switch); seen from the Layer 3 switching module, these two ports are the interfaces that connect to the 4006. Through Layer 3 switching, the enterprise network is segmented, which improves the security of the data in the network.
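The VLAN, trunk and Layer 3 module layout described above, with the three security requirements expressed as access lists, as an added configuration example that is not the author's own configuration. It assumes each internal Gigabit port of the 4232-L3 module sits untagged in one VLAN (6/1 in CAD, 6/2 in ERP) rather than being trunked, that the branch uplink is port 2/1, and that the ERP server/PDC, the leadership PCs and the center-room CAD hosts have the placeholder addresses shown in the comments; none of those addresses come from the article.

```ios
! --- Supervisor (CatOS) side: assumed example, not the author's configuration ---
! One VLAN per IP subnet; each internal gigabit port of the 4232-L3 module in
! slot 6 is placed untagged in one VLAN instead of being trunked.
set vlan 66 name CAD
set vlan 67 name ERP
set vlan 66 6/1
set vlan 67 6/2
! Assumed fibre uplink to a branch Catalyst 3512; an 802.1Q trunk carries both VLANs
set trunk 2/1 on dot1q

! --- 4232-L3 module (IOS) side: one routed interface per VLAN ---
! Placeholder addresses (not from the article): ERP server/PDC 192.168.67.10,
! leadership PCs 192.168.67.200-203, center-room CAD hosts 192.168.66.0-31.
interface GigabitEthernet1
 description CAD segment (VLAN 66, switch port 6/1)
 ip address 192.168.66.1 255.255.255.0
 ip access-group 101 in
interface GigabitEthernet2
 description ERP segment (VLAN 67, switch port 6/2)
 ip address 192.168.67.1 255.255.255.0
 ip access-group 102 in

! Requirements 1 and 2: CAD hosts may reach the ERP segment only to talk to the
! ERP server, and only from the center room; everything else CAD->ERP is dropped.
access-list 101 permit ip 192.168.66.0 0.0.0.31 host 192.168.67.10
! Replies to TCP sessions that leadership PCs opened toward the CAD segment
access-list 101 permit tcp 192.168.66.0 0.0.0.255 192.168.67.0 0.0.0.255 established
access-list 101 deny   ip 192.168.66.0 0.0.0.255 192.168.67.0 0.0.0.255 log
access-list 101 permit ip any any

! Requirement 3: only the leadership PCs in the ERP segment may reach the CAD segment.
access-list 102 permit ip 192.168.67.200 0.0.0.3 192.168.66.0 0.0.0.255
! Replies from the ERP server/PDC to center-room CAD hosts (TCP only; UDP services
! such as NetBIOS name service on port 137 need explicit permits of their own)
access-list 102 permit tcp host 192.168.67.10 192.168.66.0 0.0.0.255 established
access-list 102 deny   ip 192.168.67.0 0.0.0.255 192.168.66.0 0.0.0.255 log
access-list 102 permit ip any any

! The article's static routes for "special addresses" would be added here with
! "ip route <network> <mask> <next-hop>"; the article does not give their values.
```

The `log` keyword on the two deny lines makes blocked CAD/ERP crossings visible in the module's log, which is the easiest way to confirm the segmentation actually holds after the change.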
