Implementation of campus networks in a university-VLAN and policy routing

Source: Internet
Author: User
Article title: Implementation of VLAN and policy routing on campus networks of a university.
I. Network topology (shown in the appendix) and network planning:
  
The switch is a Cisco 2924, divided into three VLANs: VLAN10 for the office, VLAN13 for the classrooms and VLAN12 for the server area. Port 24 of the switch is set to trunk mode (the VLAN trunk line).
  
The gateway runs Linux and has two satellite cards installed; two modems are used to dial up and then establish a VPN over each dial-up link. The office is assigned the subnet 192.168.9.0/27, the classrooms 192.168.10.0/24 and the server area 192.168.5.0/28.
  
In addition, the office must be able to access the Internet from to, the classrooms must be able to access the Internet from to, and every subnet must be able to reach the web server in 192.168.5.0/28.
Classrooms must not be able to access the office.
  
II. Configuration of VLANs on the Cisco 2924 switch:
On the Cisco 2924, assign ports 1-8 to VLAN10, ports 9-16 to VLAN13, ports 17-22 to VLAN13 and port 23 to VLAN1; port 24 is configured as the trunk line.
  
The VLAN assignment itself is done in the usual way; what needs emphasis here is the configuration of the trunk line:
  
Cisco2924# conf t (enter global configuration mode)

Cisco2924(config)# interface fastEthernet0/24 (enter the configuration mode of port 24)

Cisco2924(config-if)# switchport mode trunk (set port 24 to trunk mode)

Cisco2924(config-if)# switchport trunk encapsulation dot1q (set the frame encapsulation on the trunk to 802.1Q; the default is Cisco's proprietary ISL)

Cisco2924(config-if)# switchport trunk allowed vlan remove <vlan-list> (remove the VLANs that should not be carried over the trunk; to remove every VLAN use the all parameter)

Cisco2924(config-if)# switchport trunk allowed vlan add 1-13 (add VLANs 1-13 to the list of VLANs carried over the trunk)
  
III. Linux gateway VLAN configuration:
  
1. Compile the kernel with 802.1Q VLAN support.

Download the Linux 2.4.20 kernel: http://www.kernel.org/pub/linux/kernel/v2.4/linux-2.4.20.tar.bz2

cp linux-2.4.20.tar.bz2 /usr/src

cd /usr/src

tar -jxvf linux-2.4.20.tar.bz2

ln -s linux-2.4.20 linux

cd linux

make menuconfig

Networking options ---> 802.1Q VLAN Support (can be built either as a module or into the kernel)

..................

Install and boot the new kernel after compiling it.
  
2. VLAN configuration

Download the VLAN configuration tool: http://www.candelatech.com/~greear/vlan/vlan.1.7m.tar.gz

tar -zxvf vlan.1.7m.tar.gz

cd vlan

cp vconfig /usr/sbin

Note: if the kernel is to support VLANs assigned by MAC address, it must first be patched with the kernel patch contained in vlan.1.7m.tar.gz; then copy macvlan_config to /sbin and use the macvlan_config command to configure those VLANs.
  
(1) create VLAN10, VLAN12 and VLAN13

vconfig add eth0 10

vconfig add eth0 12

vconfig add eth0 13

(2) set the IP addresses of the interfaces:

ip address add 192.168.5.3/28 dev eth0.12 (DMZ gateway)

ip address add 192.168.10.1/24 dev eth0.13 (classroom gateway)

ip address add 192.168.9.1/27 dev eth0.10 (office gateway)

ip link set dev eth0.12 up (enable the device)
ip link set dev eth0.10 up
ip link set dev eth0.13 up
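As an added illustration (this is not code from the article), the following Python script shows what travels over port 24 once the trunk carries 802.1Q: it builds constructed Ethernet frames, parses the 802.1Q tag (TPID 0x8100 followed by priority, DEI and VID) and maps the VID onto the sub-interfaces that the vconfig commands above create. The VID-to-eth0.X mapping and the treatment of untagged frames as the switch's native VLAN 1 (delivered to eth0 itself) are assumptions drawn from the article's plan. The "drop" results are this script's own checks and are what one watches for on a trunk port: the Linux 8021q module itself drops a tagged frame with no matching VLAN device, but it would strip only the outer tag of a double-tagged frame, so such frames are reported here rather than forwarded.

```python
import struct

TPID_8021Q = 0x8100   # customer tag (C-tag)
TPID_8021AD = 0x88A8  # service tag used for double (QinQ) tagging

# Gateway side of the trunk as the article configures it (assumed mapping):
# tagged frames are demultiplexed onto the vconfig'ed sub-interfaces,
# untagged frames (the switch's native VLAN 1) land on eth0 itself.
SUBINTERFACES = {10: "eth0.10", 12: "eth0.12", 13: "eth0.13"}

# Constructed, locally administered MAC addresses for the samples.
GATEWAY_MAC = bytes.fromhex("0200c0a80901")
HOST_MAC = bytes.fromhex("0200c0a80a07")


def parse_frame(frame):
    """Split a frame into dst, src, a list of 802.1Q tags, ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            break                       # not a tag: this is the real ethertype
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13,
                     "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    return {"dst": dst.hex(":"), "src": src.hex(":"), "tags": tags,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst, src, payload, ethertype=0x0800, vids=(), pcp=0):
    """Build a frame with zero, one or several 802.1Q tags (constructed test data)."""
    hdr = bytearray(dst + src)
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return bytes(hdr) + struct.pack("!H", ethertype) + payload


def ingress_device(frame):
    """Name the gateway device that receives the frame, or the reason it is rejected."""
    f = parse_frame(frame)
    if not f["tags"]:
        return "eth0"                   # native VLAN arrives untagged
    if len(f["tags"]) > 1:
        vids = [t["vid"] for t in f["tags"]]
        return "drop: double-tagged frame %s, not expected on this trunk" % vids
    vid = f["tags"][0]["vid"]
    return SUBINTERFACES.get(vid, "drop: no sub-interface for VLAN %d" % vid)


if __name__ == "__main__":
    ip_payload = b"\x45" + b"\x00" * 19   # constructed 20-byte IPv4 header stub
    samples = [
        ("classroom host, VLAN 13", build_frame(GATEWAY_MAC, HOST_MAC, ip_payload, vids=(13,))),
        ("native VLAN, untagged", build_frame(GATEWAY_MAC, HOST_MAC, ip_payload)),
        ("VLAN 20, not in the plan", build_frame(GATEWAY_MAC, HOST_MAC, ip_payload, vids=(20,))),
        ("double-tagged 10/12", build_frame(GATEWAY_MAC, HOST_MAC, ip_payload, vids=(10, 12))),
    ]
    for name, frame in samples:
        print(f"{name:26s} -> {ingress_device(frame)}")
```

The parser loops over tags so that a frame with two 0x8100 headers (or an 0x88A8 outer tag) is recognised as double-tagged instead of being silently treated as VLAN 10; on a real gateway the same information is visible with tcpdump -e on eth0.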
  
IV. Configure dial-up

1. Create the dial-up connection for the office:

(1) create the dialing script /etc/ppp/dialisp1:

#!/bin/sh

/usr/sbin/pppd /dev/ttyS0 57600 connect '/usr/sbin/chat -f /etc/ppp/chat95788' login user 95788 mru 1500 mtu 1500 crtscts file /etc/ppp/options.pstn_isp1

(2) create the chat script for the dial-up, /etc/ppp/chat95788 (each line is an expect/send pair):

# expect nothing and send the modem init string; expect OK and dial; wait for CONNECT
""      atm3
OK      atdt95788
CONNECT ""

(3) create the pppd options file for the dial-up, /etc/ppp/options.pstn_isp1:

local
nodefaultroute
noauth
login
user 95788
mru 1500
mtu 1500
crtscts
updetach

Note: because there are several dial-up connections, no single one of them may supply the default route, so nodefaultroute is used.
  
2. Create the dial-up connection for the classrooms:

(1) create the dialing script /etc/ppp/dialisp2:

#!/bin/sh

/usr/sbin/pppd /dev/ttyS1 57600 connect '/usr/sbin/chat -f /etc/ppp/chat9_95788' login user 95788 mru 1500 mtu 1500 crtscts file /etc/ppp/options.pstn_isp2

(2) create the chat script for the dial-up, /etc/ppp/chat9_95788 (expect/send pairs):

# this line needs a 9 for an outside line; the comma is a pause before the number
""      atm3
OK      atdt9,95788
CONNECT ""

Note: this phone line requires dialing 9 first.

(3) create the pppd options file for the dial-up, /etc/ppp/options.pstn_isp2:

local
noauth
login
user 95788
nodefaultroute
mru 1500
mtu 1500
crtscts
updetach
  
V. Create the VPN (satellite) dialing scripts:

1. Download the Linux VPN client: http://pion.xs4all.nl/~elf/pkg/pptp-linux-1.1.0.tar.gz

Unpack the package and copy the pptp binary to /usr/sbin.

2. Download the Linux driver for the satellite card:

3. Create the office PPTP dialing script /etc/ppp/dialpptp1:

#!/bin/sh

ip route add 210.12.254.4 dev ppp0 (210.12.254.4 is the VPN server address provided by the ISP; this host route sends traffic to it over the dial-up link ppp0)

sleep 2

/usr/sbin/pptp 210.12.254.4 file /etc/ppp/options.pptp1 (establish the PPTP connection)

/etc/ppp/options.pptp1 is the options file for the office VPN connection; its content is:

local
user username
+chap
remotename 210.12.254.4
noauth
mru 1400
mtu 1400
updetach

Note: because the data is encapsulated in PPTP, its headers take up some bytes of every packet, so the mru and mtu values are smaller than those of the plain PPP link.
  
  
4. Create the classroom PPTP dialing script /etc/ppp/dialpptp2:

#!/bin/sh

ip route add x.x.x.x dev ppp2 (x.x.x.x is the VPN server address provided by the ISP; this host route sends traffic to it over the dial-up link ppp2)

sleep 2

/usr/sbin/pptp x.x.x.x file /etc/ppp/options.pptp2 (establish the PPTP connection)

/etc/ppp/options.pptp2 is the options file for the classroom VPN connection; its content is:

local
user username
+chap
remotename x.x.x.x
noauth
mru 1400
mtu 1400
updetach

5. Perform a dial-up test:

Pay attention to the order of dialing: each PSTN link (ppp0, ppp2) must be up before its PPTP script runs, because that script routes the VPN server through the PSTN link.
  
VI. Set the routing policies:

1. Name the routing tables:

Edit /etc/iproute2/rt_tables and append the following two lines:

100 classroom (names routing table 100 "classroom")

110 office (names routing table 110 "office")

2. Set the routes:

(routes in the classroom table)
ip route add 192.168.5.0/28 dev eth0.12 table classroom

(routes in the office table)
ip route add 192.168.5.0/28 dev eth0.12 table office

(routing policy rules; each ip rule add without an explicit priority is placed ahead of the previous one, so the rules added last are evaluated first)
ip rule add from 192.168.9.0/27 table office (packets from 192.168.9.0/27 are looked up in the office table)
ip rule add from 192.168.10.0/24 table classroom (packets from 192.168.10.0/24 are looked up in the classroom table)
ip rule add to 192.168.9.0/27 table main (packets destined for 192.168.9.0/27 are looked up in the main table)
ip rule add to 192.168.10.0/24 table main (packets destined for 192.168.10.0/24 are looked up in the main table; the classroom subnet is a /24)

3. Set the default routes:

As described above, the classrooms and the office are to reach the Internet through different modems, so each of the two tables gets its own default route.

ip route add default dev ppp1 table office

ip route add default dev ppp3 table classroom

(Note: ppp1 is the VPN connection carried over ppp0, and ppp3 is the VPN connection carried over ppp2.)
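The following Python script is an added example, not part of the article: it models the routing policy database with the priority allocation that ip rule add uses when no priority is given (each new rule goes one step below the lowest existing one, so the rule added last is checked first), loads the article's four rules and three tables, and looks up the flows the article cares about. It assumes the main table holds the connected routes the kernel installs for eth0.10, eth0.12 and eth0.13, leaves the local table out, and uses 198.51.100.10 as a constructed Internet address. The lookups show why the order of the rules matters (the two "to ... table main" rules win over the "from" rules only because they were added after them), that the routing alone still lets classroom traffic reach the office (the article's "classrooms cannot access the office" requirement needs a packet filter, which the article defers to the NAT settings), that the server area has no Internet path because main has no default route, and what goes wrong when the fourth rule is written with a /27 instead of the classroom's /24: office traffic to the upper part of the classroom subnet is sent out through ppp1.

```python
import ipaddress

# Routing tables as the article builds them. The connected routes in "main"
# are the ones the kernel adds by itself when the eth0.X addresses are set;
# "office" and "classroom" contain only the routes the article adds by hand.
TABLES = {
    "main": [("192.168.9.0/27", "eth0.10"),
             ("192.168.10.0/24", "eth0.13"),
             ("192.168.5.0/28", "eth0.12")],
    "office": [("192.168.5.0/28", "eth0.12"), ("0.0.0.0/0", "ppp1")],
    "classroom": [("192.168.5.0/28", "eth0.12"), ("0.0.0.0/0", "ppp3")],
    "default": [],
}


def longest_match(table, dst):
    """Output device of the most specific route for dst in table, or None."""
    best = None
    for prefix, dev in TABLES.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


class RPDB:
    """Routing policy database: rules are (priority, from, to, table).

    Priorities are assigned the way `ip rule add` does without an explicit
    priority: one below the lowest existing rule, so the rule added LAST is
    evaluated FIRST. The main (32766) and default (32767) rules pre-exist;
    the local rule (priority 0) is left out of this model (assumption)."""

    def __init__(self):
        self.rules = [(32766, None, None, "main"), (32767, None, None, "default")]

    def add(self, table, src=None, dst=None):
        pref = min(r[0] for r in self.rules) - 1
        self.rules.append((pref,
                           ipaddress.ip_network(src) if src else None,
                           ipaddress.ip_network(dst) if dst else None,
                           table))
        return pref

    def lookup(self, src, dst):
        """Walk the rules in priority order. A table with no route for dst
        does not end the search; the next matching rule is tried."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _pref, sel_src, sel_dst, table in sorted(self.rules, key=lambda r: r[0]):
            if sel_src is not None and src not in sel_src:
                continue
            if sel_dst is not None and dst not in sel_dst:
                continue
            dev = longest_match(table, dst)
            if dev is not None:
                return table, dev
        return None, None


def article_rpdb(classroom_to="192.168.10.0/24"):
    """The article's four `ip rule add` lines, in the article's order."""
    db = RPDB()
    db.add("office", src="192.168.9.0/27")
    db.add("classroom", src="192.168.10.0/24")
    db.add("main", dst="192.168.9.0/27")
    db.add("main", dst=classroom_to)
    return db


def typo_rpdb():
    """Same rules, but with the fourth one narrowed to a /27 instead of the classroom's /24."""
    return article_rpdb("192.168.10.0/27")


if __name__ == "__main__":
    # 198.51.100.10 stands in for an Internet host (TEST-NET-2, constructed).
    flows = [("classroom -> Internet", "192.168.10.7", "198.51.100.10"),
             ("office -> Internet", "192.168.9.5", "198.51.100.10"),
             ("office -> web server", "192.168.9.5", "192.168.5.2"),
             ("classroom -> office", "192.168.10.7", "192.168.9.5"),
             ("server area -> Internet", "192.168.5.2", "198.51.100.10")]
    db = article_rpdb()
    for name, s, d in flows:
        print(f"{name:26s} {s:>13s} -> {d:<14s} {db.lookup(s, d)}")
    print("fourth rule as /27, office -> 192.168.10.40:",
          typo_rpdb().lookup("192.168.9.5", "192.168.10.40"))
```

On the real gateway the same questions are answered by ip rule show (to see the priorities actually assigned) and ip route get <dst> from <src>; the model is useful before the rules go live, or when a link is down and a lookup falls through to the next rule.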
  
With that, routing is done; what remains is to sort out the NAT settings and the scripts. Time-based access control can be handled with crond.
  
The scripts are organised as follows: 1. the VLAN setup and the local routes and policy rules that must be executed at startup go into /etc/rc.local:
/sbin/ip addr add 0.0.0.0 dev eth0
/sbin/ip link set dev eth0 up

/sbin/vconfig add eth0 10
/sbin/vconfig add eth0 12
/sbin/vconfig add eth0 13

/sbin/ip route add 192.168.5.0/28 dev eth0.12 table classroom
/sbin/ip route add 192.168.5.0/28 dev eth0.12 table office

/sbin/ip rule add from 192.168.9.0/27 table office
/sbin/ip rule add from 192.168.10.