In-depth exploration of how layer-3 switches improve access security

Currently, network users have higher and higher requirements on device performance, which is also a driving force for the rapid development of layer-3 switches to meet other user needs, with the acceleration of industry informatization and the informatization process of small and medium-sized enterprises, the network construction hotspots are switching from the core of the network to the edge. Network Construction focuses on access and application migration, which brings a "golden" opportunity to the switch market. As many vendors push network intelligence to the edge and make more efforts to the market, the switch market is gaining the attention and favor of various network equipment princes and is expected to become another battlefield in the IT field.

At present, the battle's commanding heights are the third-tier switch market, especially the edge switch. According to market research, edge switches have begun to surpass core switches and gradually become dominant. The survey results on user requirements also prove that the most important factor for users to purchase a vswitch is application and security. Therefore, most of them use layer-3 or multi-layer switches with high manageability.

Improve traditional routing technology

With the rapid development of Internet/Intranet and the wide application of the B/S (Browser/Server) computing model, cross-region and cross-network business is growing rapidly, the industry and users are deeply aware of the bottleneck effect of traditional routers in the network. Therefore, it is imperative to improve the traditional routing technology. In this case, a new routing technology emerged, which is the third layer switch technology. A layer-3 device based on this technology is called a "Router" because it can operate on the layer-3 of the network protocol. It is a router that understands the device and can act as a route; if it is a "Switch", it is very fast, almost reaching the second-layer switching speed.

The improvement of the user's network application level is one of the main driving forces for large-scale application of layer-3 switches. The user is no longer satisfied with the basic functions of the vswitch, And will connect the input and output ports to forward the business flow. In addition to the switch, authentication, and packet filtering functions, the switch is expected to have the routing processing function. Different user applications also put forward new requirements for network elasticity.

At the same time, with the rapid expansion of the network scale and the increasing number of applications in the network, the user network must strengthen visitor control and restrict illegal user communication to ensure the security of the entire network, for example, the security management of devices in the campus network, the requirements of the resident network for secure access, and the isolation of various businesses in the enterprise network. However, normal switches cannot effectively isolate data transmission between sites in the network and control users' access permissions, which threatens the security of users' LAN. Layer-3 switches provide a policy-based security access mechanism through a variety of explicit or implicit VLAN division methods, improving network security and effectively inhibiting the generation of broadcast storms.

With the rapid development of China's enterprise network, campus network and broadband construction, the application of layer-3 switches has penetrated from the initial backbone layer and convergence layer to the edge access layer. The emergence of layer-3 switches, just as Cisco routers are widely used in wide area networks, will dominate the network for a long time in the future.

Meet Multimedia Applications

With the rapid development of the Internet, more and more users are applied on the network, and users are no longer limited to data transmission over the network, online Transaction, online teaching, on-demand video, Community cinema, and so on have increasingly become the real needs of users for the network. The pure layer-2 exchange can no longer meet the actual needs of users. The advantages of layer-3 switches are mainly reflected in application and network security.

Applications are mainly reflected in the fact that the user's network transmission is no longer limited to data, voice, video, and other multimedia information that has high requirements on latency and jitter can also be transmitted on the same network. Because common switches work on the Layer 2 (data link layer) of the OSI Layer 7 model, they provide very little control over the division of subnets and broadcast restrictions, which can easily cause network congestion, the loss and delay of data packets increase, and the service quality cannot be guaranteed. Layer-3 switches combine layer-2 switching technology in network communication with layer-3 routing or layer-3 forwarding technology, and achieve line rate switching through ASIC Technology, this greatly improves the packet forwarding capability of device data and eliminates forwarding bottlenecks. At the same time, network resources can be fully utilized through VLAN division, efficient multicast control, stream policy management, access control, and other functions to meet the application requirements of various users.

On the other hand, with the expansion of the network scale, the network becomes more and more complex. The cost of the network in terms of operation and management is greatly higher than the cost of the network equipment. The requirements for easy maintenance and management have also contributed to the wide application of layer-3 switches. In the past, network administrators spent 3/4 of their time maintaining the network infrastructure to ensure that communication traffic is optimized and to handle mobile and change operations. Generally, when a user moves to another physical location in the network, the network needs to be reconfigured, and even the user's workstation needs to perform a lot of management work.

The VLAN Technology of the layer-3 Switch solves the problem of network management. VLAN deployment reduces the resources required for Network Movement and change to save resources for users. At the same time, VLAN can automate network supervision and management, thus more effective network monitoring. Remote Management, remote network monitoring, and fault alarms provide an effective means for network administrators to manage them. Cisco's smart network architecture can help customers continuously add new content businesses in the market, such as distance education, call center, e-commerce, enterprise resource management, and customer relationship management, it helps enterprises reduce production costs, increase productivity, and develop new customers.

Improve system and access security

Network security is mainly reflected in two aspects: system security and access security. Most layer-3 switches have powerful security assurance systems. In terms of system security, security mechanisms are implemented in the overall architecture from the core to the edge of the network, which mainly refers to secure network management, that is, network management information is encrypted and controlled through specific technologies. Network Management Information contains the most abundant and complete network information. If the network management information is intentionally or unintentionally eavesdropped, damaged, or tampered with during transmission, this will cause unpredictable losses to the overall network and even enterprise operations.

Cisco uses appropriate technologies to improve and encrypt network management information throughout the network, and establishes a very solid security network system. In terms of security exchange across the network, multiple methods are implemented, including extending the root segment protection for each subnet, implementing multi-layer ACLs from core to edge switches, loading intrusion detection at the core layer, inter-network firewall, and Intranet VPN. method. In terms of access security, Cisco's various types of terminals apply the security access mechanism for access to the exchange system, including 802.1x access verification, RADIUS/TACACS + support, and MAC address verification; various types of virtual network technologies, such as dedicated virtual network for port isolation, 802.1q, and dynamic virtual network.

As a layer-3 switch of the core network equipment, its security is also reflected in other aspects, such as anti-hacker attack firewall. Most vswitches in the market also enhance security hardware. In addition, it is the redundancy capability. No manufacturer can ensure that its products do not fail. In case of a fault, it is very important to switch to a good device quickly. Therefore, the redundancy capability should be considered on the hardware: whether there are important redundant components, such as backup power supply, management module, and redundant ports, this is especially important for users with high security and reliability requirements, such as telecommunications and finance, as well as international or national standards related to the personal safety of staff, such as electromagnetic radiation standards and various security standards.