See how layer-3 switches ensure Network Security

Source: Internet
Author: User

Layer-3 switches are now common, so I studied how a layer-3 switch can be used to secure a network, and I share the results here in the hope that they are useful. In the example network, a high-performance Cisco Catalyst 4006 with several Gigabit and 100 Mbps ports is placed in the center of the science and technology building as the core switch of the backbone network.

The company's main servers and high-performance workstations use the Gigabit ports of the central switch; workstations with lower performance and less traffic are connected to its 100 Mbps ports. An optical-fiber module installed in the backplane slot of the central switch connects over fiber to the Catalyst 3512 switch of the production branch, so that the workstations in each branch also get 100 Mbps of bandwidth.

The company's network is configured as follows: the server is Windows NT Server and the clients are Windows NT Workstation or Windows 95/98. The application system has two parts: the CAD/CAM/CAPP/PDM system and the ERP system for enterprise resource planning. The central data center has an HP 6000 acting as the Windows NT primary domain controller and ERP server, an HP LH3 acting as a separate CAD server, mail server and network management server, and a PC used for plotting. All product drawings are plotted in the computer center.

Security requirements

1. To prevent CAD product drawings from leaking out through the management department's computers, the two application systems must be placed in different network segments;

2. The whole system has only one primary domain controller. All computers in the central data center belong to the CAD segment, but the resources on the ERP server must remain usable by the ERP users;

3. The company's senior leadership belong to the ERP (management) segment, but also need to manage and use resources in the CAD segment.

Solving it with VLANs

Ethernet is based on the CSMA/CD mechanism, so broadcasts and collisions are unavoidable. Broadcast traffic consumes bandwidth and affects security, especially in Windows-based networks, so the number of broadcasts in the network must be reduced, and the tool for that is the VLAN. A VLAN divides one broadcast domain into several; membership can be assigned in three ways: by port, by MAC address, or by network protocol. Cisco recommends that each VLAN correspond to one IP subnet (in a TCP/IP network); we recommend the same, together with trunking to keep the VLAN configuration consistent across switches. A trunk carries the traffic of several VLANs at the same time over one point-to-point link between two switches or between a switch and a router, which extends a VLAN from one switch to another.

In the seven-layer OSI model, a hub is a layer-1 device: everything connected to it shares one collision domain and one broadcast domain. Switches and bridges are layer-2 devices: the connected devices remain in one broadcast domain, but each port is its own collision domain, so a switch reduces collisions and allows full-duplex communication but cannot reduce broadcast traffic. A router is a layer-3 device: the devices it connects are in different broadcast domains and collision domains, and its routing function can be used to contain both broadcasts and collisions.

Simplifying with layer-3 switching

After VLANs are divided, different VLANs cannot communicate with each other, so a router is normally required to connect them. With a layer-3 switch this extra device is not needed. The Catalyst 4006 is an enterprise backbone switch from Cisco with layer-3 switching capability, which both solves inter-VLAN communication and removes the bandwidth bottleneck of an external router. On the 4006, layer-3 switching is implemented by the 4232-L3 module; unlike the 5000 and 6000 series, the 4000 series implements it through two internal virtual Gigabit connections between the module and the switch backplane.

Two VLANs are designed, one for CAD and one for ordinary users, with the subnets 192.168.66.0 and 192.168.67.0. The switch performs layer-3 switching between the two VLANs, and some specific addresses are added to the static routing table to implement particular security policies.

In the actual network, two management modules and five Gigabit modules connect to the second-level switches over fiber, providing Gigabit trunks. From the 4006's point of view, 6/1 and 6/2 are the two interfaces that implement the routing function, because the layer-3 module is inserted in slot 6 of the switch. From the layer-3 module's point of view, those two ports are its interfaces to the 4006 backplane. The layer-3 switching feature lets the enterprise segment its network and so improve the security of the data on it.
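The VLAN-and-trunk design (one VLAN per subnet, trunked through the layer-3 module) and the per-address security policy described in the two sections above can be written out as a concrete configuration. The following is an added example, not the configuration of the company network in the article: the CatOS commands belong on the 4006 supervisor and the IOS commands on the 4232-L3 module, but the slot and port numbers, the choice of 802.1Q rather than ISL on the internal trunk, the module's internal interface name (GigabitEthernet3) and every host address (PDC 192.168.66.10, ERP server 192.168.66.11, leadership PCs 192.168.67.200 and .201) are assumptions. The three security requirements are enforced with extended access lists on the VLAN subinterfaces rather than with static routes.

```cisco
! ===== Catalyst 4006 supervisor (CatOS) -- assumed slot/port layout =====
set vlan 66 name CAD
set vlan 67 name MGMT
! CAD workstations and the data-center servers on slot 2, management PCs on slot 3 (assumed)
set vlan 66 2/1-24
set vlan 67 3/1-24
! 6/1 is the internal link to the 4232-L3 module in slot 6; carry only the two VLANs on it
set trunk 6/1 on dot1q 66,67
clear trunk 6/1 1-65,68-1005

! ===== 4232-L3 module (IOS) -- GigabitEthernet3 assumed to face supervisor port 6/1 =====
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet3.66
 description CAD segment (data center: PDC 192.168.66.10, ERP server 192.168.66.11)
 encapsulation dot1Q 66
 ip address 192.168.66.1 255.255.255.0
 ip access-group 166 in
!
interface GigabitEthernet3.67
 description Management / ERP segment (leadership PCs 192.168.67.200-201)
 encapsulation dot1Q 67
 ip address 192.168.67.1 255.255.255.0
 ip access-group 167 in
!
! Traffic entering from the management segment (requirements 2 and 3):
! everyone may reach the PDC (domain logon) and the ERP server,
! only the leadership PCs may reach the rest of the CAD segment.
access-list 167 permit ip 192.168.67.0 0.0.0.255 host 192.168.66.10
access-list 167 permit ip 192.168.67.0 0.0.0.255 host 192.168.66.11
access-list 167 permit ip host 192.168.67.200 192.168.66.0 0.0.0.255
access-list 167 permit ip host 192.168.67.201 192.168.66.0 0.0.0.255
access-list 167 deny   ip 192.168.67.0 0.0.0.255 192.168.66.0 0.0.0.255 log
access-list 167 permit ip any any
!
! Traffic entering from the CAD segment (requirement 1): CAD hosts may not open
! connections toward the management segment; only TCP replies to sessions opened
! from the management side, and UDP replies from the PDC and ERP server, pass.
access-list 166 permit tcp 192.168.66.0 0.0.0.255 192.168.67.0 0.0.0.255 established
access-list 166 permit udp host 192.168.66.10 192.168.67.0 0.0.0.255
access-list 166 permit udp host 192.168.66.11 192.168.67.0 0.0.0.255
access-list 166 deny   ip 192.168.66.0 0.0.0.255 192.168.67.0 0.0.0.255 log
access-list 166 permit ip any any
```

Two caveats a practitioner should keep in mind. The `established` keyword only matches TCP segments with the ACK or RST bit set; it is not a stateful firewall, so a CAD host that crafts such segments can still send data toward the management segment, and the access lists only filter traffic that crosses the router: two hosts in the same VLAN talk to each other unfiltered. Also, because every management PC may reach the PDC and the ERP server, no drawing files should be stored on those two machines, otherwise requirement 1 is bypassed through the addresses requirement 2 opens up. After applying the lists, verify domain logon from a VLAN 67 client and watch the `log` entries for denied flows before trusting the policy.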
