Design and implementation of network access for small and medium-sized enterprises based on SSL VPN technology (complete document + Cisco topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Abstract

With the rapid development of network technology, enterprises with several remote branches need good mobile-office capability as part of their information construction. A virtual private network (VPN) is a temporary, secure connection established across a public network. It costs less than a traditional leased line, and its use of tunnelling and encryption protects information travelling to and from the company intranet. Employees can reach the internal network remotely over the Internet or a 4G network and carry out their office work efficiently. SSL VPN is a fast, secure and practical technology for giving remote users access to internal enterprise data: users can work remotely with very little setup, which helps the enterprise raise productivity and strengthen network security while lowering management, operation and maintenance costs.

This paper introduces the basic principles of VPN and several important implementation technologies, compares the advantages and disadvantages of SSL VPN and IPsec VPN, and explains how SSL VPN can be used to connect remote users to an enterprise intranet. It gives an overview of SSL VPN technology and analyses its application in enterprise information systems, with the aim of using SSL VPN to address the shortcomings of remote access in enterprise networks and to protect the security of the enterprise information system.

With an SSL VPN in place, employees on business trips or at home can connect to the company's internal network and transfer data securely. The approach has broad application prospects, meets higher security requirements, and makes remote working more convenient and stable.

Keywords: SSL; enterprise; security; tunnel; network


Table of contents

Chapter 1 Introduction
1.1 Research background
1.2 Research significance
1.3 Research content
Chapter 2 System Analysis
2.1 Feasibility analysis
2.2 Requirements analysis
Chapter 3 Overview of Related Technologies
3.1 SSL VPN technology
3.2 DHCP technology
3.3 ACL design
3.4 NAT design
3.5 OSPF design
Chapter 4 System Design
4.1 Overall network design
4.2 Network security design
4.3 Network topology diagram
4.4 IP address planning
4.5 Equipment selection
Chapter 5 Detailed Design
5.1 VPN technology implementation
5.2 SSL security
5.3 Core layer design
5.4 Aggregation layer design
5.5 Access layer design
5.6 Key technologies and difficulties
5.7 Existing problems and solutions
Chapter 6 System Testing
6.1 Network acceptance test results
6.2 Connectivity test
Chapter 7 Summary
References
Acknowledgements
Appendix
Appendix 1:
Core switch:

Chapter 1 Introduction

With the popularisation and rapid development of informatisation in the 21st century, people in every field enjoy the great convenience brought by the Internet, but that convenience has also brought new problems, the most important of which is network security. Network security has always been a matter of concern for online platforms, and users in finance and enterprise attach particular importance to information security.

The development of network technology has also made the network environment more complex: besides the security problems of systems themselves, there is an endless stream of security issues on the Internet. How to use existing network technologies effectively to raise the overall level of security and management is therefore the first problem to solve. At the same time, the progress of society has made network hardware more mature and stable.

1.1  Research background

Network system security concerns national security, stable national development, and major strategic issues that citizens face in daily life and work. It can be said that without network security there is no national security.

Based on the current state of network security worldwide, the main security problems faced by network systems were analysed and countermeasures considered for each. The conclusion is that VPN technology, developed to protect data transmission across regions, is the way to improve the controllability and security of the network. A VPN (Virtual Private Network) is a private network built on top of a public network. It is cheap, fast, highly scalable and secure, and achieves an effect similar to leasing a dedicated line from an operator. It does this by creating a dedicated tunnel for a particular data flow; the tunnel is the core technology of the VPN, and without a tunnel there is no VPN. To implement tunnelling, a tunnelling protocol must be followed.

The emergence of the Virtual Private Network solved the problem of secure access between fixed sites and, later, of secure remote access for individual users. It creates a virtual point-to-point channel across the Internet, so that a private network can be built in a public network environment. This article focuses on SSL VPN. Note that, unlike IPsec, which is the network-layer security framework defined by the IETF, SSL VPN works above the transport layer: it carries traffic inside SSL/TLS sessions, normally over TCP port 443. Both approaches authenticate the endpoints and encrypt the data passing between the public and private networks, giving low-cost, high-security data access.

1.2  Research significance

The main significance of this project is to solve the security problem of data communication in the enterprise network: to give the enterprise's mobile office staff a secure point-to-point virtual tunnel across the ISP network, so that their data communication is reliable, confidential and protected against tampering, and the integrity of mobile-office communication for staff working outside the company is preserved.

1.3  Research content

With the development of information technology, information exchange among employees and partners within the enterprise has intensified, and accessing the enterprise's internal systems over the Internet to work remotely has become an inevitable requirement. Public network transmission is unencrypted by nature, so on its own its security and confidentiality are extremely poor. Virtual private networks (VPNs) are increasingly favoured by enterprises because they combine a public-network connection with encrypted transmission. VPN technologies include L2TP, PPTP, IPsec VPN and SSL VPN. Early enterprise remote-office systems mainly used IPsec VPN. However, IPsec VPN needs dedicated client software on every endpoint, is awkward to install and maintain on unmanaged devices, has trouble crossing NAT and firewalls unless NAT traversal is supported end to end, and is not fully supported on every client platform, so in recent years, as SSL VPN technology has matured, more and more enterprises have turned to SSL VPN to build remote-office access. On this basis, this article studies the design and implementation of SSL VPN access in the enterprise network.

Chapter 2 System Analysis

2.1   Feasibility analysis

2.1.1 Technical feasibility

Compared with traditional IPsec VPN, SSL VPN lets more of the company's remote users connect from more locations and reach more network resources, with lower demands on the client device, which reduces configuration and support costs. Many enterprise users adopt SSL VPN as their remote secure-access technology mainly for its access-control capability. A remote-access IPsec VPN creates a tunnel between the client and the gateway and gives direct (non-proxied) access to the whole network: once the tunnel is up, the user's PC behaves as if it were physically on the corporate LAN. This carries real risk when the user has more permissions than needed or the PC itself is compromised. An SSL VPN gateway can instead proxy access at the application level, so only authenticated users reach resources, and each resource can be exposed individually. SSL VPN also supports split tunnelling, letting the user reach the Internet and internal resources at the same time in a controlled way, and it can refine access control so that different users receive different rights, which makes access scalable. IPsec remote access can approximate some of this with group policies and per-user filters, but URL- and application-level granularity is much harder to achieve there.

2.1.2 Economic feasibility

SSL VPN can be used from managed or unmanaged devices, such as a home PC or a public Internet access point, whereas IPsec VPN clients are normally deployed only on managed, fixed devices. As demand for remote access grows, IPsec VPN faces great challenges in access control, and its management and operation cost is high. IPsec remains the best solution for site-to-site connections, but for secure remote access from any location SSL VPN is far more satisfactory.

2.1.3 Operational feasibility

IPsec VPN has difficulty traversing firewalls and NAT in a complex network unless NAT traversal (NAT-T, UDP port 4500) is supported by both ends and every device in between, and it cannot easily handle overlapping private address ranges between the remote site and the company. SSL VPN has almost no restrictions on access location and can reach network resources from a wide range of Internet-connected devices. Because SSL VPN traffic looks like ordinary HTTPS (TCP port 443, sometimes with DTLS over UDP for performance), it passes through the NAT devices, proxy-based firewalls and stateful inspection firewalls that already allow web browsing. Users can therefore connect from anywhere, whether behind a proxy-based firewall on another company's network or over a home broadband connection.

2.2 Requirements analysis

2.2.1 Functional requirements

Enterprises need to use SSL VPN technology, which can securely extend the corporate network to any authorized user, so that external users or employees can use standard web browsers to establish remote access connections to company resources from anywhere with an Internet connection.

2.2.2  Non-functional requirements

1.Performance requirements

The SSL VPN must support many users connecting at the same time, and the number of users and concurrent connections must be expandable beyond a fixed licence limit. The device's network ports must support Gigabit uplinks, and it must have multiple network interfaces so that business and management addresses can be kept separate.

2. Usability requirements

SSL VPN is currently one of the simplest and most secure technologies for giving remote users access to company data. It is largely unrestricted by access location and passes through NAT devices, proxy-based firewalls and stateful inspection firewalls. Unlike traditional IPsec VPN, it does not require client software to be installed on every computer: any user computer with a browser can use it. Employees need only a web browser and its built-in SSL/TLS support to reach the corporate network from devices outside the company LAN, such as home PCs, Internet kiosks or wireless hotspots, precisely the places where the IT department cannot easily deploy and manage IPsec VPN client software. Where application access must be restricted, SSL VPN needs no pre-installed client, and administrators can provide a customised user portal and precise access control for web sites and corporate applications.

3. Reliability requirements

As is well known, the domestic basic network environment is relatively harsh: fibre, residential broadband, ADSL, narrowband dial-up, 3G and other access methods coexist, and there are several operators (China Telecom, China Mobile and China Unicom), so unstable cross-operator links are common. Because of this, many SSL VPN systems perform poorly after deployment and fail to achieve the planned goal of mobile working anytime, anywhere. Once users have a poor experience, fewer and fewer of them connect, and the system ends up neglected with a low return on investment.

The VPN therefore needs multi-line load balancing and similar techniques, together with vendor acceleration features such as fast HTTP and flash-link, which are reported to raise the access speed for most SSL VPN end users several times over.

4. Security requirements

In small and medium-sized enterprises the products commonly used to isolate the office network from the business network are often unsatisfactory. Traditional products such as physical isolation gateways (gatekeepers) and firewalls cannot meet the new requirement of isolating networks while still allowing access to certain applications. By contrast, the SSL VPN's network isolation, fine-grained assignment of user permissions and access logging can meet these requirements and achieve secure access on top of isolation. Deploying the SSL VPN in front of the server or business network provides comprehensive protection through logical isolation, user identification, permission assignment and auditing of access behaviour.

Chapter 3 Overview of Related Technologies

3.1  SSL VPN technology

3.1.1 Overview of SSL VPN

SSL (Secure Sockets Layer) is a family of Internet data security protocols originally developed by Netscape. SSL 3.0 was its last version; it has since been deprecated (RFC 7568) and replaced by TLS (Transport Layer Security), and what products still call "SSL VPN" today actually runs on TLS 1.2 or TLS 1.3. The protocol is widely used for authentication and encrypted data transmission between web browsers and servers. It sits between TCP/IP and the application-layer protocols and provides security for data communication. The SSL/TLS protocol can be divided into two layers:

SSL Record Protocol: built on a reliable transport protocol (such as TCP), it provides data encapsulation, optional compression (removed in TLS 1.3), integrity protection and encryption for the higher-level protocols.

SSL Handshake Protocol: built on the record protocol, it is used for identity authentication, negotiation of encryption algorithms and exchange of encryption keys between the communicating parties before actual data transmission begins.
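To make the two-layer structure concrete, the following added example (not part of the original paper) builds a minimal TLS ClientHello and parses it back, showing the 5-byte record header on the outside and the handshake message inside. The host name, the client random and the cipher-suite choice are constructed sample values; the field layout follows RFC 5246.

```python
"""Build and parse a minimal TLS ClientHello to show the record/handshake layering."""
import struct

CONTENT_TYPE_HANDSHAKE = 0x16
CONTENT_TYPE_APPLICATION_DATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
TLS_1_2 = 0x0303

# Real IANA cipher-suite code points used in the sample.
TLS_AES_128_GCM_SHA256 = 0x1301
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F


def build_client_hello(server_name, cipher_suites, client_random):
    """Record layer outside (type, version, length); handshake message inside."""
    assert len(client_random) == 32
    host = server_name.encode()
    # server_name extension: ServerNameList { name_type=0 (host_name), length, name }
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_ext = struct.pack("!HH", 0x0000, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", TLS_1_2)             # legacy_version
            + client_random
            + b"\x00"                              # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                          # compression methods: null only
            + extensions)
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_TYPE_HANDSHAKE, TLS_1_2, len(handshake)) + handshake


def parse_record(data):
    """Parse the record header; only a handshake record exposes anything readable."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    info = {"content_type": ctype, "record_version": version, "length": length}
    if ctype != CONTENT_TYPE_HANDSHAKE:
        info["opaque"] = True          # application data: encrypted by the record layer
        return info
    hs_type = payload[0]
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    info["handshake_type"] = hs_type
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return info
    pos = 0
    (client_version,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    client_random = body[pos:pos + 32]; pos += 32
    sid_len = body[pos]; pos += 1 + sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]; pos += 1 + comp_len
    sni = None
    if pos < len(body):
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext_data = body[pos:pos + ext_len]; pos += ext_len
            if ext_type == 0x0000:     # server_name: skip list length (2) and name_type (1)
                (name_len,) = struct.unpack("!H", ext_data[3:5])
                sni = ext_data[5:5 + name_len].decode()
    info.update(client_version=client_version, client_random=client_random,
                cipher_suites=suites, server_name=sni)
    return info


if __name__ == "__main__":
    rec = build_client_hello("vpn.example.com", [TLS_AES_128_GCM_SHA256,
                                                  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256], bytes(32))
    print(parse_record(rec))
```

The point for a gateway operator: the record header and the ClientHello (including the SNI host name) are the only parts of an SSL VPN session a firewall or IDS can read; everything after the handshake is an opaque application-data record.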

3.1.2 Security of SSL VPN

For the remote-access applications such as mobile office that are emerging today, SSL VPN has clear advantages. The security of an SSL VPN solution rests on four aspects: transmission security, identity authentication, access security checks and access authorization.

1.Transmission security

Transmission security is guaranteed by the SSL/TLS protocol, which ensures the confidentiality and integrity of transmitted data and the authentication of the communicating parties. It can use public-key algorithms (RSA, DSA, and in TLS their elliptic-curve variants), symmetric algorithms (DES, 3DES and RC4 in older versions; AES today) and integrity algorithms (MD5 and SHA-1 in older versions; SHA-2 HMAC or AEAD modes today). DES, RC4, MD5 and SHA-1-based suites are now considered broken or weak and should be disabled on the gateway.

2. Identity authentication

In the SSL protocol, client and server can authenticate each other during the handshake, but this is authentication between devices (certificates): two-way SSL authentication establishes the trustworthiness of the terminal device, not the identity of the person using it. The SSL VPN therefore provides user authentication at the application layer (rather than at the SSL layer). Besides traditional username/password authentication, an SSL VPN can offer extended methods such as digital certificate authentication, dynamic (one-time) passwords, and binding to hardware characteristics of the access terminal.

3. Access security check

The complexity of the user's environment and the uncertainty about the terminal in use pose a potential risk to intranet security. The SSL VPN gateway therefore applies terminal security inspection and control policies to check the security and trustworthiness of the user's terminal. The terminal's security status is evaluated from the inspection results, and only then is it decided whether the user may access the intranet and which resources may be reached.

4.Access authorization

SSL VPN users are diverse, and authorization can be based on roles, user groups and individual users. The SSL VPN can integrate with an existing external authorization system, making it easier for administrators to deploy authorization policies across the whole network. By applying different access authorizations to different users, the gateway admits only legitimate users: administrators group users or define roles and assign resources so that a given user reaches only the resources authorized for it. The finer the granularity of control over internal resources, the more effectively intranet security is protected. The SSL VPN can control access at the level of URLs, IP addresses, ports and application services, and anything not explicitly granted should be denied by default.
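The four aspects above (transmission security being the TLS layer itself) are what the gateway does after the handshake. The following added example, written for this page and not taken from any product, puts the remaining three in the order a gateway applies them: user authentication with a password verifier plus an RFC 6238 one-time password, a terminal posture check, and deny-by-default role-based authorization on destination address and port. The user records, the posture requirements and the policy rules are constructed; the 10.6.16.x addresses follow section 3.1.3.

```python
"""Application-layer controls an SSL VPN gateway applies after the TLS handshake:
user authentication (password + TOTP), terminal posture check, role-based authorization.
Names, policy and sample data are constructed for this example."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field


def hash_password(password, salt, iterations=100_000):
    """PBKDF2-SHA256 verifier so the stored value does not reveal the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: the 'dynamic password' second factor."""
    counter = struct.pack("!Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    roles: set = field(default_factory=set)


def authenticate(user, password, code, now):
    """Both factors must pass; compare_digest avoids timing leaks on the comparison."""
    pw_ok = hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)
    # accept the current 30 s step and one step either side to tolerate clock drift
    code_ok = any(hmac.compare_digest(totp(user.totp_secret, now + d), code)
                  for d in (-30, 0, 30))
    return pw_ok and code_ok


# Terminal posture: what the endpoint check must report before the intranet is opened.
REQUIRED_POSTURE = {"antivirus_running": True, "disk_encrypted": True}


def posture_ok(report):
    return all(report.get(key) == value for key, value in REQUIRED_POSTURE.items())


@dataclass
class Rule:
    role: str
    network: str   # destination network the role may reach
    ports: set     # allowed destination ports


# Deny by default: only what a rule grants is reachable.
POLICY = [
    Rule("staff", "10.6.16.0/24", {53, 443}),       # DNS and HTTPS to the server segment
    Rule("erp-admin", "10.6.16.4/32", {22, 443}),   # SSH to the ERP host, admins only
]


def authorize(user, dst_ip, dst_port):
    ip = ipaddress.ip_address(dst_ip)
    return any(rule.role in user.roles
               and ip in ipaddress.ip_network(rule.network)
               and dst_port in rule.ports
               for rule in POLICY)


def gateway_decision(user, password, code, posture, dst_ip, dst_port, now):
    """Order matters: identity first, then device health, then the specific resource."""
    if not authenticate(user, password, code, now):
        return "deny: authentication failed"
    if not posture_ok(posture):
        return "deny: terminal failed security check"
    if not authorize(user, dst_ip, dst_port):
        return "deny: not authorized for resource"
    return "allow"


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    alice = User("alice", b"salt", hash_password("correct horse", b"salt"), secret, {"staff"})
    print(gateway_decision(alice, "correct horse", totp(secret, 59), dict(REQUIRED_POSTURE),
                           "10.6.16.1", 53, 59))
```

A real gateway would take the posture report from an endpoint agent and the role set from an external directory (LDAP/RADIUS), as the text describes; the decision order and the deny-by-default policy are the parts worth copying.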

3.1.3 Working process of SSL VPN

The SSL VPN connection process is as follows:

 

Figure 3.1 SSL VPN establishment process

1. The remote user opens the SSL VPN login page by browsing to the external address of the SSL VPN server, 6.16.5.6, and enters identity information such as account and password. An HTTPS session is established, and over this session the server automatically loads the SSL VPN client program onto the user's PC.

2. The SSL VPN client program creates a virtual network card on the user's PC, through which the VPN connection to the headquarters network is made.

3. After the virtual network card is created, the SSL VPN server takes an address such as 192.168.1.2 from the address pool 192.168.1.0/24 and assigns it to the remote user, and at the same time pushes routing, DNS and other information. The server itself holds an address in this pool, 192.168.1.1, which serves as the gateway for all clients' virtual network cards.

4. A new SSL session is then established between the SSL VPN client program and the server, dedicated to carrying traffic between the virtual network card and the SSL VPN server.

5. Suppose the remote user wants to reach the company's internal DNS server 10.6.16.1. According to the pushed routes, the remote PC sends the request (source 192.168.1.2, destination 10.6.16.1) through the virtual network card towards the SSL VPN server 192.168.1.1.

6. The SSL VPN client program on the remote PC encapsulates the IP packets sent by the virtual network card in the SSL session and transmits them over the Internet to the SSL VPN server.

7. The SSL VPN server decrypts and decapsulates the packet, sees that the destination address is 10.6.16.1, and forwards it to the internal DNS server.

8. The reverse direction works the same way, as does access to the internal ERP server 10.6.16.4.
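The following added example (constructed for this page, not the paper's own code) walks through steps 3 to 7 in code: pool address assignment with pushed routes, the client's split-tunnel decision of which packets go through the virtual network card, the IP packet carried inside the SSL session as a tunnel frame, and the gateway's decapsulation and forwarding checks. The addresses are the ones from the text; the length-prefixed frame format and the anti-spoofing check on the inner source address are assumptions about what a sensible gateway does, not a description of any particular product.

```python
"""Simulate steps 3 to 7 of the SSL VPN working process (constructed example)."""
import ipaddress
import struct

POOL = ipaddress.ip_network("192.168.1.0/24")        # client address pool from the text
GATEWAY = ipaddress.ip_address("192.168.1.1")         # server-side end of the tunnel
PUSHED_ROUTES = ["10.6.16.0/24"]                      # assumed: the internal server segment
PUSHED_DNS = ["10.6.16.1"]


def assign_client_address(in_use):
    """Step 3: first free pool address plus the configuration the client installs."""
    for host in POOL.hosts():
        if host != GATEWAY and host not in in_use:
            in_use.add(host)
            return str(host), {"gateway": str(GATEWAY), "routes": PUSHED_ROUTES, "dns": PUSHED_DNS}
    raise RuntimeError("address pool exhausted")


def ipv4_checksum(header):
    """Standard ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options), as the virtual network card would emit it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def route_via_tunnel(dst, routes):
    """Step 5: split tunnel; only destinations covered by a pushed route use the virtual NIC."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(r) for r in routes)


def encapsulate(ip_packet):
    """Step 6 (client): length-prefixed tunnel frame; this is the plaintext the SSL record carries."""
    return struct.pack("!H", len(ip_packet)) + ip_packet


def decapsulate(frame):
    """Step 7 (gateway): strip the frame and validate the inner IPv4 header."""
    (length,) = struct.unpack("!H", frame[:2])
    pkt = frame[2:2 + length]
    if len(pkt) < 20 or len(pkt) != length or ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("corrupt tunnel frame")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt


def gateway_forward(frame, inside_networks):
    """Inner source must be a pool address (anti-spoofing); destination must be internal."""
    src, dst, _ = decapsulate(frame)
    if ipaddress.ip_address(src) not in POOL:
        return "drop: source not from VPN pool"
    if not any(ipaddress.ip_address(dst) in ipaddress.ip_network(n) for n in inside_networks):
        return "drop: destination not an internal network"
    return "forward to " + dst


if __name__ == "__main__":
    addr, cfg = assign_client_address(set())
    pkt = build_ipv4(addr, PUSHED_DNS[0], 17, b"dns-query")      # 17 = UDP
    print(addr, cfg, gateway_forward(encapsulate(pkt), cfg["routes"]))
```

The anti-spoofing check is the part that matters operationally: a client that has been given 192.168.1.2 must not be able to inject packets claiming an internal source address into the intranet through the tunnel.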

3.1.4 SSL VPN vs. IPSEC VPN

(1) IPsec VPN has high deployment and management costs. The value of IPsec VPN lies in the security of its transmission, but deploying IPsec for remote access requires significant infrastructure changes and ongoing management: complex client software must be installed on every endpoint, and when the VPN policy changes the management burden grows rapidly. SSL VPN is the opposite: the client needs no additional software or hardware, a standard browser can reach the intranet securely through the SSL/TLS encryption protocol, and the cost is much lower.

(2) SSL VPN provides end-to-end security. IPsec establishes its tunnel between the client and the edge of the corporate network: it protects the connection as far as the network edge, after which data travels in the clear across the internal network. The secure channel established by an SSL VPN in proxy (application-access) mode runs between the client and the accessed resource, so the data is not exposed either on the internal network or on the Internet, and each operation the user performs on the resource is authenticated and encrypted, giving true end-to-end security. Note that when the SSL VPN is used in network-extension mode (the virtual network card described in 3.1.3) the tunnel also terminates at the gateway, and the last hop inside the intranet is only as protected as the application protocol itself.

(3) SSL VPN scales better. When deploying IPsec VPN the network topology must be taken into account, and adding a new device may change the network structure and force redeployment, so IPsec VPN scales poorly. With SSL VPN, servers that need VPN protection can be added behind the gateway at any time as needed, which makes it more flexible.

3.2 DHCP technology

DHCP (Dynamic Host Configuration Protocol) is usually used in local area networks of some size. Its main function is to manage and allocate IP addresses centrally, so that hosts in the network can dynamically obtain an IP address, gateway address, DNS server address and other information, which also improves address utilisation.

DHCP uses a client/server model, and dynamic address allocation is driven by the network host. When the DHCP server receives a host's request for an address, it sends the address configuration and related information to the host, thereby configuring the host's address information dynamically. DHCP has the following functions:

(1) Ensure that any IP address is used by only one DHCP client at a time.

(2) DHCP should be able to assign a permanent, fixed IP address to a user.

(3) DHCP should be able to coexist with hosts that obtain IP addresses in other ways (such as hosts with manually configured addresses).

(4) The DHCP server should serve existing BOOTP clients.

 

Figure 3.2 Working process of DHCP

DHCP has three mechanisms for assigning IP addresses:

1) Automatic allocation: the DHCP server assigns a permanent IP address to the host. Once the DHCP client has successfully leased an address from the server for the first time, it can use that address permanently.

2) Dynamic allocation: the DHCP server assigns a time-limited IP address to the host. When the lease expires or the host explicitly gives up the address, the address can be used by other hosts.

3) Manual allocation: the client's IP address is specified by the network administrator, and the DHCP server only tells the client host which address it has been given.

Of the three methods, only dynamic allocation can reuse addresses that a client no longer needs.
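The following added example (constructed for this page; it does not implement the DHCP wire protocol) is a small lease pool that exhibits the three allocation mechanisms and the rule that an address belongs to one client at a time: manual reservations, permanent (automatic) leases, and dynamic leases that return to the pool only when they expire or are released. The network, exclusion and client identifiers are made-up sample values.

```python
"""DHCP-style lease pool: manual, automatic and dynamic allocation (constructed example)."""
import ipaddress


class LeasePool:
    def __init__(self, network, exclude=(), lease_time=3600):
        net = ipaddress.ip_network(network)
        excluded = set(exclude)
        self.free = [str(h) for h in net.hosts() if str(h) not in excluded]
        self.leases = {}        # ip -> (client_id, expiry); expiry None means permanent
        self.reservations = {}  # client_id -> ip   (manual allocation)
        self.lease_time = lease_time

    def reserve(self, client_id, ip):
        """Manual allocation: the administrator pins an address to a client."""
        self.reservations[client_id] = ip
        if ip in self.free:
            self.free.remove(ip)

    def _expire(self, now):
        for ip, (cid, expiry) in list(self.leases.items()):
            if expiry is not None and expiry <= now:     # only dynamic leases expire
                del self.leases[ip]
                self.free.append(ip)

    def allocate(self, client_id, now, permanent=False):
        """Return the address for client_id, or None if the pool is exhausted."""
        self._expire(now)
        if client_id in self.reservations:
            ip = self.reservations[client_id]
            self.leases[ip] = (client_id, None)
            return ip
        for ip, (cid, expiry) in self.leases.items():   # renewal keeps the same address
            if cid == client_id:
                if expiry is not None:
                    self.leases[ip] = (cid, now + self.lease_time)
                return ip
        if not self.free:
            return None
        ip = self.free.pop(0)
        expiry = None if permanent else now + self.lease_time   # automatic vs dynamic
        self.leases[ip] = (client_id, expiry)
        return ip

    def release(self, client_id):
        """Explicit DHCPRELEASE: the address goes straight back to the pool."""
        for ip, (cid, _) in list(self.leases.items()):
            if cid == client_id:
                del self.leases[ip]
                self.free.append(ip)
                return ip
        return None

    def holder(self, ip):
        """Which client currently holds ip (None if free): one address, one client."""
        return self.leases.get(ip, (None, None))[0]
```

Timestamps are plain integers so that expiry can be driven explicitly; a real server would use the clock and also answer DHCPDISCOVER/REQUEST messages, which this sketch leaves out.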

3.3 ACL design

An ACL (access control list) is a traffic-control technique based on packet filtering. It is widely used on routers and can effectively control network users' access to network resources at layer 3, from broad control by network segment down to specific applications between two network devices. With ACLs you can enforce the enterprise's outbound policy and control access to internal resources on the LAN to keep them secure. However, ACLs add router overhead and increase management complexity, so whether to use them is a trade-off between management efficiency and network security. Originally ACLs were supported only on routers; in recent years they have been extended to layer 3 switches, and some layer 2 switches, such as the Catalyst 2950, also provide ACL support.

 

Figure 3.3 ACL matching diagram

As the figure shows, an ACL is processed as follows:

Whether or not an ACL is configured, when a packet arrives the router first checks whether it is routable. If it is not, the packet is discarded; otherwise the routing table is consulted for the route and the corresponding outbound interface.

If the packet is routable, the router finds the outbound interface and checks whether an ACL is applied to it. If there is none, the packet is sent out of that interface directly. If there is an ACL, the router compares the packet with the ACL entries in order from top to bottom. The first entry that matches determines the action (permit or deny), and no further entries are checked; if no entry matches, the implicit deny any at the end of the ACL discards the packet. An ACL applied inbound on an interface works the same way, except that it is evaluated before the routing lookup.

Access control lists can be broadly divided into two categories: standard access control lists and extended access control lists.

1. Standard IP access control list

A standard IP access control list matches only the source address (or part of it, using a wildcard mask) of the IP packet and can deny or permit the matched packet. Numbered lists in the range 1 to 99 (and the expanded range 1300 to 1999) are standard IP access control lists.

2. Extended IP access control list

An extended IP access control list has more match conditions than a standard one, including protocol type, source address, destination address, source port, destination port, connection state (established) and IP precedence. Numbered lists in the range 100 to 199 (and the expanded range 2000 to 2699) are extended IP access control lists.

3. Named IP access control list

A named IP access control list uses a list name instead of a number to define the list. It also comes in standard and extended forms, and the filtering statements are similar to those of numbered lists.
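The following added example (written for this page, not taken from the paper's appendix) emulates how a Cisco-style numbered ACL is evaluated: top-down, first match wins, implicit deny at the end, and wildcard masks in which 0 bits must match and 1 bits are ignored. It contains a standard list that shows why entry order matters and an extended list of the kind one would apply inbound on the Internet-facing interface to admit only HTTPS to the SSL VPN server 6.16.5.6 plus return traffic for sessions opened from inside. The packets and the internal addresses are constructed sample values.

```python
"""Emulate Cisco-style IP ACL evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(ip, base, wildcard):
    """'host X' is X with wildcard 0.0.0.0; 'any' is 0.0.0.0 with wildcard 255.255.255.255."""
    a = int(ipaddress.ip_address(ip))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF            # bits that must match
    return (a & care) == (b & care)


@dataclass
class Ace:                            # one access-control entry
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # ip (any protocol), tcp, udp, icmp
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None
    established: bool = False         # tcp only: match packets with ACK or RST set


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    flags: Optional[set] = None


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wc):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wc):
        return False
    if ace.dst_port is not None and pkt.dst_port != ace.dst_port:
        return False
    if ace.established and not (pkt.flags and pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl, pkt):
    """Return (action, index of the matching entry); index -1 means the implicit deny fired."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", -1


# Standard ACL (range 1-99): source only. The specific deny must precede the broad permit,
# otherwise the host 10.6.16.99 is permitted by entry 0 and the deny is never reached.
ACL_10 = [
    Ace("deny", src="10.6.16.99", src_wc="0.0.0.0"),
    Ace("permit", src="10.6.16.0", src_wc="0.0.0.255"),
]

# Extended ACL (range 100-199), applied inbound on the Internet interface:
# entry 0: replies to sessions started from inside; entry 1: HTTPS to the SSL VPN server;
# everything else (port scans, SSH attempts) falls through to the implicit deny.
ACL_110 = [
    Ace("permit", "tcp", established=True),
    Ace("permit", "tcp", dst="6.16.5.6", dst_wc="0.0.0.0", dst_port=443),
]


if __name__ == "__main__":
    print(evaluate(ACL_110, Packet("tcp", "203.0.113.7", "6.16.5.6", 443, {"SYN"})))
    print(evaluate(ACL_110, Packet("tcp", "203.0.113.7", "6.16.5.6", 22, {"SYN"})))
```

The `established` entry is the classic stateless trick for return traffic; it matches on TCP flags only, so a stateful firewall in front of the router is still needed to stop crafted ACK packets from probing inside hosts.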

3.4 NAT design

NAT stands for Network Address Translation. It is an IETF (Internet Engineering Task Force) standard that lets an entire organisation appear on the Internet behind one (or a few) public IP addresses. As the name suggests, it translates internal private IP addresses into public, routable IP addresses, so NAT goes some way towards solving the shortage of public addresses.

Simply put, the LAN uses private addresses internally, and when an internal node communicates with the outside world the gateway (the exit point of the network) replaces the private address with a public one so that the traffic can travel on the public Internet. NAT lets many computers share one Internet connection, which addresses the shortage of public IP addresses: an organisation can apply for a single public address and connect the whole LAN through it. NAT also hides the internal network: inside computers are not directly reachable from the public network, and their users are usually unaware that NAT exists, as shown in the figure below. This hiding is a side effect rather than an access-control mechanism, so a firewall or ACL is still needed to enforce policy. The internal addresses referred to here are the private IP addresses assigned to nodes in the internal network; they are valid only inside the network and are not routed on the public Internet.
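The following added example (constructed for this page, not the paper's own configuration) simulates the two NAT behaviours the section describes as a translation table: outbound flows from the private LAN are rewritten to one public address with a unique port (NAT overload, or PAT), replies are mapped back through the table, and an unsolicited inbound packet with no table entry is dropped. It also shows a static one-to-one mapping for a published server, since the SSL VPN server has the external address 6.16.5.6. The public address 6.16.5.2 and the inside address of the published server are assumptions.

```python
"""Port address translation (NAT overload) plus static NAT as a translation table."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "6.16.5.2"          # assumed: the single public address on the edge router


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, public_ip, inside_network, first_port=1024):
        self.public_ip = public_ip
        self.inside = ipaddress.ip_network(inside_network)
        self.next_port = first_port
        self.out_table = {}     # (proto, inside src, sport, dst, dport) -> public port
        self.in_table = {}      # (proto, public port, remote ip, remote port) -> (inside src, sport)
        self.static = {}        # public ip -> inside ip (one-to-one NAT for published servers)

    def publish(self, public_ip, inside_ip):
        self.static[public_ip] = inside_ip

    def outbound(self, f):
        """Inside -> Internet: rewrite source to (public_ip, unique port); reuse existing entry."""
        if ipaddress.ip_address(f.src) not in self.inside:
            return None                         # not an inside address: nothing to translate
        key = (f.proto, f.src, f.sport, f.dst, f.dport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(f.proto, port, f.dst, f.dport)] = (f.src, f.sport)
        return Flow(f.proto, self.public_ip, self.out_table[key], f.dst, f.dport)

    def inbound(self, f):
        """Internet -> inside: static mapping, else a matching PAT entry, else drop (None)."""
        if f.dst in self.static:
            return Flow(f.proto, f.src, f.sport, self.static[f.dst], f.dport)
        entry = self.in_table.get((f.proto, f.dport, f.src, f.sport))
        if entry is None:
            return None                         # unsolicited: no entry, packet is dropped
        inside_ip, inside_port = entry
        return Flow(f.proto, f.src, f.sport, inside_ip, inside_port)


if __name__ == "__main__":
    r = NatRouter(PUBLIC_IP, "10.6.16.0/24")
    r.publish("6.16.5.6", "10.6.16.10")         # assumed inside address of the SSL VPN server
    out = r.outbound(Flow("tcp", "10.6.16.20", 40000, "198.51.100.5", 443))
    print(out, r.inbound(Flow("tcp", "198.51.100.5", 443, PUBLIC_IP, out.sport)))
```

Note how the published mapping deliberately punches a hole through the "invisible intranet" property: anything reachable through it must be protected by the ACL on the Internet-facing interface and by the VPN gateway's own authentication.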

3.5 OSPF design

The full name of the routing protocol OSPF is Open Shortest Path First. Because OSPF was developed by the IETF, its use is not restricted by any manufacturer and anyone may implement it, which is why it is called "open". "Shortest Path First" (SPF) is simply the core idea of OSPF; the algorithm it uses is Dijkstra's algorithm. "Shortest path first" has no special meaning in itself: there is no routing protocol that prefers the longest path; every protocol chooses the shortest one.

The OSPF protocol introduces the concept of "hierarchical routing", which divides the network into a set of independent parts connected by a "backbone". These independent parts are called "areas", and the "backbone" part is called "Backbone area". Each area is like an independent network, and the OSPF router in this area only saves the link status of this area. The link state database of each router can be kept at a reasonable size, and the route calculation time and the number of packets will not be too large.

 

Figure 3.4 OSPF data packets

The advantages of OSPF are:

(1) It supports networks of all sizes, up to hundreds of routers.

(2) It selects paths based on bandwidth.

(3) If the network topology changes, OSPF immediately sends an update message so that the change is synchronized throughout the autonomous system.

(4) Because OSPF calculates routes with the shortest path tree algorithm from the collected link states, the algorithm itself guarantees that no routing loops are generated.

(5) Because OSPF carries the network mask when describing a route, it is not limited by classful (natural) masks and supports VLSM and CIDR well.

(6) OSPF allows the network of an autonomous system to be divided into areas for management, and routing information passed between areas is further summarized, reducing the bandwidth consumed.

(7) OSPF supports multiple equal-cost routes to the same destination address.

(8) OSPF uses four route types, which in order of priority are: intra-area routes, inter-area routes, type 1 external routes and type 2 external routes.

(9) It supports interface-based packet authentication to secure route computation.
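The SPF calculation described above, as an added example that is not code from the thesis: a Dijkstra run over a constructed link-state database in which interface costs are derived from bandwidth the way IOS does it (reference bandwidth divided by interface bandwidth). The router names, links and bandwidths are assumptions.

```python
"""Shortest-path-first calculation over a constructed link-state database.

Added example for the OSPF section; not code from the thesis. The topology,
router names and bandwidths are assumptions. Costs follow the IOS formula
reference_bandwidth / interface_bandwidth (default reference 100 Mbit/s).
"""
import heapq
from typing import Dict, List, Tuple

DEFAULT_REF_KBPS = 100_000  # IOS default: auto-cost reference-bandwidth 100 (Mbit/s)


def ospf_cost(bandwidth_kbps: int, ref_kbps: int = DEFAULT_REF_KBPS) -> int:
    """Interface cost as IOS computes it: integer division, never below 1."""
    return max(1, ref_kbps // bandwidth_kbps)


# Constructed LSDB: router -> list of (neighbor, link bandwidth in kbit/s).
# Links are symmetric here; real LSAs are advertised per direction.
LSDB: Dict[str, List[Tuple[str, int]]] = {
    "Core":   [("Router", 1_544), ("Agg1", 100_000)],   # T1 serial vs FastEthernet
    "Agg1":   [("Core", 100_000), ("Router", 100_000)],
    "Router": [("Core", 1_544), ("Agg1", 100_000)],
}


def spf(lsdb: Dict[str, List[Tuple[str, int]]], root: str,
        ref_kbps: int = DEFAULT_REF_KBPS) -> Dict[str, Tuple[int, List[str]]]:
    """Dijkstra from `root`; returns {node: (total_cost, path_from_root)}."""
    dist = {root: 0}
    prev: Dict[str, str] = {}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry, a shorter path was already found
        for v, bw in lsdb.get(u, []):
            nd = d + ospf_cost(bw, ref_kbps)
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))

    def path(node: str) -> List[str]:
        out = [node]
        while node in prev:
            node = prev[node]
            out.append(node)
        return out[::-1]

    return {n: (c, path(n)) for n, c in dist.items()}


if __name__ == "__main__":
    for node, (cost, route) in spf(LSDB, "Core").items():
        print(f"{node:7s} cost={cost:3d} via {' -> '.join(route)}")
```

With the default reference bandwidth the direct T1 link (cost 64) loses to the two-hop FastEthernet path (cost 2), which is the "selects paths based on bandwidth" behaviour. Note the caveat the formula exposes: at a 100 Mbit/s reference, Gigabit and FastEthernet links both cost 1, so a full-Gigabit LAN like this design's cannot be distinguished from 100 Mbit/s links unless the reference bandwidth is raised (IOS `auto-cost reference-bandwidth`) consistently on every router in the area.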

Chapter 4 System Design

4.1 Overall network design

After several years of development, SSL VPN networking technology has become the inevitable choice for enterprises building ERP systems. Since ERP access involves corporate privacy and data security, the security of data transmission and the legitimacy of access must be considered when implementing Internet-based remote access, to prevent confidential data from being obtained, tampered with or destroyed by hackers or even competitors. Therefore, when building an enterprise ERP system, its security requirements are particularly prominent compared with other enterprise information systems. In addition, how to guarantee the efficiency of the ERP system and maintain the scalability of the business while remaining secure are key issues in current ERP implementations. At the same time, the growth of enterprise business requires highly secure and stable access to ERP systems.

There are 9 departments in the network environment of this project, namely the Security Department, the Commercial Department, the Administrative Department, the Sales Department, the Human Resources Department, the Financial Department, the Manager's Office, the Technical Department and the Conference Room. The local area network uses full Gigabit link interconnection to guarantee network transmission speed. The network is designed with the Cisco Packet Tracer simulator. Switches learn VLAN information automatically from the VTP server, and SVI interfaces are used to route traffic between VLANs. The company's internal network runs the OSPF protocol. Users on the head office's internal network reach the outside through NAT, which translates intranet private addresses into public addresses on the external network to ensure security. A DHCP service assigns IP addresses dynamically to improve address utilization. ACL technology is used so that the internal network can access the servers and the external network, while the external network can access the servers but not the internal network.

The entire network is divided into zones and the internal gateways are hardened, which reduces the problem of excessive useless packets caused by large volumes of data circulating in the LAN. What is needed is not only internationally advanced technology but also a system that is secure, reliable and practical, with high performance, high bandwidth and simple management. The overall network architecture was selected after internal analysis and discussion: the architecture adopted is the three-layer hierarchical network design model of "core layer, aggregation layer, access layer".

4.2  Network security design

We have always paid attention to network security issues, and we also need to follow some principles when designing network security protection systems. The main ones are: the principle of least privilege, the principle of defense in depth, the principle of defense diversity, the principle of defense integrity, the principle of security and cost balance, and the principle of hierarchy of network resources.

  (1) Principle of least privilege

  Any object should only have the permissions that the object needs to complete its designated tasks, and limit the scope, space, time, etc. of permission use.

  (2) Principle of defense in depth

  The network security protection system is required to be a multi-layer security system. To avoid becoming a "single point of failure" in the network, multiple defense systems must be deployed.

  (3) Principle of defense diversity

  There are two aspects: technology and defense methods. In terms of technology, it is necessary to ensure host security and network security, and at the same time pay attention to guarding against viruses and Trojans. In terms of defense methods, firewalls, IDS, honeypots, etc. can be deployed to protect system security.

  (4) Holistic principle of network security

  It is required that when the network is attacked or damaged, the services of the network information center must be restored as quickly as possible to reduce losses.

  (5) Safety evaluation and balance principle

  For any network, absolute security is difficult to achieve and not always necessary, so a reasonable system for evaluating and balancing practical security against user needs must be established.

  (6) Principles of standardization and consistency

The security system is a complex systems-engineering undertaking involving people, technology, operations and other elements; neither technology alone nor management alone can deliver it. It is therefore necessary to combine the various security technologies with operational management mechanisms, staff awareness education and technical training, and the construction of security rules and regulations.

With the deepening of enterprise informatization, the links between an enterprise, its branches and its off-site employees are no longer cut by geographical separation. From the perspective of transmitting and integrating the flow of information they behave more like a single whole, and the demand for remote secure access that works collaboratively will become increasingly obvious. For this reason many users are observing and looking for suitable products to meet their need for accelerated ERP applications with a high degree of security. SSL VPN, with its high security, scalability, stability and flexible management, has gradually become the preferred access solution. Higher information security and application performance are the most obvious benefits SSL VPN brings. Since the SSL protocol itself is a security technology, SSL VPN prevents information leakage, rejects illegal access, protects information integrity, prevents user impersonation and ensures system availability; it further guarantees access security, so the security features are extended. As a security protocol sitting between the application layer and the TCP/UDP layer, SSL, compared with IPSec at the network layer, can provide application-layer access control and is better suited to the mobility and decentralization of remote secure access. After several years of development, SSL VPN networking technology has become the inevitable choice for enterprises building ERP systems. Since the ERP system centralizes data and manages the supply chain, it must operate stably with a high degree of security. SSL VPN provides interconnection only at the application layer: each user can access only the applications authorized for them and no other resources, guaranteeing the security of system resources.

4.3  Network topology diagram

The network structure designed around SSL VPN adopts a typical three-layer hierarchy: core, aggregation and access layers. The three-layer architecture is undoubtedly the best fit for enterprise network environments. The access layer provides the network interface for terminals, the aggregation layer collects the access traffic, and the core layer receives the aggregated traffic and forwards it, so that traffic flows are clearly defined.

The core layer includes core switches and egress routers. The OSPF dynamic routing protocol is configured between core areas to automatically learn LAN routes. The egress router performs NAT address translation so that internal users can access the Internet normally.

The SSL VPN implementation discussed in this topic is naturally configured on the router, because the router is the Internet access device. The device defines the group name and address pool for Internet access and SSL VPN, so that employees outside the enterprise can perform SSL VPN remote access from any Internet environment at any time to reach the internal LAN for office work and data exchange. For security reasons, the core switch also applies ACL control policies that restrict what the SSL VPN virtual address pools may access.

The network topology diagram designed through the Cisco packet tracer simulator is as follows:

 

Figure 4.1 Network topology diagram

4.4 IP address planning

 

An IP address is divided into two parts: the network address and the host address. Its structure is similar to the telephone numbers we deal with daily, which consist of an area code and a subscriber number. The network part at the front of the IP address identifies a network segment, and the host part behind it identifies the terminal equipment connected to that network. The advantage of this hierarchical structure is that a Layer 3 device does not need to store the IP address of every host, only the network address of each network segment. Since a network address represents all hosts in its segment, routing table entries are greatly reduced and routing flexibility is correspondingly enhanced.

Table 4.1 IP address planning table

| Department | VLAN | IP | Gateway |
| --- | --- | --- | --- |
| Security Department | 10 | 10.1.10.0/24 | 10.1.10.1 |
| Commercial Department | 11 | 10.1.11.0/24 | 10.1.11.1 |
| Administrative Department | 12 | 10.1.12.0/24 | 10.1.12.1 |
| Sales Department | 13 | 10.1.13.0/24 | 10.1.13.1 |
| Human Resources Department | 14 | 10.1.14.0/24 | 10.1.14.1 |
| Financial Department | 15 | 10.1.15.0/24 | 10.1.15.1 |
| Manager's Office | 16 | 10.1.16.0/24 | 10.1.16.1 |
| Technical Department | 17 | 10.1.17.0/24 | 10.1.17.1 |
| Conference Room | 18 | 10.1.18.0/24 | 10.1.18.1 |
| DNS server | 100 | 10.1.100.254/24 | 10.1.100.1 |
| Sales server | 100 | 10.1.100.253/24 | 10.1.100.1 |
| Human Resources server | 100 | 10.1.100.252/24 | 10.1.100.1 |
| Financial server | 100 | 10.1.100.251/24 | 10.1.100.1 |
| Network management PC | 100 | 10.1.100.2/24 | 10.1.100.1 |

4.5  Equipment selection

4.5.1 Core switch selection

High-performance 10G Layer 3 switches are recommended for the core layer equipment, connecting to the aggregation layer through Gigabit links and interconnecting the core layer through 10G links. The CISCO C9300-48T-A is therefore recommended as the core switch for this design.

 

Figure 4.2 Cisco®Catalyst®9300 product diagram

The Cisco® Catalyst® 9300 Series Switches are Cisco's leading stackable enterprise switching platform, built for security, IoT, mobility and cloud. The C9300-48T-A is the 48-port data-only model with the Network Advantage license in the 9300 series. The Catalyst 9300 Series is the industry's most widely deployed next-generation switching platform, offering the industry's highest stacking bandwidth at 480 Gbps together with the most flexible uplink architecture. It is the first platform optimized for high-density 802.11ac Wave 2 and sets a new maximum for network scale. These switches are also future-ready, with an x86 CPU architecture and more memory that let them host containers and run third-party applications and scripts natively inside the switch.

The specific parameters are as follows:

Table 4.2 C9300-48T-A parameters

| Parameter | Value |
| --- | --- |
| Product code | C9300-48T-A |
| Transmission rate | 10/100/1000 Mbps |
| Backplane bandwidth | 256 Gbps |
| Packet forwarding rate | 190.48 Mpps |
| Product description | 48 total 10/100/1000 (Gigabit copper) ports |
| Default AC power supply | 350 W AC |
| PoE power available | / |
| Dimensions (height x width x depth) | 1.73 x 17.5 x 17.5 inches |
| Weight | 16.33 pounds |

4.5.2 Aggregation switch selection

Aggregation switches include stackable Catalyst 3650 series multi-gigabit and 10-Gbps network switches that enable the convergence of wired and wireless networks, giving you the ability to scale and protect your network.

 

Figure 4.3 Catalyst 3650 product diagram

It is Cisco's first stackable access switching platform that delivers wired and wireless services on a single platform based on Cisco IOS XE Software. With this technology, Cisco is the first to enable rich capabilities such as stateful switchover (SSO)-based high availability on the stack, fine-grained QoS, security and Flexible NetFlow (FNF) seamlessly across wired and wireless. Additionally, wired-plus-wireless functionality is bundled into a single Cisco IOS Software image, which eliminates the many software images users would otherwise have to qualify and certify before enabling them in the network. Command line interface (CLI) management through a single console port removes numerous touch points for managing wired and wireless services, reducing network complexity, simplifying network operations and lowering the TCO of managing the infrastructure. It also provides optimized energy saving, EEE (on RJ45 ports) and low-power operation for best-in-class power management and power consumption. Cisco Catalyst 3650 ports support a reduced power mode so that unused ports can enter a low-power state.

CISCO WS-C3650-48TS-L is selected as the aggregation layer switch. The specific parameters are as follows:

Table 4.3 CISCO WS-C3650-48TS-L parameters

| Parameter | Value |
| --- | --- |
| Product type | Gigabit Ethernet switch |
| Transmission rate | 10/100/1000 Mbps |
| Switching method | Store-and-forward |
| Port structure | Non-modular |
| Number of ports | 48 |
| Port description | 48 Gigabit Ethernet interfaces |
| Voltage | AC power |
| Power supply | 250 W |

4.5.3 Access switch selection

The Cisco 2960 Series Switches are non-modular Gigabit Ethernet switches designed to provide entry-level, enterprise-class Layer 2 access for branch offices, traditional workspaces and out-of-wiring-closet applications.

 

Figure 4.4 Cisco 2960 product diagram

This series is designed to reduce total cost of ownership by simplifying operations, and it can draw on a range of Cisco IOS software capabilities to achieve secure and energy-efficient business operations. Cisco Catalyst 2960 series switches are chosen for the access layer. Because their networking features resemble those of high-end switches and they offer high-density fixed ports, 2960 series switches are generally suitable as access switches in campus networks. They support many advanced switching features, such as admission control, integrated security and flexibility, are reasonably priced and cost-effective, and can deliver intelligent services to the edge of the network.

The 2960-X features:

(1) 4 Small Form-Factor Pluggable Plus (SFP+) uplinks, or 2 or 4 Gigabit Small Form-Factor Pluggable (SFP) uplinks;

(2) Power over Ethernet Plus (PoE+) support with power budgets up to 370 W;

(3) Permanent PoE, which provides uninterrupted power to connected devices even while the switch is booting;

(4) Fanless operation with a maximum operating temperature of 45°C when deployed outside a wiring closet, and, because there are no moving mechanical parts, an increased mean time between failures (MTBF);

(5) Less than 11.5 inches deep for space-constrained use cases;

(6) Lower power consumption and advanced energy management features;

(7) RJ45 and USB console access to simplify operation, an intuitive web user interface that is easy to deploy and manage, and wireless configuration and management through a Bluetooth interface.

In terms of performance, the 2960 series switches support a 32 Gbit/s switching fabric, EtherChannel links and up to 8,000 MAC addresses; spanning tree redundancy and 802.3ad are also supported. In terms of security, the 2960 series switches support 802.1x advanced security features, enable remote access and remote management, and support encryption of administrator traffic in remote sessions, effectively protecting network security.

The access switch uses CISCO WS-C2960X-48TS-L switch. The specific parameters are as follows:

Table 4.4 CISCO WS-C2960X-48TS-L parameters

| Parameter | Value |
| --- | --- |
| Product type | Managed switch |
| Application layer | Layer 2 |
| Transmission rate | 10/100/1000 Mbps |
| Processor | APM86392 600 MHz dual core |
| Product memory | Flash memory: 128 MB |
| Switching method | Store-and-forward |
| Backplane bandwidth | 108 Gbps |
| Packet forwarding rate | 107.1 Mpps |
| Number of ports | 52 |
| Port description | 48 10/100/1000 interfaces, 4 SFP interfaces |
| Transmission mode | Full duplex/half duplex adaptive |
| Product size | 45 × 279 × 445 mm |

Chapter 5 Detailed Design

The network environment designed in this project contains 1 core switch, 3 aggregation switches, 10 access switches and 4 servers. Network data exchange is forwarded through the Layer 3 core switch, and the Internet egress link connects to the router, on which SSL VPN is set up so that employees away from the office can connect over the Internet with an account and password and work remotely. To guarantee security, however, restrictions are placed on VPN accounts and privileges: a connected VPN account is only allowed to access a fixed internal network segment.

5.1 VPN implementation techniques

The "virtual" nature of VPN technology lies in the fact that there is no real physical connection between the communicating user pairs; communication instead passes over an ISP's public network such as the Internet. Its "private" nature shows in that, apart from the enterprise's own employees who may use the network resources, outside users cannot share its data and resources. The main techniques for implementing a VPN are:

(1) Tunneling. Tunneling re-encapsulates packets of other protocols and carries them inside a new header; the new header provides the new route, so the data can be transmitted across the Internet. Tunnels can be established at different protocol layers, such as the network layer or the application layer.

(2) Encryption. Existing encryption and decryption techniques are used to achieve confidential communication, ensuring that company and personal information is transmitted securely over the network and cannot be stolen.

(3) Key management. That is, generating, distributing, controlling, managing and tracking keys, and verifying the authenticity of keys.

(4) Authentication. Users are authenticated, usually with a username and password or a smart card, so that only legitimate personnel who pass verification can access the network normally.

5.2 SSL security

SSL protects the security of data transmitted over the Internet by encryption, and it is applied automatically in every browser. Here a digital certificate must be provided to the web server; this certificate has to be purchased. By comparison, setting up SSL for an application is relatively easy. If the application itself does not support SSL, some links need to be changed; this depends only on the application. Where the volume of traffic is large, it is recommended to accelerate SSL to avoid a throughput bottleneck; SSL accelerators are usually hot-pluggable devices. VPN, on the other hand, is mainly applied to virtual network connections; it can ensure data confidentiality and provides some access control. In the past VPN was always associated with IPSec, because IPSec is the protocol actually used by VPNs to encrypt information. IPSec runs at the network layer, and IPSec VPN is mostly used to connect two networks or for point-to-point connections.

(1) SSL prevents information leakage. Because high-strength encrypted transmission is implemented between the client and the SSL VPN gateway, security is guaranteed even though the transmission passes over the public network. Even if a third party obtains the transmitted data, it cannot recover the plaintext hidden inside. Sensitive information such as business account numbers is therefore protected, and leakage of useful information is eliminated.

(2) Blocks illegal access. Access through SSL VPN is subject to authentication and authorization, which fully guarantees the legitimacy of the user's identity. SSL VPN only allows users with the corresponding privileges to establish a network connection; if a user requesting a connection does not have a legitimate identity, SSL VPN rejects the connection request, thus restricting illegal users' access to the intranet.

(3) Protects information integrity. SSL VPN uses digital certificates to negotiate confidentiality and integrity parameters; it not only protects the confidentiality of transmitted data but also provides integrity protection. If data is tampered with in transit, SSL VPN can detect this, and when tampering is detected the received data is discarded.

5.3 Core layer design

Figure 5.1 Core layer

The VPN design is mainly located at the core layer. The main function of the core layer is to achieve optimized transmission between backbone networks, and the focus of backbone layer design is usually guaranteeing high-speed data transmission; network control functions should be implemented on the backbone layer as little as possible. The core layer has always been regarded as the final bearer and aggregator of all traffic, so the requirements placed on core layer design and network equipment are very strict. Core layer equipment accounts for the major part of the investment.

In an existing network architecture, deploying SSL VPN is actually simple, much easier than traditional IPSec VPN. Because it sits behind the firewall, staff only need to open the settings for the SSL VPN device in the firewall and the installation is complete; unlike IPSec VPN, there is no need to open different VPN profile settings for different users. Because remote users connect to the SSL VPN device with a browser, and the SSL VPN device then "simulates" the remote user accessing data "inside" by translating IP packets, it can get past the restrictions of various networks and run all kinds of ERP, CRM or specific applications. In the traditional architecture using a VPN client program, since the user obtains an internal IP address, there is no configuration problem when running the enterprise's internal applications as long as the connection protocol used by the program is supported by the VPN device.

The core layer equipment in this project consists of a router and a Layer 3 switch. The OSPF dynamic routing protocol backbone area is configured between the core devices so that routes are learned automatically. The router terminates the SSL VPN tunnel connections, with VPN groups, account passwords and VPN address pools set up for assignment to connecting users, and the core switch then applies an ACL access control list policy that restricts what those address pools may access.

5.4 Aggregation layer design

Figure 5.2 Aggregation layer design

The aggregation layer mainly connects the access layer nodes to the core layer center. Designed as the logical center for the local site, the aggregation layer still needs relatively high performance and a rich feature set, and a certain level of forwarding capacity is required of the aggregation devices.

The aggregation layer in this design mainly aggregates the uplinks of the access switches and forwards them to the core switch over a single consolidated link from the aggregation device, reducing the load on the core switch. The design includes 3 aggregation switches, each of which connects 3 access switches, achieving the aggregation effect. The access layer VLAN numbers are created on the switches, and all interconnecting ports are configured as trunk ports that allow multiple VLANs to pass.

5.5 Access layer design

The core and aggregation layer designs mainly consider high network performance and functionality, whereas the access layer design mainly considers the use of cost-effective equipment. The access layer is the final interface between internal employees or visitors and the network; it should provide plug-and-play characteristics and be very easy to use and maintain. Port density should of course also be considered.

The access layer in this design is deployed in the low-voltage wiring room of each department, one access switch per department, guaranteeing port availability and the scalability of access for visitors.

5.6 Key technologies and difficulties

The key technologies involved in the network design are the NAT source address translation policy at the Internet interface and the implementation of, and access through, SSL VPN; route learning inside the LAN uses the OSPF routing protocol.

The difficulty was that IP addresses turned out to be occupied during NAT address translation; it was later found that port-multiplexed NAT (overload) solves well the problem of internal users going online at the same time.
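The port-multiplexing that resolves the occupied-address problem above, as an added example that is not code from the thesis. It models the translation table behind `ip nat inside source list 1 interface Serial0/0/0 overload` from the appendix: every inside (address, port) pair gets its own port on the single public address, and replies are mapped back by that port. The public address is the router's serial address from the appendix; the inside hosts, ports and the port-allocation policy are assumptions standing in for IOS's real allocator.

```python
"""Port address translation (NAT overload) table, constructed to show why one
public address can serve every inside host at once.

Added example for the NAT discussion (3.4) and the overload fix noted in 5.6;
it is not code from the thesis. The outside address is the router's serial
address from the appendix; the hosts, ports and the port-allocation policy
are assumptions that stand in for IOS's real allocator.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, transport port)


@dataclass
class PatTable:
    outside_ip: str
    next_port: int = 1024  # first port the allocator tries (assumption)
    inside_to_global: Dict[Endpoint, int] = field(default_factory=dict)
    global_to_inside: Dict[int, Endpoint] = field(default_factory=dict)

    def translate_outbound(self, inside: Endpoint) -> Endpoint:
        """Rewrite the source of a packet leaving the LAN.

        Every distinct inside (address, port) gets its own global port, so two
        hosts that happen to pick the same source port no longer collide on
        the single public address; that is what overload adds over plain NAT.
        """
        port = self.inside_to_global.get(inside)
        if port is None:
            # Keep the original source port when it is still free on the
            # public address, otherwise take the next unused one.
            if inside[1] not in self.global_to_inside:
                port = inside[1]
            else:
                port = self._allocate()
            self.inside_to_global[inside] = port
            self.global_to_inside[port] = inside
        return (self.outside_ip, port)

    def _allocate(self) -> int:
        while self.next_port in self.global_to_inside:
            self.next_port += 1
        if self.next_port > 65535:
            raise RuntimeError("global port space exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a packet arriving from the Internet back to the inside host.

        Returns None when no entry exists: unsolicited inbound traffic is
        dropped, which is the "intranet is invisible from outside" property
        described in 3.4.
        """
        if dst[0] != self.outside_ip:
            return None
        return self.global_to_inside.get(dst[1])


def demo() -> Dict[str, object]:
    """Two inside hosts using the same source port share 211.192.45.1."""
    table = PatTable("211.192.45.1")
    a = table.translate_outbound(("10.1.16.10", 40000))   # Manager's Office PC
    b = table.translate_outbound(("10.1.13.10", 40000))   # Sales PC, same source port
    reply_to_b = table.translate_inbound(("211.192.45.1", b[1]))
    stray = table.translate_inbound(("211.192.45.1", 5555))  # nobody asked for this
    return {"a": a, "b": b, "reply_to_b": reply_to_b, "stray": stray}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the appendix's `access-list 1 permit any` selects every inside source for translation, the table grows with the number of concurrent flows rather than the number of hosts, which is the behaviour a `show ip nat translations` check (Figure 6.5) should reflect: one line per flow, all sharing the serial interface address.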

5.7 Problems found and solutions

During the design process it was found that once an SSL VPN user had connected successfully from the Internet, routes to all internal network segments were reachable, which created a major security risk. Therefore, using the restrictions of ACL access control lists, a rule set of permit and deny entries targeting user access privileges was configured, so that even after dialing into the VPN a remote user can only access the single network segment and server belonging to their own department.

Chapter 6 System Testing

6.1 Network result acceptance

6.1.1 Viewing DHCP address pool allocation, as shown in Figure 6.1:

Figure 6.1 DHCP address pool allocation

6.1.2 Gateway address status

The gateway address status of the core switch is shown in Figure 6.2:

Figure 6.2 Address status

6.1.3 OSPF neighbor status

The OSPF adjacency status of the router is shown in Figure 6.3:

Figure 6.3 OSPF neighbor status

6.1.4 Routing table information

The routing table of the router is shown in Figure 6.4:

Figure 6.4 OSPF routing information

6.1.5 NAT information

The router's address translation information is shown in Figure 6.5:

Figure 6.5 NAT information

6.2 Connectivity tests

6.2.1 Terminal DHCP automatic acquisition test

Figure 6.6 The Human Resources Department automatically obtains an address

With a DHCP server set up on the core switch, the end user automatically obtained the assigned address.

6.2.2 Mutual access across VLANs

Figure 6.7 Access across Layer 3

A PC in the Commercial Department was used to access the network segments of the Technical Department and the Conference Room; the test results returned normally.

6.2.3 ACL test

Figure 6.8 Accessing the Sales Department server

Access from the Administrative Department to the Sales Department server returned "destination host unreachable", while access from the Sales Department to the Sales Department server returned normally, proving that the ACL took effect.

6.2.4 VPN connection test

Figure 6.9 VPN connection successful

Figure 6.10 Human Resources Department VPN connection

The figures above show that after the Human Resources Department connects to the VPN successfully, it can only access the Human Resources Department's segment and cannot reach the other internal segments.

6.2.5 Internet access test

The Manager's Office accesses Internet addresses normally, as shown in Figure 6.11:

Figure 6.11 Manager's Office accessing the Internet

Chapter 7 Summary

The topic of this design is the design and implementation of network access for small and medium-sized enterprises based on SSL VPN technology. The graduation project is the last stage of our study as students; it is a comprehensive application of the basic and professional knowledge we have learned and a process of comprehensive re-learning and improvement, one that also cultivates students' learning ability, independent thinking and working ability. At the same time the graduation project is an important stage: an excellent rehearsal for entering society and taking part in real work, a test of our self-study and problem-solving abilities, and a transition between school life and working life. During the time spent completing the graduation project I gained a great deal: I mastered a lot of knowledge about SSL VPN and networking, consolidated and improved what I had learned, and gained an understanding of the current state of the network environment in today's society.


Appendix

Appendix 1:

Core switch:

! DHCP pools, one per department VLAN; all clients use the DNS server in VLAN 100
ip dhcp pool 10
 network 10.1.10.0 255.255.255.0
 default-router 10.1.10.1
 dns-server 10.1.100.254
ip dhcp pool 11
 network 10.1.11.0 255.255.255.0
 default-router 10.1.11.1
 dns-server 10.1.100.254
ip dhcp pool 12
 network 10.1.12.0 255.255.255.0
 default-router 10.1.12.1
 dns-server 10.1.100.254
ip dhcp pool 13
 network 10.1.13.0 255.255.255.0
 default-router 10.1.13.1
 dns-server 10.1.100.254
ip dhcp pool 14
 network 10.1.14.0 255.255.255.0
 default-router 10.1.14.1
 dns-server 10.1.100.254
ip dhcp pool 15
 network 10.1.15.0 255.255.255.0
 default-router 10.1.15.1
 dns-server 10.1.100.254
ip dhcp pool 16
 network 10.1.16.0 255.255.255.0
 default-router 10.1.16.1
 dns-server 10.1.100.254
ip dhcp pool 17
 network 10.1.17.0 255.255.255.0
 default-router 10.1.17.1
 dns-server 10.1.100.254
ip dhcp pool 18
 network 10.1.18.0 255.255.255.0
 default-router 10.1.18.1
 dns-server 10.1.100.254
!
! Trunks to the three aggregation switches
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
interface FastEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Routed link to the egress router; ACL 110 filters traffic from the VPN pools entering the LAN
interface FastEthernet0/4
 no switchport
 ip address 172.16.1.1 255.255.255.0
 ip access-group 110 in
 duplex auto
 speed auto
!
! Server segment access port
interface FastEthernet0/5
 switchport access vlan 100
!
! Department gateways (SVIs); ACL 101 on VLANs 10-12, ACL 100 on VLANs 13-15
interface Vlan10
 mac-address 0001.6400.ba01
 ip address 10.1.10.1 255.255.255.0
 ip access-group 101 in
interface Vlan11
 mac-address 0001.6400.ba02
 ip address 10.1.11.1 255.255.255.0
 ip access-group 101 in
interface Vlan12
 mac-address 0001.6400.ba03
 ip address 10.1.12.1 255.255.255.0
 ip access-group 101 in
interface Vlan13
 mac-address 0001.6400.ba04
 ip address 10.1.13.1 255.255.255.0
 ip access-group 100 in
interface Vlan14
 mac-address 0001.6400.ba05
 ip address 10.1.14.1 255.255.255.0
 ip access-group 100 in
interface Vlan15
 mac-address 0001.6400.ba06
 ip address 10.1.15.1 255.255.255.0
 ip access-group 100 in
interface Vlan16
 mac-address 0001.6400.ba07
 ip address 10.1.16.1 255.255.255.0
interface Vlan17
 mac-address 0001.6400.ba08
 ip address 10.1.17.1 255.255.255.0
interface Vlan18
 mac-address 0001.6400.ba09
 ip address 10.1.18.1 255.255.255.0
interface Vlan100
 mac-address 0001.6400.ba0a
 ip address 10.1.100.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 network 10.1.0.0 0.0.255.255 area 0
 network 172.16.0.0 0.0.255.255 area 0
!
! ACL 101 (VLANs 10-12): DNS is reachable, the rest of the server segment is not
access-list 101 permit ip any host 10.1.100.254
access-list 101 deny ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 deny ip 10.1.11.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 deny ip 10.1.12.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 permit ip any any
! ACL 100 (VLANs 13-15): DNS plus each department's own server only
access-list 100 permit ip any host 10.1.100.254
access-list 100 permit ip 10.1.13.0 0.0.0.255 host 10.1.100.253
access-list 100 permit ip 10.1.14.0 0.0.0.255 host 10.1.100.252
access-list 100 permit ip 10.1.15.0 0.0.0.255 host 10.1.100.251
access-list 100 deny ip any 10.1.100.0 0.0.0.255
access-list 100 permit ip any any
! ACL 110 (link from the router): pool1 (172.17.0.0/16) is confined to VLAN 14 and the HR server,
! pool2 (172.18.0.0/16) to VLAN 15 and the server segment; everything else from the pools is dropped
access-list 110 permit ip 172.17.0.0 0.0.255.255 10.1.14.0 0.0.0.255
access-list 110 permit ip 172.18.0.0 0.0.255.255 10.1.15.0 0.0.0.255
access-list 110 permit ip 172.17.0.0 0.0.255.255 host 10.1.100.252
access-list 110 permit ip 172.18.0.0 0.0.255.255 10.1.100.0 0.0.0.255
access-list 110 deny ip 172.17.0.0 0.0.255.255 any
access-list 110 deny ip 172.18.0.0 0.0.255.255 any
access-list 110 permit ip any any
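An evaluator for the access lists above, as an added example that is not code from the thesis. It parses the core switch's extended `access-list` lines (reproduced here as a constructed string) and replays the hand tests from 6.2.3 (Administrative Department vs Sales Department against the Sales server) and 6.2.4 (a VPN pool1 client reaching only the Human Resources segment and server), so a change to the rule set can be checked before it is pushed to the switch. Only the match fields the appendix uses are modelled: protocol `ip` with `any`, `host` and address/wildcard-mask specifiers; the sample source addresses are assumptions.

```python
"""Evaluator for the numbered extended IP access lists in Appendix 1.

Added example, not code from the thesis: it parses the core switch's
access-list lines (reproduced here as a constructed string) and answers
whether a source/destination pair is permitted, which is what the ACL and
VPN tests in 6.2.3 and 6.2.4 check by hand. Only the match fields the
appendix uses are modelled (protocol ip; any, host and wildcard-mask address
forms); port, protocol and established matches are not.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

Spec = Tuple[int, int]  # (address, wildcard mask), both as 32-bit integers

# Constructed copy of the extended ACL lines from the core switch configuration.
CORE_SWITCH_ACLS = """
access-list 101 permit ip any host 10.1.100.254
access-list 101 deny ip 10.1.10.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 deny ip 10.1.11.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 deny ip 10.1.12.0 0.0.0.255 10.1.100.0 0.0.0.255
access-list 101 permit ip any any
access-list 100 permit ip any host 10.1.100.254
access-list 100 permit ip 10.1.13.0 0.0.0.255 host 10.1.100.253
access-list 100 permit ip 10.1.14.0 0.0.0.255 host 10.1.100.252
access-list 100 permit ip 10.1.15.0 0.0.0.255 host 10.1.100.251
access-list 100 deny ip any 10.1.100.0 0.0.0.255
access-list 100 permit ip any any
access-list 110 permit ip 172.17.0.0 0.0.255.255 10.1.14.0 0.0.0.255
access-list 110 permit ip 172.18.0.0 0.0.255.255 10.1.15.0 0.0.0.255
access-list 110 permit ip 172.17.0.0 0.0.255.255 host 10.1.100.252
access-list 110 permit ip 172.18.0.0 0.0.255.255 10.1.100.0 0.0.0.255
access-list 110 deny ip 172.17.0.0 0.0.255.255 any
access-list 110 deny ip 172.18.0.0 0.0.255.255 any
access-list 110 permit ip any any
"""


@dataclass
class Entry:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Read one address specifier at tokens[i]; return it and the next index."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_addr(tokens[i + 1]), 0), i + 2
    return (_addr(tokens[i]), _addr(tokens[i + 1])), i + 2


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Group 'access-list N permit|deny ip SRC DST' lines by list number."""
    acls: Dict[str, List[Entry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            continue  # not an extended IP entry (standard lists are skipped)
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(t[1], []).append(Entry(t[2], src, dst))
    return acls


def _matches(spec: Spec, addr: int) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (base & care) == (addr & care)


def evaluate(entries: List[Entry], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; the implicit deny at the end applies otherwise."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for e in entries:
        if _matches(e.src, s) and _matches(e.dst, d):
            return e.action
    return "deny"


def chapter6_checks() -> Dict[str, str]:
    """The hand tests from 6.2.3 and 6.2.4 replayed against the parsed lists."""
    acls = parse_acls(CORE_SWITCH_ACLS)
    return {
        # 6.2.3: Administrative Department (VLAN 12, ACL 101) and Sales (VLAN 13, ACL 100)
        "admin->sales_server": evaluate(acls["101"], "10.1.12.20", "10.1.100.253"),
        "sales->sales_server": evaluate(acls["100"], "10.1.13.20", "10.1.100.253"),
        # 6.2.4: a pool1 VPN client (172.17.1.x) entering on Fa0/4 (ACL 110)
        "vpn_hr->hr_segment": evaluate(acls["110"], "172.17.1.100", "10.1.14.20"),
        "vpn_hr->sales_segment": evaluate(acls["110"], "172.17.1.100", "10.1.13.20"),
        "vpn_hr->hr_server": evaluate(acls["110"], "172.17.1.100", "10.1.100.252"),
    }


if __name__ == "__main__":
    for name, verdict in chapter6_checks().items():
        print(f"{name:24s} {verdict}")
```

Two things the replay makes visible that a ping test does not: order matters, so a new department server must get its `permit` line before the `deny ip any 10.1.100.0 0.0.0.255` entry of ACL 100 or it is unreachable; and ACL 110 is the only filter on the VPN pools, because ACLs 100 and 101 are bound inbound on the department SVIs and never see traffic that enters on FastEthernet0/4.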

Router source configuration:

! AAA lists used by the remote-access VPN and the local VPN account
aaa authentication login 1 local
aaa authorization network 2 local
aaa authorization network vpn1 local
aaa authorization network 1 local
username vpn password 0 vpn
!
! VPN client groups with their address pools, crypto policy and dynamic crypto map
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp client configuration group vpn
 key vpn
 pool pool1
crypto isakmp client configuration group vpn1
 key vpn
 pool pool2
crypto ipsec transform-set lan esp-3des esp-md5-hmac
crypto dynamic-map map 10
 set transform-set lan
 reverse-route
crypto map map client authentication list 1
crypto map map isakmp authorization list 1
crypto map map client configuration address respond
crypto map map 10 ipsec-isakmp dynamic map
!
! Inside interface toward the core switch; outside interface toward the Internet
interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
interface Serial0/0/0
 ip address 211.192.45.1 255.255.255.0
 ip nat outside
 crypto map map
!
router ospf 1
 log-adjacency-changes
 network 172.16.0.0 0.0.255.255 area 0
 default-information originate
!
! Address pools handed to VPN clients (group vpn gets pool1, group vpn1 gets pool2)
ip local pool pool1 172.17.1.100 172.17.1.200
ip local pool pool2 172.18.1.100 172.18.1.200
! Port-multiplexed NAT: every inside source (list 1) is translated to the serial interface address
ip nat inside source list 1 interface Serial0/0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 211.192.45.2
access-list 1 permit any

Aggregation switch 1 source configuration:

! Fa0/1: trunk uplink to the core switch; Fa0/2-0/4: one access port per department access switch
interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 10
interface FastEthernet0/3
 switchport access vlan 11
interface FastEthernet0/4
 switchport access vlan 12

Aggregation switch 2 source configuration:

interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 13
interface FastEthernet0/3
 switchport access vlan 14
interface FastEthernet0/4
 switchport access vlan 15

Aggregation switch 3 source configuration:

interface FastEthernet0/1
 switchport mode trunk
interface FastEthernet0/2
 switchport access vlan 16
interface FastEthernet0/3
 switchport access vlan 17
interface FastEthernet0/4
 switchport access vlan 18


Origin blog.csdn.net/qq1325513482/article/details/131726298