Network security protection design for small and medium-sized enterprises (complete document + topology diagram)

Hello everyone, I am senior Xiaohua, a blogger in the computer field. After years of study and practice, I have accumulated rich computer knowledge and experience. Here I would like to share my learning experience and skills with you to help you become a better programmer.
As a computer blogger, I have been focusing on programming, algorithms, software development and other fields, and have accumulated a lot of experience in these areas. I believe that sharing is a win-win situation. Through sharing, I can help others improve their technical level and at the same time get the opportunity to learn and communicate.
In my articles, you will see my analysis of various programming languages, development tools, and common problems. I will provide you with practical solutions and optimization techniques based on my actual project experience. I believe that these experiences will not only help you solve the problems you are currently encountering, but also improve your programming thinking and problem-solving abilities.
In addition to sharing technical aspects, I will also touch on some topics about career development and learning methods. As a former student, I know how to better improve myself and face challenges in the computer field. I will share some learning methods, interview skills and workplace experiences, hoping to have a positive impact on your career development.
My articles will be published in the CSDN community, which is a very active and professional computer technology community. Here you can communicate, learn and share with other people who love technology. By following my blog, you can get my latest articles as soon as possible and interact with me and other readers.
If you are interested in the computer field and hope to better improve your programming skills and technical level, then please follow my CSDN blog. I believe that what I share will help and inspire you, allowing you to achieve greater success in the computer field!
Let us become better programmers together and explore the wonderful world of computing together! Thank you for your attention and support!
All computer project source codes shared include documents and can be used for graduation projects or course designs. Welcome to leave a message to share questions and exchange experiences!

Summary

With the rapid development of computer network technology, and especially the arrival of the information age, people are gradually realizing the importance of informatization. It has become an inevitable trend for an enterprise to have its own network, and building one is a necessary step for an enterprise moving toward informatization. Many companies now build their own websites to promote their brands and increase their brand influence. However, as computer network technology continues to improve, the performance of many existing enterprise networks can no longer keep pace with modern information demands, so for many enterprises expanding the existing network is an indispensable measure. In recent years, as network technology has matured, enterprises have become increasingly dependent on their computer network systems and place ever higher requirements on the backward compatibility of newly built networks. This graduation project therefore examines the technologies and implementation plans that may be used when planning and building an enterprise network, and provides a theoretical basis and practical guidance for the establishment and design of enterprise network systems.

This design combines the actual needs of small and medium-sized enterprises, and uses examples to analyze, design, configure, and simulate a dual-core dual-link network for small and medium-sized enterprises. It mainly uses HSRP, OSPF, ACL, NAT and other technologies for design and improvement.

The network architecture and implementation designed this time have greatly improved the office efficiency within the enterprise. It has brought great convenience and a full online experience to the employees of the enterprise, and the use of control lists has deepened security control.

Keywords: ACL, enterprise network, computer network, network architecture

 

Abstract

With the rapid development of computer network technology, and especially the arrival of the information age, people gradually realize the importance of informatization. It has become an inevitable trend for an enterprise to have its own network, and building an enterprise network is an inevitable choice for an enterprise developing towards informatization. Many enterprises have now built their own websites to promote their brand and improve its influence. But with the continuous improvement of computer network technology, the performance of many enterprise networks cannot keep up with the changes of modern information, so for many enterprises expanding the existing network is an essential measure. In recent years, as network technology has matured, enterprises have become more and more dependent on their computer network systems, and they now place higher requirements on the backward compatibility of new networks. This graduation project is therefore based on the various technologies and implementation schemes that may be used in planning and constructing an enterprise network, and provides a theoretical basis and practical guidance for the establishment and design of enterprise network systems.

Combined with the actual needs of small and medium-sized enterprises, this design analyzes, designs, configures and simulates a dual-core, dual-link network for small and medium-sized enterprises. It mainly uses HSRP, OSPF, ACL, NAT and other technologies to improve the design.

The designed network architecture and its implementation greatly improve the office efficiency of the enterprise, bring great convenience and a full online experience to its employees, and use access control lists for security control.

Keywords: ACL, enterprise, network, computer, network architecture

Table of contents

Chapter 1 Introduction
1.1 Research background
1.2 Research significance
1.3 Research content
Chapter 2 System Analysis
2.1 Feasibility analysis
2.2 Requirements analysis
Chapter 3 Overview of related technologies
3.1 HSRP technology
3.2 DHCP technology
3.3 STP technology
3.4 OSPF technology
3.5 ACL technology
3.6 NAT technology
Chapter 4 System Design
4.1 Network architecture design principles
4.2 Network topology diagram
4.3 Network security design
4.4 IP address planning
4.5 Equipment selection
Chapter 5 Detailed Design
5.1 Core layer network design
5.2 Aggregation layer network design
5.3 Access layer design
5.4 Key technologies and difficulties
Chapter 6 System Testing
6.1 Debugging and testing
6.2 Connectivity test
Chapter 7 Summary
References
Thanks
Appendix

Chapter 1 Introduction

This project focuses on the design of enterprise network security. It requires a thorough grasp of the ACL mechanism and a theoretical introduction to the main research directions of ACLs; deploying ACLs in the enterprise to reasonably reduce unnecessary access and increase the security of the enterprise intranet; using Cisco Packet Tracer to simulate the servers and the entire network environment; applying ACLs appropriately in packet filtering, network address translation, policy routing, dynamic routing and so on; mastering the matching principles and application methods of ACLs; mastering the differences in how ACLs are applied to different service modules (such as TELNET); optimizing the network structure to achieve rapid convergence within an area; and fully mastering the common ACL commands.

1.1 Research background

With the continuous development and popularization of computer networks, the network has brought endless resources. Building a network is an inevitable choice for an enterprise developing towards informatization, and an enterprise will place ever higher compatibility requirements on its newly built network in the future. At the same time, however, the network's security risks bring a great deal of trouble. An enterprise network is a large and complex system: it provides a basic operating platform for a series of applications such as modern development and comprehensive information management, and it also provides many application services that deliver information to the various systems in a timely and accurate manner, which brings great convenience to daily work. Therefore, when designing a network security solution and selecting servers and network equipment, the needs of the enterprise and future compatibility must both be taken into account. Many companies now have their own networks to promote their brands through the Internet, making employees' work more and more convenient. Once the company network is established, employees can browse information (WWW), send and receive e-mail (E-MAIL), transfer files (FTP), and use other services. Servers and network devices must be configured according to the users' requirements. In this design the enterprise network is mainly built with LAN technology, and the LAN security measures should comprehensively address the various threats and vulnerabilities so as to ensure the confidentiality, integrity and availability of network information.

1.2  Research significance

With the development of the network, the Internet is becoming more and more common in our daily lives. The scale of enterprise networks is expanding and the number of computers in use is increasing; with the development of computer network technology and the widespread application of enterprise information technology, enterprise computer application systems are applied to all aspects of enterprise management, and the level of application is rising. These applications have played a huge role in helping enterprises improve their management and increase economic benefits, but at the same time they have brought many new problems and greater management difficulties to enterprise network management.

1.3  Research content

As network applications play an increasingly important role in enterprise operations, they provide a way for cooperation between different enterprises, communication between internal departments, and sharing of resources; but at the same time, network interconnection reduces the confidentiality of information and data between departments, which affects the information security of the enterprise. Therefore, the security management of an enterprise network must take into account the access control between the various departments. Using access control lists (ACLs) can ensure that enterprise network resources are not used or accessed illegally and that external intruders cannot steal internal information, and it reduces the additional expense an enterprise would otherwise incur on dedicated security equipment.

Chapter 2 System Analysis

2.1 Feasibility analysis

2.1.1 Technical feasibility

With the development and popularization of computer networks, the trend of global informatization is getting closer and closer to us. At the same time, the security of the network environment is subject to more and more threats, and traditional network security precautions alone are no longer sufficient to meet today's network security protection needs. Nowadays most enterprises have implemented their own network systems, which store a large number of internal files and information. However, this information can be stolen or destroyed illegally during transmission, which would cause immeasurable losses to the enterprise. Therefore, protecting enterprise network security is very important: the relevant network hardware, software, and the data in the system must be protected so that the system can operate continuously and reliably.

ACL technology can perform traffic statistics, flow mirroring, CAR rate limiting, and so on. Many network functions that are not visible on the command line, such as IP binding, Portal authentication, MAC authentication, and attack prevention, are in fact implemented through ACLs inside the network software. These functions are enough to illustrate the power of ACLs: it can be said that network equipment cannot do without them, and would not function at all without them. Data centers have very high requirements for their networks; they must operate securely and deploy services flexibly, and all of this is inseparable from ACLs. With the increasing number of complex applications in data centers, making better use of ACLs and enriching their functions are inevitable choices for enterprise network technology deployment.

2.1.2 Economic feasibility

ACL technology does not require the purchase of separate equipment for deployment at the network level. For example, the network and security equipment already present in an enterprise, such as switches, routers, and firewalls, can all implement ACL access control, so there is no separate procurement cost. ACL technology can guarantee a large degree of enterprise network security while the enterprise does not need to spend more money on independent equipment.

2.2 Requirements analysis

2.2.1 Functional requirements

There is no need for any form of "preaching" here. Today, when information and networks are so widely used, every network manager or user knows very well that any computer network in use is bound to face the risk of being attacked and damaged, whether intentionally or unintentionally. Enterprise networks also have security risks. For most network hackers, successfully intruding into the network system of a company, especially a well-known one, has the value of proving and showing off their "ability", even though the original intention may not be malicious; stealing the company's network data, or even destroying its network system, has a more realistic and long-term business value [5]. Therefore, the necessity of establishing a complete security system for the enterprise network is self-evident.

Using access control lists on the internal servers and clients of an enterprise can protect the security of the internal network from attacks by external hackers when the enterprise network is connected to the Internet. However, corporate networks face not only external attacks but also internal ones. Internal access control lists (ACLs) can help protect the network from internal harm, such as employees stealing confidential corporate documents, or internal sabotage instigated by competing companies. Therefore, the enterprise network needs to meet the requirement of restricted server access among the various departments: some departments are not allowed to access a server, and a server that does not need Internet access should have that access restricted through an ACL. At the same time, the company puts forward requirements for the network. First, the network must be feasible: all employees are allowed to access the external network with authorization and should enjoy fast network speeds during working hours, and the network must have good security. Important servers in the internal network must be covered by control policies that prevent unauthorized external access, and such traffic is prohibited from entering the company intranet.

2.2.2  Non-functional requirements

1. Network environment requirements

As the various business applications of enterprises gradually move onto computer networks, the uninterrupted operation of network communications has become key to ensuring the normal production and operation of the enterprise. The reliability design of a modern large-scale enterprise network should mainly consider three aspects. First, device-level reliability: here we examine not only whether the network equipment has redundant backups of key components, but also its overall design architecture and the type of processing engine. Second, service reliability: here we pay attention to whether the failover process of the network equipment affects the normal operation of the business. Third, link reliability: the link security of Ethernet comes from its multi-path selection, so when building an enterprise network it is necessary to consider whether the network equipment can provide effective link self-healing means and support fast rerouting protocols.

2. Management needs

The current network has developed into an "application-centered" information infrastructure platform, and the requirements for network management capabilities have been raised to the level of business requirements. The traditional network devices that once seemed very intelligent and advanced have long been out of date in today's society and cannot effectively support evolving network management needs. Therefore, modern large-scale enterprise networks urgently need network equipment that supports "application-centered" intelligent network operation and maintenance, together with a set of intelligent management software to free network management personnel from heavy work. The switches in the network therefore need to be network-manageable switches with remote management login enabled, so that operation and maintenance personnel do not need to enter the weak-current room or computer room to manage the equipment directly when a fault occurs, which is convenient for operation and maintenance managers.

3. Reliability requirements

The network structure needs to be flexible and tolerant to accommodate additional equipment and network nodes as the company expands in the future; it must be economical, and the deployment method and choice of architecture must be close to the network conditions that campus personnel use for work and daily life. The equipment chosen must be reliable and stable. If the school network is disconnected every few days, or suffers packet loss or slow speeds, it will greatly affect the users' Internet experience. Therefore, double redundancy must be achieved both technically and physically to ensure the normal operation of the company's business.

4. Communication volume requirements

Enterprises have a large amount of data interaction and file downloads every day. The entire network environment needs to ensure that enterprise users' Internet access and data transmission links are not congested, and they can browse web pages and perform business operations at high speed.

5. Security requirements

A complete and feasible set of network security and network management policies should be established in the network: control the content of network service requests so that illegal access is rejected before it reaches the host; strengthen access authentication for legitimate users while limiting user access rights to the minimum required; strengthen system backup and disaster recovery to achieve rapid system recovery; strengthen network security management and provide network security awareness and prevention training for all system personnel; prevent malicious attacks and sabotage by intruders; and protect the confidentiality and integrity of user data during online transmission.

Chapter 3 Overview of related technologies

3.1  HSRP technology

HSRP (Hot Standby Router Protocol) lets multiple routers form a "hot standby group" that simulates a single virtual router. The virtual router has a virtual IP address and a virtual MAC address. In a hot standby group, only one router, the active router, forwards data packets. Only when the active router fails is a backup router selected as the new active router; for the hosts in the network, the virtual router does not change at all, so host communication is not interrupted.

The HSRP protocol is used in an environment where gateway devices are redundant. It applies the concept of virtualization to a certain extent and logically virtualizes multiple gateway devices into one logical device, that is, a hot backup group.

However, only one device in the hot standby group actually functions as the forwarding gateway, that is, it is in the Active state. The other devices do not forward; they are in the Standby state and only listen to the HSRP packets sent by the active device to confirm that it is still working. By default a hello is sent every 3 seconds. If the standby router does not receive HSRP packets from the active device within the hold time, the active device is deemed to have failed, and another router is automatically elected to move from the Standby state to the Active state and take over its work.

In an actual LAN, multiple hot standby groups may coexist or overlap. Each hot standby group simulates a virtual router with a well-known MAC address and an IP address. This IP address, the interface addresses of the routers in the group, and the hosts are all in the same subnet, but the addresses must not be the same. When there are multiple hot standby groups on a LAN, load can be shared by assigning hosts to different groups.

How HSRP works: HSRP uses a priority scheme to determine which router running HSRP becomes the default active router. If the priority of a router is set higher than that of all the other routers, that router becomes the active router. The default priority is 100, so if just one router is set to a priority higher than 100, that router becomes the active router.

By broadcasting HSRP priorities between routers configured with the HSRP protocol, the HSRP protocol selects the current active router. When the active router cannot send hello messages within a preset period of time, the backup router with the highest priority becomes the active router. Packet transmission between routers is transparent to all hosts on the network. Routers configured with the HSRP protocol exchange the following three types of multicast messages:

Hello: the hello message tells the other routers this router's HSRP priority and state. An HSRP router sends a hello every 3 seconds by default.

Coup: sent when a standby router takes over as the active router.

Resign: sent by the active router when it is about to go down, or when it receives a hello from a router with a higher priority.

At any time, a router running HSRP is in one of the following five states:

Initial: the state when HSRP starts; HSRP is not yet running. A router usually enters this state after a configuration change or when the interface has just come up.

Listen: the router knows the virtual IP address but is neither the active nor the standby router. It keeps listening for hello messages from the active and standby routers.

Speak: the router sends hello messages periodically and actively takes part in the election of the active or standby router.

Standby: the router is ready to take over packet forwarding when the active router fails.

Active: the router forwards packets for the virtual router.
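The election and failover rules described above, as an added simulation that is not part of the thesis or of any vendor's code. It assumes the HSRP defaults stated in the text (priority 100, hello every 3 s) plus the default hold time of 10 s, and the router names, addresses and the "preempt" flag are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

HELLO_INTERVAL = 3   # seconds, HSRP default hello timer
HOLD_TIME = 10       # seconds, HSRP default hold timer


@dataclass
class HsrpRouter:
    name: str
    ip: str                       # real interface address of this router
    priority: int = 100           # HSRP default priority
    preempt: bool = False         # assumed knob: take over a live active router if we outrank it
    last_hello_seen: float = 0.0  # when the group last heard a hello from this router
    state: str = "Initial"

    def rank(self):
        # Highest priority wins; the higher interface IP breaks a tie.
        return (self.priority, int(IPv4Address(self.ip)))


@dataclass
class HsrpGroup:
    group_id: int
    virtual_ip: str
    routers: List[HsrpRouter] = field(default_factory=list)
    active: Optional[HsrpRouter] = None
    standby: Optional[HsrpRouter] = None

    def hello(self, router_name: str, now: float) -> None:
        """Record a hello heard from router_name at time now."""
        for r in self.routers:
            if r.name == router_name:
                r.last_hello_seen = now

    def elect(self, now: float) -> Optional[str]:
        """Re-run the election; returns the name of the active router (or None)."""
        # A router that has been silent longer than the hold time is treated as failed.
        alive = [r for r in self.routers if now - r.last_hello_seen <= HOLD_TIME]
        for r in self.routers:
            r.state = "Listen" if r in alive else "Initial"
        if not alive:
            self.active = self.standby = None
            return None
        ranked = sorted(alive, key=HsrpRouter.rank, reverse=True)
        challenger = ranked[0]
        # A live active router keeps the role unless a preempting router outranks it.
        if self.active in alive and (challenger is self.active or not challenger.preempt):
            winner = self.active
        else:
            winner = challenger
        winner.state = "Active"
        self.active = winner
        others = [r for r in ranked if r is not winner]
        self.standby = others[0] if others else None
        if self.standby is not None:
            self.standby.state = "Standby"
        return winner.name


def failover_demo() -> Dict[int, Optional[str]]:
    """Constructed scenario: R1 (priority 110) is active, goes silent at t=30 s,
    R2 takes over once the hold time expires, and R1 (no preempt) returns at
    t=48 s as standby only. Returns {time: active router name}."""
    group = HsrpGroup(1, "192.168.10.254", [
        HsrpRouter("R1", "192.168.10.1", priority=110),
        HsrpRouter("R2", "192.168.10.2"),
    ])
    timeline = {}
    for t in range(0, 61, HELLO_INTERVAL):
        if t < 30 or t >= 48:          # R1 sends no hellos between 30 s and 48 s
            group.hello("R1", t)
        group.hello("R2", t)
        timeline[t] = group.elect(t)
    return timeline


if __name__ == "__main__":
    for t, active in failover_demo().items():
        print(f"t={t:2d}s active={active}")
```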

3.2 DHCP technology

DHCP stands for Dynamic Host Configuration Protocol. It is a technology for centrally managing and configuring user IP addresses, and it removes the tedious process of configuring IP addresses by hand. Even in smaller networks, DHCP makes the subsequent IP configuration of network devices simple and fast. To solve the problem of configuring network parameters such as IP addresses, the IETF first developed the BOOTP protocol. BOOTP runs in a relatively static environment, and administrators need to configure a special BOOTP parameter file for each host before it can be used. In response to the shortcomings of BOOTP, the IETF developed a new protocol for dynamically allocating and configuring network parameters (i.e., IP addresses), which is DHCP.

DHCP allocates IP addresses to all terminals from an address range, achieving dynamic and unified management and configuration of IP addresses. Each IP address assigned by the DHCP server to a client has a usage period, called a lease. Before the lease expires, a DHCP client that still needs the IP address can request a lease extension; if it no longer needs it, it can actively release the address. When no other free addresses are available, the DHCP server allocates addresses released by clients to other clients. All IP addresses dynamically allocated by a DHCP server are limited by the lease period, and different DHCP servers can be configured with different lease periods. Statically assigned IP addresses are not limited by a lease and can be used indefinitely. A DHCP client does not wait until the lease expires before requesting again, since the address would then be reclaimed by the server and assigned to another client; to keep its original address, the client starts requesting a lease extension at a certain point before the lease expires.

The following figure describes the DHCP workflow in the general case. It is divided into four steps.

Figure 3.1 DHCP workflow chart

1) Discovery stage

The DHCP client that connects to the network for the first time does not know the IP address of the DHCP server. In order to obtain the IP address of the DHCP server, the DHCP client sends a DHCP DISCOVER message in broadcast mode. (The DHCP DISCOVER message carries the client's MAC address, request parameter table entry, broadcast flag and other information).

2) Offer stage

A DHCP server on the same network segment as the DHCP client receives the DHCP DISCOVER message. The DHCP server selects an address pool on the same network segment as the IP address of the interface that received the DHCP DISCOVER message, picks an available IP address from it, and sends it to the DHCP client in a DHCP OFFER message.

3) Request stage

If multiple DHCP servers respond to the DHCP client with DHCP OFFER messages, the DHCP client generally accepts only the first DHCP OFFER it receives. After receiving the DHCP OFFER message, the DHCP client sends a DHCP REQUEST message in broadcast mode. The DHCP REQUEST message contains the identifier of the DHCP server the client has chosen and the client IP address it wants.

The DHCP client broadcasts the DHCP REQUEST message to notify all DHCP servers that it has chosen the IP address offered by one particular server, so that the other DHCP servers can assign the addresses they had offered to this client to other DHCP clients.

4) Acknowledgement stage

When the DHCP server receives the DHCP REQUEST message sent by the DHCP client, the DHCP server responds with a DHCP ACK message, indicating that the IP address requested in the DHCP REQUEST message is allocated to the client.
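The four-step exchange and the lease handling from the two passages above, as an added simulation that is not part of the thesis. Messages are plain dictionaries rather than real DHCP packets; the two servers, their address pools, the MAC addresses and the lease length are constructed for the example, and the second server shows what happens to an offer the client did not choose.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional


class DhcpServer:
    """Minimal DHCP server: one address pool on the client's segment, plus leases."""

    def __init__(self, server_id: str, pool_first: str, pool_last: str, lease_seconds: int):
        self.server_id = server_id            # server identifier option (the server's own IP)
        self.lease_seconds = lease_seconds
        self.free: List[str] = [str(IPv4Address(a)) for a in
                                range(int(IPv4Address(pool_first)), int(IPv4Address(pool_last)) + 1)]
        self.offered: Dict[str, str] = {}     # mac -> address reserved by an OFFER
        self.leases: Dict[str, dict] = {}     # ip -> {"mac": ..., "expires": ...}

    def reclaim_expired(self, now: float) -> None:
        """Addresses whose lease has run out go back into the pool."""
        for ip, lease in list(self.leases.items()):
            if lease["expires"] <= now:
                del self.leases[ip]
                self.free.append(ip)

    def handle(self, msg: dict, now: float) -> Optional[dict]:
        self.reclaim_expired(now)
        mac = msg["mac"]
        if msg["type"] == "DISCOVER":
            # Offer the address already reserved for this MAC, otherwise the next free one.
            ip = self.offered.get(mac)
            if ip is None:
                if not self.free:
                    return None               # pool exhausted: this server stays silent
                ip = self.free.pop(0)
                self.offered[mac] = ip
            return {"type": "OFFER", "mac": mac, "yiaddr": ip,
                    "server_id": self.server_id, "lease": self.lease_seconds}
        if msg["type"] == "REQUEST":
            reserved = self.offered.pop(mac, None)
            if msg["server_id"] != self.server_id:
                # The client chose another server: release what we had reserved for it.
                if reserved is not None:
                    self.free.insert(0, reserved)
                return None
            ip = msg["requested_ip"]
            renewing = self.leases.get(ip, {}).get("mac") == mac
            if reserved != ip and not renewing:
                return {"type": "NAK", "mac": mac, "server_id": self.server_id}
            self.leases[ip] = {"mac": mac, "expires": now + self.lease_seconds}
            return {"type": "ACK", "mac": mac, "yiaddr": ip,
                    "server_id": self.server_id, "lease": self.lease_seconds}
        return None


def dhcp_client(mac: str, servers: List[DhcpServer], now: float) -> Optional[dict]:
    """The four-step exchange; DISCOVER and REQUEST are broadcast, so every server sees them."""
    discover = {"type": "DISCOVER", "mac": mac}
    offers = [o for o in (s.handle(discover, now) for s in servers) if o is not None]
    if not offers:
        return None
    chosen = offers[0]                        # the client accepts the first OFFER it receives
    request = {"type": "REQUEST", "mac": mac,
               "server_id": chosen["server_id"], "requested_ip": chosen["yiaddr"]}
    replies = [r for r in (s.handle(request, now) for s in servers) if r is not None]
    return replies[0] if replies and replies[0]["type"] == "ACK" else None


def dhcp_renew(mac: str, ip: str, server: DhcpServer, now: float) -> Optional[dict]:
    """Lease extension: a REQUEST for the address already held, sent before expiry."""
    request = {"type": "REQUEST", "mac": mac, "server_id": server.server_id, "requested_ip": ip}
    reply = server.handle(request, now)
    return reply if reply is not None and reply["type"] == "ACK" else None


def demo():
    """Constructed scenario: two servers on one segment; S1's pool holds only two
    addresses, so the third client ends up served by S2. Returns (results, s1, s2)."""
    s1 = DhcpServer("192.168.1.1", "192.168.1.100", "192.168.1.101", lease_seconds=3600)
    s2 = DhcpServer("192.168.1.2", "192.168.1.200", "192.168.1.201", lease_seconds=3600)
    results = {}
    for i, mac in enumerate(["00:11:22:33:44:0a", "00:11:22:33:44:0b", "00:11:22:33:44:0c"]):
        ack = dhcp_client(mac, [s1, s2], now=i * 10)
        results[mac] = (ack["yiaddr"], ack["server_id"]) if ack else None
    return results, s1, s2


if __name__ == "__main__":
    for mac, result in demo()[0].items():
        print(mac, "->", result)
```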

3.3 STP technology

STP protocol introduction: STP (Spanning Tree Protocol) logically breaks loops to prevent broadcast storms. In a switched network a single point of failure may occur; a single point of failure means that the failure of one device in the network disrupts communication across the entire network. To avoid single points of failure and improve network reliability, a redundant topology can be built. However, a redundant topology creates loops in the network, which cause other problems. STP was designed to solve the problem of Layer 2 loops.

The basic principle of STP is to determine the network topology by exchanging a special protocol message, the Bridge Protocol Data Unit (BPDU), between switches. There are two types of BPDU: the configuration BPDU and the TCN BPDU. The former is used to calculate a loop-free spanning tree, and the latter is used to shorten the refresh time of MAC table entries when the Layer 2 network topology changes.

The role of STP: it is applied to establish tree topologies in computer networks. Its main function is to prevent the redundant links in a bridged network from forming loops; this satisfies the robustness requirement of the core layer network, which needs redundant links, and solves the "broadcast storm" problem caused by the physical loops those redundant links form.

(1) Broadcast storm

Assume that STP is not enabled on the switches. If PC1 sends a broadcast request, the broadcast frame is received on port 1 of both switches and forwarded out through port 2 of each. Port 2 of each switch then receives the frame from the other switch and forwards it out through port 1 again. This process repeats endlessly, eventually exhausting the network's resources and leaving the network paralyzed and unavailable.

(2) Multi-frame copy

When PC1 sends a broadcast request, the request reaches the other party's device directly, but the switches also receive and flood the frame. The flooded copies travel over the redundant link to the other party's device, and after repeated forwarding the other party's device receives multiple identical data frames.

(3) MAC address table shock

Switch S1 learns the MAC address of PC2 on port 2, but since S2 forwards the broadcast frame sent by PC2 out of its other ports, S1 also learns the MAC address of PC2 on port 1. As broadcast frames are continuously forwarded between the two switches, S1 keeps modifying its MAC address table, which causes MAC address table flapping.

To keep the redundancy of the links while ensuring that the above problems do not occur, STP was designed. Its core idea is to retain one optimal path and recalculate the optimal path when a link fails, which preserves redundancy while ensuring that no Layer 2 loop forms.

3.4 OSPF technology

The routing protocol OSPF, in full Open Shortest Path First, is the open shortest path first protocol. Because OSPF was developed by the IETF, its use is not restricted by any manufacturer and anyone can use it, which is why it is called open. Shortest path first (SPF) is simply the core idea of OSPF; the algorithm it uses is Dijkstra's algorithm. The phrase "shortest path first" carries no special meaning in itself: no routing protocol prefers the longest path, and all protocols choose the shortest one.

State machine: an OSPF adjacency passes through the following stages while it is being established.

(1) Down: once the local router sends a hello packet, it enters the next state.

(2) Init: a hello packet has been received locally; once a received hello carries the local RID, the router enters the next state.

(3) 2-Way: marks two-way communication, that is, the neighbor relationship is established.

Condition matching: on a point-to-point network the routers go directly to the next state; on a multi-access (MA) network a DR/BDR election is held (40 s), and two routers that are neither DR nor BDR do not proceed to the next state with each other.

(4) ExStart: hello-like DBD packets are used to elect the master/slave relationship; the router with the larger RID becomes master and enters the next state first.

(5) Exchange: real DBD packets are used to share the database summary, and each must be acknowledged.

(6) Loading: LSR/LSU/LSAck packets are used to obtain the unknown LSA information.

(7) Full: marks the establishment of the forwarding adjacency.

OSPF working process:

After the startup configuration is completed, the hello packet is used locally to establish neighbor relationships and generate neighbor tables;

Conditional matching is performed, and the failed matches remain neighbors. Only the hello packet period is kept alive;

Those who successfully match will use DBD/LSR/LSU/LSack to obtain unknown LSA information. After collecting all LSAs in their network, an LSDB-data table will be generated; then the shortest path algorithm will be used to calculate the local distance to all unknown network segments. The optimal route is then loaded into the routing table and convergence is completed.
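The last step of that process, running SPF over the collected LSDB and loading the result into the routing table, is shown by the following Python program, an added example that is not code from the original document. The LSDB it uses is constructed: router IDs 1.1.1.1 and 2.2.2.2 stand for the two core switches and 3.3.3.3 for the Internet router, the links are point-to-point and only stub networks are advertised (OSPF's transit-network LSAs and equal-cost multipath are left out), and the link costs and the 203.0.113.0/30 uplink prefix are assumptions. The second run shows the recalculation after a link goes down.

```python
import heapq
from copy import deepcopy

# Constructed LSDB: one router LSA per router, listing the cost to each
# point-to-point neighbor and the cost of each directly attached stub network.
LSDB = {
    "1.1.1.1": {"links": {"2.2.2.2": 1, "3.3.3.3": 10},
                "stubs": {"172.16.10.0/24": 1, "172.16.20.0/24": 1}},
    "2.2.2.2": {"links": {"1.1.1.1": 1, "3.3.3.3": 10},
                "stubs": {"172.16.11.0/24": 1}},
    "3.3.3.3": {"links": {"1.1.1.1": 10, "2.2.2.2": 10},
                "stubs": {"172.31.1.0/24": 1, "203.0.113.0/30": 1}},
}


def spf(lsdb, root):
    """Dijkstra from `root` over the router LSAs.

    Returns (cost to each router, first-hop router toward it). A link is only
    used when both ends advertise it, the same two-way check OSPF applies so
    that a link that is down in one direction is not used.
    """
    dist = {root: 0}
    first_hop = {root: None}
    heap = [(0, root)]
    settled = set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        for v, cost in lsdb[u]["links"].items():
            if v not in lsdb or u not in lsdb[v]["links"]:
                continue          # neighbor unknown or link not advertised back
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                first_hop[v] = v if u == root else first_hop[u]
                heapq.heappush(heap, (nd, v))
    return dist, first_hop


def routing_table(lsdb, root):
    """Best route per stub prefix: prefix -> (total cost, next hop router)."""
    dist, first_hop = spf(lsdb, root)
    table = {}
    for rid, d in dist.items():
        for prefix, cost in lsdb[rid]["stubs"].items():
            total = d + cost
            next_hop = first_hop[rid] or "directly connected"
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, next_hop)
    return table


def fail_link(lsdb, a, b):
    """LSDB after routers a and b flood new LSAs that no longer carry the a-b link."""
    new = deepcopy(lsdb)
    new[a]["links"].pop(b, None)
    new[b]["links"].pop(a, None)
    return new


if __name__ == "__main__":
    for prefix, (cost, nh) in sorted(routing_table(LSDB, "1.1.1.1").items()):
        print(f"{prefix:18} cost {cost:3} via {nh}")
    print("after the 1.1.1.1 - 3.3.3.3 link fails:")
    after = routing_table(fail_link(LSDB, "1.1.1.1", "3.3.3.3"), "1.1.1.1")
    for prefix, (cost, nh) in sorted(after.items()):
        print(f"{prefix:18} cost {cost:3} via {nh}")
```

From 1.1.1.1 the uplink prefix is reached through 3.3.3.3 at cost 11; once that link disappears from both routers' LSAs the same prefix is reached through 2.2.2.2 at cost 12, with no manual change, which is the convergence behaviour the section describes.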

3.5 ACL technology

3.5.1 Principle of ACL

An Access Control List (ACL) is a packet-filtering mechanism. The router reads the Layer 3 and Layer 4 header fields of each packet (source address, destination address, protocol, source port, destination port, and so on) and filters the packet according to predefined rules, thereby implementing access control. In other words, the administrator encodes the source address, destination address, port numbers and other parameters that identify particular traffic into matching rules, each with an action (permit or deny), and applies the list to an interface in a given direction; the device then checks incoming or outgoing packets against the list, protecting the router and the network.

3.5.2 The role of ACL

In an enterprise, ACLs can limit network traffic and improve network performance; for example, an ACL can classify packets by protocol so that they receive a given priority. ACLs are a means of controlling traffic: they can, for example, limit or reduce the size of routing updates and so limit the traffic crossing a given network segment of the router. They are also a basic means of providing secure network access, deciding which types of traffic are forwarded or blocked at a router port; for example, e-mail traffic may be routed while all Telnet traffic is denied.

For example, if a department is only allowed to use the WWW, this can be enforced with an ACL; if, for confidentiality, a department must neither access the external network nor be reachable from it, that too can be enforced with an ACL.

3.5.3 ACL classification

Table 3.1 Types of ACLs

| Classification | Applicable IP version | Rule definition | Number range |
|---|---|---|---|
| Basic ACL | IPv4 | Rules use only the packet's source IPv4 address, fragmentation information and effective time range. | 2000~2999 |
| Advanced ACL | IPv4 | Rules can use the source IPv4 address, destination IPv4 address, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, effective time range, etc. | 3000~3999 |
| Layer 2 ACL | IPv4 and IPv6 | Rules use Ethernet frame header fields such as the source MAC (Media Access Control) address, destination MAC address and Layer 2 protocol type. | 4000~4999 |
| User-defined ACL | IPv4 and IPv6 | Rules use a packet header, an offset, a string mask and a user-defined string: starting from the chosen header, a number of bytes is extracted from the packet, ANDed with the string mask, and the result is compared with the user-defined string to select matching packets. | 5000~5999 |
| User ACL | IPv4 | Rules can use the source IPv4 address or source UCL (User Control List) group, the destination IPv4 address or destination UCL group, IP protocol type, ICMP type, TCP source/destination port, UDP source/destination port, etc. | 6000~9999 |
| Basic ACL6 | IPv6 | Rules use the packet's source IPv6 address, fragmentation information and effective time range. | 2000~2999 |
| Advanced ACL6 | IPv6 | Rules can use the source IPv6 address, destination IPv6 address, IPv6 protocol type, ICMPv6 type, TCP source/destination port, UDP source/destination port, effective time range, etc. | 3000~3999 |

The categories and number ranges in Table 3.1 are those of Huawei devices. The Cisco IOS devices selected in Chapter 4 instead use numbered standard ACLs (1~99 and 1300~1999, source address only) and numbered extended ACLs (100~199 and 2000~2699, protocol, source, destination and ports), which is the form used in the configuration in Chapter 6.

3.6 NAT technology

NAT (Network Address Translation) was first specified in 1994 (RFC 1631). It has slowed the exhaustion of IPv4 addresses: although the regional registries handed out their last freely allocatable IPv4 blocks in 2019 (two years before this design was written), NAT keeps IPv4 networks usable, and the same technique can also be applied in IPv6 networks.

There are three types of NAT:

Static NAT (one-to-one). A private IP address of the internal network is translated to a fixed public IP address; the address pair is one-to-one and never changes.

Dynamic NAT (pooled NAT, many-to-many). When a private address of the internal network is translated to a public address, the public address is not fixed: any private address authorized to access the Internet may be translated to any address in a specified set of legal addresses. In other words, once the administrator specifies which internal addresses may be translated and which legal addresses serve as external addresses, dynamic NAT can operate. The router is configured with a pool of external addresses; when an internal host needs to communicate with the outside, the router takes an address from the pool and records the binding in its NAT table, and when the communication ends the external address is released for use by other internal addresses, much like a DHCP lease. Dynamic NAT is suitable when the number of legal addresses provided by the ISP is somewhat smaller than the number of internal computers.

Network Address Port Translation (NAPT, also called PAT). The source port of outgoing packets is rewritten as well as the source address, so that ports are multiplexed: all hosts of the internal network share one legal external IP address to reach the Internet, which saves address space to the greatest extent. At the same time the internal hosts' addresses are hidden from the Internet. PAT rules are therefore the most common form of NAT and one of the main reasons IPv4 has remained usable to this day. It provides a many-to-one mapping: for several internal addresses the border router assigns one external address and uses different ports of that address to talk to the outside. NAPT differs from dynamic NAT in that it maps internal connections to a single external IP address and tells them apart by a port number chosen by the NAT device. Note that the hiding of internal addresses is a side effect of the translation rather than a security control: a NAT device without a stateful firewall still forwards any inbound packet that matches a translation entry or a static mapping, so a server published through a static port mapping is as exposed as one with a public address and still needs its own filtering.

Chapter 4 System Design

4.1 Network architecture design principles

In this system design a layered design method is adopted: the logical structure of the network is broken into parts, and the details of design and implementation are discussed layer by layer. The topology is divided into three layers: the core layer, the aggregation layer and the access layer.

Benefits of the layered design approach:

(1) Cost saving. Traffic flowing from the access layer toward the core converges onto a few high-speed links, while traffic flowing from the core toward the access layer fans out over many lower-speed links, so the access layer can use smaller and cheaper devices. With a hierarchical design each layer is responsible for a different part of the forwarding task and does not have to solve every problem at once; the modularity of the model lets each layer use its bandwidth well and reduces wasted resources.

(2) Easy to understand. A topology built with the hierarchical method has a clear structure, so management tasks of different difficulty can be handled at the appropriate layer, reducing the cost of management.

(3) Easy to expand. The modularity produced by the hierarchical method makes the system easier to extend and easier to troubleshoot: the topology decomposes into easily understood subnet structures, so administrators can narrow down the scope of a fault more easily and clear it faster.

4.2 Network topology diagram

Figure 4.1 Network topology diagram

4.3 Network security design

Meeting the basic security requirements of the enterprise network is a necessary condition for running it successfully, and providing strong security assurance on that basis is an important principle of network system security. Many network devices and servers are deployed in the network; keeping these devices running and keeping the main business systems secure are the basic security requirements. Against the various network attacks, the questions are how to resist and detect them while still providing flexible and efficient communication and information services, and how to provide means of tracing an attack.

The measures adopted are:

(1) Access control. An access control system for specific network segments and services stops the great majority of attacks before they reach their target.

(2) Regular vulnerability checks. Periodic scanning for security vulnerabilities makes most attacks ineffective even if they reach their target.

(3) Attack monitoring. A monitoring system for specific network segments and services detects the great majority of attacks in real time.

(4) Encrypted communication. Actively encrypting communications prevents attackers from reading or modifying sensitive information.

(5) Authentication. A good authentication system prevents attackers from impersonating legitimate users.

(6) Backup and recovery. A good backup and recovery mechanism restores data and services as quickly as possible when an attack causes damage.

(7) Multi-layer defense. Attackers who break through the first line of defense are delayed or blocked before they reach their target.

(8) Hiding internal information. Attackers are prevented from learning the basic layout of the system.

(9) A security monitoring center. It provides management, monitoring, maintenance and emergency response for the information systems.

4.4 IP address planning

An IP address identifies a host or device in the network. Two hosts in the same network cannot use the same IP address; otherwise there is a conflict and communication fails, so IP addresses must be unique. At the same time, as the enterprise develops and its business and staff grow, the address plan must be able to scale, so the design must leave spare addresses in each range.

Table 4.1 IP address planning

| Department | VLAN | IP | Gateway |
|---|---|---|---|
| Production Technology Department | 10 | 172.16.10.0/24 | 172.16.10.254 |
| Planning and Marketing Department | 11 | 172.16.11.0/24 | 172.16.11.254 |
| Safety Supervision Department | 12 | 172.16.12.0/24 | 172.16.12.254 |
| Finance Department | 13 | 172.16.13.0/24 | 172.16.13.254 |
| Human Resources Department | 14 | 172.16.14.0/24 | 172.16.14.254 |
| Administration Department | 15 | 172.16.15.0/24 | 172.16.15.254 |
| General Manager's Office | 16 | 172.16.16.0/24 | 172.16.16.254 |
| DNS server | 20 | 172.16.20.1/24 | 172.16.20.254 |
| WEB server | 20 | 172.16.20.2/24 | 172.16.20.254 |
| Email server | 20 | 172.16.20.3/24 | 172.16.20.254 |
| DHCP server | 20 | 172.16.20.4/24 | 172.16.20.254 |
| FTP server | 20 | 172.16.20.5/24 | 172.16.20.254 |

Each gateway address is the HSRP virtual address of that VLAN (see 6.1.1); the two core switches use the .252 and other real addresses in the same /24.

4.5 Equipment selection

4.5.1 Core switch selection

The core switch is a Cisco WS-C6509-E enterprise-class switch. Its throughput and backplane bandwidth meet the data exchange requirements of a small or medium-sized enterprise. The main parameters are as follows:

Table 4.2 WS-C6509-E parameters

| Group | Parameter | Value |
|---|---|---|
| Main parameters | Product type | Enterprise-class switch |
| | Application level | Layer 4 |
| | Transmission rate | 10/100/1000 Mbps |
| | Switching method | Store-and-forward |
| | Backplane bandwidth | 720 Gbps |
| | Packet forwarding rate | 387 Mpps |
| | MAC address table | 64K entries |
| Port parameters | Port structure | Modular |
| | Expansion modules | 9 module slots |
| | Transmission mode | Full duplex supported |
| Features | VLAN | Supported |
| | QoS | Supported |
| | Network management | Supported |
| | ACL | Supported |
| Other parameters | Power supply | 4000 W |

Figure 4.2 WS-C6509-E switch

4.5.2 Aggregation switch selection

The Cisco WS-C3560X-24T-L switch is deployed as the aggregation switch of the enterprise network. Its parameters are as follows:

Table 4.2 C3560X parameters

| Parameter | Value |
|---|---|
| Product type | Gigabit Ethernet switch |
| Application level | Layer 2 |
| Transmission rate | 10/100/1000 Mbps |
| Product memory | DRAM: 256 MB; Flash: 128 MB |
| Switching method | Store-and-forward |
| Backplane bandwidth | 160 Gbps |
| Packet forwarding rate | 65.5 Mpps |
| Port structure | Fixed (non-modular) |
| Port description | 24 × 10/100/1000 Ethernet ports |

Figure 4.3 CISCO WS-C3560X-24T-L

4.5.3 Router selection

The router is a Cisco® 2900 Series Integrated Services Router. The 2900 Series builds on 25 years of Cisco innovation and product leadership. The platform is designed to continue the evolution of the branch office, bringing rich-media collaboration and virtualization to the branch while maximizing operational cost savings. The second-generation Integrated Services Router platform supports future multi-core CPUs, high-capacity DSPs (digital signal processors) for future enhanced video capabilities, high-powered service modules with improved availability, Gigabit Ethernet switching with enhanced PoE, and new energy monitoring and control capabilities, while improving overall system performance. In addition, the new Cisco IOS® Software universal image and the Services Ready Engine module decouple hardware and software deployment, providing a flexible technology foundation for meeting evolving network needs in time. In summary, by intelligently integrating market-leading security, unified communications, wireless and application services, the Cisco 2900 Series delivers unmatched total cost of ownership savings and network agility.

Table 4.3 Cisco 2911 router features

| Feature | Description |
|---|---|
| Modular platform | The Cisco 2900 Series Integrated Services Routers are highly modular platforms with several types of module slots for adding connectivity and services to meet different branch network needs. Through its modules the ISR offers the industry's widest range of LAN and WAN connectivity options, allowing field upgrades for future technologies without replacing the platform. |
| Processor | The Cisco 2900 Series is powered by high-performance multi-core processors, meeting the branch's growing demand for high-speed WAN connectivity while running multiple concurrent services. |
| Multigigabit Fabric (MGF) | The Cisco 2900 Series introduces the Multigigabit Fabric (MGF), which enables efficient module-to-module communication, enhancing service interaction between modules while reducing the load on the route processor. |
| TDM interconnect fabric | The TDM interconnect fabric in the system architecture significantly enhances unified communications services at the branch, scaling DS-0 channel capacity. |
| Integrated Gigabit Ethernet ports | All onboard WAN ports are 10/100/1000 Gigabit Ethernet WAN routed ports. On the Cisco 2921 and 2951, one of the three 10/100/1000 Ethernet WAN ports supports SFP (small form-factor pluggable) based connectivity in place of the RJ-45 port, enabling fiber connections. |

Figure 4.4 Cisco 2911 router

Chapter 5 Detailed Design

A traditional small or medium-sized LAN uses Layer 2 switches as its backbone, and the whole network is one broadcast domain. If every host in the enterprise belongs to the same subnet, Layer 2 traffic between them does not pass through a gateway device: forwarding is done entirely by MAC address lookup on one or more access switches, and only traffic destined for another subnet has to pass through the gateway.

The overall logical architecture of the enterprise network designed in this project follows modern LAN deployment guidelines: Layer 3 switches form the LAN backbone, each department is placed in its own VLAN as required for logical isolation, and these small LANs are interconnected by the routing function of the Layer 3 devices. Whatever the segment size, segments are a way of grouping computer nodes, and inter-segment access through Layer 3 switching has become the mainstream approach because, at Layer 3, traffic can at least be controlled, inspected and traced.

5.1 Core layer network design

Figure 5.1 Core layer

The main job of the core layer is to switch packets. Core devices exist to forward traffic between the other parts of the network, so connecting large numbers of end devices directly to the core should be avoided. The core must also provide routing reachability: the core devices need routes to every device and destination in the network so that they can forward between them.

To improve the reliability of the core switching network, this design provides two layers of protection, physical link redundancy and gateway redundancy. The core layer uses HSRP (Hot Standby Router Protocol) for gateway redundancy, and physical link redundancy is handled by the loop-detection mechanism of STP. The gateway of every business VLAN points to the virtual IP address maintained by HSRP, so HSRP provides one reliable gateway address for the whole network, implements hardware redundancy between the two core switches, and switches roles automatically through its own protocol messages. This gives the network a reliable basis for handling large volumes of centralized traffic efficiently.

5.2 Aggregation layer network design

The aggregation layer aggregates the access switches in the enterprise's office buildings and related units, performs data switching and VLAN termination, and is the connecting module between the core layer and the access layer. Its main function is to concentrate the access-layer devices of each wiring closet and of the server farm and to provide their uplinks to the core layer.

In this design the aggregation layer connects upward to the core switches and downward to the access switches, in both cases over dual links on which STP breaks the loop, so that link backup redundancy is available, no single point of failure exists, and the users' experience is protected.

5.3 Access layer design

Figure 5.3 Access layer design

The access layer faces the end users. Its main functions are to provide high-density user ports and admission control, including security control and QoS control. A multi-layer network design relies on the network's resilience and expandability: resilience means tolerance of faults and the ability to recover from them; expandability means that upgrades and expansion can be carried out at each layer as required, optimizing the network in a controlled and orderly way. In this architecture the access layer provides 10/100M switched ports to end users and uplinks to the aggregation layer. All terminal devices and LANs on each floor enter the network through the access layer.

5.4 Key technologies and difficulties

The key technology of this project is the ACL, used to restrict certain departments' access to servers and the servers' own Internet access, so as to implement network security within the enterprise and remove hidden risks. The LAN also uses the IP routing technologies DHCP, OSPF and NAT, and for redundancy the core devices combine HSRP and STP to provide gateway and physical link redundancy.

The difficulty of this design lies in configuring the ACL policies. On Cisco devices, if the entries of a numbered ACL are entered in the wrong order, the whole ACL traditionally had to be deleted and re-entered (current IOS releases allow entries to be inserted by sequence number in `ip access-list extended 100` configuration mode), so extra care is needed: first the order of the rules, because the first matching entry wins, and second the direction in which the list is applied, otherwise a large-scale network outage can result.

Chapter 6 System Testing

6.1 Debugging and testing

6.1.1 HSRP configuration and debugging on the core switches

interface Vlan10   // SVI for VLAN 10
ip address 172.16.10.252 255.255.255.0  // real address of this core switch in VLAN 10
ip helper-address 172.16.20.4       // DHCP relay: forward client requests to the DHCP server
standby 10 ip 172.16.10.254         // HSRP virtual gateway address (the gateway in Table 4.1)
standby 10 priority 101            // HSRP priority (default 100); the higher priority becomes Active
standby 10 preempt                 // preempt: take the Active role back when this switch recovers
interface Vlan11
mac-address 0040.0b31.7502
ip address 172.16.11.252 255.255.255.0
ip helper-address 172.16.20.4
standby 11 ip 172.16.11.254
standby 11 priority 101
standby 11 preempt

The HSRP state of the core switches is as follows:

Figure 6.1 HSRP state of the core switches

In this design HSRP is configured on the two core switches to provide gateway redundancy for the end devices: when the Active device goes down, the Standby device takes over forwarding immediately, and the mutual redundancy of the two devices keeps the whole network running without interruption. One caveat: HSRP hellos are sent to a multicast address on the VLAN and, unless configured otherwise, are protected only by the default plaintext authentication string cisco, so a host on the VLAN that sends hellos with a higher priority and preempt could take over the virtual gateway address and intercept the department's traffic. Enabling MD5 authentication on each group (standby 10 authentication md5 key-string <key>) closes this off.

6.1.2 DHCP configuration

The DHCP server hangs off the core; it holds the address pools, and the gateway devices forward address requests to it through DHCP relay. The configuration is as follows:

Figure 6.2 DHCP server configuration

A DHCP server is set up in the server area, and DHCP relay is configured on each gateway on the core switches so that all access terminals obtain their addresses automatically from the pools defined on the server. This simplifies the administrator's manual configuration work and avoids IP address conflicts. Because a client accepts whichever DHCP server answers first, a rogue DHCP server on an access VLAN could hand out a false gateway or DNS address; enabling DHCP snooping on the access switches, with only the uplinks toward the core marked as trusted, prevents that.

6.1.3 OSPF configuration

The two core switches run OSPF with the Internet access router: the core switches learn routes from each other, and the router learns the internal routes and advertises a default route down to the core switches.

router ospf 1
router-id 1.1.1.1
log-adjacency-changes
network 172.31.1.0 0.0.0.255 area 0
network 172.16.10.0 0.0.0.255 area 0
network 172.16.11.0 0.0.0.255 area 0
network 172.16.12.0 0.0.0.255 area 0
network 172.16.13.0 0.0.0.255 area 0
network 172.16.14.0 0.0.0.255 area 0
network 172.16.15.0 0.0.0.255 area 0
network 172.16.16.0 0.0.0.255 area 0
network 172.16.20.0 0.0.0.255 area 0

Figure 6.3 Internal routes learned on the router

OSPF is the most widely used dynamic routing protocol in enterprise networks because of its reliability and fast convergence: changes and additions to internal routes are learned as soon as they occur, without waiting for the periodic full-table updates of RIP. In this design OSPF runs between the core switches and the router so that routes are learned automatically. The figure shows that OSPF is working and the devices have learned the internal LAN segments without the administrator having to configure them by hand.

6.1.4 ACL application

Figure 6.4 ACL configuration

ACLs are configured on both core switches so that the Production Technology Department cannot access the mail server, the Planning and Marketing Department cannot access the WEB server, and the Safety Supervision Department cannot access the FTP server. The configuration on the core switches is as follows:

access-list 100 deny ip 172.16.10.0 0.0.0.255 host 172.16.20.3  // deny Production Technology Department -> mail server
access-list 100 deny ip 172.16.11.0 0.0.0.255 host 172.16.20.2  // deny Planning and Marketing Department -> WEB server
access-list 100 deny ip 172.16.12.0 0.0.0.255 host 172.16.20.5  // deny Safety Supervision Department -> FTP server
access-list 100 permit ip any any   // permit all other traffic
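The following Python program is an added example, not part of the original design or any Cisco code. It parses the four `access-list 100` lines above (and the two `access-list 1` lines used for NAT in 6.1.5) with the wildcard-mask semantics of Cisco numbered ACLs, evaluates packets against them top-down with the implicit deny at the end, and demonstrates the ordering pitfall discussed in 5.4: moving `permit ip any any` to the top makes every deny unreachable. The packet addresses and ports fed in are constructed; the parser understands only the subset of IOS syntax these lines use (standard lists 1~99/1300~1999 with a source spec, extended lists 100~199/2000~2699 with protocol, source, destination and optional `eq` ports). Note that the page shows the definition of list 100 but not the `ip access-group 100 in` command that applies it to the department VLAN interfaces; a list that is defined but not applied in the right direction filters nothing.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = (0, 0xFFFFFFFF)   # 0.0.0.0 with wildcard 255.255.255.255 matches every address

# ACL lines from sections 6.1.4 and 6.1.5 of the page; the trailing "//" notes
# are kept to show that the parser ignores them.
PAGE_CONFIG = """
access-list 100 deny ip 172.16.10.0 0.0.0.255 host 172.16.20.3  // Production Technology -> mail server
access-list 100 deny ip 172.16.11.0 0.0.0.255 host 172.16.20.2  // Planning and Marketing -> WEB server
access-list 100 deny ip 172.16.12.0 0.0.0.255 host 172.16.20.5  // Safety Supervision -> FTP server
access-list 100 permit ip any any
access-list 1 deny host 172.16.20.4
access-list 1 permit any
"""


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: Tuple[int, int]        # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    src_port: Optional[int]
    dst_port: Optional[int]
    text: str                   # the entry as written, reported when it matches


def _ip(token):
    return int(ipaddress.IPv4Address(token))


def _parse_spec(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W | A.B.C.D."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    try:
        return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]   # address followed by wildcard
    except (IndexError, ValueError):
        return (_ip(tokens[0]), 0), tokens[1:]                # bare address: wildcard 0.0.0.0


def _parse_port(tokens):
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_rule(line):
    """Parse one `access-list N ...` line into (list number, Rule)."""
    clean = line.split("//")[0].strip()
    tokens = clean.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if number <= 99 or 1300 <= number <= 1999:         # standard ACL: source address only
        src, rest = _parse_spec(rest)
        return number, Rule(action, "ip", src, ANY, None, None, clean)
    proto, rest = rest[0], rest[1:]                      # extended ACL
    src, rest = _parse_spec(rest)
    sport, rest = _parse_port(rest)
    dst, rest = _parse_spec(rest)
    dport, rest = _parse_port(rest)
    return number, Rule(action, proto, src, dst, sport, dport, clean)


def load_acls(config_text):
    acls = defaultdict(list)
    for line in config_text.splitlines():
        if line.strip().startswith("access-list"):
            number, rule = parse_rule(line)
            acls[number].append(rule)    # entries are evaluated in the order entered
    return acls


def wildcard_match(address, spec):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(address) & care) == (base & care)


def evaluate(rules, proto, src, dst, sport=None, dport=None):
    """First matching entry decides; every ACL ends with an implicit deny."""
    for rule in rules:
        if rule.proto not in ("ip", proto):
            continue
        if not (wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst)):
            continue
        if rule.src_port is not None and rule.src_port != sport:
            continue
        if rule.dst_port is not None and rule.dst_port != dport:
            continue
        return rule.action, rule.text
    return "deny", "implicit deny (end of list)"


ACLS = load_acls(PAGE_CONFIG)

if __name__ == "__main__":
    print(evaluate(ACLS[100], "tcp", "172.16.11.10", "172.16.20.2", dport=80))   # denied
    misordered = [ACLS[100][-1]] + ACLS[100][:-1]     # permit ip any any moved to the top
    print(evaluate(misordered, "tcp", "172.16.11.10", "172.16.20.2", dport=80))  # now permitted
```

The evaluation reproduces the test in 6.2.3 (Planning and Marketing denied, Production Technology permitted, for the WEB server) and shows why the order matters: with the permit entry first, the list permits everything, and with the final permit removed, a host in a VLAN the list never mentions is dropped by the implicit deny.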

6.1.5 NAT

Figure 6.5 NAT status

NAT address translation and a server port mapping are configured on the egress router, meeting the Internet access needs of internal users and the need to publish the server externally. The ACL referenced by the NAT rule excludes the DHCP server's address so that the DHCP server is denied Internet access. Note that this exclusion only stops the server's packets from being translated; the router still forwards them with their private source address, and they fail only because no reply can be routed back to a private address. To block the server's Internet access explicitly, apply an ACL on the interface.

The configuration is as follows:

access-list 1 deny host 172.16.20.4     // do not translate traffic whose source is the DHCP server
access-list 1 permit any             // translate all other sources
ip nat inside source list 1 interface GigabitEthernet0/2 overload    // apply ACL 1 to NAT, translating to the address of outgoing interface G0/2 with port overload (PAT)
ip nat inside source static tcp 172.16.20.2 80 164.100.222.1 80    // publish the WEB server on public address 164.100.222.1, TCP port 80
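To make the behaviour of these four lines concrete, the following Python program is an added example (not the page's configuration or any Cisco code) that models the NAPT table of the egress router: port-overload translation of inside hosts onto one public address, taken here to be 164.100.222.1 (the page does not say whether G0/2 carries that address, so this is an assumption), the static TCP/80 mapping to the WEB server, and the exclusion of the DHCP server. The mapping is keyed on inside address and port, which is simpler than the per-flow entries IOS keeps, and the packets fed in are constructed. It also shows the limit of the exclusion: a packet from an excluded source is forwarded untranslated, not dropped.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Endpoint = Tuple[str, int]   # (IP address, port)


@dataclass
class Napt:
    """Port-overload NAT with static port forwards and an excluded-source list."""
    public_ip: str
    excluded_sources: Set[str] = field(default_factory=set)    # sources that ACL 1 denies
    port_range: Tuple[int, int] = (1024, 65535)
    # (proto, public port) -> (inside ip, inside port)
    dynamic: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    static: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # (proto, inside ip, inside port) -> public port
    outbound_map: Dict[Tuple[str, str, int], int] = field(default_factory=dict)

    def add_static(self, proto, inside_ip, inside_port, public_port):
        """ip nat inside source static <proto> <inside> <port> <public> <port>."""
        self.static[(proto, public_port)] = (inside_ip, inside_port)
        self.outbound_map[(proto, inside_ip, inside_port)] = public_port

    def _port_free(self, proto, port):
        return (proto, port) not in self.dynamic and (proto, port) not in self.static

    def _allocate_port(self, proto, preferred):
        # Keep the original source port when it is free; otherwise take the first free one.
        if preferred >= self.port_range[0] and self._port_free(proto, preferred):
            return preferred
        for port in range(self.port_range[0], self.port_range[1] + 1):
            if self._port_free(proto, port):
                return port
        raise RuntimeError("NAPT port pool exhausted")

    def outbound(self, pkt):
        """Translate an inside->outside packet (dict with proto, src, sport, dst, dport)."""
        if pkt["src"] in self.excluded_sources:
            # Denied by the NAT ACL: forwarded with its private address, not dropped.
            return dict(pkt, translated=False)
        key = (pkt["proto"], pkt["src"], pkt["sport"])
        if key not in self.outbound_map:
            public_port = self._allocate_port(pkt["proto"], pkt["sport"])
            self.dynamic[(pkt["proto"], public_port)] = (pkt["src"], pkt["sport"])
            self.outbound_map[key] = public_port
        return dict(pkt, src=self.public_ip, sport=self.outbound_map[key], translated=True)

    def inbound(self, pkt):
        """Translate an outside->inside packet, or return None when nothing maps it."""
        if pkt["dst"] != self.public_ip:
            return None
        key = (pkt["proto"], pkt["dport"])
        target = self.static.get(key) or self.dynamic.get(key)
        if target is None:
            return None     # unsolicited packet with no table entry: dropped
        inside_ip, inside_port = target
        return dict(pkt, dst=inside_ip, dport=inside_port, translated=True)


def build_page_nat():
    """The egress router of section 6.1.5 as modelled here (public address assumed)."""
    nat = Napt(public_ip="164.100.222.1", excluded_sources={"172.16.20.4"})
    nat.add_static("tcp", "172.16.20.2", 80, 80)   # WEB server published on TCP/80
    return nat


if __name__ == "__main__":
    nat = build_page_nat()
    hr = {"proto": "udp", "src": "172.16.14.10", "sport": 51000, "dst": "8.8.8.8", "dport": 53}
    print(nat.outbound(hr))
    print(nat.outbound(dict(hr, src="172.16.15.20")))        # same source port, different host
    print(nat.inbound({"proto": "udp", "src": "8.8.8.8", "sport": 53,
                       "dst": "164.100.222.1", "dport": 51000}))
    print(nat.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
                       "dst": "164.100.222.1", "dport": 80}))   # reaches the WEB server
    print(nat.inbound({"proto": "tcp", "src": "198.51.100.7", "sport": 40000,
                       "dst": "164.100.222.1", "dport": 22}))   # no mapping: None
    print(nat.outbound(dict(hr, src="172.16.20.4")))          # DHCP server: untranslated
```

Two inside hosts using the same source port receive different public ports, the reply to the first is mapped back to the right host, an inbound connection to TCP/80 is delivered to the WEB server while one to TCP/22 has no entry and is dropped, and the DHCP server's packet leaves the router unchanged, which is why the test in 6.2.4 sees it fail rather than being blocked.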

6.2 Connectivity testing

6.2.1 DHCP automatic address acquisition test

Figure 6.4 Safety Supervision Department terminal obtaining an address automatically

A terminal in the Safety Supervision Department obtains its address, gateway and DNS server automatically from the DHCP server.

6.2.2 LAN connectivity test

Figure 6.5 Ping test from the General Manager's Office

Connectivity from a PC in the General Manager's Office to terminals in the Production Technology Department and the Planning and Marketing Department was tested; the results are normal.

6.2.3 ACL restriction test

Figure 6.6 Planning and Marketing Department denied access to the WEB server

Terminals in the Production Technology Department and the Planning and Marketing Department accessed the WEB server at the same time: the Planning and Marketing Department could not reach the WEB server, while the Production Technology Department accessed it normally. The test result is as expected.

6.2.4 NAT test

Figure 6.7 NAT access test

A terminal in the Human Resources Department and the DHCP server accessed the Internet at the same time: the DHCP server could not reach the Internet, while the Human Resources Department could. The test result is as expected.

Origin blog.csdn.net/qq1325513482/article/details/131723216