Design and implementation of a network security solution for medium and large enterprises based on eNSP

1. Requirements background

The company has four departments (Human Resources, Finance, Sales, and Marketing) and an employee dormitory building. It needs to provide services to the Internet, and its important departments need data protection and access control.

(1) Divide VLANs and subnets according to the customer's requirements, the departments, and the topology.

(2) Plan the routing protocols sensibly.

(3) Allow private-network users to access the public network.

(4) Core-layer redundancy and load balancing: by deploying MSTP and VRRP on the Layer 3 switches, traffic from the office areas and the dormitory building is carried on separate paths, giving both redundancy and load balancing.

(5) Isolate the intranet from the public network.

(6) Firewall dual-device hot standby and dual egress links ensure reliability.

2. Address planning

Head office address planning

Department             Address space    VLAN       Gateway
Finance Department     10.0.10.0/24     Vlan10     10.0.10.254/24
Sales Department       10.0.20.0/24     Vlan20     10.0.20.254/24
Personnel Department   10.0.30.0/24     Vlan30     10.0.30.254/24
Marketing Department   10.0.40.0/24     Vlan40     10.0.40.254/24
Staff dormitory        10.0.50.0/24     Vlan50     10.0.50.254/24
Internal servers       10.0.100.0/24    Vlan100    10.0.100.254/24

3. Configuration process

1. Access layer implementation

At the access layer, assign the ports to vlan10, vlan20, vlan30, vlan40 and vlan50 according to the plan.

User-facing ports are added to the relevant VLAN as access ports, and the uplink ports are configured as trunk ports that allow the relevant VLANs to pass. The branch access layer is configured the same way. In addition, configure MSTP multi-instance spanning tree on the access switches and map the relevant VLANs to different instances. Every switch in the region (access and core) must use the same region name and the same VLAN-to-instance mapping, otherwise they form separate MSTP regions.

stp region-configuration      //Enter the MSTP region view
 region-name huawei           //Set the region name to huawei
 instance 1 vlan 10 20        //Map vlan10 and vlan20 to instance 1
 instance 2 vlan 30 40        //Map vlan30 and vlan40 to instance 2
 active region-configuration  //Activate the region configuration

2. Core layer implementation

(1) DHCP implementation

Deploy DHCP on the core switches.

Configure DHCP:

dhcp enable                               //Enable DHCP globally
ip pool vlan10                            //Create an IP address pool named vlan10
 network 10.0.10.0 mask 255.255.255.0     //Address pool network segment
 gateway-list 10.0.10.1                   //Gateway handed to clients: the VRRP virtual IP of Vlanif10
 excluded-ip-address 10.0.10.2 10.0.10.3  //Exclude the two core switches' own interface addresses
interface Vlanif10                        //dhcp select is an interface command, so enter the VLAN interface
 dhcp select global                       //Serve clients on this interface from the global pool

(2) MSTP + VRRP

1) MSTP root bridge roles on this core switch:

stp instance 1 root primary    //This switch is the primary root bridge for instance 1
stp instance 2 root secondary  //This switch is the backup root bridge for instance 2

2) VRRP key configuration; the other gateways are configured in the same way:

interface Vlanif10
 ip address 10.0.10.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.0.10.1   //Create VRRP backup group 10 with virtual IP 10.0.10.1
 vrrp vrid 10 priority 120           //Switch A gets priority 120, higher than switch B's 100, so A is master
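As an added example (not the post's own code), the following Python script produces the per-VLAN DHCP pool, Vlanif and VRRP configuration for both core switches from the address plan, so that the VRRP master of each VLAN matches the MSTP root of its instance. It assumes, as in the VLAN 10 snippet above, virtual IP .1, Core-A .2, Core-B .3 and priorities 120/100; that Core-B is the root for instance 2 (the post makes Core-A secondary there); and a constructed placement of VLANs 50 and 100.

```python
# Added example: generate gateway configuration for both core switches from the plan.
# Assumptions (constructed): virtual IP = .1, Core-A = .2, Core-B = .3 in every subnet,
# master priority 120, backup priority 100, VLAN 50 and VLAN 100 placement is a guess.
import ipaddress

PLAN = {  # vlan id -> (name, subnet, switch that is VRRP master and MSTP root)
    10: ("finance", "10.0.10.0/24", "Core-A"),     # instance 1 rooted on Core-A
    20: ("sales", "10.0.20.0/24", "Core-A"),
    30: ("hr", "10.0.30.0/24", "Core-B"),          # instance 2 rooted on Core-B
    40: ("marketing", "10.0.40.0/24", "Core-B"),
    50: ("dorm", "10.0.50.0/24", "Core-B"),        # assumption: dorm traffic follows Core-B
    100: ("servers", "10.0.100.0/24", "Core-A"),   # assumption: server VLAN follows Core-A
}
PHYSICAL_HOST = {"Core-A": 2, "Core-B": 3}         # host part of each switch's own address

def vlanif_config(switch: str, vlan: int) -> list[str]:
    """Vlanif + VRRP lines for one VLAN on one switch; VRID equals the VLAN id."""
    _, subnet, master = PLAN[vlan]
    net = ipaddress.ip_network(subnet)
    vip, own = net[1], net[PHYSICAL_HOST[switch]]
    prio = 120 if switch == master else 100
    return [
        f"interface Vlanif{vlan}",
        f" ip address {own} {net.netmask}",
        f" vrrp vrid {vlan} virtual-ip {vip}",
        f" vrrp vrid {vlan} priority {prio}",    # 120 on the master, 100 on the backup
        " dhcp select global",                   # clients served from the global pool
    ]

def dhcp_pool_config(vlan: int) -> list[str]:
    """Global DHCP pool for one VLAN; identical on both switches."""
    _, subnet, _ = PLAN[vlan]
    net = ipaddress.ip_network(subnet)
    return [
        f"ip pool vlan{vlan}",
        f" network {net.network_address} mask {net.netmask}",
        f" gateway-list {net[1]}",                   # clients are told the VRRP virtual IP
        f" excluded-ip-address {net[2]} {net[3]}",   # keep the switches' own addresses out
    ]

def build_config(switch: str) -> str:
    lines = ["dhcp enable"]
    for vlan in PLAN:
        lines += dhcp_pool_config(vlan) + vlanif_config(switch, vlan)
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_config("Core-A"))
```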

(3) Link aggregation

Set up link aggregation between the two core switches. The key configuration is as follows:

interface eth-trunk 1                             //Create an Eth-Trunk interface with ID 1
 mode lacp                                        //Use LACP mode (set before adding members)
interface g0/0/6
 eth-trunk 1                                      //Add the physical interface to Eth-Trunk 1
interface eth-trunk 1
 port link-type trunk                             //Set the link type of the aggregated link to trunk
 port trunk allow-pass vlan 10 20 30 40 50 100    //Allow the planned VLANs across the trunk (without this only VLAN 1 passes)

3. Network egress implementation

(1) Deploy NAT:

The NAT key configuration is as follows:

//Security policy permitting the internal (trust) sources that need Internet access to reach the untrust zone:

security-policy
 rule name nat
  source-zone trust
  destination-zone untrust
  action permit

//NAT policy translating those sources to the egress interface address (easy-ip):

nat-policy
 rule name nat
  source-zone trust
  destination-zone untrust
  action source-nat easy-ip

4. Routing protocol implementation

The core switches connect to the egress devices through dual uplinks and run OSPF for Layer 3 routing.

//The other devices advertise their directly connected segments the same way.

[Core-A] ospf 1                                                //Enter OSPF process 1
[Core-A-ospf-1] area 0
[Core-A-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255   //Advertise all directly connected 10.x.x.x segments

5. Implementation of the dual-device hot standby function

# Configure a VGMP group on the firewall to monitor the uplink and downlink service interfaces.

[FW_A] hrp track interface GigabitEthernet 1/0/0
[FW_A] hrp track interface GigabitEthernet 1/0/1
[FW_A] hrp adjust ospf-cost enable    //Adjust the OSPF cost according to the VGMP state so traffic follows the active firewall

# Specify the heartbeat interface on the firewall and enable hot standby. FW_B needs the same track and heartbeat commands, with the remote address pointing at FW_A's heartbeat address.

[FW_A] hrp interface GigabitEthernet 0/0/6 remote 10.10.10.1
[FW_A] hrp enable
[FW_B] hrp standby-device
[FW_B] hrp enable

6. Intranet security configuration

Access control: access to the Finance Department from the other departments is denied.

[SW-A] acl 3000
[SW-A-acl-adv-3000] description deny_cw
[SW-A-acl-adv-3000] rule deny ip source 10.0.0.0 0.0.255.255 destination 10.0.10.0 0.0.0.255   //Deny the other internal networks access to Finance
[SW-A] traffic-filter inbound acl 3000   //Apply globally in the inbound direction; packets matching no rule are forwarded
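The effect of ACL 3000 is easy to misjudge because a traffic-filter is stateless. The following added Python example (not from the original post) models Huawei wildcard-mask matching and traffic-filter semantics (rules checked in configuration order, first match wins, no match means permit) and evaluates constructed sample flows from the address plan. It shows that the single deny rule also drops replies sent back to Finance hosts from any 10.0.0.0/16 address, including the internal server VLAN, while Internet replies still pass; a permit rule placed before the deny restores server access.

```python
# Added example: evaluate the post's ACL 3000 under traffic-filter semantics.
# Sample hosts are constructed from the address plan; assumes the filter sits on a
# switch that forwards both directions of each flow.
import ipaddress

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: a 0 bit must equal the base, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)

# (action, source base, source wildcard, destination base, destination wildcard)
ACL_3000 = [
    ("deny", "10.0.0.0", "0.0.255.255", "10.0.10.0", "0.0.0.255"),
]
# Constructed refinement: let the server VLAN answer Finance before the deny rule.
ACL_3000_WITH_SERVERS = [
    ("permit", "10.0.100.0", "0.0.0.255", "10.0.10.0", "0.0.0.255"),
] + ACL_3000

def traffic_filter(rules, src: str, dst: str) -> str:
    """Rules are tried in configuration order; the first match decides."""
    for action, sb, sw, db, dw in rules:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "permit"          # traffic-filter forwards packets that match no rule

def evaluate_flow(rules, client: str, server: str) -> dict:
    """A TCP/UDP exchange only works if both directions pass the stateless ACL."""
    fwd = traffic_filter(rules, client, server)
    rev = traffic_filter(rules, server, client)
    return {"forward": fwd, "reverse": rev, "works": fwd == rev == "permit"}

if __name__ == "__main__":
    for client, server in [("10.0.20.5", "10.0.10.5"),     # Sales -> Finance
                           ("10.0.10.5", "10.0.100.10"),   # Finance -> internal server
                           ("10.0.10.5", "8.8.8.8")]:      # Finance -> Internet
        print(client, "->", server, evaluate_flow(ACL_3000, client, server))
```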

For DHCP security, enable DHCP snooping and mark the uplink interfaces as trusted, so that DHCP replies are accepted only from the uplinks towards the core switches and a rogue DHCP server on a user port is blocked.

dhcp snooping enable        //Enable DHCP snooping globally first; the interface commands below require it
interface Ethernet0/0/1
 dhcp snooping enable
 dhcp snooping trusted      //Uplink: DHCP replies arriving here are legitimate
#
interface Ethernet0/0/2
 dhcp snooping enable
 dhcp snooping trusted      //Second uplink, same treatment

Enable port security on the Finance Department access port:

[SW1-Ethernet0/0/3] port-security enable                    //Enable interface security
[SW1-Ethernet0/0/3] port-security protect-action shutdown   //On violation, shut the port down
[SW1-Ethernet0/0/3] port-security max-mac-num 1             //At most one MAC address (one user) per port

Firewall egress security configuration:

Configure DDoS attack defence.

Bind anti-virus, APT defence and the other security profiles to the security policies.

4. Test

1. DHCP test

All departments obtain addresses normally.

2. VRRP test

The VRRP status is normal.

3. Routing and user Internet access test

4. Firewall dual-device hot standby test

The active and standby states are normal.

5. Internal server access test and external access test

Public network access:

Intranet access control: Finance cannot be reached from the other departments, and all other access works normally.


Source: blog.csdn.net/m0_59193722/article/details/132589151