Computer Network Technology and Application

Chapter 28 Network Technology Application Examples

Chapter 28 Network Technology Application Examples (3)
(5) Update anti-virus and firewall software promptly, check the system regularly, and download and install patches for system vulnerabilities as soon as they are available.

(6) Do not open suspicious emails casually, and never run executable programs attached to emails.

(7) If any abnormality is found on a computer, disconnect it from the network promptly and carry out virus scanning and removal.

2. Internet users
(1) Purchase an anti-virus suite with network anti-virus capability, update it regularly and scan for viruses regularly.

(2) Install a network virus prevention server on the network system.

(3) Try to avoid using workstations with floppy drives.

(4) Set users' access rights reasonably, and do not grant users more read and write rights than they need.

(5) Back up files and databases regularly.

(6) Formulate strict rules and systems for network operation.

8.2 Small and medium-sized enterprise LAN establishment design
This section takes the establishment of a representative LAN for a small or medium-sized enterprise as an example. It mainly covers the following contents: requirements analysis, network topology design, selection and planning of network hardware, Internet access, virtual LAN (VLAN) design, virtual private network (VPN) design, IP address allocation, and enterprise network security measures.

8.2.1 Requirements Analysis

[Example] XX company currently has about 500 employees and more than 400 computers. The main information points are concentrated in the administration, marketing, research and development, technology and planning departments. The company now needs to set up an enterprise LAN to achieve the following goals.

(1) Meet common enterprise tasks and needs: secure access to the Internet, publishing corporate information, publicizing corporate culture, expressing opinions and exchanging work, communicating with the outside world, remote employees using the Internet to access company resources, and using FTP servers to access documents and materials. Provide user-to-user and user-to-application connection services with reasonable speed and reliable functions.

(2) Focus on the development of future technology, so that the existing network has good scalability.

(3) Provide convenient monitoring and management functions to ensure stable operation of the network, and improve as far as possible the efficiency with which network administrators resolve faults.

(4) Complete the established tasks within a limited budget, and plan server bandwidth reasonably so that all resources deliver the greatest possible benefit.

8.2.2 Network topology design
The enterprise LAN adopts the three-layer hierarchical network design model: the core layer consists of high-end routers and switches, the distribution layer of routers and switches that implement policies, and the access layer of low-end switches that connect users.

8.2.3 Selection and planning of network hardware equipment

1. Router selection and planning

In terms of router selection, the router connected to the Internet is planned to be a Cisco 2811XM, acting as the Internet access gateway of the computer room. It provides the mapping between the internal IP addresses and the external IP addresses of all servers in the computer room, both for Internet access and for external services, and can also connect branch offices through VPN interconnection to provide remote access.

Since the Cisco 2811XM router carries the enterprise's external business services, redundant backup is required so that the company's servers keep working normally when the router fails. HSRP is adopted here: two Cisco 2811XMs form a "hot standby group", with one configured as the active router and the other as the standby router, so that when the active router fails, the standby router immediately takes over and becomes the active router.

2. Selection and planning of switches

The selection of switches is based mainly on the amount of data in the enterprise network, and the core and access layer devices are determined accordingly. There are 400 computers in this network. In the extreme case, all 400 computers access the network at the same time; at 100Mbps per node, the maximum traffic will reach 30G. In order to guarantee the bandwidth requirements of each access switch as far as possible, the Cisco WS-C3560G-24TS-S switch is selected here to perform store-and-forward switching between Layer [-] switches, and each of its ports connects the access switches of each floor and department to achieve interconnection.

This switch also serves as the VLAN domain server used to create, modify and manage VLANs. In addition, it can enable a port security policy that binds each port directly connected to a PC to that PC's MAC address, and access lists can be applied to VLANs and individual ports to enforce network access control.

Given the limited network budget of a typical enterprise, redundancy for the core switches is limited to redundant modules and supervisor engines. The switches on each floor are Cisco 2950 series switches, and each floor can have a distribution room that aggregates the access switches of all departments on that floor; all switches in the same distribution room are stacked through trunk links to connect terminal workstations and users to the corporate LAN and provide wire-speed performance on every port. The server area and the edge access area use Catalyst 2950G-24 switches with dual uplinks to the core switch.

8.2.4 Internet access
The enterprise LAN has two lines connected to the Internet: one is an ADSL line that provides proxy Internet service for all internal employees, a 5M dial-up connection with a dynamic IP; the other is a digital circuit to the local ISP, a 10M connection with a fixed IP, which carries the network services published by each enterprise server.

8.2.5 Virtual LAN Design
In order to effectively suppress broadcast storms on the network, increase the flexibility and security of network connections, centralize management and control, and reduce management costs, VLAN (Virtual Local Area Network) technology can be used to divide the physical network connected by the switches into multiple logical subnets.

There are many ways to divide VLANs on a switch. To meet the needs of actual use as fully as possible and reduce the workload of users in using and maintaining VLANs, VLANs can be divided based on IP address.

8.2.6 Virtual Private Network (VPN) Design

Enterprise applications include basic applications and business applications. Basic network applications such as internal file sharing, mail and office automation systems do not have very high requirements for network reliability and security, whereas business application systems are fundamental to the normal operation of the enterprise, and their reliability and security bear directly on its survival. Therefore, the two Internet connections are used to reach the external network, and VPN is used to connect remote branches to the private network.

Current VPN applications in enterprise networks fall into two main types: site-to-site VPN and remote access VPN. Since the main purpose of this enterprise's VPN is to connect remote branches and offices (the marketing department), and traffic flows mainly between the remote branches and the headquarters office, a site-to-site VPN is adopted. A star topology is used, which simplifies configuration: multiple IPsec and GRE tunnels are established only at the headquarters, one to each branch.

8.2.7 IP address allocation
In a TCP/IP network there are two ways to set IP addresses: manually configuring a static IP, or automatically obtaining a dynamic IP. When the network is relatively large, instead of manually setting the IP address of every client, it is enough to configure a DHCP server in the network to assign IP addresses. This DHCP server can be regarded as an IP address database.

Each client sends a request to this database every time it starts in order to obtain an IP address automatically, which reduces the burden of network management. In this example, static IP addresses are used; interested readers can consider how to design DHCP to assign IP addresses dynamically.

Among the servers on the enterprise intranet, those that provide services externally all use intranet IP addresses; the router maps these to external IP addresses, and the IP address configured in the service programs must also be the intranet address. Internal access to any externally published service must use the internal IP address; these services cannot be accessed from inside directly via the external IP.

8.2.8 Corporate network security measures
The security of the enterprise LAN mainly includes two aspects: the security of the LAN and the security of accessing the Internet.

The core area of the enterprise network is typically subject to data eavesdropping (sniffing), exploitation of trust relationships, and IP spoofing. A high-performance switched infrastructure can therefore be deployed to effectively prevent data eavesdropping. In addition, access control can reduce the chance that a compromised host in one VLAN reaches confidential information on servers in another VLAN. Finally, to prevent source address spoofing, RFC 2827 filtering can be applied on the core switch to drop traffic leaving a VLAN whose source address does not belong to that VLAN, which greatly strengthens intranet security.

Attacks that commonly occur in the Internet access module include IP spoofing, denial of service (DoS), password attacks, application layer attacks, unauthorized access, viruses and Trojan horses. Against these, RFC 1918 and RFC 2827 address filtering can be configured in the Internet access area, which prevents address spoofing and effectively mitigates denial of service (DoS) attacks. At the same time, rate limiting of non-essential traffic relieves the pressure of denial of service attacks.
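The RFC 1918 and RFC 2827 filtering described above, written out as a small Python checker. This is an added example, not from the textbook; the public prefix 203.0.113.0/24, the VLAN subnet and the sample packets are constructed for illustration, and the same check is parameterized so it also covers the per-VLAN anti-spoofing filter on the core switch mentioned in the previous paragraph.

```python
import ipaddress

# RFC 1918 private ranges: never a valid source on packets arriving from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The enterprise's public block (constructed; 203.0.113.0/24 is a documentation range).
OWN_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def filter_packet(direction, src, own_prefix=OWN_PREFIX):
    """Return (verdict, reason) for one packet at a filtering point.
    direction: "inbound" (from the untrusted side) or "outbound" (leaving the
    protected side). own_prefix: the block legitimately used behind this point,
    i.e. the public block at the Internet edge, or a VLAN's subnet when the same
    check runs on a core-switch VLAN interface.
    """
    s = ipaddress.ip_address(src)
    if direction == "inbound":
        # RFC 1918 filtering: private sources cannot legitimately come from outside.
        if any(s in n for n in RFC1918):
            return ("drop", "rfc1918-source")
        # Anti-spoofing: nobody outside may claim one of our own addresses.
        if s in own_prefix:
            return ("drop", "spoofed-own-prefix")
        return ("permit", "ok")
    if direction == "outbound":
        # RFC 2827 egress filtering: only our own prefix may leave through this point.
        if s not in own_prefix:
            return ("drop", "rfc2827-egress")
        return ("permit", "ok")
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed sample traffic (not captured data) for the Internet edge and one VLAN.
VLAN10 = ipaddress.ip_network("192.168.10.0/24")
SAMPLE = [
    ("inbound", "198.51.100.7", OWN_PREFIX),   # ordinary Internet client: permit
    ("inbound", "10.1.2.3", OWN_PREFIX),       # private source from outside: drop
    ("inbound", "203.0.113.5", OWN_PREFIX),    # our own address arriving from outside: drop
    ("outbound", "203.0.113.10", OWN_PREFIX),  # server reply with a real address: permit
    ("outbound", "192.0.2.9", OWN_PREFIX),     # internal host spoofing a foreign source: drop
    ("outbound", "192.168.20.7", VLAN10),      # VLAN 10 host using a VLAN 20 address: drop
]


def audit(packets=SAMPLE):
    """Run every sample packet through the filter and return the verdicts in order."""
    return [filter_packet(d, s, p)[0] for d, s, p in packets]
```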

Installing a host intrusion detection system on the public servers in the firewall's DMZ can effectively counter password attacks, port redirection and unauthorized access. In addition, using PVLAN (Private VLAN) isolates servers located in the same VLAN from one another, which prevents attacks that exploit trust relationships. Of course, configuring applications and operating systems sensibly, applying security patches regularly and other routine maintenance can effectively prevent intrusion by viruses and Trojan horse programs.

[Chapter summary]

The two examples in this chapter are practical applications of common network technologies in modern work and business. Through the detailed explanation of these two examples, we can clearly understand how to build a local area network and how to configure network services, so as to make better use of network technology, change the way we live and work, and gain a head start in fierce modern business competition. In addition, this chapter analyzes the potential threats and hazards in a local area network and, having established the importance and necessity of network security, proposes corresponding security precautions and strategies so that the LAN can run safely, reliably, conveniently and quickly.

(End of this chapter)
