How to use a stand-alone network card to access the company's internal and external networks

2025-02-23 Update From: SLTechnology News&Howtos (Network Security)

Shulou(Shulou.com)06/01 Report--

In a project I am about to implement, a company runs two separate network systems so that its internal and external networks are physically isolated, and employees switch between the two networks with dual-network-card isolators. As the business and its technology have progressed, the users now need to deploy a desktop cloud system: the internal and external networks will each be built on the desktop cloud, and cloud terminals on the front end will connect to the desktop cloud server and log in to the desktops. This raises several problems:

1. Only one network cable runs to each cloud terminal where the desktop cloud system will be deployed, so the users cannot do what other companies do and lay two cables in front of each terminal to switch between the internal and external networks.

2. The cloud terminal all-in-one machine has only one network port, so using two ports to reach the internal and external networks is impossible.

For these reasons I think a physical-isolation scheme of the usual kind cannot be used here, and only a logical network isolation scheme remains (divide the traffic into different VLANs and use ACLs to isolate the internal and external networks). In this project I use hardware and software such as a hyper-converged integrated server system, VMware Horizon 6, a Huawei 10 Gigabit core switch, Huawei Gigabit access switches, a public-network firewall, a WEB firewall, an IPS, and cloud terminal all-in-one machines. Part of the system topology diagram is as follows:

As the topology diagram shows, Cat5e cables connect the cloud terminal all-in-one machines to the Gigabit access switch, and SFP+ multi-mode modules connect the hyper-converged server system to the 10 Gigabit switch. On the 10 Gigabit core switch, one electrical port connects to the intranet fibre leased line and another electrical port connects to the external-network firewall that leads out to the Internet; an IPS is transparently deployed between the external firewall and the core switch. A WEB firewall (protecting the WEB sites that intranet users access) is deployed between the access switch and the core switch.

To avoid problems during implementation, I set up an experimental environment and walked through the whole process first. My experimental topology is as follows:

1. In the topology diagram I left out the IPS and the WEB firewall; this does not affect the simulation of the real environment.

2. I used VMware Workstation to install a WIN2008 R2 system to simulate the intranet and extranet desktop systems.

3. I used VMware Workstation to install a WINXP system to simulate the end user.

4. I used Huawei's eNSP to simulate the core and access switches.

5. I used VMware Workstation to install Panabit to simulate the firewall and provide the Internet access (extranet) function.

6. Functionally, end users can access both the intranet and the extranet desktop clouds, while the two desktop clouds cannot reach each other (logical isolation between the internal and external networks).

7. The public-network desktop cloud can use the Internet normally, while the private-network desktop cloud cannot.

The topology diagram of Huawei eNSP network is as follows:

1. Create VLANs 17, 20, 50 and 100 on the core switch.

2. Set the gateway of each VLAN to the .254 address of its subnet.

3. VLAN 50 can access VLAN 17 and VLAN 20; VLAN 17 and VLAN 20 cannot access each other.

4. VLAN 17 can access the public network; the other VLANs are refused access to the public network.

5. The public-network desktop cloud VM is connected to the VMware Workstation virtual network VMnet1.

6. The intranet desktop cloud VM is connected to the VMware Workstation virtual network VMnet2.

7. The end user is connected to the VMware Workstation virtual network VMnet3.

8. Panabit is connected to the VMware Workstation virtual network VMnet4.

9. Panabit's other network card is bridged to the local physical network card.

The configuration of the access switch is as follows:

#
sysname sw2 # rename the switch to sw2
#
vlan batch 17 20 50 100 # create VLANs 17, 20, 50 and 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094 # interface G0/0/1 is the uplink: trunk mode, allowing all VLANs to pass
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 50 # interface G0/0/2 faces the terminal: access mode, untagged into VLAN 50
#

The configuration of the core switch is as follows:

system-view
[Huawei] sysname sw1
[sw1] vlan batch 17 20 50 100 # create the VLANs
[sw1] interface g0/0/1 # enter G0/0/1
[sw1-GigabitEthernet0/0/1] port link-type access
[sw1-GigabitEthernet0/0/1] port default vlan 17 # put the port into VLAN 17
[sw1-GigabitEthernet0/0/1] quit
[sw1] interface g0/0/2 # enter G0/0/2
[sw1-GigabitEthernet0/0/2] port link-type access
[sw1-GigabitEthernet0/0/2] port default vlan 20 # put the port into VLAN 20
[sw1-GigabitEthernet0/0/2] quit
[sw1] interface g0/0/3 # enter G0/0/3
[sw1-GigabitEthernet0/0/3] port link-type trunk
[sw1-GigabitEthernet0/0/3] port trunk allow-pass vlan all # trunk to the access switch, allowing all VLANs to pass
[sw1-GigabitEthernet0/0/3] quit
[sw1] interface vlan 17
[sw1-Vlanif17] ip address 172.16.17.254 255.255.255.0 # gateway of VLAN 17
[sw1-Vlanif17] quit
[sw1] interface vlan 20
[sw1-Vlanif20] ip address 192.168.20.254 255.255.255.0 # gateway of VLAN 20
[sw1-Vlanif20] quit
[sw1] interface vlan 50
[sw1-Vlanif50] ip address 192.168.50.254 255.255.255.0 # gateway of VLAN 50
[sw1-Vlanif50] quit
[sw1] interface vlan 100
[sw1-Vlanif100] ip address 10.10.10.254 255.255.255.0 # IP address of VLAN 100 (link to the firewall)
[sw1-Vlanif100] quit
[sw1] acl number 3000 # access rule for traffic from VLAN 17 to VLAN 20
[sw1-acl-adv-3000] rule deny ip source 172.16.17.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[sw1-acl-adv-3000] quit
[sw1] traffic classifier c_vlan17 # traffic classifier c_vlan17 matches packets that hit ACL 3000
[sw1-classifier-c_vlan17] if-match acl 3000
[sw1-classifier-c_vlan17] quit
[sw1] traffic behavior b_vlan17 # traffic behavior b_vlan17: the action is to drop the packet
[sw1-behavior-b_vlan17] deny
[sw1-behavior-b_vlan17] quit
[sw1] traffic policy p_vlan17 # traffic policy p_vlan17 binds classifier c_vlan17 to behavior b_vlan17
[sw1-trafficpolicy-p_vlan17] classifier c_vlan17 behavior b_vlan17
[sw1-trafficpolicy-p_vlan17] quit
[sw1] interface g0/0/1 # apply traffic policy p_vlan17 inbound on GE0/0/1 (the VLAN 17 port)
[sw1-GigabitEthernet0/0/1] traffic-policy p_vlan17 inbound
[sw1-GigabitEthernet0/0/1] quit
[sw1] interface g0/0/24
[sw1-GigabitEthernet0/0/24] port link-type access
[sw1-GigabitEthernet0/0/24] port default vlan 100 # put the port into VLAN 100
[sw1-GigabitEthernet0/0/24] quit
[sw1] ip route-static 0.0.0.0 0.0.0.0 10.10.10.10 # default route to the public-network firewall
[sw1] quit
save
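The isolation above rests on a single stateless ACL applied inbound on the VLAN 17 port. The following model, an added example that is not part of the article, parses that Huawei-style rule (wildcard-mask syntax), replays it the way the inbound policy on GE0/0/1 would, and checks the connectivity results the lab steps expect. Subnets, host addresses and the rule text are taken from the article; the switch behaviour (first matching rule wins, unmatched packets are forwarded) is an assumed simplification, and a real device may differ in details such as the handling of ACL deny rules inside a traffic classifier.

```python
"""Model of the inter-VLAN isolation configured on core switch sw1 (added example)."""
import ipaddress
from collections import namedtuple

# src/dst are (network, wildcard) pairs, or ("any", None) when the clause is absent.
Rule = namedtuple("Rule", "action proto src dst")

# VLAN interfaces from the article (the .254 address of each subnet is the gateway).
VLAN_SUBNETS = {
    17: ipaddress.ip_network("172.16.17.0/24"),    # public-network desktop cloud
    20: ipaddress.ip_network("192.168.20.0/24"),   # intranet desktop cloud
    50: ipaddress.ip_network("192.168.50.0/24"),   # cloud terminals
    100: ipaddress.ip_network("10.10.10.0/24"),    # link to the Panabit firewall
}

# acl number 3000 exactly as entered on sw1.
ACL_3000 = "rule deny ip source 172.16.17.0 0.0.0.255 destination 192.168.20.0 0.0.0.255"

# traffic-policy p_vlan17 inbound is applied only on GE0/0/1, the VLAN 17 access port.
# Assumed model: packets entering from a VLAN with no policy are forwarded unfiltered.
INBOUND_POLICY = {17: [ACL_3000]}


def parse_rule(line):
    """Parse one advanced-ACL rule line ("rule [id] permit|deny proto [source ...] [destination ...])."""
    tok = line.split()
    if not tok or tok[0] != "rule":
        raise ValueError(f"not an ACL rule: {line!r}")
    i = 2 if tok[1].isdigit() else 1            # optional rule number
    action, proto = tok[i], tok[i + 1]
    i += 2
    clauses = {"source": ("any", None), "destination": ("any", None)}
    while i < len(tok):
        kw = tok[i]
        if kw not in clauses:
            raise ValueError(f"unsupported keyword {kw!r} in {line!r}")
        if tok[i + 1] == "any":
            clauses[kw], i = ("any", None), i + 2
        else:
            clauses[kw], i = (tok[i + 1], tok[i + 2]), i + 3
    return Rule(action, proto, clauses["source"], clauses["destination"])


def wildcard_match(addr, clause):
    """Huawei wildcard semantics: address bits where the wildcard bit is 0 must match."""
    network, wildcard = clause
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def vlan_of(addr):
    """Ingress VLAN of a host, derived from its subnet."""
    ip = ipaddress.IPv4Address(addr)
    for vlan, net in VLAN_SUBNETS.items():
        if ip in net:
            return vlan
    raise ValueError(f"{addr} is not in any configured VLAN")


def packet_forwarded(src, dst):
    """One packet, one direction: apply the inbound policy of the ingress port, first match wins."""
    for line in INBOUND_POLICY.get(vlan_of(src), []):
        rule = parse_rule(line)
        if wildcard_match(src, rule.src) and wildcard_match(dst, rule.dst):
            return rule.action == "permit"
    return True                                  # no matching rule: forwarded normally


def session_works(client, server):
    """A ping or TCP session needs the request *and* the reply to get through."""
    return packet_forwarded(client, server) and packet_forwarded(server, client)


def isolation_report():
    """Connectivity matrix for the hosts used in the article's tests (constructed from the steps)."""
    return {
        "terminal->public cloud": session_works("192.168.50.3", "172.16.17.2"),
        "terminal->intranet cloud": session_works("192.168.50.3", "192.168.20.2"),
        "public->intranet (step 14)": session_works("172.16.17.3", "192.168.20.2"),
        "intranet->public (step 15)": session_works("192.168.20.2", "172.16.17.3"),
        # Caveat: the policy is one-directional and stateless, so a lone packet from
        # VLAN 20 to VLAN 17 is still forwarded; only the reply is cut.
        "one-way packet intranet->public": packet_forwarded("192.168.20.2", "172.16.17.3"),
    }


if __name__ == "__main__":
    for name, ok in isolation_report().items():
        print(f"{name:35s} {'reachable' if ok else 'blocked'}")
```

The last row of the report is the point worth checking on the real switch: ping and TCP from VLAN 20 to VLAN 17 fail only because the replies are dropped on GE0/0/1, so unidirectional traffic (UDP, ICMP without a reply) from the intranet cloud towards the public-network cloud is not filtered. A mirror rule denying 192.168.20.0/24 to 172.16.17.0/24, applied inbound on GE0/0/2, closes that gap.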

After configuring both switches, I went to VMware Workstation and installed the WIN2008 R2 and WINXP systems. That process is very simple, so I will not describe it; I will only explain how to connect the systems to the different networks for the experiments.

1. Connect WINXP to the VMNET3 network.

2. Set the IP address of WINXP to 192.168.50.3 and the gateway to 192.168.50.254.

3. Use the PING command to check that the gateway can be reached.

4. Connect WIN2008 R2 to the VMNET1 network first.

5. Set the IP address of WIN2008 R2 to 172.16.17.2 and the gateway to 172.16.17.254.

6. Use the PING command to check that the gateway can be reached.

7. Install the IIS service on the WIN2008 R2 system and enable the default website (this is very simple, so I will not describe it here). In the IE browser on the WINXP system, enter 172.16.17.2 and see whether the default website opens. If it does, the cloud terminal can access the public-network desktop cloud normally.

8. Next, connect the WIN2008 R2 system to the VMNET2 network to simulate the intranet desktop cloud system.

9. Change the IP address of WIN2008 R2 to 192.168.20.2 and the gateway to 192.168.20.254.

10. Use the PING command to check that the gateway can be reached.

11. On the WINXP system, enter 192.168.20.2 in the IE browser and see whether the default website opens. If it does, the cloud terminal can access the intranet desktop cloud system normally. Testing the extranet desktop cloud system at 172.16.17.2 the same way also opens the website; I will not repeat the description here. Passing all of these tests means the cloud terminal can access the internal and external network systems separately.

12. Since I only have the WIN2008 and XP systems, I connect WINXP to VMNET1 to simulate the extranet desktop cloud system.

13. I change the IP address of WINXP to 172.16.17.3 and the gateway to 172.16.17.254.

14. Then I PING 192.168.20.2 to see whether the ACL on the core switch denies mutual access between the internal and external networks. If the PING fails, the internal/external network isolation is working.

15. From the WIN2008 R2 system, PING 172.16.17.3. If the PING fails, the internal/external network isolation is working in this direction too.

Here I use the Panabit software to simulate the firewall and actually provide Internet access for the internal equipment. First install Panabit in VMware Workstation. In the Panabit system I used three network cards: the first is connected to the VMNET3 network as the management interface; the second is connected to the VMNET4 network and thus to the core switch; the third is connected to the VMNET0 network and bridged to my physical network card to simulate the Internet.

16. Log in with the user name root and password panaos.

17. Use ifconfig to check the addresses of the three network cards, and use the command ifconfig le0 192.168.50.10 255.255.255.0 to give the management port an IP address.

18. Enter the address 192.168.50.10 in the browser on the physical machine to manage Panabit through its WEB interface.

19. Click "Continue to this website", then enter the user name admin and password panaos.

20. After entering the page, I go to System Maintenance - Upgrade System and apply the patches.

21. Go to System Maintenance - Management Interface, set the interface address, and submit.

22. Go to System Maintenance - Data Interface, assign the other two network cards to the internal and external networks, and submit.

23. Go to Application Routing - Interface Lines and set up the LAN interface and the WAN interface.

24. Click LAN Interface - Add and set the interface name to inside, the IP address to 10.10.10.10 and the netmask to 255.255.255.0; leave the rest at the defaults.

25. Click WAN Interface - Add and set the interface name to outside, the IP address to 192.168.1.200, the gateway to 192.168.1.1 (the address of the optical modem in my home), and the DNS also to 192.168.1.1.

26. Go to Application Routing - Policy Routing and set the policy that lets the private network reach the public network: traffic with source address 172.16.17.0/24 (the public-network desktop cloud addresses) is NATed to the public network.

27. Connect WINXP to VMNET2 to simulate the intranet desktop cloud, and PING 192.168.1.1 to see whether it can reach the Internet. It cannot, and web pages do not open. This realises the requirement that the intranet desktop cloud cannot use the Internet.

28. Connect WIN2008 R2 to VMNET1 to simulate the public-network desktop cloud, and PING 192.168.1.1 to see whether it can reach the Internet. Open the browser and visit Baidu. This realises the requirement that the extranet desktop cloud can use the Internet.

29. Finally I tested one more function: accessing the private-network server from the Internet. First connect WIN2008 R2 to VMNET1 and set the IP address 172.16.17.2, gateway 172.16.17.254 and DNS 192.168.1.1. On Panabit, configure Application Routing - Port Mapping, as shown in the following figure:

30. Then, on the physical machine, open the IP address 192.168.1.200 (equivalent to the public-network address) in an IE browser; the site is accessible and the function test passes.

With that, all the experiments are done and all the functions have been realised. Of course, some people may have better methods and practices; I only offer this as a reference, hoping it will help you in future projects.
