Layer 3 switching technology: analysis and application in data security
Compiled by: Seraph Chutium ----- http://com.6to23.com/
Analysis of Layer 3 switching technology
What is Layer 3 switching
Layer 3 switching (also called multi-layer switching or IP switching) is a concept proposed in contrast to traditional switching. Traditional switching technology operates at Layer 2 of the OSI model, the data link layer, whereas Layer 3 switching forwards packets at high speed at Layer 3 of the network model. Put simply, Layer 3 switching = Layer 2 switching technology + Layer 3 forwarding technology. Its appearance solved the problem that, once a LAN is divided into network segments, the subnets within it have to be managed by a router, and so removed the network bottleneck caused by the low speed and complexity of traditional routers.

Principle of Layer 3 switching
A device with Layer 3 switching capability is a Layer 2 switch that also has Layer 3 routing functions, but the two are organically combined: it is not simply the hardware and software of a router bolted onto a LAN switch. The principle is as follows. Assume two hosts A and B using the IP protocol are communicating through a Layer 3 switch. When host A starts sending, it compares B's IP address with its own to determine whether B is in the same subnet. If destination B is in the same subnet, Layer 2 forwarding is performed.
If the two hosts are not in the same subnet and A wants to communicate with B, A sends an ARP (Address Resolution Protocol) request to its "default gateway", and the IP address of that default gateway is actually the Layer 3 switching module of the Layer 3 switch. When A sends the ARP request to the default gateway's IP address, the Layer 3 module replies to A with B's MAC address if it already learned that address during an earlier conversation. Otherwise, the Layer 3 module broadcasts an ARP request to B according to its routing information. When B receives this ARP request it replies with its MAC address to the Layer 3 module, which saves the address, replies to A, and also writes B's MAC address into the MAC address table of the Layer 2 switching engine. From then on, all packets sent from A to B are handled by the Layer 2 switching process and exchanged at high speed. Because Layer 3 processing is needed only during the routing step and most data is forwarded at Layer 2, a Layer 3 switch is very fast, close to Layer 2 speed, and costs far less than a comparable router.

Types of Layer 3 switches
According to how they process data, Layer 3 switches can be divided into pure hardware and pure software types. (1) Pure hardware Layer 3 technology is technically complex and costly, but it is fast, performs well and carries heavy loads. Its principle is to use ASIC chips to look up and refresh the routing table in hardware, as shown in Figure 1.
Figure 1: Principle of a pure hardware Layer 3 switch
After data is received by the port interface chip, the Layer 2 switching chip first looks up the destination MAC address. If it is found, Layer 2 forwarding is performed; otherwise the data is handed to the Layer 3 engine. In the Layer 3 engine, the ASIC chip looks up the routing table entry matching the destination IP address of the data, sends an ARP packet to the destination host to obtain its MAC address, passes that MAC address to the Layer 2 chip, and the packet is then forwarded by the Layer 2 chip. (2) Software-based Layer 3 switching technology is simple, but slow, and is not suitable for a backbone. Its principle is to look up the routing table with CPU software, as shown in Figure 2.
Figure 2: Principle of a software Layer 3 switch
After data is received by the port interface chip, the Layer 2 switching chip first looks up the destination MAC address. If it is found, Layer 2 forwarding is performed; otherwise the data is sent to the CPU. The CPU looks up the routing table entry matching the destination IP address of the data, sends an ARP packet to the destination host to obtain its MAC address, passes that MAC address to the Layer 2 chip, and the packet is forwarded by the Layer 2 chip. Because a low-cost CPU processes slowly, this kind of Layer 3 switch is slow.

Market product selection
In recent years the construction of broadband IP networks has become a hot topic. Taking Layer 3 switch products positioned at the access layer or at a small or medium aggregation layer as examples, this section introduces the specific technologies of some Layer 3 switches. The mainstream access-layer Layer 3 switches on the market are mainly Cisco's Catalyst 2948G-L3, Extreme's Summit24 and Allied Telesyn's Rapier24; each of these products has its own characteristics, and between them they cover most Layer 3 switching features. Of course, when selecting a Layer 3 switch the user can also evaluate and choose products from other manufacturers, such as Nortel's Passport/Accelar series (after Cabletron was split into four companies, most of its SSR Layer 3 switches were incorporated into Riverstone), Avaya's Cajun M series and 3Com's SuperStack3 4005 series. In addition, domestic network vendors such as Shenzhou Digital Network, TCL Network, Shanghai Radio and Television, the Violet Network and the First Letter have launched Layer 3 switch products. Three products are introduced here to help you fully understand Layer 3 switches and choose the right model for your own situation.
Cisco Catalyst 2948G-L3: this switch combines the industry-standard IOS to provide a complete solution, fully supporting IOS access control lists (ACLs) in version 12.0(10). Together with the Catalyst 6000 at the core it can build a complete end-to-end broadband metropolitan area network (the Catalyst 6000 uses the MSFC module to perform its multi-layer switching service and has stopped using the RSM route switch module; IOS version 6.1 fully supports ACLs). Extreme: its Layer 3 switching products provide a unique Ethernet bandwidth allocation capability with a granularity of 500 kbps or 200 kbps, so service providers can achieve fixed-delay transmission of audio and video according to bandwidth usage. Allied Telesyn Rapier24: the PPPoE feature provided by this Layer 3 switch is rich and improves user authentication and billing. It suits a variety of access networks, is flexible, makes service selection easy to implement and protects users' existing investment; working together with NAT (Network Address Translation) and a DHCP server, it is an attractive option for many service providers. In summary, although only a few years have passed since the Layer 3 switch was proposed as a concept until its popularization today, its extended features are already rich in practical applications. With the development of ASIC hardware chip technology and the promotion of practical applications, Layer 3 technology and products will develop further.

Using Layer 3 switching to ensure data security
The main network topology of Jiangxi Sanjiu Yigo Co., Ltd. is a multi-level star Gigabit Ethernet. A high-performance Cisco Catalyst 4006 switch with multiple Gigabit and 100 Mbps ports is placed in the center of the technology building as the core switch of the backbone. The company's primary servers and high-performance workstations connect directly to the center switch; a fiber module installed in the backplane slot of the center switch connects over optical fiber to the Catalyst 3512 switches in the production divisions, giving the workstations in each division 100 Mbps. The company's computer network is configured as follows: the server side runs Windows NT Server, and the clients run Windows NT Workstation or Windows 95/98. The application system has two parts: the first is the CAD/CAM/CAPP/PDM system, the other is the enterprise resource planning (ERP) system. An HP 6000 serves as the Windows NT primary domain controller and also as the ERP server; there is an independent CAD server, as well as a mail server, a network management server and a PC used for drawing. All product drawings are concentrated in the computer center.

■ Security requirements
1. To protect CAD designs and product drawings, the management department must be separated onto a different network segment;
2. There is only one primary domain controller; all computers in the central computer room are on the CAD network segment but need resources on the ERP server;
3. The company's top leaders belong to the ERP management network segment, but also need to manage and use resources on the CAD network segment.
■ Solution
Ethernet based on the CSMA/CD mechanism inevitably generates packet broadcasts and collisions; because data is broadcast, security is affected, especially in Windows-based networks, so broadcasts must be reduced, and that requires VLANs. A VLAN divides one broadcast domain into several broadcast domains; VLANs can be defined in three ways: by port, by MAC address and by network protocol. Cisco recommends that one VLAN correspond to one IP network segment (TCP/IP network); this method suits our situation, and Trunk technology is used to keep the VLAN configuration consistent. A trunk is a point-to-point link between switches, or between a switch and a router, that carries the data of multiple VLANs simultaneously, and it helps extend a VLAN from one switch to another. In the seven-layer model, a hub is a Layer 1 device: the devices connected to it are in the same collision domain and the same broadcast domain. Switches and bridges are Layer 2 devices: the devices connected to them are in the same broadcast domain, but each port is its own collision domain, so switches help reduce collisions and allow full-duplex communication, but cannot reduce broadcast traffic. A router is a Layer 3 device: through its routing function it can control both broadcasts and collisions among the connected devices.

■ Layer 3 switching simplifies the setup
After VLANs are configured, different VLANs cannot communicate with each other, so a router is needed to connect them; with a Layer 3 switch, however, this trouble is unnecessary. The Catalyst 4006 is a more advanced enterprise backbone switch from Cisco with Layer 3 switching capability, which solves the inter-VLAN communication problem and eliminates the low bandwidth of a router. The Layer 3 switching function of the 4006 is implemented on the 4232-L3 module.
Unlike the 5000 and 6000 series, Layer 3 switching on the 4000 series is done over two internal virtual Gigabit connections. Two VLANs were designed on the center switch, for CAD and for ordinary users respectively, using the network segments 192.168.66.0 and 192.168.67.0.
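As an added illustration (example code, not part of the original article or of any Cisco product), the following Python model walks through the forwarding flow described in the principle section above, using the two segments of the case study: a same-subnet frame stays at Layer 2, the first packet to another subnet goes through the Layer 3 module's ARP step, and later packets are switched by the Layer 2 engine once the destination MAC is in its table. Host names, MAC addresses and port numbers are constructed for the example; a /24 mask is assumed for both segments.

```python
import ipaddress

# Constructed sample hosts (not from the article): name -> (IP, MAC, switch port).
# A and C sit on the CAD segment 192.168.66.0/24, B on the user segment 192.168.67.0/24.
HOSTS = {
    "A": ("192.168.66.10", "00:aa:00:00:00:0a", 1),
    "B": ("192.168.67.20", "00:bb:00:00:00:0b", 2),
    "C": ("192.168.66.30", "00:cc:00:00:00:0c", 3),
}

def same_subnet(ip1, ip2, prefix=24):
    """Step 1 of the flow: the sender compares the two IPs under the subnet mask."""
    def net(ip):
        return ipaddress.ip_interface(f"{ip}/{prefix}").network
    return net(ip1) == net(ip2)

class Layer3Switch:
    def __init__(self, hosts):
        self.hosts = hosts
        self.mac_table = {}      # Layer 2 switching engine: MAC -> port
        self.l3_cache = {}       # Layer 3 module: IP -> MAC learned in earlier conversations
        self.host_arp = {h: {} for h in hosts}  # each host's own ARP cache
        self.arp_broadcasts = 0  # ARP requests the Layer 3 module had to broadcast

    def gateway_arp(self, dst_ip):
        """The sender asks its 'default gateway' (really the L3 module) for dst_ip."""
        if dst_ip not in self.l3_cache:
            # Not known from a previous conversation: broadcast an ARP request for dst_ip
            self.arp_broadcasts += 1
            for ip, mac, port in self.hosts.values():
                if ip == dst_ip:
                    self.l3_cache[dst_ip] = mac
                    self.mac_table[mac] = port  # handed down to the L2 engine's MAC table
        return self.l3_cache[dst_ip]

    def send(self, src, dst):
        """Return which path a packet from src to dst takes: 'L2' or 'L3'."""
        sip, smac, sport = self.hosts[src]
        dip, dmac, dport = self.hosts[dst]
        self.mac_table[smac] = sport  # the L2 engine learns the source MAC as usual
        if same_subnet(sip, dip):
            return "L2"  # same subnet: plain Layer 2 forwarding, no routing involved
        known = self.host_arp[src].get(dip)
        if known is not None and known in self.mac_table:
            return "L2"  # destination MAC already in the L2 table: switched at wire speed
        self.host_arp[src][dip] = self.gateway_arp(dip)
        return "L3"  # first packet of the conversation went through the Layer 3 module
```

Running `Layer3Switch(HOSTS).send("A", "B")` twice shows the "L3" then "L2" pattern; a third host on the CAD segment reaching B afterwards still gets a "L3" first hop but triggers no new ARP broadcast, because the module already cached B.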