Reprint of DHCP services in multi-VLAN environments: FreexPloit
When upgrading the network, you must take into account the various aspects, and how to implement DHCP services in a multi-VLAN environment is one of them.
principle
Using the DHCP method, you need to use the broadcast packet, according to normal conditions, DHCP services can only be implemented in the same broadcast domain. The establishment of VLAN is to isolate the broadcast package, why can DHCP cross-network segments on a three-layer switch? This requires us to convert the broadcast packets requested by DHCP to unicast requests, will forward the request to forward the request To the VLAN where the DHCP server is located, the cross-VLAN service of DHCP is implemented.
Implementation
In order to achieve DHCP services across VLANs, you need to start from two aspects, on the one hand, on the switch to indicate the IP address of the DHCP server on the switch, and on the other hand, create a new scope on the DHCP server.
The following is described as an example of Cisco's CATLYST 4506 as an example:
1. Configure the DHCP server on the switch:
IP DHCP-Server 192.168.0.69
2. Set the IP address of the same DHCP server for each VLAN in the switch:
Interface VLAN11
IP Address 192.168.1.254 255.255.255.0
IP Helper-Address 192.168.0.69 DHCP Server IP
Interface VLAN12
IP Address 192.168.2.254 255.255.255.0
IP Helper-Address 192.168.0.69 DHCP Server IP
3. Set the network address on the DHCP server to the scope of 192.168.1.0, 192.168.2.0, and set these "routers" options to the interface IP address of the corresponding VLAN.
Constructing "copper wall iron wall" with network equipment
The author performs ACL (Access Control List) configuration on the router and switch to prevent viruses and hackers attack, and the effect is very good. After the configuration, the network equipment effectively prevents the attack of oscillating wave in many hosts without the corresponding patches.
Because viruses (especially system vulnerability viruses) are propagated and attacked by the corresponding port, we can consider setting the corresponding ACL on the router or switches.
We will explain as an example with Cisco products, and the specific ACL configuration is as follows:
Access-list 101 permit TCP Any Any Establish
This command is an ACL that only allows the established connection to transmit data from the outside, and a connection that is not established in advance will be rejected. Finally, the ACL can be bound to the corresponding port to achieve the purpose of preventive viruses.
Let us now take a look at how to use this technology to meet the shock wave. Many computers have no patch, so that the exterior infected the host of oscillatingly spread viruses through the 3 ports of 445, 5554 and 9996. Since we set ACL, this data will be filtered out by the router when the external virus actively transmits the internal 445, 5554, 9996 port, and the truly anti-happening is true. Such settings have no effect on users in the intranet.
prompt
1. Because the ESTABLISHED statement only supports the TCP protocol, if the company wants to transmit DNS and other information, set the corresponding ACL statement to open the UDP transmission, format is Access-List 101 permit udp any again.
2. After this setting, the user complained that the FTP can not be used, because FTP password verification and data transfer are not the same port, password verification uses 21 ports, and data transmission uses 20 ports, so we also add corresponding ACL, format For Access-List 101 Permit TCP Any Any EQ FTP-DATA or Access-List 101 Permit TCP ANY Any EQ 20. Prevent a malicious attack NT vulnerability by means of router
In addition to ADSL dial-up, cell broadband Internet access is also very common online. If you use a cell broadband Internet access, do you think the router is just an Internet tool? In fact, you can use your router, you can also prevent hackers' attacks. Let us come in active.
OBJECTIVE: To limit the external computer to the 192.168.0.1 of this cell, the 23 (Telnet), 80 (WWW), 3128 and other ports of the host.
Prerequisites: The interface of the Router connects the internal network is ethernet0 / 1. After each command, press ENTER to execute, and the Cisco route is required.
Step 1 Select Run in the Start menu, enter "cmd" in the pop-up dialog box and enter, then the window is connected, and the router is connected under the prompt, the instruction format is "Telnet Router IP Address". When the Telnet Password is required to enter Telnet Password, the "login" word is displayed, enter the password and confirm, and then enter the instruction enable, and the password is entered when entering the enable password on the screen.
Tip: These two passwords are generally provided by router manufacturers or dealers, they can call queries.
Step 2 Enter the instruction Router # Configure Termihal to enter the router's configuration mode, and the router can only be set on this mode.
Step 3 After entering the configuration mode, enter the instruction router (config) #access -list 101 deny tcp any host 192.168.0.1 EQ Telnet, the function of the instruction is to set the access list Access list Access LIST , this command represents refusing to connect to the IP address Any request for the host of 192.168.0.1 belonging to port port 23 (telnet).
Step 4 Enter the router config # aecess -list 101 deny TCP Any Host 192.168.0.1 EQ WWW instructions to reject a request from the host to the port 80 (WWW) of the IP address of 192.168.0.1.
Step 5 The last needs to reject the host from anywhere to the IP address of 192.168.0.1, which is a port 3128, which requires input instruction Routerconfig # Access List 101 deny TCP ANY Host 192.168.0.1 EQ 3128 to complete.
Step 6 At this point, we have set up our expected access list, however, in order to allow all other IPs to access smoothly, we also need to enter Routerconfig # acess -list 101 permit ip any again to allow other access requests.
However, in order to enable the router to perform the list of access we do, we also need to add this list to the interface check program, and the specific operation is as follows.
Enter the instruction Routerconfig # interface EO / 1 Enter the interface interface Ethernet 0/1, then type the instruction Routerconfig-IF # ip access-group 101 OUT to implement the access list on this interface. In this way, any TCP package to leave the interface must pass the check list rule, that is, the host from the IP address 192.168.0.1, port (port) belongs to Telnet (23), WWW (80) The access of 3128 will be refused. Finally, the input command WRITE will set the write start configuration, and it is very successful. In this way, your host is too safe, although only a few common ports are prohibited, but you can refuse the unfair people. Also, if you see what port may be attacked or have a vulnerability, you can also block the vulnerability through the above method.
Windows2000 Server / Advance Server NAT shared online routing settings
Windows 2000 Server / Advance Server As the core of Microsoft network products, we have powerful network management service features, we can directly utilize their built-in routing service functions to achieve local area network sharing Internet access, rather than using the ICS equipped (shared Internet access).
In the ADSL virtual dial environment, for the PPPoe program that uses analog 56K dial-up, because PPPoE is not standard dial, routing services cannot confirm that the dial port and device, we don't debug success, easy to implement, A line mode ADSL is similar to this.
First enter the server as an Administrator administrator, open the routing setting, as shown below
After entering the "Routing and Remote Access" console, we choose "Configure and enable routing and remote access",
Then enter the Configuration Wizard interface, click Next, in public settings we should be to let the server as a shared Internet server, so we select "Internet Connecting Server"
The wizard will then make us decide to use a simple ICS (Internet Connection Sharing) or a more powerful NAT routing server. (ICS we have introduced this column). We choose to set it into a router
Then the server will allow us to set the interface used to connect the Internet. If you use the Enternet Series Dial, select Efficient Networks P.p.p.o.p.e Adapter, use the special line mode to select the NIC settings to connect the ADSL Bonds ISP. Of course, if you use 56K dial, select "Create a new request dial-up Internet connection", follow the new wizard to complete the settings, PPPoE simulation 56K dialing existence is not implemented.
The wizard will prompt our DNS address resolution settings, in order to access the Internet URL correctly, we choose DNS on the Internet.
The final installation wizard will prompt you, the routing service will provide NAT routing services within the LAN address, generally automatically detect the local area network address range correctly, click Next to complete the settings.
After the settings we can see "Network Address Translation (NAT)" in the console, define the internal connection and external connections, see the property to confirm whether the correct interface is selected.
After the server setting is complete, you need to set up the local area network client. The setting method is also very simple, set the gateway and DNS to Windows 2000 Server / Advance Server
