The implementation of DHCP services in a multi-VLAN environment is upgraded to the network, and you must take into account all aspects, and how to implement DHCP services in a multi-VLAN environment is one of them. The principle uses DHCP mode to obtain IP addresses, need to utilize broadcast packets, according to normal conditions, DHCP services can only be implemented within the same broadcast domain. The establishment of VLAN is to isolate the broadcast package, why can DHCP cross-network segments on a three-layer switch? This requires us to convert the broadcast packets requested by DHCP to unicast requests, will forward the request to forward the request To the VLAN where the DHCP server is located, the cross-VLAN service of DHCP is implemented. Implementation Method In order to achieve DHCP services across VLANs, it is necessary to start from two aspects. On the one hand, on the switch to specify the IP address of the DHCP server, on the other hand, create a new scope on the DHCP server. The following is a specific step of CATLYST 4506 below: 1. Configure the DHCP server on the switch: IP DHCP-Server 192.168.0.69 2. Set the same DHCP server for each VLAN in the switch: Interface VLAN11 ip address 192.168.1.254 255.255.255.0 ip helper-address 192.168.0.69 DHCP server IP interface Vlan12 ip address 192.168.2.254 255.255.255.0 ip helper-address 192.168.0.69 DHCP server IP 3. disposed on the DHCP server network address 192.168 respectively . 1.0, 192.168.2.0 The scope of the field, and set these rolers to the "router" option to the interface IP address of the corresponding VLAN. Constructing the "Copper Wall Wall" author with network equipment to perform ACL (Access Control List) configuration on routers and switches to prevent viruses and hackers, and the effect is very good. After the configuration, the network equipment effectively prevents the attack of oscillating wave in many hosts without the corresponding patches. Because viruses (especially system vulnerability viruses) are propagated and attacked by the corresponding port, we can consider setting the corresponding ACL on the router or switches. We will explain as an example. The specific ACL configuration is as follows: Access-list 101 permit TCP Any Any ESTABLISHED This command is an ACL, which allows the connected connection from the outside to the external direction, and connection not established in advance The rejection will be rejected. Finally, the ACL can be bound to the corresponding port to achieve the purpose of preventive viruses. Let us now take a look at how to use this technology to meet the shock wave. Many computers have no patch, so that the exterior infected the host of oscillatingly spread viruses through the 3 ports of 445, 5554 and 9996. Since we set ACL, this data will be filtered out by the router when the external virus actively transmits the internal 445, 5554, 9996 port, and the truly anti-happening is true. Such settings have no effect on users in the intranet. Tip 1. Because the ESTABLISHED statement only supports the TCP protocol, if the company wants to transmit DNS and other information, set the corresponding ACL statement to open UDP transmission, format is Access-List 101 permit udp any any.
2. After this setting, the user complained that the FTP can not be used, because FTP password verification and data transfer are not the same port, password verification uses 21 ports, and data transmission uses 20 ports, so we also add corresponding ACL, format For Access-List 101 Permit TCP Any Any EQ FTP-DATA or Access-List 101 Permit TCP ANY Any EQ 20. Available with routers to prevent malicious attacks NT vulnerabilities In addition to ADSL dial-up, cell broadband Internet access is also very common. If you use a cell broadband Internet access, do you think the router is just an Internet tool? In fact, you can use your router, you can also prevent hackers' attacks. Let us come in active. OBJECTIVE: To limit the external computer to the 192.168.0.1 of this cell, the 23 (Telnet), 80 (WWW), 3128 and other ports of the host. Prerequisites: The interface of the Router connects the internal network is ethernet0 / 1. After each command, press ENTER to execute, and the Cisco route is required. Step 1 Select Run in the Start menu, enter "cmd" in the pop-up dialog box and enter, then the window is connected, and the router is connected under the prompt, the instruction format is "Telnet Router IP Address". When the Telnet Password is required to enter Telnet Password, the "login" word is displayed, enter the password and confirm, and then enter the instruction enable, and the password is entered when entering the enable password on the screen. Tip: These two passwords are generally provided by router manufacturers or dealers, they can call queries. Step 2 Enter the instruction Router # Configure Termihal to enter the router's configuration mode, and the router can only be set on this mode. Step 3 After entering the configuration mode, enter the instruction router (config) #access -list 101 deny tcp any host 192.168.0.1 EQ Telnet, the function of the instruction is to set the access list Access list Access LIST , this command represents refusing to connect to the IP address Any request for the host of 192.168.0.1 belonging to port port 23 (telnet). Step 4 Enter the router config # aecess -list 101 deny TCP Any Host 192.168.0.1 EQ WWW instructions to reject a request from the host to the port 80 (WWW) of the IP address of 192.168.0.1. Step 5 The last needs to reject the host from anywhere to the IP address of 192.168.0.1, which is a port 3128, which requires input instruction Routerconfig # Access List 101 deny TCP ANY Host 192.168.0.1 EQ 3128 to complete. Step 6 At this point, we have set up our expected access list, however, in order to allow all other IPs to access smoothly, we also need to enter Routerconfig # acess -list 101 permit ip any again to allow other access requests. However, in order to enable the router to perform the list of access we do, we also need to add this list to the interface check program, and the specific operation is as follows. Enter the instruction Routerconfig # interface EO / 1 Enter the interface interface Ethernet 0/1, then type the instruction Routerconfig-IF # ip access-group 101 OUT to implement the access list on this interface.
In this way, any TCP package to leave the interface must pass the check list rule, that is, the host from the IP address 192.168.0.1, port (port) belongs to Telnet (23), WWW (80) The access of 3128 will be refused. Finally, the input command WRITE will set the write start configuration, and it is very successful. In this way, your host is too safe, although only a few common ports are prohibited, but you can refuse the unfair people. Also, if you see what port may be attacked or have a vulnerability, you can also block the vulnerability through the above method. Windows2000 Server / Advance Server NAT shared Internet Routing Windows 2000 Server / Advance Server As the core of Microsoft network products, with powerful network management service features, we can directly utilize their built-in routing service functions to achieve local area network sharing Internet, not use The ICS (shared Internet function) is equipped. Http://www.acnow **** In the ADSL virtual dial-up environment, for the PPPoe program that uses analog 56K dial, because PPPoE is not standard dial, routing services cannot confirm the dial port and device, we have no debugging. Success, it can be easily implemented under the Enternet Series using the analog LAN's network card, and the line mode ADSL is similar. http://www.acnow.net/ Piltlb6GWBQ First enter the server as an Administrator administrator, open the routing setting, as shown below http://www.acnow.net/ YG This topic is as follows: http: // www .kew.net / properly after the "Routing and Remote Access" console, we select "Configure and enable Routing and Remote Access", http://www.acnow.net/ Piltlb6GWBQ This topic is as follows: http: // Www.acnow.net/ Piltlb6GWBQ then go to the Configuration Wizard interface, click Next, we should be the server as a shared Internet server in public settings, so we select "Internet Connection Server" http://www.acnow. NET / PILTLB6GWBQ This topic related pictures are as follows: http://www.acnow.net/ Piltlb6GWBQ The Wizard will make us decide to use simple ICS (Internet Connection Sharing) or more powerful NAT routing servers. (ICS we have introduced this column). We choose to set it into a router http://www.acnow.net/ Piltlb6GWBQ This topic related pictures are as follows: http://www.acnow.net/PilTlb6GWBQ then the server will let us set up The interface used to connect the Internet, select the Efficient Networks PPPoe Adapter using the Enternet Series Dial, and use the special line mode to select the NIC settings for the IP settings provided by the ADSL Bond ISP. Of course, if you use 56K dial, select "Create a new request dial-up Internet connection", follow the new wizard to complete the settings, PPPoE simulation 56K dialing existence is not implemented.
