How to prohibit mutual access between intranet VLANs? How to divide VLANs in a LAN

An enterprise intranet is usually divided into several VLANs. Doing so improves intranet security and simplifies management. For example, wired and wireless clients can be placed in different network segments so that wireless devices cannot reach the corporate intranet, which protects internal information; different network policies and bandwidth-control policies can then be applied to each segment. Each VLAN is also its own broadcast domain, so dividing the LAN limits the reach of a broadcast storm. VLANs are generally divided in one of the following three ways:

1. Divide VLANs through Layer 3 switches


As shown in the figure above, a Layer 3 switch can divide the VLANs itself and apply the corresponding access permissions (ACLs) between them, routing inter-VLAN traffic without involving the gateway.

2. Assign VLAN directly on the gateway

Port-based VLANs are the simplest way to divide VLANs. As shown in the figures below, several VLANs are created directly on the LAN ports of the WSG gateway, and each port is then connected to a Layer 2 switch. The division is achieved without any VLAN configuration on the switches, and because the segments never share a switch, a client can reach another VLAN only through the gateway.



3. 802.1Q VLAN division scheme


The WSG gateway's LAN interface is connected to a trunk port on the Layer 2 switch. Access ports on the switch are assigned to VLAN IDs, and every frame crossing the trunk carries an 802.1Q tag that tells the gateway which VLAN it belongs to, so one gateway port serves all VLANs. This is also an important way of forming VLANs. One caveat: the native (untagged) VLAN must be configured identically at both ends of the trunk, because untagged frames are placed in the port's native VLAN and a mismatch silently merges two segments that were meant to stay separate.
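To make the tagging concrete, here is an added example (not code from the article or from the WSG product) that decodes the 802.1Q tag of a frame arriving on the gateway's trunk port and reports which VLAN the frame belongs to, including the untagged and priority-tagged cases that fall into the native VLAN. The MAC addresses, the payload, VLAN ID 20 for the wireless segment and the native VLAN ID are all constructed assumptions for illustration.

```python
import struct
from typing import NamedTuple

TPID_8021Q = 0x8100    # TPID that introduces a customer (802.1Q) VLAN tag
TPID_8021AD = 0x88A8   # TPID of a service (802.1ad, QinQ outer) tag
ETHERTYPE_IPV4 = 0x0800


class Frame(NamedTuple):
    dst: str
    src: str
    tagged: bool     # False: no VLAN tag, frame lands in the port's native (PVID) VLAN
    vid: int         # VLAN the switch/gateway will forward this frame in
    pcp: int         # 802.1p priority bits from the outermost tag
    ethertype: int   # EtherType of the payload after all tags
    payload: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes, native_vid: int = 1) -> Frame:
    """Strip 802.1Q/802.1ad tags and report which VLAN the frame belongs to.

    native_vid is the assumed PVID of the receiving trunk port: untagged frames
    and priority-tagged frames (VID 0) are placed in it, which is why the native
    VLAN has to match on both ends of a trunk.
    """
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    offset = 14
    tagged, vid, pcp = False, native_vid, 0
    outermost = True
    while etype in (TPID_8021Q, TPID_8021AD):
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, etype = struct.unpack("!HH", raw[offset:offset + 4])
        this_vid = tci & 0x0FFF
        if this_vid == 0x0FFF:
            raise ValueError("VID 4095 is reserved")
        if outermost:
            # Only the outermost tag decides forwarding; inner (QinQ) tags pass through.
            pcp = tci >> 13
            if this_vid != 0:
                tagged, vid = True, this_vid
            outermost = False
        offset += 4
    return Frame(_mac(dst), _mac(src), tagged, vid, pcp, etype, raw[offset:])


def build_tagged_frame(dst: str, src: str, vid: int, ethertype: int,
                       payload: bytes, pcp: int = 0) -> bytes:
    """Insert a single 802.1Q tag after the MAC addresses, as a trunk port emits it."""
    if not 0 <= vid <= 0x0FFE or not 0 <= pcp <= 7:
        raise ValueError("VID must be 0..4094 and PCP 0..7")
    header = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return header + struct.pack("!HHH", TPID_8021Q, (pcp << 13) | vid, ethertype) + payload


# Constructed sample data (not captured traffic): a frame from the wireless VLAN,
# assumed to use VID 20, as the gateway sees it on the trunk, and the same frame
# untagged as an access port would deliver it.
GATEWAY_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "66:77:88:99:aa:bb"
SAMPLE_PAYLOAD = b"\x45\x00" + b"\x00" * 26   # placeholder IPv4 bytes, constructed
WIRELESS_TAGGED = build_tagged_frame(GATEWAY_MAC, CLIENT_MAC, 20, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
UNTAGGED = (bytes.fromhex(GATEWAY_MAC.replace(":", ""))
            + bytes.fromhex(CLIENT_MAC.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4) + SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for name, raw in (("tagged", WIRELESS_TAGGED), ("untagged", UNTAGGED)):
        f = parse_frame(raw, native_vid=1)
        print(f"{name:9} vid={f.vid:<4} tagged={f.tagged} ethertype=0x{f.ethertype:04x} src={f.src}")
```

The point of the `native_vid` parameter is the trunk caveat above: the tagged frame is forwarded in VLAN 20 regardless of the port's configuration, while the untagged frame is placed in whatever native VLAN the receiving port happens to have, so the two ends of the trunk must agree on it.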

4. Configure policies to prohibit mutual access between VLANs

WSG's "firewall policy" controls access between VLANs. As shown in the figure below, to stop the wireless segment 192.168.2.x from communicating with the wired segment 192.168.1.x, add a blocking rule in the "Forward" direction of the "Intranet" with the wireless segment as the source and the wired segment as the destination. Two caveats apply. First, such a rule only blocks sessions opened from the wireless side; if the isolation must hold in both directions, add the mirror rule with the wired segment as the source. Second, the rule can only take effect if the gateway is the only Layer 3 path between the two segments, that is, the switch between them is doing pure Layer 2 forwarding.


After the LAN has been divided into VLANs, the rules governing access between them must be set sensibly, otherwise the division adds little to intranet security. The following rules are a reasonable starting point:

  1. Access between non-server network segments is prohibited, in both directions.

  2. The server network segment accepts access from the other VLANs.

  3. Because it is reachable from every other segment, the server network segment also needs additional protection, such as intrusion detection.

  4. Keep the number of terminals in each network segment to about 200 or fewer, which fits within a single /24 and keeps the broadcast domain small.
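The following added example (not code from the article or the WSG product) models how a gateway's "Forward" rules from section 4 and access rules 1 and 2 above behave: first-match evaluation with a default of allow, plus the stateful reply handling every modern gateway does. It shows why the single rule in the screenshot blocks only sessions opened from the wireless side, and derives the full set of block rules from a list of segments. The wired and wireless /24s are the ones from the article; the server segment 192.168.10.0/24, the host addresses and the session table keyed on address pairs are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Segment:
    name: str
    net: IPv4Net
    is_server: bool = False


@dataclass(frozen=True)
class Rule:
    src: IPv4Net
    dst: IPv4Net
    action: str  # "block" or "allow"


def build_policy(segments: List[Segment]) -> List[Rule]:
    """Derive Forward-direction rules from access rules 1 and 2: every pair of
    non-server segments is blocked in both directions, while the server segment
    stays reachable (the gateway default is allow, so it needs no explicit rule)."""
    clients = [s for s in segments if not s.is_server]
    return [Rule(a.net, b.net, "block") for a in clients for b in clients if a is not b]


class ForwardFirewall:
    """First-match rule evaluation plus a minimal state table, the way a gateway's
    Forward chain with connection tracking behaves. The state table is keyed on
    (src, dst) address pairs only, a simplification of real 5-tuple tracking."""

    def __init__(self, rules: List[Rule], default: str = "allow") -> None:
        self.rules = rules
        self.default = default
        self.sessions: Set[Tuple[IPv4Addr, IPv4Addr]] = set()

    def decision(self, src_ip: str, dst_ip: str) -> str:
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if (dst, src) in self.sessions:
            return "allow"          # reply to a session the firewall already accepted
        verdict = self.default
        for r in self.rules:
            if src in r.src and dst in r.dst:
                verdict = r.action
                break
        if verdict == "allow":
            self.sessions.add((src, dst))
        return verdict


# Constructed segments: the two /24s from the article plus an assumed server segment.
WIRED = Segment("wired", IPv4Net("192.168.1.0/24"))
WIRELESS = Segment("wireless", IPv4Net("192.168.2.0/24"))
SERVERS = Segment("servers", IPv4Net("192.168.10.0/24"), is_server=True)


def screenshot_policy_gap() -> Tuple[str, str, str]:
    """Only the one rule from the screenshot (wireless -> wired blocked)."""
    fw = ForwardFirewall([Rule(WIRELESS.net, WIRED.net, "block")])
    a = fw.decision("192.168.2.10", "192.168.1.10")   # wireless opens to wired: block
    b = fw.decision("192.168.1.10", "192.168.2.10")   # wired opens to wireless: allow
    c = fw.decision("192.168.2.10", "192.168.1.10")   # wireless replies: allow (stateful)
    return a, b, c


def full_policy_results() -> Dict[str, str]:
    """Both directions blocked between client segments, servers still reachable."""
    fw = ForwardFirewall(build_policy([WIRED, WIRELESS, SERVERS]))
    return {
        "wireless->wired": fw.decision("192.168.2.10", "192.168.1.10"),
        "wired->wireless": fw.decision("192.168.1.10", "192.168.2.10"),
        "wireless->server": fw.decision("192.168.2.10", "192.168.10.5"),
        "server->wireless (reply)": fw.decision("192.168.10.5", "192.168.2.10"),
        "wired->server": fw.decision("192.168.1.10", "192.168.10.5"),
    }


if __name__ == "__main__":
    print("screenshot rule only:", screenshot_policy_gap())
    for k, v in full_policy_results().items():
        print(f"{k:26} {v}")
```

The third decision in `screenshot_policy_gap` is the one to notice: once a wired host has opened a session, the wireless host's packets back to it pass even though the rule says wireless to wired is blocked, because they are replies to an accepted session. Isolation therefore needs the block in both directions, which `build_policy` generates for every pair of non-server segments.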


Source: blog.51cto.com/12800391/2489274