
Lab0: VLANs and ACLs

Following on from the previous post, we now add VLANs and ACLs to the lab as an extra layer of security.

ACLs

At the moment the Public, Administrative and Development networks can all reach each other through R1. To stop this we add standard ACLs to R1, one per network. A standard ACL matches on source address only, so each list is applied outbound on the R1 interface that faces the network being protected: it drops packets that come from the other two networks before they are delivered onto that segment. We create the rules for each network:

Public Network

For this network we need to block traffic coming from the Administrative (172.16.30.0-172.16.39.255) and Development (172.16.40.0-172.16.49.255) networks. We create access-list 2:

R1(config)#access-list 2 deny 172.16.30.0 0.0.1.255
R1(config)#access-list 2 deny 172.16.32.0 0.0.7.255
R1(config)#access-list 2 deny 172.16.40.0 0.0.7.255
R1(config)#access-list 2 deny 172.16.48.0 0.0.1.255
R1(config)#access-list 2 permit any

Then we apply it outbound on the R1 interface that faces the Public network:

R1(config)#int gig2/0
R1(config-if)#ip access-group 2 out

We verify the rules with:

R1(config)#do sh access-list 2
Standard IP access list 2
 10 deny 172.16.30.0, wildcard bits 0.0.1.255
 20 deny 172.16.32.0, wildcard bits 0.0.7.255
 30 deny 172.16.40.0, wildcard bits 0.0.7.255
 40 deny 172.16.48.0, wildcard bits 0.0.1.255
 50 permit any

If we now test connectivity between the Public network and the other two, pings get no response in either direction: a request from Administrative or Development is dropped by list 2 on gig2/0, and a request from Public still gets through, but its reply is dropped on the way back for the same reason.

Administrative Network

Similarly to the Public network, we create access-list 3 denying the Public and Development networks and apply it outbound on gig3/0:

R1(config)#access-list 3 deny 172.16.20.0 0.0.3.255
R1(config)#access-list 3 deny 172.16.24.0 0.0.3.255
R1(config)#access-list 3 deny 172.16.28.0 0.0.1.255
R1(config)#access-list 3 deny 172.16.40.0 0.0.7.255
R1(config)#access-list 3 deny 172.16.48.0 0.0.1.255
R1(config)#access-list 3 permit any
R1(config)#int gig3/0
R1(config-if)#ip access-group 3 out

Development Network

We deny traffic from the Administrative and Public networks and apply list 4 outbound on gig4/0:

R1(config)#access-list 4 deny 172.16.20.0 0.0.3.255
R1(config)#access-list 4 deny 172.16.24.0 0.0.3.255
R1(config)#access-list 4 deny 172.16.28.0 0.0.1.255
R1(config)#access-list 4 deny 172.16.30.0 0.0.1.255
R1(config)#access-list 4 deny 172.16.32.0 0.0.7.255
R1(config)#access-list 4 permit any
R1(config)#int gig4/0
R1(config-if)#ip access-group 4 out

We review the full set of rules:

R1(config)#do sh access-list
Standard IP access list 1
 10 permit 172.16.20.0, wildcard bits 0.0.0.255 (2 matches)
 20 permit 172.16.30.0, wildcard bits 0.0.0.255 (5 matches)
 30 permit 172.16.40.0, wildcard bits 0.0.0.255 (1 match)
Standard IP access list 2
 10 deny 172.16.30.0, wildcard bits 0.0.1.255
 20 deny 172.16.32.0, wildcard bits 0.0.7.255
 30 deny 172.16.40.0, wildcard bits 0.0.7.255
 40 deny 172.16.48.0, wildcard bits 0.0.1.255
 50 permit any
Standard IP access list 3
 10 deny 172.16.20.0, wildcard bits 0.0.3.255
 20 deny 172.16.24.0, wildcard bits 0.0.3.255
 30 deny 172.16.28.0, wildcard bits 0.0.1.255
 40 deny 172.16.40.0, wildcard bits 0.0.7.255
 50 deny 172.16.48.0, wildcard bits 0.0.1.255
 60 permit any
Standard IP access list 4
 10 deny 172.16.20.0, wildcard bits 0.0.3.255
 20 deny 172.16.24.0, wildcard bits 0.0.3.255
 30 deny 172.16.28.0, wildcard bits 0.0.1.255
 40 deny 172.16.30.0, wildcard bits 0.0.1.255
 50 deny 172.16.32.0, wildcard bits 0.0.7.255
 60 permit any
R1(config)#

With these rules the three networks are isolated from each other and, because every list ends in permit any, they keep their connectivity to the internet. That last entry matters: every Cisco ACL ends in an implicit deny, so without permit any nothing would leave these interfaces, including the replies to internet traffic. List 1 is the one we created for the NAT pool; note that it only matches the first /24 of each block (wildcard 0.0.0.255), so hosts outside 172.16.20.0/24, 172.16.30.0/24 and 172.16.40.0/24 are allowed out by the lists above but are not translated.
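To see these semantics without a router at hand, here is a small Python model of R1's outbound standard ACLs. It is an added example, not part of the lab, and it assumes three constructed host addresses (one per network) and a toy routing table that sends anything outside the three LANs to the WAN side, where no ACL is applied. It shows first-match evaluation, the implicit deny at the end of a list, and the fact that a standard list filters on source address only:

```python
import ipaddress

# The three lab networks and the R1 interface each one sits behind (interface
# names as used on the page).  The host addresses are constructed samples,
# one per network, chosen to fall outside the first /24 of each block.
NETWORKS = {
    "public": ("172.16.20.0", "172.16.29.255", "gig2/0"),
    "admin":  ("172.16.30.0", "172.16.39.255", "gig3/0"),
    "dev":    ("172.16.40.0", "172.16.49.255", "gig4/0"),
}
HOSTS = {"public": "172.16.21.10", "admin": "172.16.35.10", "dev": "172.16.45.10"}

# Standard ACLs exactly as configured on R1; a standard list matches on source only.
ACLS = {
    2: [("deny", "172.16.30.0", "0.0.1.255"), ("deny", "172.16.32.0", "0.0.7.255"),
        ("deny", "172.16.40.0", "0.0.7.255"), ("deny", "172.16.48.0", "0.0.1.255"),
        ("permit", "any", None)],
    3: [("deny", "172.16.20.0", "0.0.3.255"), ("deny", "172.16.24.0", "0.0.3.255"),
        ("deny", "172.16.28.0", "0.0.1.255"), ("deny", "172.16.40.0", "0.0.7.255"),
        ("deny", "172.16.48.0", "0.0.1.255"), ("permit", "any", None)],
    4: [("deny", "172.16.20.0", "0.0.3.255"), ("deny", "172.16.24.0", "0.0.3.255"),
        ("deny", "172.16.28.0", "0.0.1.255"), ("deny", "172.16.30.0", "0.0.1.255"),
        ("deny", "172.16.32.0", "0.0.7.255"), ("permit", "any", None)],
}
# "ip access-group <n> out" per interface
OUTBOUND = {"gig2/0": 2, "gig3/0": 3, "gig4/0": 4}


def _i(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(ip, network, wildcard):
    """A 1 bit in the wildcard means 'don't care'; only the 0 bits must be equal."""
    care = ~_i(wildcard) & 0xFFFFFFFF
    return (_i(ip) & care) == (_i(network) & care)


def evaluate(acl, src):
    """Cisco semantics: the first matching entry decides; no match is an implicit deny."""
    for action, network, wildcard in acl:
        if network == "any" or wildcard_match(src, network, wildcard):
            return action
    return "deny"


def egress_interface(dst):
    """Toy routing table (assumption): the LAN containing dst, else the WAN (None)."""
    for first, last, iface in NETWORKS.values():
        if _i(first) <= _i(dst) <= _i(last):
            return iface
    return None


def forwarded(src, dst):
    """Does R1 deliver a packet src -> dst once the outbound ACLs are applied?"""
    iface = egress_interface(dst)
    if iface is None or iface not in OUTBOUND:   # no ACL on the WAN side
        return True
    return evaluate(ACLS[OUTBOUND[iface]], src) == "permit"


def isolation_matrix():
    """(src_net, dst_net) -> True if forwarded, for every pair of the three LANs."""
    return {(s, d): forwarded(HOSTS[s], HOSTS[d]) for s in HOSTS for d in HOSTS}


if __name__ == "__main__":
    for (s, d), ok in sorted(isolation_matrix().items()):
        print(f"{s:7} -> {d:7}: {'permit' if ok else 'DROP'}")
    print("public -> 8.8.8.8:", forwarded(HOSTS["public"], "8.8.8.8"))
    # Drop the trailing "permit any" and everything is denied, including WAN replies.
    print("list 2 without permit any:", evaluate(ACLS[2][:-1], HOSTS["public"]))
```

Running it prints the 3x3 matrix: only the diagonal (traffic staying inside its own network) and the internet destination are permitted, and the same model with the final permit any removed returns deny for a perfectly innocent Public source, which is the implicit-deny trap mentioned above.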

Wildcards

A standard ACL entry takes a network address and a wildcard mask, where a 1 bit in the wildcard means "don't care". A range that is not a single power-of-two aligned block has to be split into several entries. For the Public network (172.16.20.0-172.16.29.255) we use 172.16.20.0 with wildcard 0.0.3.255 to cover 172.16.20.0-172.16.23.255, then 172.16.24.0 0.0.3.255 for 172.16.24.0-172.16.27.255 and 172.16.28.0 0.0.1.255 for 172.16.28.0-172.16.29.255. The same method gives the two entries each for the Administrative and Development networks. This notation is described in chapter 10 of the book.

/pentesting/lab/lab01/images/wildcards.png
Figure 1: Wildcards for each block
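The decomposition above can be computed rather than read off a table. The following Python function is an added example (not from the lab or the book): it splits any inclusive address range into the fewest aligned blocks and renders the matching access-list entries; the list number and network names used in the demo are assumptions, the ranges are the lab's.

```python
import ipaddress


def wildcard_blocks(first, last):
    """Split the inclusive range first..last into the fewest power-of-two
    aligned blocks and return them as (network, wildcard) pairs, which is
    what a Cisco standard ACL entry takes.  A block of size 2^k must start
    on a multiple of 2^k, and its wildcard is size - 1."""
    start, end = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError("range start is after its end")
    blocks = []
    while start <= end:
        size = 1
        # grow while the block stays aligned to its own size and inside the range
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(start)),
                       str(ipaddress.IPv4Address(size - 1))))
        start += size
    return blocks


def acl_lines(number, action, first, last):
    """Render 'access-list <n> <action> <network> <wildcard>' for each block."""
    return [f"access-list {number} {action} {net} {wc}"
            for net, wc in wildcard_blocks(first, last)]


LAB_NETWORKS = {  # the three address blocks from the lab
    "public": ("172.16.20.0", "172.16.29.255"),
    "admin":  ("172.16.30.0", "172.16.39.255"),
    "dev":    ("172.16.40.0", "172.16.49.255"),
}

if __name__ == "__main__":
    for name, (first, last) in LAB_NETWORKS.items():
        print(f"! {name}: {first}-{last}")
        for line in acl_lines(2, "deny", first, last):   # list number is illustrative
            print(line)
```

For the Public range this yields the three entries used in lists 3 and 4; a single host gives a 0.0.0.0 wildcard, and a range that starts on an odd address produces a run of small blocks before the larger aligned ones, which is exactly the case where a hand-written wildcard is most likely to over- or under-match.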

VLANs

Table of VLANs for each network:

VLAN ID   Network
20        Public
30        Administrative
40        Development

Public Network Switch (SWP)

We add a device that serves information to clients. It is connected through the Public switch but belongs to the Administrative network, so SWP has to carry VLAN 30 as well as VLAN 20:

/pentesting/lab/lab01/images/vlanNet.png
Figure 2: VLAN connection

We create the VLANs we will use on this switch:

SWP(config)#vlan 20
SWP(config-vlan)#name publicNet
SWP(config-vlan)#vlan 30
SWP(config-vlan)#name adminNet
SWP(config-vlan)#

Now we assign interfaces gig2/0-3 to VLAN 20 as access ports:

SWP(config)#int range gig2/0-3
SWP(config-if-range)#switchport mode access
SWP(config-if-range)#switchport access vlan 20
SWP(config-if-range)#

Similarly, interfaces gig3/0-3 go to VLAN 30:

SWP(config)#int range gig3/0-3
SWP(config-if-range)#switchport mode access
SWP(config-if-range)#switchport access vlan 30

We review the VLAN table:

SWP(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
20   publicNet                        active    Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
20   enet  100020     1500  -      -      -        -    -        0      0   
30   enet  100030     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

SWP(config)#

Trunk interface

Only VLAN 30 needs to cross the link between SWA and SWP, so there is no need for an 802.1Q trunk: the port at each end of that link is simply an access port in VLAN 30. If either end were left in VLAN 1 the administrative device would be cut off rather than connected, so check with show vlan that the link ports appear under VLAN 30 on both switches.

The ports that remain in VLAN 1 on SWP (Gi0/0-3 and Gi1/0-3) are unused; as a matter of hygiene they should be shut down or moved to an unused VLAN so that anything plugged into a spare port does not land in the default VLAN.

Administrative Network Switch (SWA)

We create the VLAN we use on this switch:

SWA(config)#vlan 30
SWA(config-vlan)#name adminNet
SWA(config-vlan)#

Now we assign interfaces gig3/0-3 to VLAN 30:

SWA(config)#int range gig3/0-3
SWA(config-if-range)#switchport mode access
SWA(config-if-range)#switchport access vlan 30

The VLAN table:

SWA(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
30   enet  100030     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

SWA(config)#

Development Network Switch (SWD)

We create the VLAN:

SWD(config)#vlan 40
SWD(config-vlan)#name devNet
SWD(config-vlan)#

Now we assign interfaces gig1/0-3 to VLAN 40:

SWD(config)#int range gig1/0-3
SWD(config-if-range)#switchport mode access
SWD(config-if-range)#switchport access vlan 40
SWD(config-if-range)#

We verify the VLAN table:

SWD(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
                                                Gi3/0, Gi3/1, Gi3/2, Gi3/3
40   devNet                           active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
1002 fddi-default                     act/unsup 
1003 token-ring-default               act/unsup 
1004 fddinet-default                  act/unsup 
1005 trnet-default                    act/unsup 

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0   
40   enet  100040     1500  -      -      -        -    -        0      0   
1002 fddi  101002     1500  -      -      -        -    -        0      0   
1003 tr    101003     1500  -      -      -        -    -        0      0   
1004 fdnet 101004     1500  -      -      -        ieee -        0      0   
1005 trnet 101005     1500  -      -      -        ibm  -        0      0   

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

SWD(config)#

Connectivity from all three networks to the internet is not interrupted.
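Checking the three VLAN tables by eye is error-prone, so here is an added Python example (not part of the lab) that parses the first table of a Cisco show vlan listing and audits it against the intended port map: ports left in the default VLAN 1 and any VLAN whose membership differs from the design are reported. The embedded sample is the SWP output from above; the expected port map is an assumption taken from the table of VLANs and the access-port commands.

```python
import re

# Constructed sample: the SWP "show vlan" output from this lab, first table only
# (the parser stops at the blank line that ends that table anyway).
SWP_SHOW_VLAN = """\
SWP(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
20   publicNet                        active    Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
"""

# A table row: id, name (no spaces in IOS VLAN names), status, optional port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(active|act/unsup|suspended|act/lshut)\s*(.*)$")


def _split_ports(s):
    return [p.strip() for p in s.split(",") if p.strip()]


def parse_show_vlan(text):
    """Return {vlan_id: {"name", "status", "ports"}} from the first table of a
    'show vlan' listing.  Indented lines continue the port list of the row above;
    the first blank line after the table ends it."""
    vlans, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            if vlans:                 # blank line after the table: done
                break
            continue                  # blank line before the table (after the prompt)
        if line.startswith(("VLAN", "----")):
            continue                  # header and separator
        m = ROW.match(line)
        if m:
            vid, name, status, ports = m.groups()
            current = int(vid)
            vlans[current] = {"name": name, "status": status,
                              "ports": _split_ports(ports)}
        elif line.startswith(" ") and current is not None:
            vlans[current]["ports"].extend(_split_ports(line))
    return vlans


def audit(vlans, expected):
    """expected: {vlan_id: set_of_ports}.  Reports ports still in VLAN 1 (the
    default) and every VLAN whose actual membership differs from the design."""
    findings = []
    for port in vlans.get(1, {}).get("ports", []):
        findings.append(f"{port} is still in default VLAN 1; shut it down or move it to an unused VLAN")
    for vid, ports in expected.items():
        actual = set(vlans.get(vid, {}).get("ports", []))
        if actual != ports:
            findings.append(f"VLAN {vid}: expected {sorted(ports)}, found {sorted(actual)}")
    return findings


# Intended port map for SWP (assumption based on the lab's access-port commands).
SWP_EXPECTED = {
    20: {"Gi2/0", "Gi2/1", "Gi2/2", "Gi2/3"},
    30: {"Gi3/0", "Gi3/1", "Gi3/2", "Gi3/3"},
}

if __name__ == "__main__":
    table = parse_show_vlan(SWP_SHOW_VLAN)
    for finding in audit(table, SWP_EXPECTED) or ["no findings"]:
        print(finding)
```

Against the SWP sample the membership of VLANs 20 and 30 matches the design and the only findings are the eight unused ports still sitting in VLAN 1. Feeding it the SWA or SWD output (with that switch's expected map) works the same way, and a missing port at either end of the SWA to SWP link shows up as a VLAN 30 mismatch.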

In the next post, we will connect an OpenWrt router to GNS3.