Following the previous post, we will now add VLANs and ACLs to add an extra layer of security.
ACLs
The Public, Administrative, and Development networks can currently communicate with each other. To prevent this, we add ACLs on R1, with one set of rules per network:
Public Network
For this network, we need to deny routing to the Administrative and Development networks. We create an access-list 2:
R1(config)#access-list 2 deny 172.16.30.0 0.0.1.255
R1(config)#access-list 2 deny 172.16.32.0 0.0.7.255
R1(config)#access-list 2 deny 172.16.40.0 0.0.7.255
R1(config)#access-list 2 deny 172.16.48.0 0.0.1.255
R1(config)#access-list 2 permit any
Now, on the interface for this network on R1:
R1(config)#int gig2/0
R1(config-if)#ip access-group 2 out
We verify the rules with:
R1(config)#do sh access-list 2
Standard IP access list 2
    10 deny   172.16.30.0, wildcard bits 0.0.1.255
    20 deny   172.16.32.0, wildcard bits 0.0.7.255
    30 deny   172.16.40.0, wildcard bits 0.0.7.255
    40 deny   172.16.48.0, wildcard bits 0.0.1.255
    50 permit any
If we now test connectivity between the Public network and the other networks, in either direction, we get no response.
Administrative Network
As with the Public network, we create access-list 3, which denies the Public and Development networks, and apply it outbound on the Administrative interface:
R1(config)#access-list 3 deny 172.16.20.0 0.0.3.255
R1(config)#access-list 3 deny 172.16.24.0 0.0.3.255
R1(config)#access-list 3 deny 172.16.28.0 0.0.1.255
R1(config)#access-list 3 deny 172.16.40.0 0.0.7.255
R1(config)#access-list 3 deny 172.16.48.0 0.0.1.255
R1(config)#access-list 3 permit any
R1(config)#int gig3/0
R1(config-if)#ip access-group 3 out
Development Network
We deny routing to the Administrative and Public networks and apply the list outbound on the Development interface:
R1(config)#access-list 4 deny 172.16.20.0 0.0.3.255
R1(config)#access-list 4 deny 172.16.24.0 0.0.3.255
R1(config)#access-list 4 deny 172.16.28.0 0.0.1.255
R1(config)#access-list 4 deny 172.16.30.0 0.0.1.255
R1(config)#access-list 4 deny 172.16.32.0 0.0.7.255
R1(config)#access-list 4 permit any
R1(config)#int gig4/0
R1(config-if)#ip access-group 4 out
We review the list of rules:
R1(config)#do sh access-list
Standard IP access list 1
    10 permit 172.16.20.0, wildcard bits 0.0.0.255 (2 matches)
    20 permit 172.16.30.0, wildcard bits 0.0.0.255 (5 matches)
    30 permit 172.16.40.0, wildcard bits 0.0.0.255 (1 match)
Standard IP access list 2
    10 deny   172.16.30.0, wildcard bits 0.0.1.255
    20 deny   172.16.32.0, wildcard bits 0.0.7.255
    30 deny   172.16.40.0, wildcard bits 0.0.7.255
    40 deny   172.16.48.0, wildcard bits 0.0.1.255
    50 permit any
Standard IP access list 3
    10 deny   172.16.20.0, wildcard bits 0.0.3.255
    20 deny   172.16.24.0, wildcard bits 0.0.3.255
    30 deny   172.16.28.0, wildcard bits 0.0.1.255
    40 deny   172.16.40.0, wildcard bits 0.0.7.255
    50 deny   172.16.48.0, wildcard bits 0.0.1.255
    60 permit any
Standard IP access list 4
    10 deny   172.16.20.0, wildcard bits 0.0.3.255
    20 deny   172.16.24.0, wildcard bits 0.0.3.255
    30 deny   172.16.28.0, wildcard bits 0.0.1.255
    40 deny   172.16.30.0, wildcard bits 0.0.1.255
    50 deny   172.16.32.0, wildcard bits 0.0.7.255
    60 permit any
R1(config)#
With these rules, the networks are isolated from each other and do not lose connectivity to the internet. Access list 1 is the one used for the NAT pool.
Wildcards
For the Public network we use the wildcard 0.0.3.255 to cover the blocks 172.16.20.0-172.16.23.0; this way of calculating wildcard masks is described in chapter 10 of the book.
Figure 1: Wildcards for each block
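As an added example (not code from the original post), the following Python parses show access-list output in the format shown above, applies the wildcard-mask matching IOS uses for a standard ACL (a 1 bit in the wildcard means "don't care"), and evaluates the list with first-match semantics, including the implicit deny at the end of every IOS access list. It also computes the address range a network/wildcard pair covers, which is the point of the Wildcards section: 172.16.20.0 with 0.0.3.255 spans 172.16.20.0 to 172.16.23.255. The sample output, the interface-to-list mapping and the test addresses are constructed from the values on the page; the parser additionally accepts host entries and the "(n matches)" suffix, which lists 2 to 4 do not use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "show access-list" output for lists 2, 3 and 4 from
# the page, embedded as a string so the example runs offline.
SHOW_ACCESS_LIST = """\
Standard IP access list 2
    10 deny   172.16.30.0, wildcard bits 0.0.1.255
    20 deny   172.16.32.0, wildcard bits 0.0.7.255
    30 deny   172.16.40.0, wildcard bits 0.0.7.255
    40 deny   172.16.48.0, wildcard bits 0.0.1.255
    50 permit any
Standard IP access list 3
    10 deny   172.16.20.0, wildcard bits 0.0.3.255
    20 deny   172.16.24.0, wildcard bits 0.0.3.255
    30 deny   172.16.28.0, wildcard bits 0.0.1.255
    40 deny   172.16.40.0, wildcard bits 0.0.7.255
    50 deny   172.16.48.0, wildcard bits 0.0.1.255
    60 permit any
Standard IP access list 4
    10 deny   172.16.20.0, wildcard bits 0.0.3.255
    20 deny   172.16.24.0, wildcard bits 0.0.3.255
    30 deny   172.16.28.0, wildcard bits 0.0.1.255
    40 deny   172.16.30.0, wildcard bits 0.0.1.255
    50 deny   172.16.32.0, wildcard bits 0.0.7.255
    60 permit any
"""
# Which list R1 applies outbound on which interface (from the page).
INTERFACE_ACL = {"gig2/0": 2, "gig3/0": 3, "gig4/0": 4}

ALL_ONES = 0xFFFFFFFF
LIST_HEADER = re.compile(r"^Standard IP access list (\d+)$")
ENTRY = re.compile(r"^(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\(\s*\d+ match(?:es)?\))?$")

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass
class AclEntry:
    seq: int
    action: str     # "permit" or "deny"
    network: int    # address as an integer
    wildcard: int   # wildcard mask as an integer; 1 bits mean "don't care"
    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & ALL_ONES   # compare only the bits the mask cares about
        return ip & care == self.network & care

def wildcard_to_range(network: str, wildcard: str) -> Tuple[str, str]:
    """First and last address covered by a network/wildcard pair."""
    net, wild = _ip(network), _ip(wildcard)
    lo = net & ~wild & ALL_ONES
    return str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(lo | wild))

def _parse_target(target: str) -> Tuple[int, int]:
    if target == "any":
        return 0, ALL_ONES
    m = re.match(r"^(\S+), wildcard bits (\S+)$", target)
    if m:
        return _ip(m.group(1)), _ip(m.group(2))
    return _ip(target.replace("host ", "")), 0   # "host A" or a bare address

def parse_show_access_list(text: str) -> Dict[int, List[AclEntry]]:
    acls: Dict[int, List[AclEntry]] = {}
    current: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = LIST_HEADER.match(line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            net, wild = _parse_target(m.group(3))
            acls[current].append(AclEntry(int(m.group(1)), m.group(2), net, wild))
    return acls

def evaluate(acl: List[AclEntry], src_ip: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation of a standard ACL against a source address.
    Returns (action, sequence), or ("deny", None) for the implicit deny."""
    ip = _ip(src_ip)
    for entry in acl:
        if entry.matches(ip):
            return entry.action, entry.seq
    return "deny", None

def outbound_allowed(acls: Dict[int, List[AclEntry]], interface: str, src_ip: str) -> bool:
    """Would R1 forward a packet from src_ip out of this interface? No access-group means forward."""
    acl_id = INTERFACE_ACL.get(interface)
    return acl_id is None or evaluate(acls[acl_id], src_ip)[0] == "permit"

if __name__ == "__main__":
    acls = parse_show_access_list(SHOW_ACCESS_LIST)
    print("172.16.20.0 0.0.3.255 covers", wildcard_to_range("172.16.20.0", "0.0.3.255"))
    for iface in INTERFACE_ACL:   # constructed sample sources: one per network, plus the internet
        for src in ("172.16.22.1", "172.16.31.5", "172.16.45.7", "8.8.8.8"):
            print(f"out {iface} from {src}: {'permit' if outbound_allowed(acls, iface, src) else 'deny'}")
```

A standard ACL matches only the source address, so a list applied outbound on gig2/0 filters by where the packet came from; that is why each list on R1 denies the other two networks' ranges and why the internet source is still permitted by the final permit any.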
VLANs
Table of VLANs for each network:
VLAN Id   Network
20        Public
30        Administrative
40        Development
Public Network Switch (SWP)
We will add a device that provides information to clients; it belongs to the Administrative network but is connected to this switch:
Figure 2: VLAN connection
We create the VLANs that this switch will use:
SWP(config)#vlan 20
SWP(config-vlan)#name publicNet
SWP(config-vlan)#vlan 30
SWP(config-vlan)#name adminNet
SWP(config-vlan)#
Now, we assign the interfaces gig2/0-3 to VLAN 20:
SWP(config)#int range gig2/0-3
SWP(config-if-range)#switchport mode access
SWP(config-if-range)#switchport access vlan 20
SWP(config-if-range)#
Similarly, we assign the interfaces gig3/0-3 to VLAN 30:
SWP(config)#int range gig3/0-3
SWP(config-if-range)#switchport mode access
SWP(config-if-range)#switchport access vlan 30
We review the VLAN table:
SWP(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
20   publicNet                        active    Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
20   enet  100020     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
SWP(config)#
Trunk interface
In this scenario, only VLAN 30 will be passing between SWA and SWP, so there’s no requirement to set up a trunk interface.
Administrative Network Switch (SWA)
We create the VLAN that we will use in this case:
SWA(config)#vlan 30
SWA(config-vlan)#name adminNet
SWA(config-vlan)#
Now, we assign the interfaces gig3/0-3 to VLAN 30:
SWA(config)#int range gig3/0-3
SWA(config-if-range)#switchport mode access
SWA(config-if-range)#switchport access vlan 30
The VLAN table:
SWA(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
30   enet  100030     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
SWA(config)#
Development Network Switch (SWD)
We create the VLAN:
SWA(config)#vlan 40
SWA(config-vlan)#name devNet
SWA(config-vlan)#
Now, we assign the interfaces gig1/0-3 to VLAN 40:
SWA(config)#int range gig1/0-3
SWA(config-if-range)#switchport mode access
SWA(config-if-range)#switchport access vlan 40
SWA(config-if-range)#
We verify the VLAN table:
SWA(config)#do sh vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi2/0, Gi2/1, Gi2/2, Gi2/3
                                                Gi3/0, Gi3/1, Gi3/2, Gi3/3
40   devNet                           active    Gi1/0, Gi1/1, Gi1/2, Gi1/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
40   enet  100040     1500  -      -      -        -    -        0      0
1002 fddi  101002     1500  -      -      -        -    -        0      0
1003 tr    101003     1500  -      -      -        -    -        0      0
1004 fdnet 101004     1500  -      -      -        ieee -        0      0
1005 trnet 101005     1500  -      -      -        ibm  -        0      0

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
SWA(config)#
Connectivity from all networks to the internet remains uninterrupted.
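As an added check (not code from the original post), the following Python parses the first table of the show vlan output reproduced above and compares the port-to-VLAN assignments the switch reports with the assignments we intended, using the same range syntax as int range gig2/0-3. It reports ports whose VLAN differs from the plan, ports the plan names that the switch does not list, and ports still sitting in the default VLAN 1. The sample output is constructed from the page's SWP table with IOS column spacing, and the intended assignments are the page's SWP plan (gig2/0-3 in VLAN 20, gig3/0-3 in VLAN 30).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the "show vlan" output of SWP from the page, with the
# column spacing IOS prints, embedded so the example runs offline.
SHOW_VLAN_SWP = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/0, Gi0/1, Gi0/2, Gi0/3
                                                Gi1/0, Gi1/1, Gi1/2, Gi1/3
20   publicNet                        active    Gi2/0, Gi2/1, Gi2/2, Gi2/3
30   adminNet                         active    Gi3/0, Gi3/1, Gi3/2, Gi3/3
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0
"""

# A data row: VLAN id, name, status, then an optional comma-separated port list.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s*(.*)$")

def _ports(field: str) -> List[str]:
    return [p.strip() for p in field.split(",") if p.strip()]

def parse_show_vlan(text: str) -> Dict[int, dict]:
    """VLAN id -> {"name", "status", "ports"} from the first table of show vlan.
    Port lists that wrap onto indented continuation lines are joined."""
    vlans: Dict[int, dict] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if line.startswith("VLAN Type"):
            break                      # second table carries no port data
        m = ROW.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {"name": m.group(2), "status": m.group(3), "ports": _ports(m.group(4))}
        elif current is not None and line[:1].isspace() and line.strip():
            vlans[current]["ports"].extend(_ports(line))   # continuation line
    return vlans

def expand_range(spec: str) -> List[str]:
    """'Gi2/0-3' -> ['Gi2/0', 'Gi2/1', 'Gi2/2', 'Gi2/3'], mirroring int range."""
    m = re.match(r"^(.+/)(\d+)-(\d+)$", spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]

def expected_assignments(ranges: Dict[str, int]) -> Dict[str, int]:
    """Intended port -> VLAN map from {"Gi2/0-3": 20, ...}."""
    return {port: vid for spec, vid in ranges.items() for port in expand_range(spec)}

def port_vlan_map(vlans: Dict[int, dict]) -> Dict[str, int]:
    return {port: vid for vid, info in vlans.items() for port in info["ports"]}

def audit(vlans: Dict[int, dict], expected: Dict[str, int]) -> Dict[str, list]:
    """Compare intended assignments with what the switch reports. Returns the
    mismatched ports as (port, expected, actual) and the ports still in VLAN 1."""
    actual = port_vlan_map(vlans)
    mismatched: List[Tuple[str, int, Optional[int]]] = [
        (port, vid, actual.get(port)) for port, vid in expected.items() if actual.get(port) != vid
    ]
    in_default = [port for port, vid in actual.items() if vid == 1]
    return {"mismatched": mismatched, "in_default_vlan": in_default}

if __name__ == "__main__":
    vlans = parse_show_vlan(SHOW_VLAN_SWP)
    intended = expected_assignments({"Gi2/0-3": 20, "Gi3/0-3": 30})  # the page's SWP plan
    for key, items in audit(vlans, intended).items():
        print(key, items)
```

On the page's SWP output the plan matches, and the ports reported in VLAN 1 are Gi0/0-3 and Gi1/0-3, which the post does not use. Ports left in the default VLAN are worth reviewing after every change, since anything plugged into them lands in VLAN 1 rather than in one of the isolated networks.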
In the next post, we will connect an OpenWrt router to GNS3.