In this LAB (Part 1 of 2) we will build a network full of:
- VLANs with port security.
- Single static routes (very tedious work that requires concentration)
- Multiple types of servers (with usernames/passwords)
- Local Firewalls (Non-ASA)
Cute little LAB, huh? Not so fast! This LAB bites.
Download the LAB here.
The cheater's guide is at the bottom.
In the diagram you see above there are 17 different VLANs. Two of those VLANs we will configure but not use. The remaining two VLANs will be used for the next LAB.
OK, let's start with a completely clean and non-configured network.
Nothing has been configured. However, I have preset the PCs, switches, routers, and servers with names and cable/wire/media connections.
You will have to:
1. Set IP addresses on all nodes.
2. Configure vlans and assign the access/trunk ports.
3. Establish security (based on MAC address) between PCs and switches, to direct traffic to the intended areas of the network and to block access to other parts.
4. Configure PC’s and Servers with Firewalls to grant or deny access.
With VLANs comes encapsulation on the routers.
When using VLANs it is important to remember that you have to CREATE them and then INTERFACE them; on some ports you will have to bring the port up as well.
We will be using ‘VLAN 1’ as the “NATIVE VLAN” in this scenario. Just an FYI, you should never use VLAN 1 as the Native VLAN. More on the VLAN1 topic in the next LAB (Part 2)
Below you will find the address schemes.
Host addresses (five per subnet):

| Subnet (/24) | Host addresses |
|---|---|
| 192.168.10.0 | 192.168.10.5 - 192.168.10.9 |
| 192.168.20.0 | 192.168.20.5 - 192.168.20.9 |
| 192.168.30.0 | 192.168.30.5 - 192.168.30.9 |
| 192.168.40.0 | 192.168.40.5 - 192.168.40.9 |
| 192.168.50.0 | 192.168.50.5 - 192.168.50.9 |
| 192.168.60.0 | 192.168.60.5 - 192.168.60.9 |
| 192.168.70.0 | 192.168.70.5 - 192.168.70.9 |
| 192.168.80.0 | 192.168.80.5 - 192.168.80.9 |

Router link addresses (/30):

| Interface | Address |
|---|---|
| Fa0/1 | 10.1.1.1 /30 |
| Fa0/1 | 10.1.1.2 /30 |
| S0/0/0 | 10.1.1.5 /30 |
| S0/0/1 | 10.1.1.6 /30 |
| S0/0/1 | 10.1.1.9 /30 |
| S0/0/1 | 10.1.1.10 /30 |
Set IP addresses on all nodes.
Lab Part 1 of 2
All PCs will need to be set with an IP address that is associated with a specific VLAN ID.
Set up the VLANs on each switch that is attached to neighboring PCs!
PC1-5 = access VLAN 10
PC6-10 = access VLAN 20
PCA1-5 = access VLAN 30
PCB1-5 = access VLAN 40
PCC1-5 = access VLAN 50
PCD1-5 = access VLAN 60
PCE1-5 = access VLAN 70
PCF1-5 = access VLAN 80
Also create VLAN 90 & 100 (We’ll get to that in the next LAB)
On Switches S1 & S2 enable/create VLANS 10,20,30,40.
On Switches S5 & S6 enable/create VLANS 50,60,70,80
On Switches S3, S4, & S7 enable/create VLANS
On Switch S-A enable/create VLANS 1,2,3,4
On Switch S-B enable/create VLANS 5 & 6
Switch S-C Has no active VLANS
Enable access ports for the connections between switches and PCs.
Enable trunk ports for:
S2 fa0/22, fa0/24
S3 fa0/3, fa0/22-23
S4 fa0/3, fa0/22-23
S5 fa0/22, fa0/24
S7 fa0/1-2, fa0/24
S-C No available trunk ports
Next shut down all UNUSED ports.
Configure MAC addresses to be sticky. Enter the switchport port-security mac-address sticky command on all active access ports.
Configure port security on all access ports with the violation mode set to SHUTDOWN.
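As an added example, not part of the LAB or its Packet Tracer file, here is a small Python audit of an IOS-style running-config against the three rules above (unused ports shut down, sticky MAC learning, violation mode shutdown); the sample config and its interface names are constructed.

```python
# Added example (not from the lab file): audit an IOS-style running-config
# against the lab's port rules above. The sample config is constructed.
import re
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/3
 shutdown
!
interface FastEthernet0/4
!
interface FastEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented, stripped config lines."""
    stanzas = {}
    for chunk in re.split(r"^interface ", config, flags=re.M)[1:]:
        name, _, body = chunk.partition("\n")
        stanzas[name.strip()] = [cmd.strip() for cmd in body.splitlines()
                                 if cmd.startswith(" ")]
    return stanzas

def audit(config):
    """Return (interface, finding) pairs for every lab rule the config breaks."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue                      # shut port: nothing more to check
        if "switchport mode access" in cmds:
            if "switchport port-security" not in cmds:
                findings.append((name, "port-security not enabled"))
            if "switchport port-security mac-address sticky" not in cmds:
                findings.append((name, "sticky MAC learning missing"))
            # IOS omits the default violation mode (shutdown), so flag only an explicit protect/restrict.
            if any(c.startswith("switchport port-security violation ")
                   and not c.endswith("shutdown") for c in cmds):
                findings.append((name, "violation mode is not shutdown"))
        elif "switchport mode trunk" not in cmds:
            findings.append((name, "unused port is not shut down"))
    return findings
```

Run `audit(SAMPLE_CONFIG)` after pasting in a switch's `show running-config` output; a clean lab switch returns an empty list.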
Encapsulate each interface of each router that is adjacent to its connecting switch.
Set static routes between each router so that all nodes have access to each and every node on the network. 100% connectivity across the whole network.
Set firewall parameters on PCs and servers:
Only PC1-5 can use Staff email
Only PC6-10 can use Mgmt email
All PCs have access to WEB/DNS except:
PCF1-5 no access to DNS
PCE1-3 no access to DNS
Only the following have access to Syslog
Only the following have access to T/FTP
All have access to TACACS+
Set SSH as the backup mode for TACACS+, closing down Telnet access on each router.
Set up Servers
All routers are clients.
www.cdwitulski.com
CHECK YOUR CONNECTIONS!
The second LAB (Part 2) will build off of this configuration.
Here are some great resources to help along the way!
- Difference between an IP address and a physical address
- Difference between a MAC address and an IP address
- Difference between IP, MAC, and gateway addresses
- More on MAC vs. IP addresses
- A few links to help you understand VLANs and access/trunk ports