In this LAB (Part 1 of 2) we will build a network full of:

  • Vlans with port security.
  • Single static routes (very tedious work that requires concentration)
  • Multiple types of servers (with usernames/passwords)
  • Local Firewalls (Non-ASA)
  • SSH/AAA/TACACS+

Cute little LAB huh? ……..not so fast! This LAB Bites.


>>>>>DOWNLOAD THE LAB HERE <<<<<

Cheaters Guide is at the bottom………

In the diagram you see above there are 17 different VLANs. Two of those VLANs we will configure but not use. The remaining two VLANs will be used for the next LAB.

Ok let’s start with a completely clean and NON-CONFIGURED network. 

Nothing has been configured. However, I have preset PC, Switches, Routers, and Servers with names and cable/wire/media connections.

You will have to:
1. Set IP addresses on all nodes.
2. Configure VLANs and assign the access/trunk ports.
3. Establish port security between the PCs and switches (based on MAC address) to help direct traffic to other areas of the network and to block off access to other parts.
4. Configure the PCs and servers with firewalls to grant or deny access.

With VLANs comes “ENCAPSULATION” on the routers.
When using VLANs it is important to remember that you have to CREATE them and then INTERFACE them; for some you will have to OPEN the port as well.

We will be using ‘VLAN 1’ as the “NATIVE VLAN” in this scenario. Just an FYI, you should never use VLAN 1 as the Native VLAN. More on the VLAN1 topic in the next LAB (Part 2)

Below you will find the address schemes.

PCs (all /24; hosts are numbered in order, so PC1 = .5, PC2 = .6 ... PC5 = .9, and likewise for every other group)
PC1-PC5      192.168.10.5 - 192.168.10.9
PC6-PC10     192.168.20.5 - 192.168.20.9
PCA1-PCA5    192.168.30.5 - 192.168.30.9
PCB1-PCB5    192.168.40.5 - 192.168.40.9
PCC1-PCC5    192.168.50.5 - 192.168.50.9
PCD1-PCD5    192.168.60.5 - 192.168.60.9
PCE1-PCE5    192.168.70.5 - 192.168.70.9
PCF1-PCF5    192.168.80.5 - 192.168.80.9

Servers      Address            Gateway
EMAIL-Staff  192.168.1.5 /24    192.168.1.1
Web          192.168.2.5 /24    192.168.2.1
DNS          192.168.3.5 /24    192.168.3.1
SYSLOG       192.168.4.5 /24    192.168.4.1
T/FTP        192.168.5.5 /24    192.168.5.1
EMAIL-Mgmt   192.168.6.5 /24    192.168.6.1
AAA/TACACS+  192.168.7.5 /24    192.168.7.1

Routers      Interface addresses
R1           Fa0/1 10.1.1.1 /30, S0/0/1 10.1.1.10 /30
R2           Fa0/1 10.1.1.2 /30
R3           S0/0/1 10.1.1.9 /30, S0/0/0 10.1.1.5 /30
R4           S0/0/1 10.1.1.6 /30

Lab Part 1 of 2

Step 1:
All PCs will need to be set with an IP address that will be associated with a specific VLAN ID.

Step 2:
Set up the VLANs on each switch that has PCs attached to it!

PC1-5 = access VLAN 10
PC6-10 = access VLAN 20
PCA1-5 = access VLAN 30
PCB1-5 = access VLAN 40
PCC1-5 = access VLAN 50
PCD1-5 = access VLAN 60
PCE1-5 = access VLAN 70
PCF1-5 = access VLAN 80
Also create VLAN 90 & 100 (We’ll get to that in the next LAB)

Step 3:
On Switches S1 & S2 enable/create VLANS 10,20,30,40.
On Switches S5 & S6 enable/create VLANS 50,60,70,80
On Switches S3, S4, & S7 enable/create VLANS 10,20,30,40,50,60,70,80,90,100.
On Switch S-A enable/create VLANS 1,2,3,4
On Switch S-B enable/create VLANS 5 & 6
Switch S-C Has no active VLANS

Step 4:
Enable access ports for the connections between the switches and the PCs.
Enable trunk ports on:
S1 fa0/23-24
S2 fa0/22, fa0/24
S3 fa0/3, fa0/22-23
S4 fa0/3, fa0/22-23
S5 fa0/22, fa0/24
S6 fa0/23-24
S7 fa0/1-2, fa0/24
S-A fa0/1
S-B fa0/1
S-C No available trunk ports

Step 5:
Next shut down all UNUSED ports.
Configure MAC addresses to be sticky. Enter the switchport port-security mac-address sticky command on all active access ports.

Step 6:
Configure port security on all access ports with the violation mode set to SHUTDOWN.
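Steps 2 through 6 together make up one switch configuration, so here is the whole thing on a single switch, S1, as an added example (this is not the lab's own answer key). What comes from the lab: S1 carries VLANs 10, 20, 30 and 40 (Step 3), its trunks are fa0/23-24 (Step 4), VLAN 1 stays the native VLAN, and port security is sticky with violation shutdown (Steps 5-6). What is assumed, because the lab does not list which switch port each PC plugs into: PC1-PC5 sit on fa0/1-5 and nothing else is patched into S1.

```cisco
! S1: added example configuration, not the lab's own answer key
! Assumed (the lab gives no PC-to-port mapping): PC1-PC5 plug into fa0/1-5 and
! nothing else is patched into S1 apart from the trunks on fa0/23-24.
enable
configure terminal
hostname S1
!
! Steps 2-3: create the VLANs S1 carries (VLAN 1 already exists and stays the native VLAN)
vlan 10
 name VLAN10
vlan 20
 name VLAN20
vlan 30
 name VLAN30
vlan 40
 name VLAN40
exit
!
! Step 4: access ports toward PC1-PC5 (VLAN 10)
! Steps 5-6: port security on the same ports. Access mode must be set first or IOS
! rejects the port-security commands. 'sticky' learns the first MAC seen and writes
! it into the running config; 'violation shutdown' err-disables the port when a
! different MAC shows up.
interface range fa0/1 - 5
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 no shutdown
exit
!
! Step 4: trunks toward the neighbouring switches. A trunk carries every VLAN by
! default; limiting it to the VLANs S1 actually has is a small hardening step.
! VLAN 1 stays in the list because the lab runs it as the native VLAN.
! (On a 3560 add 'switchport trunk encapsulation dot1q' before 'switchport mode trunk'.)
interface range fa0/23 - 24
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10,20,30,40
 no shutdown
exit
!
! Step 5: every port that is not patched gets shut down
interface range fa0/6 - 22
 shutdown
exit
!
end
! Sticky MACs only live in the running config: save, or they are gone after a reload.
copy running-config startup-config
!
! Checks
show vlan brief
show interfaces trunk
show port-security
show port-security address
! A port that tripped the violation shows 'err-disabled'; fix the cabling, then
! 'shutdown' / 'no shutdown' it to recover.
```

The same block applies to S2 through S7 with their own VLAN lists and trunk ports from Steps 3 and 4; only the access-port ranges change with where the PCs are actually patched.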

Step 7:
Configure VLAN encapsulation on each router interface that faces its connecting switch.

Step 8:
Set static routes between each router so that all nodes have access to each and every node on the network. 100% connectivity across the whole network.
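Here is what Steps 7 and 8 look like on one router, R1, as an added example that is not part of the lab download. From the address table: R1's Fa0/1 (10.1.1.1) faces R2 (10.1.1.2), its S0/0/1 (10.1.1.10) faces R3 (10.1.1.9), and the VLAN 1-4 servers use the gateways 192.168.1.1 through 192.168.4.1. Everything else is an assumption made to keep the example complete: that R1's switch-facing interface is fa0/0 and serves switch S-A (VLANs 1-4), that VLANs 10-40 lie behind R2, and that VLANs 50-80 and the VLAN 5-7 servers lie behind R3. Swap the next hops to match where the networks really sit in the diagram; the shape of the configuration is the same on R2, R3 and R4.

```cisco
! R1: added example configuration, not the lab's own answer key
! Assumed (not stated by the lab): R1's LAN side is fa0/0 and connects to S-A
! (VLANs 1-4); VLANs 10-40 are reached through R2 and VLANs 50-80 plus the
! VLAN 5-7 servers through R3.
enable
configure terminal
hostname R1
!
! Step 7: one dot1Q sub-interface per VLAN on the switch-facing link.
! The physical interface carries no address of its own.
interface fa0/0
 no ip address
 no shutdown
! VLAN 1 is the lab's native VLAN, so its sub-interface is marked 'native'
! (untagged frames from the trunk land here).
interface fa0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
interface fa0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
interface fa0/0.3
 encapsulation dot1Q 3
 ip address 192.168.3.1 255.255.255.0
interface fa0/0.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
!
! Point-to-point links, addresses from the lab's table
interface fa0/1
 ip address 10.1.1.1 255.255.255.252
 no shutdown
interface s0/0/1
 ip address 10.1.1.10 255.255.255.252
 no shutdown
! If this end of the serial cable is the DCE, add 'clock rate 64000' under s0/0/1.
!
! Step 8: static routes. One route per remote network, next hop = the neighbour's
! /30 address. The remote /30 links need routes too, or pings sourced from those
! router interfaces have no way back and "100% connectivity" fails.
! Toward R2 (10.1.1.2)
ip route 192.168.10.0 255.255.255.0 10.1.1.2
ip route 192.168.20.0 255.255.255.0 10.1.1.2
ip route 192.168.30.0 255.255.255.0 10.1.1.2
ip route 192.168.40.0 255.255.255.0 10.1.1.2
! Toward R3 (10.1.1.9), including the R3-R4 link 10.1.1.4/30
ip route 192.168.50.0 255.255.255.0 10.1.1.9
ip route 192.168.60.0 255.255.255.0 10.1.1.9
ip route 192.168.70.0 255.255.255.0 10.1.1.9
ip route 192.168.80.0 255.255.255.0 10.1.1.9
ip route 192.168.5.0 255.255.255.0 10.1.1.9
ip route 192.168.6.0 255.255.255.0 10.1.1.9
ip route 192.168.7.0 255.255.255.0 10.1.1.9
ip route 10.1.1.4 255.255.255.252 10.1.1.9
end
copy running-config startup-config
!
! Checks: every sub-interface up with its address, every remote network in the table
show ip interface brief
show ip route static
```

A quick way to catch a missing route: from each router, ping every server and one PC in every VLAN, then ping every /30 address; each router must have exactly one route for every network it does not own, and the next hop for each must be the neighbour on the link that actually leads there.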

Step 9:
Set firewall rules on the PCs and servers:

Only PC1-5 can use Staff email
Only PC6-10 can use Mgmt email

ALL PCs have access to WEB/DNS except:
PCF1-5 no access to DNS
PCE1-3 no access to DNS

Only the following have access to Syslog
PCC1-5
PCD1 & PCD4
All Routers

Only the following have access to T/FTP
PCB1-5
PC7-8

All have access to TACACS+

Step 10:
On each router, enable SSH with TACACS+ as the login method and the local account below as the backup, and close down access to Telnet.
username/password
backup/cisco
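Step 10 on one router, as an added example (not the lab's answer key). The TACACS+ server address (192.168.7.5) and key (cisco), and the backup/cisco local account, come from the lab; the domain name lab.local is an assumption, since IOS needs some domain name before it will generate the RSA key.

```cisco
! R1: added example configuration, not the lab's own answer key
! Assumed: the domain name 'lab.local' (any value works; it only feeds RSA key generation).
enable
configure terminal
hostname R1
ip domain-name lab.local
!
! Local account, used only when the TACACS+ server cannot be reached
username backup privilege 15 secret cisco
!
! Step 10: AAA with TACACS+ first and the local database as the fallback.
! 'tacacs-server host' is the classic syntax, the one Packet Tracer accepts;
! newer IOS also offers 'tacacs server <name>' blocks.
aaa new-model
tacacs-server host 192.168.7.5 key cisco
aaa authentication login default group tacacs+ local
!
! SSH: RSA key of at least 1024 bits, version 2 only, short retry budget
crypto key generate rsa general-keys modulus 1024
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Close Telnet: the vty lines accept SSH only, authenticated through the AAA list
line vty 0 4
 transport input ssh
 login authentication default
 exec-timeout 10 0
line con 0
 login authentication default
end
copy running-config startup-config
!
! Checks
show ip ssh
show tacacs
! Then log in from a PC with a TACACS+ user (for example hal/2000) and, with the
! server unplugged, with backup/cisco; a Telnet attempt must be refused.
```

The order matters: the RSA key must exist before `ip ssh version 2` is accepted, and the local `username` line should be in place before `aaa new-model` is entered, otherwise a console session that times out can lock you out of the router.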

Step 11:
Set up Servers

Staff Email:
usernames/passwords
carol/1234
bob/pass
june/222icu
edith/r2d2c3po
quinn/guess

Management Email:
usernames/passwords
admin1/cisco
admin2/netacad
admin3/router
admin4/switch
admin5/qwerty

TACACS+
key=cisco
all routers are clients
usernames/passwords

  1. hal/2000
  2. anon/ymous
  3. ghost/1337

T/FTP
Username/Password/permissions
admin/pass/rwdnl
staff/password/rl

DNS
www.cdwitulski.com

CHECK YOUR CONNECTIONS!

The second LAB(Part 2) will build off of this configuration.


Here are some great resources to help along the way!
Difference between an IP address and a physical address.
Difference between a MAC address and an IP address!
Difference between IP/MAC/Gateway address.
More MAC vs IP address.

Here are a few links to help you understand VLANS Access/Trunk ports
https://www.youtube.com/watch?v=2hUUaG4o3DA
https://www.youtube.com/watch?v=aBOzFa6ioLw
https://www.youtube.com/watch?v=-H20S65OB3E
https://www.youtube.com/watch?v=kbLfyjP20Yo
https://www.youtube.com/watch?v=8WHr0pLbTKs


NEED THE CHEATERS GUIDE??

CLICK  HERE FOR THE FULLY CONFIGURED LAB TO SEE WHAT WENT WRONG!