Abstract: An ACL is a series of IOS commands that filter packets based on information in the packet header. By default, a router does not have any ACLs configured. When an ACL is applied to an interface, the router performs the additional task of evaluating every packet as it passes through the interface to determine whether the packet may be forwarded. This report practises designing a network for a company with two buildings and applying access control lists on the core router to filter several kinds of traffic so that the network is secure.
Introduction
We have designed a network for a company with two buildings. The building on the left is divided into three sections: accounting, marketing and HR. The building on the right is divided into four: D&R, staff, IT and servers. Both buildings are connected to the core router, which lets the devices communicate so that all of them can reach the internet. The core router is where the access control lists are configured to ensure network security. The requirements for a secure network are: all staff may access the internet but not the server; only IT can telnet to all devices; and D&R can only connect to its web server. The network is designed with inter-VLAN routing, the Open Shortest Path First protocol (OSPF), Network Address Translation (NAT) and access control lists (ACLs).
Objectives
The main objective of the proposed network is to design a secure network by applying access control lists on the router so that certain devices are blocked from reaching others, ensuring security in the network.
Network Requirements
The network design has the following security requirements:
· All staff may access the internet but nothing else.
· Only IT can telnet to all devices.
· All D&R devices can only connect to their web server and nothing else.
Topology
The first figure is the topology we have prepared for the network design of the two buildings; all sub-interfaces are on the router (inter-VLAN routing). With router on a stick the network administrator does not need to create a separate physical interface per VLAN, such as g0/1 to g0/10; instead all the sub-interfaces are created on a single interface. To connect building A and building B to each other we use OSPF, a dynamic routing protocol. This method is simple to implement and is used for small to medium-sized networks. OSPF is one of the Interior Gateway Protocols (IGP); it finds the best routing path between the source and the destination router using its own shortest path first (SPF) algorithm. It is a link-state routing protocol used to distribute routing information within a large Autonomous System. Once configured, it listens to its neighbours in the network and gathers all the available link-state data. This data is then used to build a topology map that contains all available paths in the network. This database is saved for use and is called the Link State Database.
Once the Link State Database is built, it is used to calculate the shortest path to each subnet using the Shortest Path First algorithm developed by Edsger W. Dijkstra. OSPF maintains three tables: the neighbor table, the topology table and the routing table. In our design the core router acts as an ASBR because it connects the areas and injects routes received from outside the OSPF domain into it. To connect to the internet we must then use NAT, which translates private IP addresses in the internal network to a public IP address before packets are sent to the external network.
Network Devices
The network devices used in the design are:
· Cisco Catalyst 2960-S Series Switches, fixed-configuration Fast Ethernet switches that provide enterprise-class Layer 2 switching for campus and branch access applications. When Cisco 2960 switches are combined in a stack, the data transmission ports have 16 Gb/s backplane capacity and a throughput of 6.5 Mpps.
· A Cisco 2911 router with three Gigabit Ethernet ports, connecting to building A, building B and the ISP.
· Building B uses a Layer 3 switch.
Building A
Department | IP address
D&R | 192.168.10.10
IT | 192.168.30.10
Staff | 192.168.20.10
Web server | 192.168.40.10
Server | 192.168.40.11
Building B
Department | IP address
Accounting | 192.168.70.10
Marketing | 192.168.60.11
HR | 192.168.50.12
VLAN switch0
Create the VLANs on switch0.
Switch(config)#vlan 10
Switch(config-vlan)#name 10
Switch(config-vlan)#exit
Switch(config)#vlan 20
Switch(config-vlan)#name 20
Switch(config-vlan)#exit
Switch(config)#vlan 30
Switch(config-vlan)#name 30
Switch(config-vlan)#exit
Figure 2
As figure 2 shows, the ports connected to the PCs are access ports, while the ports connected to the router and to switch 1 are trunk ports.
Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 10
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 20
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/4
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 30
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
spanning-tree bpduguard enable
BPDU Guard is recommended on every port that connects to a workstation or other end device. Such a port should never receive a BPDU; if one arrives, BPDU Guard places the port in the err-disabled state, so an unauthorised or mis-cabled switch cannot join the spanning tree and create a loop in the topology. STP itself was created to avoid the problems that arise when computers exchange data on a local area network (LAN) that contains redundant paths.
Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 10,20,30,40
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode trunk
Switch(config-if)#exit
VLAN switch1
Switch1(config)#vlan 40
Switch1(config-vlan)#name 40
Switch1(config-vlan)#exit
Switch1(config)#interface range fastEthernet 0/2-3
Switch1(config-if-range)#switchport mode access
Switch1(config-if-range)#switchport access vlan 40
Switch1(config-if-range)#exit
Switch1(config)#interface fastEthernet 0/1
Switch1(config-if)#switchport mode trunk
Switch1(config-if)#exit
Switch layer 3
Switch(config)#ip routing
Switch(config)#vlan 50
Switch(config-vlan)#name 50
Switch(config-vlan)#exit
Switch(config)#vlan 60
Switch(config-vlan)#name 60
Switch(config-vlan)#exit
Switch(config)#vlan 70
Switch(config-vlan)#name 70
Switch(config-vlan)#exit
Switch(config)#interface vlan 50
Switch(config-if)#ip address 192.168.50.12 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 60
Switch(config-if)#ip address 192.168.60.11 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface vlan 70
Switch(config-if)#ip address 192.168.70.10 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/1
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 70
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 60
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/3
Switch(config-if)#switchport mode access
Switch(config-if)#switchport access vlan 50
Switch(config-if)#spanning-tree bpduguard enable
Switch(config-if)#exit
Configure the sub-interfaces on the router
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/1.10
Router(config-subif)#encapsulation dot1q 10
Router(config-subif)#ip address 192.168.10.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.20
Router(config-subif)#encapsulation dot1q 20
Router(config-subif)#ip address 192.168.20.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.30
Router(config-subif)#encapsulation dot1q 30
Router(config-subif)#ip address 192.168.30.1 255.255.255.0
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.40
Router(config-subif)#encapsulation dot1q 40
Router(config-subif)#ip address 192.168.40.1 255.255.255.0
Router(config-subif)#exit
encapsulation dot1q
What is encapsulation dot1q and what do we command it to do?
When a client sends a packet, the switch carries the frame towards the router over the trunk with an 802.1Q VLAN tag. The router is a layer 3 device and does not forward the tagged frame as such: the encapsulation dot1q command assigns that VLAN tag to a sub-interface, so the router strips the tag and routes the IP packet, and when the packet leaves the router it is tagged again with the destination VLAN.
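The tag handling described above, as an added example that is not part of the report: it builds an 802.1Q-tagged frame, parses the VLAN ID out of it, and models the router stripping the tag on one sub-interface and re-tagging the packet for the egress VLAN. The MAC addresses, the sample packet and the VLAN-to-sub-interface mapping are constructed placeholders; the routing lookup itself is not modelled.

```python
import struct

# Added example, not from the report: what "encapsulation dot1q" does to a frame on the
# router-on-a-stick trunk. Frames and MAC addresses below are constructed placeholders.
TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# The sub-interfaces the report configures: VLAN tag -> sub-interface (assumed mapping).
SUBINTERFACES = {10: "gi0/1.10", 20: "gi0/1.20", 30: "gi0/1.30", 40: "gi0/1.40"}

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def tag_frame(dst, src, vid, payload, ethertype=ETHERTYPE_IPV4, pcp=0):
    """Build a frame with an 802.1Q tag (TPID, then PCP/DEI/VID) between the MACs and EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); an untagged frame yields vid None."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]

def route_on_a_stick(frame, router_mac, next_hop_mac, out_vid):
    """Model the router side: accept the frame only if a sub-interface carries its VLAN tag,
    strip the tag (the IP packet is what gets routed) and re-tag it with the egress VLAN.
    The routing lookup is not modelled; the caller supplies out_vid."""
    dst, src, vid, ethertype, payload = parse_frame(frame)
    if vid not in SUBINTERFACES or out_vid not in SUBINTERFACES:
        return None                       # no "encapsulation dot1q <vid>" for this tag
    return tag_frame(next_hop_mac, router_mac, out_vid, payload, ethertype)

def demo():
    """D&R PC (VLAN 10) sends a packet that the router forwards into the server VLAN 40."""
    pc, router, web = mac("02:00:00:00:10:0a"), mac("02:00:00:00:00:01"), mac("02:00:00:00:40:0a")
    packet = b"\x45\x00" + b"IPv4 packet (constructed)"
    inbound = tag_frame(router, pc, 10, packet)         # switch0 trunk adds the VLAN 10 tag
    outbound = route_on_a_stick(inbound, router, web, 40)
    return parse_frame(inbound)[2], parse_frame(outbound)[2], parse_frame(outbound)[4] == packet
```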
Building A is connected to building B using OSPF. An OSPF router can take several roles, such as internal router, ABR and ASBR. In this lab the core router acts as an ASBR because it connects the areas and redistributes routes received from outside. The inter-area interface that connects to area 1 must therefore be configured in area 1.
Configure Router
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 172.16.0.1 255.255.255.0
Router(config-if)#ip ospf network point-to-point
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#router ospf 1
Router(config-router)#network 172.16.0.0 0.0.0.255 area 1
Router(config-router)#network 192.168.10.0 0.0.0.255 area 0
Router(config-router)#network 192.168.20.0 0.0.0.255 area 0
Router(config-router)#network 192.168.30.0 0.0.0.255 area 0
Router(config-router)#network 192.168.40.0 0.0.0.255 area 0
Router(config-router)#exit
Configure Layer 3 switch
Switch(config)#interface gigabitEthernet 0/1
Switch(config-if)#no switchport
Switch(config-if)#ip address 172.16.0.2 255.255.255.0
Switch(config-if)#ip ospf network point-to-point
Switch(config-if)#no shutdown
Switch(config-if)#exit
Switch(config)#router ospf 1
Switch(config-router)#network 172.16.0.0 0.0.0.255 area 1
Switch(config-router)#network 192.168.50.0 0.0.0.255 area 1
Switch(config-router)#network 192.168.60.0 0.0.0.255 area 1
Switch(config-router)#network 192.168.70.0 0.0.0.255 area 1
Switch(config-router)#exit
For all devices to reach the internet we need Network Address Translation (NAT), because every device has a private IP address. NAT is a service that enables private IP networks to use the internet and cloud: it translates private IP addresses in an internal network to a public IP address before packets are sent to an external network. With NAT, an organization needs only one public IP address, or a small pool of them, to represent an entire group of devices as they connect outside their network. Port Address Translation (PAT) enables one single IP address to be shared by multiple hosts by translating both the IP address and the port.
Router ISP
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#interface loopback 0
Router(config-if)#ip address 8.8.8.8 255.255.255.255
Router(config-if)#exit
Router 1
Router(config)#interface gigabitEthernet 0/2
Router(config-if)#ip address 1.1.1.2 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.1
Router(config)#ip nat inside source list NAT interface gigabitEthernet 0/2 overload
Router(config)#interface gigabitEthernet 0/1.10
Router(config-subif)#ip nat inside
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.20
Router(config-subif)#ip nat inside
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.30
Router(config-subif)#ip nat inside
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.40
Router(config-subif)#ip nat inside
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip nat inside
Router(config-if)#exit
Router(config)#router ospf 1
Router(config-router)#default-information originate
Router(config-router)#exit
default-information originate
S* 0.0.0.0/0 [1/0] via 1.1.1.2
Any OSPF router can originate a default route into a normal area, but an OSPF router does not create one by default; the default-information originate command is required for OSPF to generate it. In our example above, Router 1 is directly connected to the internet. This is a common enterprise setup where all internet traffic breaks out from a single site. On Router 1 we have a static default route pointing to the ISP next-hop device, and default-information originate advertises that default route to the other OSPF routers.
Configure access control lists
All devices have access to the internet, but D&R must not. The D&R network is 192.168.10.0 255.255.255.0, so the NAT access list excludes it from translation.
Router(config)#ip access-list standard NAT
Router(config-std-nacl)#10 deny 192.168.10.0 0.0.0.255
Router(config-std-nacl)#20 permit any
Router(config-std-nacl)#exit
No device may telnet except IT, which can telnet to all devices. The access-class must cover every vty line (0 to 15), otherwise a session that lands on an unfiltered line bypasses the list; the same TELNET list and access-class have to be applied on each switch as well for the requirement to hold on all devices.
Router(config)#ip access-list standard TELNET
Router(config-std-nacl)#permit 192.168.30.0 0.0.0.255
Router(config-std-nacl)#exit
Router(config)#line vty 0 15
Router(config-line)#password 12345
Router(config-line)#login
Router(config-line)#access-class TELNET in
Router(config-line)#exit
D&R devices may only connect to their web server, 192.168.40.10. The extended list is applied outbound on the server VLAN, so anything it does not permit (for example traffic to the server 192.168.40.11) is dropped by the implicit deny at the end of the list.
Router(config)#ip access-list extended D&R
Router(config-ext-nacl)#permit tcp host 192.168.10.10 host 192.168.40.10 eq 80
Router(config-ext-nacl)#permit ip any host 192.168.40.10
Router(config-ext-nacl)#exit
Router(config)#interface gigabitEthernet 0/1.40
Router(config-subif)#ip access-group D&R out
Router(config-subif)#exit
All staff may access the internet but nothing else, so traffic sourced from the staff network 192.168.20.0 is denied on the other sub-interfaces and towards building B.
Router(config)#ip access-list standard staff
Router(config-std-nacl)#deny 192.168.20.0 0.0.0.255
Router(config-std-nacl)#permit any
Router(config-std-nacl)#exit
Router(config)#interface gigabitEthernet 0/1.10
Router(config-subif)#ip access-group staff out
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/1.30
Router(config-subif)#ip access-group staff out
Router(config-subif)#exit
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#ip access-group staff out
Router(config-if)#exit
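A way to check the three access lists above before applying them, as an added example that is not part of the report: a small first-match evaluator with IOS wildcard-mask semantics and the implicit deny, run against the NAT, D&R and staff lists as configured. The test packets are constructed; the evaluator checks the entry that matches, which also shows that the broader second entry of the D&R list shadows its HTTP-only first entry.

```python
import ipaddress

# Added example, not from the report: a first-match evaluator for IOS-style ACLs, run
# against the NAT, D&R and staff lists the report configures. Entry format:
# (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port); a standard ACL is
# written as an extended one with destination "any". The test packets are constructed.
ANY = ("0.0.0.0", "255.255.255.255")

def wildcard_match(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit means "don't care", so only the 0 bits are compared.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, index of the matching entry); index None is the implicit deny."""
    for i, (action, eproto, sbase, swild, dbase, dwild, eport) in enumerate(acl):
        if eproto not in ("ip", proto):
            continue
        if not (wildcard_match(src, sbase, swild) and wildcard_match(dst, dbase, dwild)):
            continue
        if eport is not None and eport != dport:
            continue
        return action, i
    return "deny", None

# ip access-list standard NAT: D&R (VLAN 10) is excluded from translation.
NAT = [("deny", "ip", "192.168.10.0", "0.0.0.255", *ANY, None),
       ("permit", "ip", *ANY, *ANY, None)]
# ip access-list extended D&R, applied outbound on gi0/1.40 (server VLAN).
DR = [("permit", "tcp", "192.168.10.10", "0.0.0.0", "192.168.40.10", "0.0.0.0", 80),
      ("permit", "ip", *ANY, "192.168.40.10", "0.0.0.0", None)]
# ip access-list standard staff: staff (VLAN 20) is denied, everything else permitted.
STAFF = [("deny", "ip", "192.168.20.0", "0.0.0.255", *ANY, None),
         ("permit", "ip", *ANY, *ANY, None)]

def check_design():
    """Evaluate the report's requirements against its ACLs; returns name -> (action, entry)."""
    return {
        # D&R hits NAT entry 0 and is never translated, so it has no internet access.
        "dr_nat": evaluate(NAT, "ip", "192.168.10.10", "8.8.8.8"),
        "it_nat": evaluate(NAT, "ip", "192.168.30.10", "8.8.8.8"),
        # D&R to the web server on port 80 matches entry 0 of D&R ...
        "dr_web_http": evaluate(DR, "tcp", "192.168.10.10", "192.168.40.10", 80),
        # ... but port 22 is permitted by the broader entry 1, so the HTTP-only entry is shadowed.
        "dr_web_ssh": evaluate(DR, "tcp", "192.168.10.10", "192.168.40.10", 22),
        # The second server, 192.168.40.11, matches no entry: implicit deny for everyone.
        "it_server": evaluate(DR, "tcp", "192.168.30.10", "192.168.40.11", 22),
        # Staff-sourced traffic is dropped wherever the staff list is applied outbound.
        "staff_to_dr": evaluate(STAFF, "ip", "192.168.20.10", "192.168.10.10"),
    }
```

To make the D&R list enforce HTTP only, the broader entry would need to exclude the D&R source or be narrowed; the evaluator makes such a change visible as a different matching entry.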
Result