This chapter will show you what you need to create and configure a small business network. We start with the hardware. In this tutorial we use only Cisco hardware; it is perhaps an expensive solution, but it works reliably and, most importantly, there is a lot of material and guidance on how to configure and maintain the hardware in the future.
The picture below shows the topology of the network we work with.
Step 1. First you need to create an Addressing Table. In this tutorial I created one, but you can change all numbers and names if you wish.
Device | Interface | Network/Address |
R1 | Gi0/0.20 | 172.16.20.254/24 |
R1 | Gi0/0.40 | 172.16.40.254/24 |
R1 | Gi0/0.60 | 172.16.60.254/24 |
R1 | Gi0/0.88 | 172.16.88.254/24 |
R1 | Gi0/1.250 | 172.16.250.254/24 |
R1 | Gi0/1.254 | 172.16.254.254/24 |
S1 | SVI | 172.16.88.253/24 |
S2 | SVI | 172.16.88.252/24 |
S3 | SVI | 172.16.88.251/24 |
PC1 | NIC | 172.16.20.10/24 |
PC2 | NIC | 172.16.40.10/24 |
PC3 | NIC | 172.16.60.10/24 |
PC4 | NIC | 172.16.20.11/24 |
PC5 | NIC | 172.16.40.11 |
PC6 | NIC | 172.16.60.11 |
DNS Server | NIC | 172.16.254.252 |
Step 2. Create a VLAN Assignment Table. You need to decide how many VLANs you want and which restrictions apply to each.
VLAN Number | VLAN Name | Device/Ports |
20 | VLAN20 Sale | S2: Fa0/1 – Fa0/5; S3: Fa0/1 – Fa0/5 |
40 | VLAN40 Finance | S2: Fa0/6 – Fa0/10; S3: Fa0/6 – Fa0/10 |
60 | VLAN60 IT | S2: Fa0/11 – Fa0/15; S3: Fa0/11 – Fa0/15 |
88 | VLAN88 Management | S1: SVI; S2: SVI; S3: SVI |
Step 3. Configure initial device settings on all devices and create the VLANs on the switches. In this course I use a basic security configuration with a basic password (cisco).
Router
Router>en
Router#conf t
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#enable secret cisco
R1(config)#line console 0
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#line vty 0 15
R1(config-line)#password cisco
R1(config-line)#login
R1(config-line)#exit
R1(config)#service password-encryption
Switch 1, Switch 2 and Switch 3 – same configuration, only the hostname is different
Switch>en
Switch#conf t
Switch(config)#hostname S1
S1(config)#no ip domain-lookup
S1(config)#enable secret cisco
S1(config)#line console 0
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#line vty 0 15
S1(config-line)#password cisco
S1(config-line)#login
S1(config-line)#exit
S1(config)#service password-encryption
S1(config)#vlan 20
S1(config-vlan)#name VLAN20 Sale
S1(config-vlan)#vlan 40
S1(config-vlan)#name VLAN40 Finance
S1(config-vlan)#vlan 60
S1(config-vlan)#name VLAN60 IT
S1(config-vlan)#vlan 88
S1(config-vlan)#name VLAN88 Management
Step 4. Configure the FastEthernet interfaces on S2 and S3 according to the VLAN Assignment Table. The configuration is the same for both devices (shown here on S3).
S3(config)#int range fa0/1-5
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport access vlan 20
S3(config-if-range)#int range fa0/6-10
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport access vlan 40
S3(config-if-range)#int range fa0/11-15
S3(config-if-range)#switchport mode access
S3(config-if-range)#switchport access vlan 60
Step 5. Configure the SVIs of the S1, S2 and S3 switches using the information from the Addressing Table. Configure the IP address for the management VLAN and the default-gateway IP address, so that the SVIs will be reachable by devices on other networks once the network has been fully configured.
S1(config)#int vlan 88
S1(config-if)#ip address 172.16.88.253 255.255.255.0
S1(config-if)#no shutdown
S1(config-if)#exit
S1(config)#ip default-gateway 172.16.88.254
S2(config)#int vlan 88
S2(config-if)#ip address 172.16.88.252 255.255.255.0
S2(config-if)#no shutdown
S2(config-if)#exit
S2(config)#ip default-gateway 172.16.88.254
S3(config)#int vlan 88
S3(config-if)#ip address 172.16.88.251 255.255.255.0
S3(config-if)#no shutdown
S3(config-if)#exit
S3(config)#ip default-gateway 172.16.88.254
Step 6. Configure VLAN trunking between the S1, S2 and S3 switches and set the VTP domain name to Business.
S1(config)#vtp domain Business
S1(config)#int g0/1
S1(config-if)#switchport mode trunk
S1(config-if)#int range fa0/23-24
S1(config-if-range)#switchport mode trunk
S2(config)#vtp domain Business
S2(config)#int fa0/23
S2(config-if)#switchport mode trunk
S3(config)#vtp domain Business
S3(config)#int fa0/24
S3(config-if)#switchport mode trunk
Step 7. Now we use the information in the Addressing and VLAN tables to configure inter-VLAN routing on R1: VLANs 20, 40, 60 and 88 through Gi0/0 subinterfaces, and VLANs 250 and 254 through Gi0/1 subinterfaces. The Gi0/0.88 subinterface is included below with the address from the Addressing Table; without it the management VLAN has no gateway.
R1(config)#int g0/0.20
R1(config-subif)#encapsulation dot1q 20
R1(config-subif)#ip address 172.16.20.254 255.255.255.0
R1(config-subif)#int g0/0.40
R1(config-subif)#encapsulation dot1q 40
R1(config-subif)#ip address 172.16.40.254 255.255.255.0
R1(config-subif)#int g0/0.60
R1(config-subif)#encapsulation dot1q 60
R1(config-subif)#ip address 172.16.60.254 255.255.255.0
R1(config-subif)#int g0/0.88
R1(config-subif)#encapsulation dot1q 88
R1(config-subif)#ip address 172.16.88.254 255.255.255.0
R1(config-subif)#int g0/0
R1(config-if)#no shutdown
R1(config-if)#int g0/1.250
R1(config-subif)#encapsulation dot1q 250
R1(config-subif)#ip address 172.16.250.254 255.255.255.0
R1(config-subif)#int g0/1.254
R1(config-subif)#encapsulation dot1q 254
R1(config-subif)#ip address 172.16.254.254 255.255.255.0
R1(config-subif)#int g0/1
R1(config-if)#no shutdown
After this we need to configure all hosts, including the two servers (see the topology picture), using the Addressing Table. When we are finished the network should be working, but with no restrictions.
Step 8. Create restrictions by configuring Access Control Lists. You will configure two access control lists on router R1. The first ACL restricts access to the vty lines on R1 so that only hosts on the VLAN60 IT VLAN can reach them. We create standard ACL number 10 and apply it to vty 0 15.
R1(config)#access-list 10 permit 172.16.60.0 0.0.0.255
R1(config)#line vty 0 15
R1(config-line)#access-class 10 in
R1(config-line)#exit
Next we restrict access to the internal web server: create a named standard ACL called INT-WEB that allows hosts on the VLAN40 Finance and VLAN60 IT VLANs to reach the internal administrative web server at www.int.com. No other internal or Internet hosts should be able to access it. A standard ACL filters on source address only, so it is applied outbound on the subinterface facing the server.
R1(config)#ip access-list standard INT-WEB
R1(config-std-nacl)#permit 172.16.40.0 0.0.0.255
R1(config-std-nacl)#permit 172.16.60.0 0.0.0.255
R1(config-std-nacl)#exit
R1(config)#int g0/1.250
R1(config-subif)#ip access-group INT-WEB out
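To check the two ACLs from Step 8 before applying them, here is an added Python example (not part of the tutorial) that implements Cisco standard-ACL matching (wildcard masks, first match wins, implicit deny at the end) and runs access-list 10 and INT-WEB against the hosts from the Addressing Table; the Internet address 203.0.113.7 is a constructed sample.

```python
import ipaddress
from typing import Dict, List, Tuple

# One standard ACL entry: (action, network, wildcard mask), e.g.
# "permit 172.16.60.0 0.0.0.255". A wildcard bit of 1 means "don't care".
AclEntry = Tuple[str, str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr matches network under a Cisco wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # bits that must be equal
    return (a & care) == (n & care)


def evaluate_acl(acl: List[AclEntry], src: str) -> str:
    """First-match evaluation; an unmatched source hits the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(src, network, wildcard):
            return action
    return "deny"                  # implicit "deny any" ends every standard ACL


# The two ACLs from Step 8, transcribed from R1's configuration above.
ACL_10 = [("permit", "172.16.60.0", "0.0.0.255")]      # access-class on vty 0 15
INT_WEB = [("permit", "172.16.40.0", "0.0.0.255"),      # access-group out on g0/1.250
           ("permit", "172.16.60.0", "0.0.0.255")]

# Sources taken from the Addressing Table, plus one constructed Internet host.
HOSTS = {
    "PC1 (VLAN20)": "172.16.20.10", "PC2 (VLAN40)": "172.16.40.10",
    "PC3 (VLAN60)": "172.16.60.10", "PC5 (VLAN40)": "172.16.40.11",
    "S1 SVI (VLAN88)": "172.16.88.253", "Internet host (constructed)": "203.0.113.7",
}


def who_may(acl: List[AclEntry], hosts: Dict[str, str] = HOSTS) -> Dict[str, str]:
    """Map each host label to the verdict the ACL gives its source address."""
    return {name: evaluate_acl(acl, ip) for name, ip in hosts.items()}


if __name__ == "__main__":
    for label, acl in (("access-list 10 (vty)", ACL_10), ("INT-WEB (web server)", INT_WEB)):
        print(label)
        for host, verdict in who_may(acl).items():
            print(f"  {verdict:6} {host}")
```

Every host outside VLAN40 and VLAN60, including the management SVIs and the Internet host, falls through to the implicit deny, which is exactly the behaviour the tutorial expects.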
Now we can check what we created. If everything works, we can access the Internet from all VLANs, reach the web server only from VLAN40 and VLAN60, reach each other across VLANs, and only VLAN60 can reach the vty lines of R1.